From mboxrd@z Thu Jan 1 00:00:00 1970
From: Mario Chancay
Subject: Auditing in old versions of Linux
Date: Tue, 30 Mar 2010 08:32:35 -0700 (PDT)
Message-ID: <27921.42909.qm@web45214.mail.sp1.yahoo.com>
To: linux-audit@redhat.com

Due to technical and budget constraints, we are not yet able to migrate some old Linux boxes to the latest versions but need to configure auditing under the following platforms:

- Red Hat Linux Enterprise AS 3.4, 3.5, 3.6
- Red Hat Linux 4.x

Need advice to confirm if auditing is possible under these versions and also the recommended procedure to install/setup as I understand that the auditd package depends on the kernel version.

Regards

Mario 

From mboxrd@z Thu Jan 1 00:00:00 1970
From: Ray Pittigher
Subject: Re: Auditing in old versions of Linux
Date: Tue, 30 Mar 2010 12:07:41 -0400
Message-ID: <4BB221CD.8080609@itt.com>
In-Reply-To: <27921.42909.qm@web45214.mail.sp1.yahoo.com>
To: Mario Chancay
Cc: "linux-audit@redhat.com"

You can use SNARE.

On 03/30/2010 11:32 AM, Mario Chancay wrote:
> Due to technical and budget constraints, we are not yet able to migrate
> some old Linux boxes to the latest versions but need to configure
> auditing under the following platforms:
>
> - Red Hat Linux Enterprise AS 3.4, 3.5, 3.6
> - Red Hat Linux 4.x
>
> Need advice to confirm if auditing is possible under these versions and
> also the recommended procedure to install/setup as I understand that the
> auditd package depends on the kernel version.
>
> Regards
>
> Mario

This e-mail and any files transmitted with it may be proprietary and are intended solely for the use of the individual or entity to whom they are addressed. If you have received this e-mail in error please notify the sender. Please note that any views or opinions presented in this e-mail are solely those of the author and do not necessarily represent those of ITT Corporation. The recipient should check this e-mail and any attachments for the presence of viruses. ITT accepts no liability for any damage caused by any virus transmitted by this e-mail.

From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Woodie, Paul E, CIV, DSS"
Subject: RE: Auditing in old versions of Linux
Date: Tue, 30 Mar 2010 12:58:26 -0400
Message-ID: <4F8BCA5FEFD55F438B1876BF0A5AAF860175DAF3@penryn.ds.dss.mil>
To: linux-audit@redhat.com

There is an audit package called Snare, which would make possible auditing on previous versions of Linux. It worked well. Unfortunately, that also required (usually) modified versions of the kernel. Perhaps you can find some of those components. I have not used Snare in quite a while.

Paul Woodie, CISSP, IAM

-----Original Message-----
From: linux-audit-bounces@redhat.com [mailto:linux-audit-bounces@redhat.com] On Behalf Of linux-audit-request@redhat.com
Sent: Tuesday, March 30, 2010 12:00 PM
To: linux-audit@redhat.com
Subject: Linux-audit Digest, Vol 66, Issue 12

Today's Topics:

1. Auditing in old versions of Linux (Mario Chancay)

Message: 1
Date: Tue, 30 Mar 2010 08:32:35 -0700 (PDT)
From: Mario Chancay
To: linux-audit@redhat.com
Subject: Auditing in old versions of Linux
Message-ID: <27921.42909.qm@web45214.mail.sp1.yahoo.com>

Due to technical and budget constraints, we are not yet able to migrate some old Linux boxes to the latest versions but need to configure auditing under the following platforms:

- Red Hat Linux Enterprise AS 3.4, 3.5, 3.6
- Red Hat Linux 4.x

Need advice to confirm if auditing is possible under these versions and also the recommended procedure to install/setup as I understand that the auditd package depends on the kernel version.

Regards

Mario

From mboxrd@z Thu Jan 1 00:00:00 1970
From: Ray Pittigher
Subject: Re: Auditing in old versions of Linux
Date: Tue, 30 Mar 2010 13:03:37 -0400
Message-ID: <4BB22EE9.30803@itt.com>
In-Reply-To: <4F8BCA5FEFD55F438B1876BF0A5AAF860175DAF3@penryn.ds.dss.mil>
To: "Woodie, Paul E, CIV, DSS"
Cc: "linux-audit@redhat.com"

What kind of auditing and/or lock downs do you use at DSS?

On 03/30/2010 12:58 PM, Woodie, Paul E, CIV, DSS wrote:
> There is an audit package called Snare, which would make possible
> auditing on previous versions of Linux. It worked well. Unfortunately,
> that also required (usually) modified versions of the kernel. Perhaps
> you can find some of those components. I have not used Snare in quite a
> while.
>
> Paul Woodie, CISSP, IAM

--
Ray Pittigher
Software Development Environment Department

From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: Auditing in old versions of Linux
Date: Tue, 30 Mar 2010 13:20:18 -0400
Message-ID: <201003301320.18916.sgrubb@redhat.com>
In-Reply-To: <27921.42909.qm@web45214.mail.sp1.yahoo.com>
To: linux-audit@redhat.com

On Tuesday 30 March 2010 11:32:35 am Mario Chancay wrote:
> Due to technical and budget constraints, we are not yet able to migrate some
> old Linux boxes to the latest versions but need to configure auditing
> under the following platforms:
>
> - Red Hat Linux Enterprise AS 3.4, 3.5, 3.6
> - Red Hat Linux 4.x

Yes, it is possible, but the auditing mechanisms are different. Both are Common Criteria certified. One of the requirements for Common Criteria is auditing.

> Need advice to confirm if auditing is possible under these versions and also
> the recommended procedure to install/setup as I understand that the auditd
> package depends on the kernel version.

That is a longer topic. There are documents available in the cert rpm that may be able to help answer how you should set it up.

ftp://ftp.redhat.com/pub/redhat/linux/eal/

-Steve