From mboxrd@z Thu Jan 1 00:00:00 1970 From: "Michael W Folsom" Subject: Current capabilities Date: Wed, 13 Dec 2006 16:16:27 -0700 Message-ID: <1166051787.6399.23.camel@cisco.sandia.gov> Mime-Version: 1.0 Content-Type: text/plain Content-Transfer-Encoding: 7bit Return-path: Received: from mx1.redhat.com (mx1.redhat.com [172.16.48.31]) by int-mx1.corp.redhat.com (8.13.1/8.13.1) with ESMTP id kBDNG9du015845 for ; Wed, 13 Dec 2006 18:16:09 -0500 Received: from sentry.sandia.gov (mm04snlnto.sandia.gov [132.175.109.21]) by mx1.redhat.com (8.12.11.20060308/8.12.11) with ESMTP id kBDNG8oh002413 for ; Wed, 13 Dec 2006 18:16:09 -0500 List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: Linux Audit List List-Id: linux-audit@redhat.com I've been lurking on this list for a while now and am a bit confused at the current state of audit's capabilities. I've looked at: http://people.redhat.com/sgrubb/audit/ and still aren't sure if it is capable of doing what I need. To get to the point the events I need to record in an audit log are - 1) If someone tries to access an object (file, directory, program) that they don't have rights to the event needs to be recorded 2) if someone logs into a system and su's to another user or series of users their actions need to be traceable to the original login user's id Can this be done with the current audit system in RHEL4 or will this not be supported until RHEL5 is released? Are there any other Linux distro's that can do this? If either of these are true where would I look for information how to get this to work. Thanks!