From: "Kirkwood, David A"
Subject: Chronological audit logs
Date: Tue, 28 Nov 2006 16:06:31 -0500
Message-ID: <954E3479CC27224785179CA04904214D04336D07@0668-its-exmp01.us.saic.com>
To: Linux-audit@redhat.com

Can someone tell me how I can generate a chronological listing between 2 dates of all the issues I have designated to watch in the audit capabilities of the system? I need to get a system with audit capability sufficiently palatable to the Defense Department for classified use.

I currently use Sun workstations and generate the audit logs via praudit and was looking for some way to set up similar archived weekly audit logs.

Thanks,

David A. Kirkwood
SAIC
david.a.kirkwood@saic.com
kirkwoodd@saic.com
Phone: (727) 502-8310
Fax: (727) 822-7776
From: Stephen Smalley
Subject: Re: Chronological audit logs
Date: Tue, 28 Nov 2006 16:20:51 -0500
Message-ID: <1164748851.23019.134.camel@moss-spartans.epoch.ncsc.mil>
In-Reply-To: <954E3479CC27224785179CA04904214D04336D07@0668-its-exmp01.us.saic.com>
To: "Kirkwood, David A"
Cc: Linux-audit@redhat.com

On Tue, 2006-11-28 at 16:06 -0500, Kirkwood, David A wrote:
> Can someone tell me how I can generate a chronological listing between
> 2 dates of all the issues I have designated to watch in the audit
> capabilities of the system?

/sbin/ausearch -i -ts "starting date" -te "ending date"

And of course you can use the other options of ausearch to refine that listing as desired.

> I need to get a system with audit capability sufficiently palatable to
> the Defense Department for classified use. I currently use Sun
> workstations and generate the audit logs via praudit and was looking
> for some way to set up similar archived weekly audit logs.
-- 
Stephen Smalley
National Security Agency

From: Steve Grubb
Subject: Re: Chronological audit logs
Date: Tue, 28 Nov 2006 16:36:19 -0500
Message-ID: <200611281636.20099.sgrubb@redhat.com>
In-Reply-To: <954E3479CC27224785179CA04904214D04336D07@0668-its-exmp01.us.saic.com>
To: linux-audit@redhat.com
Cc: "Kirkwood, David A"

On Tuesday 28 November 2006 16:06, Kirkwood, David A wrote:
> Can someone tell me how I can generate a chronological listing between 2
> dates of all the issues I have designated to watch in the audit capabilities
> of the system?

ausearch -ts date1 -te date2

> I currently use Sun workstations and generate the audit logs via praudit and
> was looking for some way to set up similar archived weekly audit logs.

You would need to set up a cron job to do the weekly rotation if that is what you want. There is a sample cron script, auditd.cron, that you can use as a starting point. The normal rotation is by size in order to fit more data onto your drives.

-Steve
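As an added example that is not part of the thread (and not the auditd.cron sample Steve mentions), a weekly cron script that does what both replies describe: it runs ausearch -i -ts/-te over the previous seven days and archives the chronological listing. It assumes a Linux audit host whose date command accepts -d (GNU or BusyBox); ARCHIVE_DIR and the script path in the crontab comment are placeholders.

```shell
#!/bin/sh
# Added example, not from the linux-audit thread: archive one week of audit
# events in chronological order using ausearch -ts/-te.
# crontab entry (path is a placeholder):  5 0 * * 1 /usr/local/sbin/audit-weekly.sh --run
set -eu

ARCHIVE_DIR="${ARCHIVE_DIR:-/var/log/audit/weekly}"   # placeholder location

# week_window YYYY-MM-DD -> prints "MM/DD/YYYY MM/DD/YYYY" (start, end), the
# date form ausearch -ts/-te accept; start is seven days before end.
# Arithmetic is done in UTC epoch seconds so a DST change cannot shift the date.
week_window() {
    end_epoch=$(date -u -d "$1 00:00:00" +%s)
    start=$(date -u -d "@$((end_epoch - 7 * 86400))" +%m/%d/%Y)
    end=$(date -u -d "@$end_epoch" +%m/%d/%Y)
    printf '%s %s\n' "$start" "$end"
}

# archive_name YYYY-MM-DD -> file name for the week ending on that day.
archive_name() {
    printf 'audit-week-ending-%s.log.gz\n' "$1"
}

# archive_week YYYY-MM-DD: run ausearch over the window and gzip the listing.
# -i interprets uids and syscall numbers into names, as in Stephen's reply;
# add further ausearch filters (-k, -ui, ...) to narrow it to your watches.
archive_week() {
    set -- "$1" $(week_window "$1")   # $1=end date, $2=start, $3=end (ausearch form)
    mkdir -p "$ARCHIVE_DIR"
    out="$ARCHIVE_DIR/$(archive_name "$1")"
    # ausearch exits 1 when no event matches; treat that as an empty week
    # rather than a failure so cron does not mail an error every quiet week.
    { ausearch -i -ts "$2" -te "$3" || [ $? -eq 1 ]; } | gzip -9 > "$out"
    echo "archived $2..$3 to $out"
}

# From cron: archive the week ending today (or the date given as 2nd argument).
if [ "${1:-}" = "--run" ]; then
    archive_week "${2:-$(date -u +%Y-%m-%d)}"
fi
```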