public inbox for linux-audit@redhat.com
From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Cc: "Curtas, Anthony R." <ANTHONY.R.CURTAS@saic.com>
Subject: Re: Audit config for NISPOM req's
Date: Fri, 22 Dec 2006 09:19:52 -0500
Message-ID: <200612220919.53199.sgrubb@redhat.com>
In-Reply-To: <954E3479CC27224785179CA04904214D1416CC@0668-its-exmp01.us.saic.com>

On Friday 22 December 2006 08:38, Curtas, Anthony R. wrote:
> My main confusion on getting started is the difference between syscalls
> and watches.

Syscalls audit syscalls based on the various parameters accessible during the 
syscall. This means that every syscall is affected since it has to be 
analyzed to determine if it meets the criteria to trigger or suppress an 
audit event. If you use syscalls to audit files, you have to do it by inode. 
This is fine for files that do not move. You can also use devmajor/minor to 
watch whole disks or devices.

Watches solve the problem by allowing you to audit a file by its name. The 
kernel then converts it to inode auditing internally and changes the inode 
that is being audited whenever the file is moved/renamed. Watches also do not 
affect the performance of every syscall.

> It seems watches can do almost all of what I need, but they seem to be
> less "configurable" than the syscalls (like ignoring if root changes
> anything).

This is true in RHEL4. RHEL5/FC6 is more configurable.

> Can someone explain the difference and where one is more appropriate than
> the other.

Syscalls are appropriate whenever you have something global to audit. Watches 
are more appropriate when you are interested in specific files.

-Steve
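The two rule styles Steve contrasts, as an added example that is not part of his message or of the audit package: an inode/device-keyed syscall rule and a path-keyed watch (-w), built with the auditctl(8) option syntax, plus a small demonstration of why the inode-keyed form goes stale when a file is replaced under the same name. Assumptions: GNU coreutils stat and the Linux st_dev major/minor encoding; the paths and the key name "nispom-conf" are hypothetical. The rules are only printed, never loaded (loading needs root and auditctl).

```shell
#!/bin/sh
# Added example, not code from the original thread.  Builds auditctl rule
# lines for the two approaches and shows the inode-keyed one going stale.

# Decode a decimal st_dev (GNU `stat -c %d`) into Linux major/minor numbers.
# Assumption: Linux dev_t layout (major in bits 8-19 and 32+, minor in 0-7 and 12-31).
dev_major() { echo $(( (($1 >> 8) & 4095) | (($1 >> 32) & -4096) )); }
dev_minor() { echo $(( ($1 & 255) | (($1 >> 12) & -256) )); }

# Syscall-based rule: keyed on inode + device, so it must be regenerated
# whenever the inode behind the name changes.  The syscall list is a
# minimal write-oriented sample, not a complete policy.
inode_syscall_rule() {   # usage: inode_syscall_rule PATH KEY
    ino=$(stat -c %i "$1") || return 1
    dev=$(stat -c %d "$1") || return 1
    printf '%s\n' "-a always,exit -S open -S truncate -F inode=$ino -F devmajor=$(dev_major "$dev") -F devminor=$(dev_minor "$dev") -k $2"
}

# Watch rule: keyed on the path; the kernel tracks the inode itself.
watch_rule() {           # usage: watch_rule PATH KEY
    printf '%s\n' "-w $1 -p wa -k $2"
}

# Does an inode rule previously built for PATH still match PATH now?
# Returns 0 if current, 1 if stale.
inode_rule_current() {   # usage: inode_rule_current RULE PATH KEY
    [ "$1" = "$(inode_syscall_rule "$2" "$3")" ]
}

# Demonstration with constructed files in a scratch directory.
demo() {
    d=$(mktemp -d) || return 1
    printf 'secret=1\n' > "$d/shadow.conf"
    rule=$(inode_syscall_rule "$d/shadow.conf" nispom-conf)
    echo "syscall rule: $rule"
    echo "watch rule:   $(watch_rule "$d/shadow.conf" nispom-conf)"
    # Simulate an editor that writes a temp file and renames it over the
    # original: the name is unchanged but the inode behind it is new.
    printf 'secret=2\n' > "$d/shadow.conf.tmp"
    mv "$d/shadow.conf.tmp" "$d/shadow.conf"
    if inode_rule_current "$rule" "$d/shadow.conf" nispom-conf; then
        echo "inode rule still matches"
    else
        echo "inode rule is stale after replace; new rule would be:"
        inode_syscall_rule "$d/shadow.conf" nispom-conf
    fi
    rm -rf "$d"
}

demo
```

The watch line is what you would put in /etc/audit/audit.rules for a named file; the inode line is the shape the kernel matches on either way, which is why a syscall-based rule for a file that gets replaced (package upgrade, editor save-and-rename) silently stops matching until it is rebuilt.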


Thread overview: 14+ messages
2006-12-22 13:38 Audit config for NISPOM req's Curtas, Anthony R.
2006-12-22 14:19 ` Steve Grubb [this message]
2006-12-22 15:08   ` Curtas, Anthony R.
2006-12-22 15:33     ` Steve Grubb
2006-12-22 16:22       ` Wieprecht, Karen M.
2006-12-22 16:25         ` Steve Grubb
2007-01-11 19:18       ` Wieprecht, Karen M.
2007-01-11 19:42         ` Steve Grubb
2007-01-12 16:09         ` Kirkwood, David A.
2007-01-12 16:38           ` Steve Grubb
2007-01-12 18:45             ` Kirkwood, David A.
2007-01-12 19:49               ` Steve Grubb
2007-01-16 15:51                 ` Kirkwood, David A.
2007-01-16 16:15                   ` Steve Grubb
