public inbox for linux-audit@redhat.com
From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: New to audit. Need help configuring audit to meet NISPOM req's
Date: Tue, 27 Feb 2007 22:00:50 -0500
Message-ID: <200702272200.50859.sgrubb@redhat.com>
In-Reply-To: <C448EC7056762442858D09FC8380D112981E90@XCGC3008.northgrum.com>

On Tuesday 27 February 2007 03:25:18 Fields, Randy (Space Technology) wrote:
> Here is the list of items that I need to accomplish, and I greatly
> appreciate any help that you can provide.
>
> 1) I need to configure a test box to meet NISPOM audit requirements.
>    (Any examples of /etc/auditd.conf and /etc/audit.rules would be great.)
> 2) Then test it by acting as a user and trying to access files such as
>    /etc/passwd and /etc/shadow.
> 3) Then report that data to prove to auditors that the tool is collecting
>    the events.

I'd like to include a generic NISPOM configuration in the next set of audit 
packages. Can anyone share some of their contents? I could take a guess at 
it, but would rather have something that has gone through review. I am not 
wanting your site-sensitive file locations, but generally this:

1) any syscall auditing you turned on
2) any files you needed to audit in /etc that are not site-sensitive
3) any files in /var that needed auditing.

I think all other pieces of the audit system are embedded in the appropriate 
utilities so audit message generation is automatic. The report tool created 
to meet NISPOM is aureport.

Send it to me privately if you do not want your email address public. I would 
appreciate the help...and so would other people in the linux-audit community.

Thanks,
-Steve
