From: Steve Grubb
Subject: Re: NISPOM Auditing
Date: Tue, 27 May 2008 10:19:25 -0400
Message-ID: <200805271019.26172.sgrubb@redhat.com>
In-Reply-To: <200805271400.m4RE0III031345@ns5.arlut.utexas.edu>
To: corbin
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Tuesday 27 May 2008 10:00:19 corbin wrote:
> Can these rules apply to RHEL4 or just RHEL5?

The rules are different between RHEL4 and 5. RHEL5 has more syscalls than 4 did. It also has more options in auditctl & kernel to make rules capture just the required data. Some things you simply can't express in RHEL4. For example, the ability to audit only users (auid>=500) rather than everything including daemons. For RHEL4, you can get everything required for NISPOM, but you depend more on the reduction tools and eat more disk space doing so.

> However, I am just exploring the audit.rules settings in RHEL and wanted to
> know if these changes are particular to a specific version of Red Hat.

I believe that RHEL4 has a nispom.rules file also. It has not been updated in quite a while, but it should be a good starting point. It probably needs updating for arch=b32 and 64 so that biarch machines get the right syscalls being audited.

-Steve
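The two points Steve raises, restricting syscall rules to real users with an auid filter and giving biarch machines one copy of each syscall rule per arch, can be applied mechanically to an existing rules file. The script below is an added example and is not code from the thread or from the audit package; it assumes auditctl rule syntax as shipped with RHEL5-era audit, 500 as the first real user UID (as in the message), 4294967295 (i.e. -1) as the value of an unset loginuid, and that `-F arch=` must precede `-S` on a rule so that syscall names are resolved for that arch. The sample rules it rewrites are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the linux-audit thread or the audit package).
# Reads audit.rules lines on stdin and writes a biarch version: every syscall
# rule (-S) without an explicit -F arch= is emitted once for b32 and once for
# b64, and with the "users" argument each syscall rule is also restricted to
# real users (auid>=500, auid!=4294967295 = unset loginuid) the way the
# message describes. Watches (-w), -D/-b/-e, comments and blank lines pass
# through unchanged. Assumes auditctl syntax where -F arch= precedes -S.

biarch_rules() {
    # usage: biarch_rules [users] < audit.rules
    filter=""
    if [ "${1:-}" = "users" ]; then
        filter="-F auid>=500 -F auid!=4294967295"
    fi

    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*|-w*|-D*|-b*|-e*)
                printf '%s\n' "$line"
                continue ;;
        esac
        case "$line" in
            *' -S '*) ;;                         # syscall rule: rewritten below
            *) printf '%s\n' "$line"; continue ;;  # e.g. -a exclude,always -F msgtype=...
        esac

        # Split at the first " -S " so that -F arch= is inserted before the
        # syscall list (arch given after the syscalls is not accepted).
        head=${line%% -S *}
        rest="-S ${line#* -S }"

        # Place the user filter before -k if the rule carries a key, else at the end.
        if [ -n "$filter" ]; then
            case "$rest" in
                *' -k '*) rest="${rest%% -k *} $filter -k ${rest#* -k }" ;;
                *)        rest="$rest $filter" ;;
            esac
        fi

        case "$line" in
            *'-F arch='*)
                # Already arch-specific: keep as one rule, filter applied.
                printf '%s %s\n' "$head" "$rest" ;;
            *)
                for arch in b32 b64; do
                    printf '%s -F arch=%s %s\n' "$head" "$arch" "$rest"
                done ;;
        esac
    done
}

# Constructed sample rules (not the real nispom.rules) for a demonstration run.
sample_rules() {
    cat <<'EOF'
# constructed sample
-D
-b 8192
-w /etc/shadow -p wa -k shadow
-a exit,always -S open -S truncate -S ftruncate -k access
-a exit,always -F arch=b64 -S adjtimex -S settimeofday -k time-change
-e 2
EOF
}

sample_rules | biarch_rules users
```

Running the block prints the rewritten set; each syscall rule without an arch comes out twice, once per arch, with the auid filter placed before its key, while the watch on /etc/shadow and the already arch-specific time-change rule are left as single rules. On RHEL4, as the message notes, the auid filter is not available, so the script would be run without the `users` argument there and the reduction left to the reporting tools.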