Re: no logging of successful events?

[Steve Grubb <sgrubb@redhat.com>]

On Monday 18 August 2008 16:43:19 Brian LaMere wrote:
> -w /etc/auditd.conf
> -w /etc/audit.rules
> -a exit,always -S open -F success=0

Note that openat is being used more and more for secure apps that need to 
ensure that a directory is not switched out during an operation.


> -a exit,always -S rmdir -S unlink -S chmod -S fchmod -S chown -S fchown
> -S lchown -F success!=0
> -a exit,always -S settimeofday -S setrlimit -S setdomainname -S
> sched_setparam -S sched_setscheduler -S acct -S reboot -S swapon
> -------------------------------------------------
>
> Was grouping by failed, successful, and both.  Did this due to reading
> that every audit rule is tested for every syscall, which...yeah, makes
> me want to group things.

Yes. You can do that. In the stig.rules file I add a key so that you can see 
exactly what part of the stig is being met whenever you encounter an event. 
And its also because sometimes it takes more than one rule to meet a 
requirement fully.


> That being said, stig.rules is extensive; any warning on what the
> performance impact will be?

No idea. If you have to meet the letter of the law...not a whole lot you can 
do but throw hardware at it. Depending on your situation, you may be able to 
do it with less rules. I wanted to illustrate as complete coverage as 
possible with a real life security target people have to meet. I don't have 
any feedback from disa as to whether or not they like it. :)


> Also, when looking for the newer builds on your site
> http://people.redhat.com/sgrubb/audit/ - I noticed "1.7 -> 1.8 Remote
> logging and finishing up IDS/IPS plugin."  That would be wonderously
> fabulous, and I look forward to it.   Any thoughts on whether it will be
> pulled into RHEL5, or whether I'd have to wait until RHEL6?

Remote logging should be in RHEL5.3/Fedora 10. IDS work is in Fedora 9.

-Steve