From mboxrd@z Thu Jan  1 00:00:00 1970
From: Steve Grubb <sgrubb@redhat.com>
Subject: Re: Audit Log not capturing access to security related files
Date: Mon, 30 Nov 2009 13:37:30 -0500
Message-ID: <200911301337.30451.sgrubb@redhat.com>
References: <F290A936-757A-4DF5-BFB6-DA8F77864591@arlut.utexas.edu>
Mime-Version: 1.0
Content-Type: Text/Plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <F290A936-757A-4DF5-BFB6-DA8F77864591@arlut.utexas.edu>
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Wednesday 25 November 2009 11:57:10 am Starr-Renee Corbin wrote:
> I am required (by NISPOM) to audit access to security related files.
> I am essentially using the nispom audit.rules provided by rhel5 to
> accomplish this.
> 
> However, some of my systems are capturing access to /etc/shadow and
> some of my systems are not (when looking in /var/log/audit/audit.log.

I guess the questions are:

what kernels?
what audit packages?
Are both the same arch?
How are you testing that one is not being recorded when it should?

-Steve