* VERY basic question
@ 2014-02-10 19:20 Margaret M Sanders
2014-02-11 13:57 ` Steve Grubb
0 siblings, 1 reply; 2+ messages in thread
From: Margaret M Sanders @ 2014-02-10 19:20 UTC (permalink / raw)
To: linux-audit@redhat.com
[-- Attachment #1.1: Type: text/plain, Size: 824 bytes --]
Hi all. I 've been lurking around, listening for things I can use...but I'm not where you guys are at in terms of auditing. I still have a requirement, however.
So, help me to understand a very basic functioning of Linux (I imagine its basic).
In a standalone system:
How in the world do I capture, create and save human readable reports and then clear audit logs.
Which BASIC /var/log should every accidental sysad (like myself) be capturing?
I know where to put the audit rules, but at this point, I'm just sort of following instructions for that without any real sense of understanding. The farthest I've gotten is -w means watch.
If you guys would take a moment to ask such a rudimentary question, I might be able to move past go.
Thank you for your time.
Margaret M. Sanders
SwRI ISSO/ATA
[-- Attachment #1.2: Type: text/html, Size: 3175 bytes --]
[-- Attachment #2: Type: text/plain, Size: 0 bytes --]
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: VERY basic question
2014-02-10 19:20 VERY basic question Margaret M Sanders
@ 2014-02-11 13:57 ` Steve Grubb
0 siblings, 0 replies; 2+ messages in thread
From: Steve Grubb @ 2014-02-11 13:57 UTC (permalink / raw)
To: linux-audit; +Cc: Margaret M Sanders
On Monday, February 10, 2014 07:20:37 PM Margaret M Sanders wrote:
> In a standalone system:
>
> How in the world do I capture, create and save human readable reports and
> then clear audit logs.
aureport is a good starting point. As for what you want out of it...that would
depend on your security policy and threat model. For example, I put key labels
on all rules. So, the main thing I want to see is the key summary report so
that I have a general idea of what is going on with the system. Based on that,
I then look closer at events with certain keys. For others, its different. I
have seen in the past perl scripts that run several aureport commands and
formats it into a report. But there really isn't a consensus on what a
standard report would be.
> Which BASIC /var/log should every accidental sysad (like myself) be
> capturing?
>
> I know where to put the audit rules, but at this point, I'm just sort of
> following instructions for that without any real sense of understanding.
> The farthest I've gotten is -w means watch.
>
> If you guys would take a moment to ask such a rudimentary question, I might
> be able to move past go.
The audit.rules man page has some tips and pointers for rules and
investigations. There is also some documentation here:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html
and other distributions have documentation you can look at as well. Try "linux
audit documentation" as a search to find more.
-Steve
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2014-02-11 13:57 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2014-02-10 19:20 VERY basic question Margaret M Sanders
2014-02-11 13:57 ` Steve Grubb
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox