On Thu, 10 Feb 2005 13:35:53 EST, Steve Grubb said:

> I'm getting closer to releasing the next version of the audit daemon. I'm
> wanting to include a file that has sample auditctl rules demonstrating how to
> do various things. I'm open to ideas. What common tasks should be included?
> Note the file will be installed in the docs directory rather than being the
> default ruleset.

I can *guarantee* that something you will eventually be asked is: "What auditctl rules do I need to split things into classes equivalent to the Solaris/AIX/Irix (pick one or more) audit classes?"

For instance, the current Center for Internet Security benchmark for Solaris recommends:

    flags:lo,ad,cc
    naflags:lo,ad,ex

(and some tweaking - the 'cc' class is fm+p[cms] minus a few things that tend to flood the log like fcntl and flock). So somebody is going to ask "How do I do the same thing on Linux?"....

(Am pressed for time, don't have the Irix pointer handy)

Solaris Reference: http://www.sun.com/solutions/blueprints/0201/audit_config.pdf

"Auditing in the Solaris 8 Operating Environment," February 2001, by William Osser and Alex Noordergraaf

    The use of the Solaris auditing system (SunSHIELD Basic Security Module or
    BSM) has never been well understood. This article presents an auditing
    configuration optimized for the Solaris 8 environment. The recommended
    configuration will audit activity on a system without generating gigabytes
    of data every day. In addition, the audit configuration files are available.

For AIX: http://www.redbooks.ibm.com/abstracts/SG246396.html?Open (Especially chapter 2 and appendix A).
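A starting point for the ruleset the post predicts people will ask for, added here as an example and not part of the original message or of the audit package: an audit.rules fragment in current auditctl syntax that approximates the CIS Solaris `flags:lo,ad,cc` / `naflags:lo,ad,ex` set. The class-to-syscall mapping, the watched paths and the `-k` key names are choices made here, since Solaris classes and Linux syscalls do not line up one to one, and 32-bit callers would need matching `arch=b32` lines.

```conf
## Approximation of Solaris BSM classes lo, ad, cc, ex on Linux (x86_64).
## Mapping chosen for this example; adjust to the host's actual syscall table.
## Load with: auditctl -R <this file>, or install under /etc/audit/rules.d/

# Clear existing rules and give the kernel a larger backlog
-D
-b 8192

# lo (login/logout): on Linux these come from PAM/login as USER_LOGIN,
# USER_START, USER_END and related records, not from syscall rules, so
# nothing is needed here beyond auditd running with pam_loginuid in place.

# ad (administrative): watch the files admins change, plus the handful of
# syscalls that alter system-wide state
-w /etc/passwd -p wa -k ad
-w /etc/shadow -p wa -k ad
-w /etc/group -p wa -k ad
-w /etc/sudoers -p wa -k ad
-w /etc/audit/ -p wa -k ad
-a always,exit -F arch=b64 -S sethostname,setdomainname -k ad
-a always,exit -F arch=b64 -S settimeofday,adjtimex,clock_settime -k ad
-a always,exit -F arch=b64 -S init_module,finit_module,delete_module -k ad

# cc = fm + p[cms] minus the floods.
# fm (file attribute modify): mode, owner, timestamp and xattr changes.
# fcntl and flock are deliberately left out, as the CIS tweak does on Solaris.
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -k fm
-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -k fm
-a always,exit -F arch=b64 -S utime,utimes,futimesat,utimensat -k fm
-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr -k fm
-a always,exit -F arch=b64 -S removexattr,lremovexattr,fremovexattr -k fm

# pc / pm / ps (process create, process modify, process signal/stop)
-a always,exit -F arch=b64 -S fork,vfork,clone -k pc
-a always,exit -F arch=b64 -S setuid,setreuid,setresuid,setfsuid -k pm
-a always,exit -F arch=b64 -S setgid,setregid,setresgid,setfsgid -k pm
-a always,exit -F arch=b64 -S kill,tkill,tgkill -k ps

# naflags ex: Solaris "non-attributable" means no audit user id yet; the Linux
# equivalent is a login uid that was never set, so record execs only for those
-a always,exit -F arch=b64 -S execve -F auid=unset -k na-ex
```

Once loaded, `ausearch -k fm` (or any of the other keys) pulls out one class at a time, which is the per-class split the post is asking about.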