Here in the defense industry we are very pleased that the current production version of the audit daemon 1.0.3-6 for Enterprise 4 U2 now has the functionality to capture user-defined audit events (such as auditctl -w /etc/passwd -k passwd -p wa).
This audit capture ability is crucial to satisfy our auditing requirements for the NISPOM Chapter 8, which we must do. Prior to this we have had to rely on the third party product 'Snare' to capture audit events on what the NISPOM calls 'Security Relevant Objects'. But as you may know 'Snare' requires its own audit daemon, not a good thing for us because it requires a modified kernel.
But back to the native audit daemon 1.0.3-6: what we have found is that both the user-defined audit events (using auditctl) and the default audit events (coded in the audit daemon?) are written to the same log file, /var/log/audit/audit.log, by default. This combining of all audit events into one log is not our preference, because the audit events required to satisfy NISPOM Chapter 8 are not the same as the requirements of CAPP auditing. The CAPP default audit events are not at all needed for NISPOM Chapter 8 and actually make it harder to filter and manage the audit.log.
What we would like to see added to the audit package is the ability to log the default CAPP audit events and the user-defined audit events to separate log files. We would be pleased if you would consider making this change.
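As an added example (not part of the original post), one way to separate the two classes of events from the combined log in the meantime: records produced by a rule with -k carry a key="..." field, while the default CAPP records carry key=(null) or no key at all, so the log can be split per event (all records sharing one msg=audit(timestamp:serial) id) on that field. The sample records below are constructed for illustration and assume the audit.log record layout of the 1.0.x daemon.

```python
import re
from collections import defaultdict

# Constructed sample records (not taken from a real system). Event 101 was
# triggered by the "-w /etc/passwd -k passwd -p wa" watch rule and carries
# key="passwd"; events 102 and 103 are default records with no user-defined key.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1136239200.123:101): arch=40000003 syscall=5 success=yes exit=3 items=1 uid=0 comm="vi" exe="/bin/vi" key="passwd"
type=CWD msg=audit(1136239200.123:101):  cwd="/root"
type=PATH msg=audit(1136239200.123:101): item=0 name="/etc/passwd" inode=1234 dev=08:01 mode=0100644 ouid=0 ogid=0
type=USER_LOGIN msg=audit(1136239260.456:102): user pid=2000 uid=0 auid=500 msg='acct="alice": exe="/usr/sbin/sshd" res=success'
type=SYSCALL msg=audit(1136239300.789:103): arch=40000003 syscall=5 success=yes exit=3 items=1 uid=500 comm="cat" exe="/bin/cat" key=(null)
"""

# Event id is the "timestamp:serial" pair; the serial alone repeats across reboots.
EVENT_RE = re.compile(r'msg=audit\((\d+\.\d+:\d+)\)')
# Only a quoted key counts; key=(null) is what an unkeyed SYSCALL record shows.
KEY_RE = re.compile(r'\skey="([^"]*)"')


def split_by_key(text):
    """Group records by event id and route each whole event (SYSCALL plus its
    CWD/PATH records) to the 'keyed' list when any record carries a quoted key,
    otherwise to 'unkeyed'. Both lists keep the original line order."""
    events = defaultdict(list)
    order = []
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue  # not an audit record; ignore
        event_id = m.group(1)
        if event_id not in events:
            order.append(event_id)
        events[event_id].append(line)
    keyed, unkeyed = [], []
    for event_id in order:
        recs = events[event_id]
        has_key = any(KEY_RE.search(r) for r in recs)
        (keyed if has_key else unkeyed).extend(recs)
    return keyed, unkeyed


def keys_in(lines):
    """Return the sorted set of user-defined keys present in the given records."""
    found = set()
    for line in lines:
        m = KEY_RE.search(line)
        if m:
            found.add(m.group(1))
    return sorted(found)
```

Writing the two lists to separate files gives one file containing only the NISPOM-relevant keyed events and another with the CAPP default records.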
Lockheed Martin Missiles and Fire Control - Orlando, SCOC
desk (paged): (407) 356-4959   pager: (407) 981-8177