[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Audit log for user defines



On Friday 28 October 2005 08:19, Call, Tom H wrote:
> This audit capture ability is crucial to satisfy our auditing
> requirements for the NISPOM Chapter 8, which we must do.
>
>  But back to the native audit daemon 1.0.3-6, what we have found is that
> both the user defined audit events, using auditctl, and the default
> audit events, coded in the audit daemon?,  are both written to the same
> log file /var/log/audit/audit.log by default. 

Yes. But you can separate them with the ausearch command. Basically, you just 
want to find your events. It doesn't matter where they are located.

> This combining of all audit events into one log is not our preference
> because the audit events required to satisfy NISPOM Chapter 8 are not the
> same requirements of CAPP auditing.

This means you would need to create an /etc/audit.rules file tweaked for 
NISPOM.

> The CAPP default audit events are not at all needed for NISPOM Chapter 8 and
> actually makes it harder to filter and manage the audit.log.

See above. I would like to provide a nispom.rules file in the contrib section. 
If you want to work together on that, let me know.

>  What we would like to see added to audit package is the ability to log
> the default CAPP audit events and the user defined audit events to
> separate log files. We would be pleased if you would consider making
> this change.

How about the above? Let's make a config that works for you.

-Steve


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]