[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Linux audit for Debian

On Tuesday 21 February 2006 13:44, Michael Fecina wrote:
> I understand that the distribution used is Redhat, and given this Debian
> topic, I'd like to ask what the major changes would be to make this
> available in Debian.  A kernel patch, 

You will likely need the file system auditing patch which is still being 
developed. The RHEL4 kernel has a patch that lets it meet NISPOM but needed 
rework to get upstream acceptance.

> some header changes, 

Not really, libaudit.h takes care of a lot of it.

> and the client  (user-space) tools?

Yes, you need to do some patching here and configuring. NISPOM seems mostly 
concerned with login/logout, file access, blacklisting of accounts/terminals, 
and audit reports.

The login/logout...we patched sshd, login, and gdm to provide the right audit 
events. These are also pamified and have the pam_loginuid module added to 
their config. Pam itself is modified to provide audit records. I think we've 
submitted that upstream, but not 100% sure. If not, we intended it to go 
upstream for everyone to use.

Blacklisting is done with pam_tally. It has been updated to provide anomaly 
records when it blacklists an account.

As for audit reports, aureport was designed to meet this. It can be scripted 
and put into a cron job.

There have been ABI changes in libaudit. If you use FC4 as a model...you want 
the audit-1.0.14 package. If you use FC5 as a model, you want audit-1.1.4. 
You cannot mix and match audit packages and trusted app patches.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]