[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: looking for help in coming up to speed with auditd



On Wednesday, March 09, 2011 06:33:30 am larry erdahl usbank com wrote:
> I'm new to auditd, and have been assign to come up with a "best practice"
> standard for the deployment and audit settings for Linux servers using
> auditd,  Other then the man pages does anyone have any suggestions for
> "best practices", books or training courses that would help me get a
> better understanding of auditd and its syntax?

There is a audit.rules man page that discusses some ideas about how to conduct and 
investigation. Being able to do an investigation depends on the rules you give the 
audit system. If you don't have a watch on a document that you really care about, then 
you might get an event showing someone accessed it. 

The rules are essentially the same as auditctl without its name. So, you can look at 
its man page to get an idea of its syntax. I also would not start writing an 
audit.rules file from scratch. There are 3 or 4 sample rule files in the package. I 
would start with one of them and customize it to your needs. The stig.rules file is 
probably the best one to start with.

As for additional information I have a couple presentations here:
http://people.redhat.com/sgrubb/audit/
that might be useful. Also you can look at the NSA SNAC guide for RHEL5 which should 
have some discussion about the audit system.

-Steve


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]