[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

CAPP Auditing with RHEL-4 U2

We are needing to get CAPP auditing working before we can seriously
use Red Hat Enterprise 4. We had looked at using SNARE before U2 but
saw that CAPP was added to the U2 beta.

The instructions were a bit bare (i probably missed the obvious ones).
I copied over the capp.rules to /etc/audit.rules and restarted the
auditd. On our other systems if I do similar things and then do a 'cat
/etc/shadow', I see a dmesg statement saying that I have been a bad
boy.  Nothing with this version of audit

I looked in /var/log/audit/audit.log.. nothing about me trying to open
the file that I could see. An ausearch shows some action, but nothing
as explicite as when I try to do something selinux says is bad.

So what I am wondering is:

1) what extra capabilities will auditd have (syslog, logwatch support, etc?)
2) what steps did I miss (do I need a supplemental Selinux strict for the box?)
3) what can I do to better help this project?

I have a set of boxes that need to meet CAPP auditing soon or will
have to restart the process with SuSE and laus.

Stephen J Smoogen.
CSIRT/Linux System Administrator

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]