Re: question

I am actually using the suggested parameters from the STIG for UNIX guide. I have searched and found the stig.rules on the internet and we are going to try them. I also saw the nispom.rules but apparently they are for Red hat 5 Kernel 2.6.25 it says in the file? We are not using keying but will once we get the stig.rules installed they appear to be using the -k flag. We are using audit 1.0.15 and I see 1.0.16 is on the Red Hat site, is there a compelling reason to update to the 1.0.16 version of audit?. Thanks Steve. On Sunday 02 November 2008 21:42:47 David Flatley wrote: Are you using the stig.rules from the audit package or something else? If I were you, I'd spend some time making sure your rules are tuned. Assuming that you have keys on you rules, you can run a key report to see what is causing you the most events: aureport --start this-week --key --summary. Then you'd want to dig into some of those records and see what kinds of things are happening. Assuming you have a key of delete and you wanted to see what syscalls are the most often logged: ausearch --start this-week -k delete --raw | aureport --syscall --summary -i Assuming that shows unlinkat the most prevalent syscall: ausearch --start this-week -k delete -sc unlinkat --raw | aureport --user --summary -i And so on until you see what is causing so much logging. This doesn't help with the archiving, but could help you get the right audit data recorded. -Steve