Hello,
Here in the defense industry we are very pleased that the current
production version of the audit daemon 1.0.3-6 for Enterprise 4 U2 now
has the functionality to capture user defined audit events ( such as,
auditctl -w /etc/passwd -k passwd -p wa ).
This audit capture ability is crucial to satisfy our auditing
requirements for the NISPOM Chapter 8, which we must do. Prior to this
we have had to rely on the third party product 'Snare' to capture audit
events on what the NISPOM calls 'Security Relevant Objects'. But as you
may know 'Snare' requires its own audit daemon, not a good thing for us
because it requires a modified kernel.
But back to the native audit daemon 1.0.3-6, what we have found is that
both the user defined audit events, using auditctl, and the default
audit events, coded in the audit daemon?, are written to the same
log file /var/log/audit/audit.log by default. This combining of all
audit events into one log is not our preference because the audit events
required to satisfy NISPOM Chapter 8 are not the same requirements as
CAPP auditing. The CAPP default audit events are not at all needed for
NISPOM Chapter 8 and actually make it harder to filter and manage the
audit.log.
What we would like to see added to the audit package is the ability to log
the default CAPP audit events and the user defined audit events to
separate log files. We would be pleased if you would consider making
this change.
Thanks!
Tom Call
Lockheed Martin Missiles and Fire Control - Orlando, SCOC
desk(paged): (407)356-4959 pager: (407)981-8177
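An added example, not part of Tom's message or of the audit package itself: a shell function that post-processes audit.log and routes records into two files using the key= field that auditctl -k attaches to the SYSCALL record. Only the SYSCALL record of an event carries the key, while its CWD and PATH records share just the event serial in msg=audit(time:serial), so the script collects the serials of keyed events first and routes every record by serial, keeping a watched-file event whole. The log lines are constructed samples in the 1.0.x record format and the output file names are assumptions.

```shell
#!/bin/sh
# Constructed sample of an audit.log excerpt: event 456 comes from the
# "auditctl -w /etc/passwd -k passwd -p wa" rule (keyed), 457 and 458 are
# default (CAPP-style) records with no key.
SAMPLE_LOG='type=SYSCALL msg=audit(1160000000.123:456): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=1 pid=2 auid=500 uid=0 comm="vi" exe="/bin/vi" key="passwd"
type=CWD msg=audit(1160000000.123:456):  cwd="/root"
type=PATH msg=audit(1160000000.123:456): item=0 name="/etc/passwd" inode=12345 dev=08:01 mode=0100644 ouid=0 ogid=0
type=USER_LOGIN msg=audit(1160000001.000:457): user pid=3000 uid=0 auid=500 acct="root" exe="/bin/login" res=success
type=SYSCALL msg=audit(1160000002.500:458): arch=c000003e syscall=2 success=yes exit=4 items=1 ppid=1 pid=9 auid=501 uid=501 comm="cat" exe="/bin/cat"
type=PATH msg=audit(1160000002.500:458): item=0 name="/etc/motd" inode=222 dev=08:01 mode=0100644 ouid=0 ogid=0'

# split_audit_log INPUT KEYED_OUT OTHER_OUT
#   Records belonging to an event whose SYSCALL record has a key="..."
#   field go to KEYED_OUT; everything else goes to OTHER_OUT.
#   The input is read twice (same file given to awk twice): pass 1 learns
#   the serials of keyed events, pass 2 routes records by serial.
split_audit_log() {
    awk -v keyed="$2" -v other="$3" '
        # Pass 1: remember the msg=audit(time:serial) of every keyed record.
        # Requiring a quoted value skips unkeyed records printed as key=(null).
        NR == FNR {
            if (match($0, /msg=audit\([0-9.]+:[0-9]+\)/) && /key="[^"]+"/)
                keyed_serial[substr($0, RSTART, RLENGTH)] = 1
            next
        }
        # Pass 2: route each record by the serial it shares with its SYSCALL.
        {
            if (match($0, /msg=audit\([0-9.]+:[0-9]+\)/) &&
                (substr($0, RSTART, RLENGTH) in keyed_serial))
                print > keyed
            else
                print > other
        }
    ' "$1" "$1"
}

# Demo on the constructed input: the keyed file gets all three records of
# event 456 (including the PATH record naming /etc/passwd); the other file
# gets the three unkeyed records.
workdir=$(mktemp -d)
printf '%s\n' "$SAMPLE_LOG" > "$workdir/audit.log"
split_audit_log "$workdir/audit.log" "$workdir/nispom.log" "$workdir/capp.log"
wc -l "$workdir/nispom.log" "$workdir/capp.log"
```

A naive grep for key= would keep only the SYSCALL line and drop the PATH record that actually names the watched object, which is why routing goes by event serial.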