On Friday 22 December 2006 08:38, Curtas, Anthony R. wrote:
> My main confusion on getting started is the difference between syscalls and watches.
Syscalls audit syscalls based on the various parameters accessible during the
syscall. This means that every syscall is affected since it has to be
analyzed to determine if it meets the criteria to trigger or suppress an
audit event. If you use syscalls to audit files, you have to do it by inode.
This is fine for files that do not move. You can also use devmajor/minor to
watch whole disks or devices.
Watches solve the problem by allowing you to audit a file by its name. The
kernel then converts it to inode auditing internally and changes the inode
that is being audited whenever the file is moved/renamed. Watches also do not
affect the performance of every syscall.
> It seems watches can do almost all of what I need, but they seem to be less "configurable" than the syscalls (like ignoring if root changes anything).
This is true in RHEL4. RHEL5/FC6 is more configurable.
> Can someone explain the difference and where one is more appropriate than the other?
Syscalls are appropriate whenever you have something global to audit. Watches
are more appropriate when you are interested in specific files.
-Steve
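An added illustration of the inode-versus-path distinction Steve describes (constructed example, not code from this thread or from the audit package). It prints an inode-keyed syscall rule and a path-keyed watch rule for a file, then shows that a plain rename keeps the inode while a write-to-temp-then-rename save (the pattern many editors use, which the thread does not mention) produces a new inode that a static `-F inode=` rule would no longer match. Nothing is loaded into the kernel; `/etc/shadow` in the comments is only a placeholder.

```shell
#!/bin/sh
# Constructed demo: why an inode-keyed syscall rule goes stale while a
# path-keyed watch keeps following the file. Rules are only printed.

inode_of() {
    # POSIX: the first field of `ls -i` is the inode number
    ls -i "$1" | awk '{print $1}'
}

# Syscall-style rule: must be keyed on the inode at the time it is written.
syscall_inode_rule() {
    printf -- '-a exit,always -S open -F inode=%s -k %s\n' "$(inode_of "$1")" "$2"
}

# Watch-style rule: keyed on the path; the kernel tracks inode changes itself.
watch_rule() {
    printf -- '-w %s -p wa -k %s\n' "$1" "$2"
}

# Prints "same" or "changed": does the inode survive a plain rename?
inode_after_rename() {
    d=$(mktemp -d); printf 'x\n' >"$d/shadow"
    before=$(inode_of "$d/shadow")
    mv "$d/shadow" "$d/shadow.moved"
    after=$(inode_of "$d/shadow.moved")
    rm -rf "$d"
    [ "$before" = "$after" ] && echo same || echo changed
}

# Prints "same" or "changed": does the inode survive a write-temp-then-rename
# replacement (the way many editors and `sed -i` save a file)?
inode_after_replace() {
    d=$(mktemp -d); printf 'x\n' >"$d/shadow"
    before=$(inode_of "$d/shadow")
    printf 'y\n' >"$d/shadow.tmp" && mv "$d/shadow.tmp" "$d/shadow"
    after=$(inode_of "$d/shadow")
    rm -rf "$d"
    [ "$before" = "$after" ] && echo same || echo changed
}

# Stand-alone run: show both rule styles for a scratch file, then the two tests.
f=$(mktemp); syscall_inode_rule "$f" demo; watch_rule "$f" demo; rm -f "$f"
echo "rename:  $(inode_after_rename)"
echo "replace: $(inode_after_replace)"
```

After a replacement the inode rule would have to be regenerated from the new inode, which is exactly the bookkeeping a `-w` watch does for you.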