Re: Offline configuration
On Friday 25 May 2007 12:23, Robert Evans wrote:
Do I need the latest of
audit-libs-devel
no
kernel as well?
Wouldn't hurt due to security fixes.
Also, what other packages are critical to get NISPOM compliance?
NISPOM seems preoccupied with login/logout, account locking, blacklisting of
terminals, audit trail generation, and audit reports.
The login/logout stuff is covered by pam, login, sshd, and gdm. Account
locking is done by pam_tally2. I don't believe we do blacklisting of
terminals like pam_tally does. And the audit trail is done by the kernel and
audit package. I'd also update password and shadow-utils so that changes to
accounts are audited.
Even when I updated the above packages, it didn't look like
failed logins on
the gnome desktop were generating events. I realize this may be particular
to RHEL_64, but I also figured I could just have an outdated package.
Also, put audit=1 in boot parameters. The latest version of gdm is supposed to
work with audit. There was an issue where the gdm pam configuration was not
right. But it was corrected in the last release.
I'm asking this because when I set up my audit rules on RHEL4_64
with the
base auditing installed (none of the above updates). I wasn't getting any
login/logout events at all, based on my initial experience with the initial
Fedora configurations, I assume that I need to install updated packages.
Yes, I would.
It seems like Steve has put enough information in the event logs that
it is
possible to build a GUI that parses, combines, and then displays the event
logs to the user.
Yes. I believe someone even sent one to this mail list about a year ago. We
are planning to write one later this summer after the audit parsing library
work is settled.
The only gotcha I had with FC5 was that I needed the updated openssh
packages to generate the events that indicated a logout event for ssh.
Yep.
-Steve