On Thu, 10 Feb 2005 13:35:53 EST, Steve Grubb said:
> I'm getting closer to releasing the next version of the audit daemon. I'm
> wanting to include a file that has sample auditctl rules demonstrating how to
> do various things. I'm open to ideas. What common tasks should be included?
> Note the file will be installed in the docs directory rather than being the
> default ruleset.

I can *guarantee* that something you will eventually be asked is:
"What auditctl rules do I need to split things into classes equivalent to
the Solaris/AIX/Irix (pick one or more) audit classes?"
For instance, the current Center for Internet Security benchmark for Solaris recommends:
flags:lo,ad,cc
naflags:lo,ad,ex
(and some tweaking - the 'cc' class is fm+p[cms] minus a few things that tend
to flood the log like fcntl and flock). So somebody is going to ask "How do I
do the same thing on Linux?"....
(Am pressed for time, don't have the Irix pointer handy)
Solaris Reference:
http://www.sun.com/solutions/blueprints/0201/audit_config.pdf
"Auditing in the Solaris 8 Operating Environment," February 2001, by William
Osser and Alex Noordergraaf.
The use of the Solaris auditing system (SunSHIELD Basic Security Module or BSM)
has never been well understood. This article presents an auditing configuration
optimized for the Solaris 8 environment. The recommended configuration will
audit activity on a system without generating gigabytes of data every day. In
addition, the audit configuration files are available.
For AIX:
http://www.redbooks.ibm.com/abstracts/SG246396.html?Open
(Especially chapter 2 and appendix A).