I am actually using the suggested parameters from the STIG for UNIX guide. I have searched and found
the stig.rules on the internet and we are going to try them. I also saw the nispom.rules but apparently they are
for Red hat 5 Kernel 2.6.25 it says in the file? We are not using keying but will once we get the stig.rules installed
they appear to be using the -k flag.
We are using audit 1.0.15 and I see 1.0.16 is on the Red Hat site, is there a compelling reason to update to the
1.0.16 version of audit?
Thanks Steve.

Inactive hide details for Steve Grubb <sgrubb@redhat.com>Steve Grubb <sgrubb@redhat.com>



On Sunday 02 November 2008 21:42:47 David Flatley wrote:
> Presently I am using the S.T.I.G. recommendations but I may
> have to use more extensive rules which I am in the process of testing.

Are you using the stig.rules from the audit package or something else? If I
were you, I'd spend some time making sure your rules are tuned. Assuming that
you have keys on you rules, you can run a key report to see what is causing
you the most events: aureport --start this-week --key --summary.

Then you'd want to dig into some of those records and see what kinds of things
are happening. Assuming you have a key of delete and you wanted to see what
syscalls are the most often logged:

ausearch --start this-week -k delete --raw | aureport --syscall --summary -i

Assuming that shows unlinkat the most prevalent syscall:

ausearch --start this-week -k delete -sc unlinkat --raw |
aureport --user --summary -i

And so on until you see what is causing so much logging. This doesn't help
with the archiving, but could help you get the right audit data recorded.

-Steve