On Wednesday 25 November 2009 11:57:10 am Starr-Renee Corbin wrote:
I am required (by NISPOM) to audit access to security related files.
I am essentially using the nispom audit.rules provided by rhel5 to
accomplish this.
However, some of my systems are capturing access to /etc/shadow and
some of my systems are not (when looking in /var/log/audit/audit.log.
I guess the questions are:
what kernels?
what audit packages?
Are both the same arch?
How are you testing that one is not being recorded when it should?
-Steve