On Tuesday 27 May 2008 10:00:19 corbin wrote:
> Can these rules apply to RHEL4 or just RHEL5?
The rules are different between RHEL4 and 5. RHEL5 has more syscalls than 4
did. It also has more options in auditctl & kernel to make rules capture just
the required data. Some things you simply can't express in RHEL4. For
example, the ability to audit only users (auid>=500) rather than everything
including daemons. For RHEL4, you can get everything required for NISPOM, but
you depend more on the reduction tools and eat more disk space doing so.
> However, I am just exploring the audit.rules settings in RHEL and wanted to
> know if these changes are particular to a specific version of Red Hat.
I believe that RHEL4 has a nispom.rules file also. It has not been updated in
quite a while, but it should be a good starting point. It probably needs
updating for arch=b32 and 64 so that biarch machines get the right syscalls
being audited.
-Steve
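As an added illustration, not part of Steve's reply or of the shipped nispom.rules file, of what the biarch update he describes looks like: each syscall set is written once for arch=b32 and once for arch=b64, restricted to real users with auid>=500, and excluding processes whose login uid was never set (4294967295 is the unset loginuid on kernels of this generation). It assumes an x86_64 RHEL5 host and auditd rule-file syntax.

```text
## Example only (constructed): biarch NISPOM-style audit.rules fragment
## for an x86_64 RHEL5 system. A rule carrying only arch=b64 silently
## misses 32-bit binaries on a biarch kernel, so every syscall rule is
## given twice. auid>=500 limits collection to real users; the
## auid!=4294967295 filter drops processes with no login uid (daemons).

# Flush existing rules and keep collecting if the backlog fills
-D
-b 1024
-f 1

# Discretionary access control changes (mode changes on files)
-a exit,always -F arch=b32 -S chmod -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod
-a exit,always -F arch=b64 -S chmod -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod

# Import/export of media: mount and unmount by users
-a exit,always -F arch=b32 -S mount -S umount2 -F auid>=500 -F auid!=4294967295 -k export
-a exit,always -F arch=b64 -S mount -S umount2 -F auid>=500 -F auid!=4294967295 -k export

# Deletion and renaming of objects by users
-a exit,always -F arch=b32 -S unlink -S rename -S rmdir -F auid>=500 -F auid!=4294967295 -k delete
-a exit,always -F arch=b64 -S unlink -S rename -S rmdir -F auid>=500 -F auid!=4294967295 -k delete

# File watches need no arch qualifier; they fire regardless of caller bitness
-w /etc/audit/audit.rules -p wa -k audit_config
-w /etc/audit/auditd.conf -p wa -k audit_config

# Lock the configuration so it cannot be changed until reboot
-e 2
```

The -k keys let the reduction tools (ausearch -k, aureport) pull one category at a time, which is what keeps disk and analysis cost down compared with capturing every syscall from every process.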