On Monday 18 July 2005 11:55, Amy Griffis wrote:
> I'm interested in defining a set of audit rules/watches that, when
> loaded, cause audit to generate the set of auditable events required
> by CAPP (CAPP, pp. 19-21).
I am interested in packaging something in a contrib directory. Maybe we can
all help in this so there is a baseline that can be tweaked for a particular
security target.
> I've consulted a variety of sources, including the CAPP specification
> itself, the LAuS design document, and the LAuS filter.conf file
> provided with our CAPP certification RPM. From that, I have a
> configuration I believe to be fairly complete.
Great. I would be interested in seeing the config. Maybe others can comment on
them. There is the issue of per arch syscall differences. I had hoped that
someone somewhere would have started trying to actually use the audit system
for a real CAPP style config. I think we would have heard from them on this
and other issues regarding usability.
> Is there a follow-on to the CAPP spec that provides a definitive
> technical specification of the auditable events for Linux 2.6; for
> instance, by listing the specific system calls?
No. This would be spelled out in the security target. I would imagine that all
of the files in /etc that involve user accounts, machine identity, and
certain config files would have a watch. I also think that syscalls won't be
used too much except as related to a specific inode. Syscalls that set the
machine name or time would probably be audited, but I think that's all.
-Steve
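A concrete baseline of the kind sketched above (watches on the account and identity files under /etc, syscall rules for setting the machine name and the clock, emitted per arch), as an added example that is not part of this thread or of any certification RPM; the watched-file list, the `-k` key names and the syscall selection are assumptions to be adjusted for a particular security target.

```shell
#!/bin/sh
# Emit a baseline CAPP-style audit rule set in auditctl syntax.
# Added example; paths, keys and syscall choices are assumptions, not from the thread.

# Files under /etc carrying user accounts, machine identity and security config.
# Constructed list; trim or extend it for the security target in question.
WATCHED_FILES="/etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/sudoers \
/etc/hostname /etc/hosts /etc/pam.d /etc/security /etc/ssh/sshd_config"

# Syscalls that set the machine name or the clock get syscall rules, not watches.
LOCALE_SYSCALLS="sethostname setdomainname"
TIME_SYSCALLS="adjtimex settimeofday clock_settime"

# Turn "a b c" into "-S a -S b -S c".
syscall_flags() {
    flags=""
    for s in "$@"; do flags="$flags -S $s"; done
    printf '%s' "${flags# }"
}

capp_rules() {
    echo "-D"          # flush any rules loaded earlier
    echo "-b 8192"     # larger backlog so bursts are not dropped (lost events defeat CAPP)
    for f in $WATCHED_FILES; do
        # record writes and attribute changes to each identity/config object
        echo "-w $f -p wa -k identity"
    done
    # syscall numbers differ between 32-bit and 64-bit ABIs, so emit a rule per arch;
    # a kernel without a given ABI rejects that rule, so drop the arch you do not have
    for arch in b32 b64; do
        echo "-a always,exit -F arch=$arch $(syscall_flags $LOCALE_SYSCALLS) -k system-locale"
        echo "-a always,exit -F arch=$arch $(syscall_flags $TIME_SYSCALLS) -k time-change"
    done
    echo "-e 2"        # make the configuration immutable until reboot
}

# Usage: capp_rules > /etc/audit/capp.rules && auditctl -R /etc/audit/capp.rules
```

Keep `-e 2` last: once it takes effect no further rule changes are accepted until the next boot.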