Appreciate the comments. FYI, MAC means Mission Assurance Category.
Another note on the auditing. While it is broken on Leopard, it works pretty darn well on Snow Leopard. My one complaint is that the auditing configuration (the flags settings) that I was told is recommended, much like the STIG audit setting for 10.5, misses what I think is really useful information necessary for understanding the audit records (e.g., which programs are accessing a file) and analyzing attacks (like APTs and insider threats like the Wikileaks issues).
For example, process creation, authentication events, and network activity seem like important things for auditing. And if you add file reads and writes, you can really do some cool stuff (this is true for Windows as well).
Here are some links showing the capabilities that adding these flags can provide:
For Snow Leopard:
A Few More Flags - Abridged Version
A Few More Flags (very long version, ~22 minutes) (requires QuickTime)
For Windows (Windows 7 and Windows Server 2008 R2):
The Case of the Swift
General auditing introduction
I Have Bad People
Todd
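The point Todd makes about which programs are accessing a file only becomes answerable when exec (ex) and file-read (fr) auditing are both enabled, so the read record can be joined to the exec record of the same pid. The script below is an added example, not code from the post or from its author; it assumes records were exported with `praudit -x` (XML, one `<record>` per event, with `<path>`, `<subject>`, `<exec_args>` and `<return>` children) after auditing with a flags line such as `flags:lo,aa,ad,ex,pc,fr,fw,nt` in `/etc/security/audit_control`. The class names come from audit_class(5); that particular combination is an assumption for this example, and the sample records are constructed to resemble praudit output rather than captured from a host.

```python
"""Join OpenBSM file-read records to the execve record of the same pid.

Added example (not the original post's code). Input format assumes
`praudit -x` XML; the records below are constructed, not captured.
"""
import xml.etree.ElementTree as ET

# Constructed sample: cat(1) reads /etc/master.passwd under pid 4242,
# alice's open(2) is denied, and pid 6001 reads it with no exec record
# (what you get when the `ex` class is not being audited).
SAMPLE_XML = """<?xml version='1.0' encoding='UTF-8'?>
<audit>
<record version="11" event="execve(2)" modifier="0" time="Mon Jan  4 10:15:02 2010" msec=" + 120 msec" >
<exec_args><arg>/bin/cat</arg><arg>/etc/master.passwd</arg></exec_args>
<path>/bin/cat</path>
<subject audit-uid="todd" uid="root" gid="wheel" ruid="root" rgid="wheel" pid="4242" sid="100004" tid="50331650 0.0.0.0" />
<return errval="success" retval="0" />
</record>
<record version="11" event="open(2) - read" modifier="0" time="Mon Jan  4 10:15:02 2010" msec=" + 121 msec" >
<path>/etc/master.passwd</path>
<subject audit-uid="todd" uid="root" gid="wheel" ruid="root" rgid="wheel" pid="4242" sid="100004" tid="50331650 0.0.0.0" />
<return errval="success" retval="3" />
</record>
<record version="11" event="open(2) - read" modifier="0" time="Mon Jan  4 10:15:30 2010" msec=" + 5 msec" >
<path>/etc/master.passwd</path>
<subject audit-uid="alice" uid="alice" gid="staff" ruid="alice" rgid="staff" pid="5150" sid="100007" tid="50331651 0.0.0.0" />
<return errval="failure : Permission denied" retval="-1" />
</record>
<record version="11" event="open(2) - read" modifier="0" time="Mon Jan  4 10:16:00 2010" msec=" + 9 msec" >
<path>/etc/master.passwd</path>
<subject audit-uid="todd" uid="root" gid="wheel" ruid="root" rgid="wheel" pid="6001" sid="100004" tid="50331650 0.0.0.0" />
<return errval="success" retval="4" />
</record>
</audit>
"""


def parse_records(xml_text):
    """Flatten each <record> into a dict with the fields used for correlation."""
    records = []
    for rec in ET.fromstring(xml_text).iter("record"):
        subj = rec.find("subject")
        ret = rec.find("return")
        records.append({
            "event": rec.get("event", ""),
            "time": rec.get("time", ""),
            "paths": [p.text or "" for p in rec.findall("path")],
            "args": [a.text or "" for a in rec.findall("exec_args/arg")],
            "pid": subj.get("pid") if subj is not None else None,
            "auid": subj.get("audit-uid") if subj is not None else None,  # audit uid survives su/sudo
            "uid": subj.get("uid") if subj is not None else None,
            "success": ret is not None and ret.get("errval") == "success",
        })
    return records


def file_access_by_program(records, target):
    """Return every open(2) of `target`, tagged with the image last exec'd by that pid.

    Records are walked in trail order, so a pid that is recycled is re-keyed by
    its newer execve before later opens are attributed to it.
    """
    exec_image = {}  # pid -> image path from the most recent successful execve
    hits = []
    for r in records:
        if r["event"].startswith("execve(2)"):
            if r["success"] and r["pid"] is not None:
                # Assumes the first <path> of an execve record is the image path.
                exec_image[r["pid"]] = r["paths"][0] if r["paths"] else (r["args"][0] if r["args"] else "?")
            continue
        if r["event"].startswith("open(2)") and target in r["paths"]:
            hits.append({
                "time": r["time"], "event": r["event"], "auid": r["auid"], "uid": r["uid"],
                "pid": r["pid"], "success": r["success"],
                "program": exec_image.get(r["pid"], "unknown (no exec record for pid)"),
            })
    return hits


def summarize(hits):
    """One human-readable line per access; failures are flagged so denials stand out."""
    return [
        f"{h['time']} auid={h['auid']} uid={h['uid']} pid={h['pid']} "
        f"{h['program']} -> {h['event']} [{'ok' if h['success'] else 'DENIED'}]"
        for h in hits
    ]


if __name__ == "__main__":
    for line in summarize(file_access_by_program(parse_records(SAMPLE_XML), "/etc/master.passwd")):
        print(line)
```

On a real host the input would come from `praudit -x /var/audit/<trail-file>`; the third hit in the sample is the case Todd is describing, a read that the trail records but cannot attribute to a program because no execve for that pid was audited.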