Re: [Fed-Talk] How to configure auditing for use in a Closed Area
- Subject: Re: [Fed-Talk] How to configure auditing for use in a Closed Area
- From: Stacey Son <email@hidden>
- Date: Mon, 1 Nov 2010 16:54:42 -0500
On Oct 28, 2010, at 2:40 PM, Dan O'Donnell wrote:
> On 10/28/10 12:37 PM, "DeMattia, Edmond G." <email@hidden>
> wrote:
>
>> I added the flags you have listed below to /etc/security/audit_control (most
>> were already there) and executed audit -s to re-read the configuration.
>>
>> I then switched to a normal user account and tried to touch /etc/passwd and
>> received a "permission denied" as expected.
>
> audit -n to close the current audit file and start a new one.
>
>> Then I executed praudit -l /var/audit/the_current_audit_file but didn't see
>> a line with the failed attempt by the normal user. I even did an auditreduce
>> -e username /var/audit/the_current_audit_file and didn't get a positive
>> result. Nothing was returned.
>>
>> Any ideas?
>
> praudit and auditreduce will not work on an open audit file.
You can actually use praudit on an open audit trail file using the '-p' option:
% sudo tail -f /var/audit/current | praudit -p
This option is handy for watching the audit information coming out of the audit pipe device (Mac OS X 10.6) as well:
% sudo praudit -p /dev/auditpipe
I prefer using the auditpipe device since the trail, in the previous example, can be rotated while you are watching it.
As for adding new flags to /etc/security/audit_control, please note there are two sets of flags that should be updated: "flags" and "naflags". The latter is for "non-attributed" events, or events that can't be attributed to a specific user. Make sure you update both.
Hope this helps,
-stacey.
----
Stacey Son
email@hidden
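As an added example (not code from the thread or from OpenBSM), this POSIX shell checker compares the "flags:" and "naflags:" lines of an audit_control file and lists the classes set for attributable events but missing from the non-attributable set; the audit_control contents are constructed, and the +/-/^ prefix handling assumes OpenBSM's audit_control syntax.

```shell
#!/bin/sh
# Added example (not the thread's own code): compare the "flags:" and "naflags:"
# lines of an OpenBSM audit_control file and list the classes configured for
# attributable events but missing from the non-attributable set.
# Assumed syntax: classes separated by commas, each optionally prefixed with
# + (success only), - (failure only) or ^ (exclude).

# Print the value of a keyword line (e.g. "flags:" or "naflags:") from FILE.
audit_get() {  # usage: audit_get FILE KEY
    sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1
}

# Drop the +/-/^ prefixes and print one class name per line.
audit_classes() {  # usage: audit_classes "lo,+aa,-fw"
    printf '%s\n' "$1" | tr ',' '\n' | sed 's/^[+^-]*//' | grep -v '^$' || true
}

# Print every class in flags: that is absent from naflags:, one per line.
audit_flags_missing_from_naflags() {  # usage: audit_flags_missing_from_naflags FILE
    flags=$(audit_get "$1" flags)
    naflags=$(audit_get "$1" naflags)
    for c in $(audit_classes "$flags"); do
        audit_classes "$naflags" | grep -qx "$c" || printf '%s\n' "$c"
    done
}

# Write a constructed audit_control where fw was added to flags but not to
# naflags (the mistake the thread warns about); print the temp file's path.
audit_sample_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
dir:/var/audit
flags:lo,aa,-fw
minfree:20
naflags:lo,aa
policy:cnt
filesz:0
EOF
    printf '%s\n' "$f"
}

sample=$(audit_sample_file)
audit_flags_missing_from_naflags "$sample"   # prints: fw
rm -f "$sample"
```

Run it against /etc/security/audit_control after editing; an empty result means every class in "flags" is also present in "naflags".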