Re: [Fed-Talk] How to configure auditing for use in a Closed Area
- Subject: Re: [Fed-Talk] How to configure auditing for use in a Closed Area
- From: "Dan O'Donnell" <email@hidden>
- Date: Mon, 25 Oct 2010 08:50:51 -0700
- Thread-topic: [Fed-Talk] How to configure auditing for use in a Closed Area
For definitive configurations check with your DAA or govt representative.
However...
If you are configuring BSM (10.5) and OpenBSM (10.6) for NISPOM PL1, then
you'll want to start with audit flags of: lo,ad,-fr,-fw,-fc,-fd,-fm,-cl.
To do this use your preferred text editor (vi, BBEdit, TextEdit, whatever)
and modify the following:
1. In /etc/security make a copy of audit_control and name one or the other
audit_control.orig
2. Edit the working /etc/security/audit_control to include the flags listed
above. You'll recognize which line to edit.
3. Resync auditing by issuing the following command in the command line:
audit -s
There are some significant differences between BSM in 10.5 and 10.6.
_Activating the audit process_
For BSM in 10.5 you must also start the process by adding the following to
/etc/hostconfig: AUDIT=-YES- and then restarting the machine.
Auditing is active by default in 10.6 so you do not need to invoke it in the
hostconfig file or restart the machine. You will need to resync, as above.
_Retaining your audit file archive_
Your regulations may require you to keep an archive of the audit trail
files. If you do backups then you already have this. If no backups, then you
need to modify the BSM config in 10.6 - but not in 10.5.
BSM in 10.6 automatically deletes audit trail files after the total audit
trail file accumulated size goes over 10MB. You'll want to change this
configuration (in /etc/security/audit_control) in some way so the audit
trails aren't automatically purged from the system. (You can make the
default delete size larger; or you can comment it out entirely and keep them
forever, or until you manually delete them. Your strategy is up to you.)
If you are required to review the audit trails you can do that by exporting
them through the praudit utility, which is part of the BSM system.
Alternatively, I've got a shell script that will automatically convert each
audit trail to text as soon as it is completed and closed by the audit
system.
Hope that helps.
Dan O'Donnell
On 10/25/10 8:31 AM, "DeMattia, Edmond G." <email@hidden>
wrote:
> I have several Macs in a closed area that need to be configured for file and
> directory level auditing. I need to be able to log failed attempts by users
> trying to access files and folders on the local system for which they don't
> have privileges to.
>
> I have a mix of 10.6 and 10.5 workstations. Any help is greatly appreciated!!
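An added example that is not Dan O'Donnell's script and not part of the original thread: a small POSIX sh script that carries out steps 1 to 3 above for the 10.6 OpenBSM case (backup to audit_control.orig, set the PL1 flag line), stops the 10MB purge, and converts closed trail files to text with praudit. It assumes OpenBSM's audit_control keywords "flags:" and "expire-after:" (the post only mentions the 10MB limit), the audit dir naming of START.STOP for closed trails and START.not_terminated for the open one, and the function names are my own; the sample audit_control it edits is constructed, not copied from a real machine.

```shell
#!/bin/sh
# Added example (not from the Fed-Talk post). Assumed, not stated in the post:
# OpenBSM keywords "flags:" / "expire-after:" and the START.STOP trail naming.
set -eu

PL1_FLAGS="lo,ad,-fr,-fw,-fc,-fd,-fm,-cl"   # NISPOM PL1 set named in the post

# Print $1 with its flags: line replaced by $2 (appended if the file has none).
set_flags() {
    if grep -q '^flags:' "$1"; then
        sed "s/^flags:.*/flags:$2/" "$1"
    else
        cat "$1"; printf 'flags:%s\n' "$2"
    fi
}

# Print stdin with expire-after: set to $1 (re-enabling a commented-out line),
# or commented out when $1 is "none" so trails are never purged.
set_expiry() {
    if [ "$1" = none ]; then
        sed 's/^expire-after:/#expire-after:/'
    else
        sed "s/^#*expire-after:.*/expire-after:$1/"
    fi
}

# Rewrite $1 in place: keep one .orig copy, set PL1 flags, set expiry to $2.
apply_pl1() {
    [ -f "$1.orig" ] || cp "$1" "$1.orig"
    tmp=$(mktemp)
    set_flags "$1" "$PL1_FLAGS" | set_expiry "$2" > "$tmp"
    cat "$tmp" > "$1"          # overwrite contents; keeps mode and owner
    rm -f "$tmp"
}

# Exit 0 when $1 carries exactly the PL1 flag line.
check_pl1() {
    grep -q "^flags:$PL1_FLAGS\$" "$1"
}

# Print the active expire-after value of $1, or "none" when trails are kept.
get_expiry() {
    v=$(sed -n 's/^expire-after://p' "$1")
    printf '%s\n' "${v:-none}"
}

# Convert each closed trail under $1 (default /var/audit) to XML beside it,
# skipping the open START.not_terminated trail and files already converted.
convert_closed_trails() {
    dir="${1:-/var/audit}"
    for t in "$dir"/[0-9]*.[0-9]*; do
        [ -f "$t" ] || continue
        case "$t" in *.xml) continue ;; esac
        [ -f "$t.xml" ] && continue
        praudit -x "$t" > "$t.xml"
    done
}

# Demo on a constructed 10.6-style audit_control (sample, not the real file).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
dir:/var/audit
flags:lo
minfree:5
naflags:lo
policy:cnt
filesz:1M
expire-after:10M
EOF
apply_pl1 "$SAMPLE" none
check_pl1 "$SAMPLE" && echo "flags OK, expiry: $(get_expiry "$SAMPLE")"
rm -f "$SAMPLE" "$SAMPLE.orig"
```

On a real 10.6 box run it as root with `apply_pl1 /etc/security/audit_control none` (or a size such as 100M instead of none), then `audit -s` to resync as in step 3; on 10.5 the AUDIT=-YES- line in /etc/hostconfig and the restart from the post are still needed. `convert_closed_trails` can be run from a periodic job to keep a text copy of every finished trail for review.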