Re: [Fed-Talk] How to configure auditing for use in a Closed Area
- Subject: Re: [Fed-Talk] How to configure auditing for use in a Closed Area
- From: "DeMattia, Edmond G." <email@hidden>
- Date: Thu, 28 Oct 2010 15:37:47 -0400
- Acceptlanguage: en-US
- Thread-topic: [Fed-Talk] How to configure auditing for use in a Closed Area
I added the flags you have listed below to /etc/security/audit_control (most
were already there) and executed audit -s to re-read the configuration.
I then switched to a normal user account and tried to touch /etc/passwd and
received a "permission denied" as expected.
Then I executed praudit -l /var/audit/the_current_audit_file but didn't see
a line with the failed attempt by the normal user. I even did an auditreduce
-e username /var/audit/the_current_audit_file and didn't get a positive
result. Nothing was returned.
Any ideas?
On 10/25/10 11:50 AM, "Dan O'Donnell" <email@hidden> wrote:
>
> For definitive configurations check with your DAA or govt representative.
> However...
>
> If you are configuring BSM (10.5) and OpenBSM (10.6) for NISPOM PL1, then
> you'll want to start with audit flags of: lo,ad,-fr,-fw,-fc,-fd,-fm,-cl.
>
> To do this use your preferred text editor (vi, BBEdit, TextEdit, whatever)
> and modify the following:
> 1. In /etc/security make a copy of audit_control and name one or the other
> audit_control.orig
> 2. Edit the working /etc/security/audit_control to include the flags listed
> above. You'll recognize which line to edit.
> 3. Resync auditing by issuing the following command in the command line:
> audit -s
>
> There are some significant differences between BSM in 10.5 and 10.6.
>
> _Activating the audit process_
> For BSM in 10.5 you must also start the process by adding the following to
> /etc/hostconfig: AUDIT=-YES- and then restarting the machine.
>
> Auditing is active by default in 10.6 so you do not need to invoke it in the
> hostconfig file or restart the machine. You will need to resync, as above.
>
>
> _Retaining your audit file archive_
> Your regulations may require you to keep an archive of the audit trail
> files. If you do backups then you already have this. If no backups, then you
> need to modify the BSM config in 10.6 - but not in 10.5.
>
> BSM in 10.6 automatically deletes audit trail files after the total audit
> trail file accumulated size goes over 10MB. You'll want to change this
> configuration (in /etc/security/audit_control) in some way so the audit
> trails aren't automatically purged from the system. (You can make the
> default delete size larger; or you can comment it out entirely and keep them
> forever, or until you manually delete them. Your strategy is up to you.)
>
>
> If you are required to review the audit trails you can do that by exporting
> them through the praudit utility, which is part of the BSM system.
> Alternatively, I've got a shell script that will automatically convert each
> audit trail to text as soon as it is completed and closed by the audit
> system.
>
> Hope that helps.
>
> Dan O'Donnell
>
>
> On 10/25/10 8:31 AM, "DeMattia, Edmond G." <email@hidden>
> wrote:
>
>> I have several Macs in a closed area that need to be configured for file and
>> directory level auditing. I need to be able to log failed attempts by users
>> trying to access files and folders on the local system for which they don't
>> have privileges to.
>>
>> I have a mix of 10.6 and 10.5 workstations. Any help is greatly
>> appreciated!!
>
>
>
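The configuration steps in the quoted reply (the flags line in /etc/security/audit_control and the size-based purge in 10.6), as an added shell example that is not from either poster: it parses a constructed audit_control file, checks that each flag in the quoted set is covered, and reports the retention key. The sample values are constructed, and expire-after is assumed to be the OpenBSM key behind the purge the reply describes.

```shell
#!/bin/sh
# Added example, not from the thread: parse an audit_control file, check the
# flag set quoted in the reply (lo,ad,-fr,-fw,-fc,-fd,-fm,-cl) and report the
# retention key. The sample file is constructed; on a real host point the
# functions at /etc/security/audit_control instead.

REQUIRED_FLAGS="lo ad -fr -fw -fc -fd -fm -cl"

# get_key FILE KEY: print the value of "KEY:" (first match, comments skipped).
get_key() {
    grep -v '^[[:space:]]*#' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" | head -n 1
}

# has_flag FLAGS TOKEN: true if TOKEN is in the comma-separated FLAGS value.
# A failure-only class like -fr is also covered by the full class fr or by "all".
has_flag() {
    _bare="${2#-}"
    case ",$1," in
        *",$2,"*|*",$_bare,"*|*",all,"*) return 0 ;;
    esac
    return 1
}

# check_flags FLAGS: true if every required flag is covered; otherwise the
# uncovered tokens are left in MISSING_FLAGS (space separated) for reporting.
check_flags() {
    MISSING_FLAGS=""
    for _f in $REQUIRED_FLAGS; do
        has_flag "$1" "$_f" || MISSING_FLAGS="$MISSING_FLAGS $_f"
    done
    MISSING_FLAGS="${MISSING_FLAGS# }"
    [ -z "$MISSING_FLAGS" ]
}

# Constructed sample: a stock-looking file with too few flags (not a real host's file).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
dir:/var/audit
flags:lo,ad,-fw,-fc
expire-after:10M
EOF

FLAGS=$(get_key "$SAMPLE" flags)
check_flags "$FLAGS" && echo "flags OK: $FLAGS" || echo "flags '$FLAGS' missing: $MISSING_FLAGS"
# expire-after is assumed to be the OpenBSM key behind the size-based purge.
echo "expire-after: $(get_key "$SAMPLE" expire-after)"
# Review step on a real host (not run here): auditreduce -e USER TRAILFILE | praudit -l
```

Flags only take effect for sessions that start after audit -s, so re-check after logging the test user in again.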