Re: [Fed-Talk] How to configure auditing for use in a Closed Area
- Subject: Re: [Fed-Talk] How to configure auditing for use in a Closed Area
- From: "Dan O'Donnell" <email@hidden>
- Date: Thu, 28 Oct 2010 12:40:03 -0700
- Thread-topic: [Fed-Talk] How to configure auditing for use in a Closed Area
On 10/28/10 12:37 PM, "DeMattia, Edmond G." <email@hidden>
wrote:
> I added the flags you have listed below to /etc/security/audit_control (most
> were already there) and executed audit -s to re-read the configuration.
>
> I then switched to a normal user account and tried to touch /etc/passwd and
> received a "permission denied" as expected.
audit -n to close the current audit file and start a new one.
> Then I executed praudit -l /var/audit/the_current_audit_file but didn't see
> a line with the failed attempt by the normal user. I even did an auditreduce
> -e username /var/audit/the_current_audit_file and didn't get a positive
> result. Nothing was returned.
>
> Any ideas?
praudit and auditreduce will not work on an open audit file.
>
>
> On 10/25/10 11:50 AM, "Dan O'Donnell" <email@hidden> wrote:
>
>>
>> For definitive configurations check with your DAA or govt representative.
>> However...
>>
>> If you are configuring BSM (10.5) and OpenBSM (10.6) for NISPOM PL1, then
>> you'll want to start with audit flags of: lo,ad,-fr,-fw,-fc,-fd,-fm,-cl.
>>
>> To do this use your preferred text editor (vi, BBEdit, TextEdit, whatever)
>> and modify the following:
>> 1. In /etc/security make a copy of audit_control and name one or the other
>> audit_control.orig
>> 2. Edit the working /etc/security/audit_control to include the flags listed
>> above. You'll recognize which line to edit.
>> 3. Resync auditing by issuing the following command in the command line:
>> audit -s
>>
>> There are some significant differences between BSM in 10.5 and 10.6.
>>
>> _Activating the audit process_
>> For BSM in 10.5 you must also start the process by adding the following to
>> /etc/hostconfig: AUDIT=-YES- and then restarting the machine.
>>
>> Auditing is active by default in 10.6 so you do not need to invoke it in the
>> hostconfig file or restart the machine. You will need to resync, as above.
>>
>>
>> _Retaining your audit file archive_
>> Your regulations may require you to keep an archive of the audit trail
>> files. If you do backups then you already have this. If no backups, then you
>> need to modify the BSM config in 10.6 - but not in 10.5.
>>
>> BSM in 10.6 automatically deletes audit trail files after the total audit
>> trail file accumulated size goes over 10MB. You'll want to change this
>> configuration (in /etc/security/audit_control) in some way so the audit
>> trails aren't automatically purged from the system. (You can make the
>> default delete size larger; or you can comment it out entirely and keep them
>> forever, or until you manually delete them. Your strategy is up to you.)
>>
>>
>> If you are required to review the audit trails you can do that by exporting
>> them through the praudit utility, which is part of the BSM system.
>> Alternatively, I've got a shell script that will automatically convert each
>> audit trail to text as soon as it is completed and closed by the audit
>> system.
>>
>> Hope that helps.
>>
>> Dan O'Donnell
>>
>>
>> On 10/25/10 8:31 AM, "DeMattia, Edmond G." <email@hidden>
>> wrote:
>>
>>> I have several Macs in a closed area that need to be configured for file and
>>> directory level auditing. I need to be able to log failed attempts by users
>>> trying to access files and folders on the local system for which they don't
>>> have privileges.
>>>
>>> I have a mix of 10.6 and 10.5 workstations. Any help is greatly
>>> appreciated!!
>>
>>
>>
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
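As an added example (not Dan's script and not part of the thread), a POSIX shell script in the spirit of the automatic text conversion Dan mentions: it exports each completed audit trail in the audit directory to text with praudit -l and skips the trail the audit system is still writing, which praudit and auditreduce cannot read. It assumes OpenBSM's trail naming (a closed trail is START.STOP with two 14-digit timestamps, the open trail ends in .not_terminated) and the default /var/audit directory; the PRAUDIT variable is a hypothetical override so the logic can be exercised on a host without OpenBSM.

```shell
#!/bin/sh
# Added example: export completed OpenBSM audit trails to text.
# Assumptions (not from the thread): trails live in /var/audit and follow
# OpenBSM naming, START.STOP for a closed trail (two 14-digit timestamps) and
# START.not_terminated for the trail still being written. The open trail is
# skipped because praudit and auditreduce cannot read it; run "audit -n" first
# if the current trail must be closed and included in the export.

AUDIT_DIR=${AUDIT_DIR:-/var/audit}          # "dir:" entry in audit_control
TEXT_DIR=${TEXT_DIR:-/var/audit/text}       # where the text exports are written
PRAUDIT=${PRAUDIT:-praudit}                 # override on hosts without OpenBSM

# is_closed_trail NAME: succeeds only for a completed START.STOP trail name.
is_closed_trail() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]{14}\.[0-9]{14}$'
}

# convert_closed_trails DIR OUT: write DIR/<trail> as OUT/<trail>.txt using
# "praudit -l" (one record per line); prints the number of trails converted.
convert_closed_trails() {
    dir=$1
    out=$2
    count=0
    mkdir -p "$out" || return 1
    for trail in "$dir"/*; do
        [ -f "$trail" ] || continue
        name=$(basename "$trail")
        is_closed_trail "$name" || continue        # skips .not_terminated
        [ -e "$out/$name.txt" ] && continue        # already exported
        if $PRAUDIT -l "$trail" > "$out/$name.txt"; then
            count=$((count + 1))
        else
            rm -f "$out/$name.txt"                 # do not keep partial output
        fi
    done
    echo "$count"
}

# Run only where the audit directory exists and is writable.
if [ -d "$AUDIT_DIR" ] && [ -w "$AUDIT_DIR" ]; then
    echo "converted $(convert_closed_trails "$AUDIT_DIR" "$TEXT_DIR") trail(s)"
fi
```

Running it again after a trail has been exported converts nothing new, so it can be scheduled repeatedly to keep the text archive current.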