Re: PDF-File-Verify-Sender:Re: [Fed-Talk] How to configure auditing for use in a Closed Area
- Subject: Re: PDF-File-Verify-Sender:Re: [Fed-Talk] How to configure auditing for use in a Closed Area
- From: "DeMattia, Edmond G." <email@hidden>
- Date: Thu, 28 Oct 2010 16:07:05 -0400
- Acceptlanguage: en-US
- Thread-topic: PDF-File-Verify-Sender:Re: [Fed-Talk] How to configure auditing for use in a Closed Area
Thank you for the information. I really appreciate it!
I seem to be able to look at the non-terminated log with praudit -l but
that's neither here nor there at this point. I terminated the log with
audit -n, attempted to touch /etc/passwd again as a normal user then did an
ls -l in the /var/audit directory and noted the new log file is zero bytes
in size. It seems the failed attempt by a normal user is not being logged.
At least not in the /var/audit log files.
Do I need to set additional flags in /etc/security/audit_control? I'm
becoming fearful I will have to declassify my Macs if I can't prove failed
attempts are being audited.
This is on the 10.5 systems. I haven't attempted this on the 10.6 systems
yet.
On 10/28/10 3:52 PM, "Dan O'Donnell" <email@hidden> wrote:
> I don't have time today to send more directions, but will do so tomorrow or
> more likely next week. In the meantime, when you do your testing you might
> also note the exact time at which you execute your test - including seconds.
>
> Also, Apple's documentation for BSM/OpenBSM interpretation is non-existent.
> The same can be said for TrustedBSD's documentation. The best we get right
> now (until the day that somebody, maybe me, does the documentation*) is the
> old 1995 documentation from Sun. See attached.
>
>
> *I am not a BSM expert. Am just somebody who has had to hobble along the
> learning path without documentation, and maybe end up with "if you want
> something done right - do it yourself".
>
>
>
> On 10/28/10 12:37 PM, "DeMattia, Edmond G." <email@hidden>
> wrote:
>
>> I added the flags you have listed below to /etc/security/audit_control (most
>> were already there) and executed audit -s to re-read the configuration.
>>
>> I then switched to a normal user account and tried to touch /etc/passwd and
>> received a "permission denied" as expected.
>>
>> Then I executed praudit -l /var/audit/the_current_audit_file but didn't see
>> a line with the failed attempt by the normal user. I even did an auditreduce
>> -e username /var/audit/the_current_audit_file and didn't get a positive
>> result. Nothing was returned.
>>
>> Any ideas?
>>
>>
>>
>>
>> On 10/25/10 11:50 AM, "Dan O'Donnell" <email@hidden> wrote:
>>
>>>
>>> For definitive configurations check with your DAA or govt representative.
>>> However...
>>>
>>> If you are configuring BSM (10.5) and OpenBSM (10.6) for NISPOM PL1, then
>>> you'll want to start with audit flags of: lo,ad,-fr,-fw,-fc,-fd,-fm,-cl.
>>>
>>> To do this use your preferred text editor (vi, BBEdit, TextEdit, whatever)
>>> and modify the following:
>>> 1. In /etc/security make a copy of audit_control and name one or the other
>>> audit_control.orig
>>> 2. Edit the working /etc/security/audit_control to include the flags listed
>>> above. You'll recognize which line to edit.
>>> 3. Resync auditing by issuing the following command in the command line:
>>> audit -s
>>>
>>> There are some significant differences between BSM in 10.5 and 10.6.
>>>
>>> _Activating the audit process_
>>> For BSM in 10.5 you must also start the process by adding the following to
>>> /etc/hostconfig: AUDIT=-YES- and then restarting the machine.
>>>
>>> Auditing is active by default in 10.6 so you do not need to invoke it in the
>>> hostconfig file or restart the machine. You will need to resync, as above.
>>>
>>>
>>> _Retaining your audit file archive_
>>> Your regulations may require you to keep an archive of the audit trail
>>> files. If you do backups then you already have this. If no backups, then you
>>> need to modify the BSM config in 10.6 - but not in 10.5.
>>>
>>> BSM in 10.6 automatically deletes audit trail files after the total audit
>>> trail file accumulated size goes over 10MB. You'll want to change this
>>> configuration (in /etc/security/audit_control) in some way so the audit
>>> trails aren't automatically purged from the system. (You can make the
>>> default delete size larger; or you can comment it out entirely and keep them
>>> forever, or until you manually delete them. Your strategy is up to you.)
>>>
>>>
>>> If you are required to review the audit trails you can do that by exporting
>>> them through the praudit utility, which is part of the BSM system.
>>> Alternatively, I've got a shell script that will automatically convert each
>>> audit trail to text as soon as it is completed and closed by the audit
>>> system.
>>>
>>> Hope that helps.
>>>
>>> Dan O'Donnell
>>>
>>>
>>> On 10/25/10 8:31 AM, "DeMattia, Edmond G." <email@hidden>
>>> wrote:
>>>
>>>> I have several Macs in a closed area that need to be configured for file
>>>> and directory level auditing. I need to be able to log failed attempts by
>>>> users trying to access files and folders on the local system for which
>>>> they don't have privileges to.
>>>>
>>>> I have a mix of 10.6 and 10.5 workstations. Any help is greatly
>>>> appreciated!!
>>>
>>>
>>
>> _______________________________________________
>> Do not post admin requests to the list. They will be ignored.
>> Fed-talk mailing list (email@hidden)
>> Help/Unsubscribe/Update your Subscription:
>>
>> This email sent to email@hidden
>
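An added example, not code from the thread or from either poster: a small POSIX shell check that validates an audit_control file against the flag set Dan lists (lo,ad,-fr,-fw,-fc,-fd,-fm,-cl) and warns when an active purge line would discard the trail. The two sample files are constructed inline, and the expire-after: keyword is assumed to be the 10.6 setting behind the 10MB purge Dan describes.

```shell
#!/bin/sh
# Added example, not from the thread: validate an audit_control file against
# the NISPOM PL1 flag set Dan listed and warn if trails are auto-purged.
# Class meanings: lo=login/logout, ad=administrative; a leading "-" keeps only
# failures: -fr read, -fw write, -fc create, -fd delete, -fm attr modify, -cl close.
REQUIRED_FLAGS="lo ad -fr -fw -fc -fd -fm -cl"

# Succeeds if every required class is on the flags: line of file $1.
check_flags() {
    flags=$(sed -n 's/^flags:[[:space:]]*//p' "$1" | tr ',' ' ')
    missing=""
    for f in $REQUIRED_FLAGS; do
        found=0
        for g in $flags; do
            [ "$g" = "$f" ] && found=1
        done
        [ "$found" -eq 0 ] && missing="$missing $f"
    done
    [ -z "$missing" ] && return 0
    echo "missing audit classes:$missing"
    return 1
}

# Succeeds if no active expire-after: line (assumed purge keyword) is present.
check_expire() {
    if grep -q '^expire-after:' "$1"; then
        echo "auto-purge active: $(grep '^expire-after:' "$1")"
        return 1
    fi
    return 0
}

# Two constructed sample files: shipped-style defaults vs. the corrected set.
TMP=$(mktemp -d)
WEAK="$TMP/audit_control.weak"; GOOD="$TMP/audit_control.good"
printf 'dir:/var/audit\nflags:lo\nminfree:20\nnaflags:lo\npolicy:cnt\nfilesz:0\nexpire-after:10M\n' >"$WEAK"
printf 'dir:/var/audit\nflags:lo,ad,-fr,-fw,-fc,-fd,-fm,-cl\nminfree:20\nnaflags:lo\npolicy:cnt\nfilesz:0\n#expire-after:10M\n' >"$GOOD"

for f in "$WEAK" "$GOOD"; do
    if check_flags "$f" && check_expire "$f"; then
        echo "$f: OK"
    else
        echo "$f: needs attention"
    fi
done
```

Run it against the real /etc/security/audit_control by passing that path to the two functions; a non-zero return from check_flags means a failed-access class is absent and such attempts will not appear in /var/audit.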