On Tuesday 27 May 2008 10:00:19 corbin wrote:

> Can these rules apply to RHEL4 or just RHEL5?

The rules are different between RHEL4 and 5. RHEL5 has more syscalls than 4 did. It also has more options in auditctl & kernel to make rules capture just the required data. Some things you simply can't express in RHEL4. For example, the ability to audit only users (auid>=500) rather than everything including daemons. For RHEL4, you can get everything required for NISPOM, but you depend more on the reduction tools and eat more disk space doing so.

> However, I am just exploring the audit.rules settings in RHEL and wanted to
> know if these changes are particular to a specific version of Red Hat.

I believe that RHEL4 has a nispom.rules file also. It has not been updated in quite a while, but it should be a good starting point. It probably needs updating for arch=b32 and 64 so that biarch machines get the right syscalls being audited.

-Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
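An added example, not part of the thread, that shows the two rule shapes discussed above: the RHEL5 form, which can restrict auditing to real login sessions (auid>=500) and needs one line per ABI (arch=b32 and arch=b64) on biarch hosts, beside the RHEL4 form that has no such filters. The syscall and key names are constructed, and the RHEL4 `-a exit,always` syntax is an assumption.

```shell
#!/bin/sh
# Constructed example: emit audit rules for a syscall in both styles.
# Output is meant for /etc/audit/audit.rules or "auditctl -R"; nothing is loaded here.

# Loginuid of processes that never went through PAM login (daemons) is -1,
# which shows up as this unsigned 32-bit value; excluding it drops daemon noise.
UNSET_AUID=4294967295

# rhel5_rule SYSCALL KEY
# Prints two rules, one per ABI, so a biarch machine audits both 32- and 64-bit
# callers, each limited to interactive users (auid>=500, not unset).
rhel5_rule() {
    for arch in b32 b64; do
        printf '%s\n' "-a always,exit -F arch=$arch -S $1 -F auid>=500 -F auid!=$UNSET_AUID -k $2"
    done
}

# rhel4_rule SYSCALL
# Assumed RHEL4 syntax: no arch and no auid field filters exist, so the rule
# fires for every process (daemons included) and the log must be reduced later.
rhel4_rule() {
    printf '%s\n' "-a exit,always -S $1"
}

# Stand-alone usage: print a NISPOM-style file access rule in both forms.
rhel5_rule open access
rhel4_rule open
```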
