On Wednesday, March 09, 2011 06:33:30 am [email protected] wrote: > I'm new to auditd, and have been assign to come up with a "best practice" > standard for the deployment and audit settings for Linux servers using > auditd, Other then the man pages does anyone have any suggestions for > "best practices", books or training courses that would help me get a > better understanding of auditd and its syntax?
There is a audit.rules man page that discusses some ideas about how to conduct and investigation. Being able to do an investigation depends on the rules you give the audit system. If you don't have a watch on a document that you really care about, then you might get an event showing someone accessed it. The rules are essentially the same as auditctl without its name. So, you can look at its man page to get an idea of its syntax. I also would not start writing an audit.rules file from scratch. There are 3 or 4 sample rule files in the package. I would start with one of them and customize it to your needs. The stig.rules file is probably the best one to start with. As for additional information I have a couple presentations here: http://people.redhat.com/sgrubb/audit/ that might be useful. Also you can look at the NSA SNAC guide for RHEL5 which should have some discussion about the audit system. -Steve -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
