
Critical System Protection and Linux auditing

Created: 13 Sep 2012 • Updated: 21 Nov 2012 | 1 comment
This issue has been solved. See solution.

Linux uses the audit.rules file to determine what files get audited. CSP uses the Unix or Linux template to determine auditing. Does CSP parse /var/log/messages and /var/log/secure in any way? How does CSP get its audits: from the audit.rules daemon or some other way?

Here is the issue. We have a DISA STIG requirement to audit a boatload of data, which is filling up audit logs rather quickly. If CSP was independent and could capture the same audits, we could turn off the audit daemon in Red Hat and just use CSP's built-in audit templates.

Part II of the question:

Does anyone know of an updated Linux template similar to the Unix Baseline Detection? The Unix Baseline Detection has files and folders which do not exist in Red Hat Linux.

V/R
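The question above rests on how auditd decides what to watch: the `-w PATH -p PERMS -k KEY` lines in audit.rules. The following is an added example, not code from the thread or from Symantec CSP. It parses watch rules from a constructed audit.rules fragment (the sample paths and keys are made up for illustration), counts rules per key so you can see which STIG keys generate the most watches, and reports watched paths that do not exist on the host, which is the same mismatch the question describes between a generic Unix template and a Red Hat box. The `exists` parameter is a hypothetical hook so the check can run against a canned path list instead of the live filesystem.

```python
"""Parse auditd file-watch rules and report watched paths missing on this host.

Added example; not part of the original Symantec Connect thread or of CSP.
"""
import os
import shlex
import sys
from dataclasses import dataclass

# Constructed sample in audit.rules syntax (not taken from the page).
SAMPLE_RULES = """
## identity files
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
# present on some distributions only
-w /etc/sysconfig/network -p wa -k network
-w /usr/sbin/placeholder-tool -p x -k privileged
# syscall rule, not a file watch; the parser skips it
-a always,exit -F arch=b64 -S execve -k exec
"""


@dataclass
class Watch:
    path: str
    perms: str
    key: str


def parse_watches(text):
    """Return the -w file watches found in audit.rules text, in order."""
    watches = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        if "-w" not in tokens:
            continue  # -a/-S syscall rules are not file watches
        # Assumption: a watch with no -p triggers on all access types (rwxa).
        path, perms, key = "", "rwxa", ""
        i = 0
        while i < len(tokens):
            tok = tokens[i]
            if tok in ("-w", "-p", "-k") and i + 1 < len(tokens):
                val = tokens[i + 1]
                if tok == "-w":
                    path = val
                elif tok == "-p":
                    perms = val
                else:
                    key = val
                i += 2
            else:
                i += 1
        if path:
            watches.append(Watch(path, perms, key))
    return watches


def keys_by_count(watches):
    """Map each -k key to the number of watches carrying it."""
    counts = {}
    for w in watches:
        counts[w.key] = counts.get(w.key, 0) + 1
    return counts


def missing_paths(watches, exists=os.path.exists):
    """Watched paths that do not exist; `exists` is injectable for testing."""
    return [w.path for w in watches if not exists(w.path)]


if __name__ == "__main__":
    # Usage: python audit_watches.py [/etc/audit/audit.rules]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            rules_text = fh.read()
    else:
        rules_text = SAMPLE_RULES
    found = parse_watches(rules_text)
    print(f"{len(found)} file watches")
    for key, n in sorted(keys_by_count(found).items()):
        print(f"  key {key!r}: {n} watch(es)")
    for path in missing_paths(found):
        print(f"  watched path not present on this host: {path}")
```

Run it against the real rules file on a host to see which template entries point at paths that do not exist there; a large per-key count is also a quick indicator of which STIG rule group is producing most of the volume that is filling the audit log.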


Chuck Edson

Yes, you can use SCSP to audit log files and send the data to the SCSP database. You can copy everything, or just certain events, depending on how you tune the policies and/or detection configs.

Use the Unix Baseline Detection Policy on Red Hat; it is designed to be used on all the supported flavors of -ix. Even if there are parts of the policy that reference files/folders that are not there, it should apply properly and give you the data you are looking for.

Upon install, SCSP edits the syslog config files to have the info piped to the SCSP logs; that is where the info comes from.

If a post helps you, please mark it as the solution to your issue.
