
Critical System Protection and Linux auditing

Created: 13 Sep 2012 • Updated: 21 Nov 2012 | Comments: 1
This issue has been solved. See the solution below.

Linux uses the audit.rules file to determine what files get audited. CSP uses the Unix or Linux template to determine auditing. Does CSP parse the /var/log/messages and /var/log/secure in any way? How does CSP get its audits, from the audit.rules daemon or some other way?

Here is the issue. We have a DISA STIG requirement to audit a boatload of data which is filling up audit logs rather quickly. If CSP were independent and captured the same audits, we could turn off the audit daemon in Redhat and just use CSP's built-in audit templates.

Part II of the question:

Does anyone know of an updated Linux template similar to the unix baseline detection? The unix baseline detection has files and folders which do not exist in Redhat Linux.

V/R
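The question above is about STIG audit rules filling the audit logs faster than expected. As an added example (not part of the original thread and not CSP code), this Python script groups Linux audit.log records into events by their serial number and attributes each event's record count and byte volume to the audit.rules key that produced it, so a defender can see which rules dominate the volume before deciding how the data should be collected. The log lines are constructed samples in the standard auditd record format.

```python
import re
from collections import defaultdict

# Constructed sample of Linux audit.log records (not from the original post).
# One audit event can span several records that share the msg=audit(ts:serial)
# id; only the SYSCALL record carries key= naming the audit.rules entry matched.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1347500000.101:201): arch=c000003e syscall=2 success=yes exit=3 auid=1000 uid=0 comm="cat" exe="/bin/cat" key="access"
type=CWD msg=audit(1347500000.101:201): cwd="/root"
type=PATH msg=audit(1347500000.101:201): item=0 name="/etc/shadow" inode=1234 mode=0100000
type=SYSCALL msg=audit(1347500000.102:202): arch=c000003e syscall=2 success=no exit=-13 auid=1000 uid=1000 comm="vi" exe="/usr/bin/vi" key="access"
type=PATH msg=audit(1347500000.102:202): item=0 name="/etc/shadow" inode=1234 mode=0100000
type=SYSCALL msg=audit(1347500000.103:203): arch=c000003e syscall=59 success=yes exit=0 auid=1000 uid=1000 comm="id" exe="/usr/bin/id" key="exec"
type=EXECVE msg=audit(1347500000.103:203): argc=1 a0="id"
type=USER_LOGIN msg=audit(1347500000.104:204): pid=900 uid=0 auid=1000 msg='op=login id=1000 exe="/usr/sbin/sshd" res=success'
"""

RECORD_RE = re.compile(r'^type=(\S+) msg=audit\(([\d.]+):(\d+)\):\s*(.*)$')
KEY_RE = re.compile(r'\bkey="?([^"\s]+)"?')
NO_KEY = "(no key)"

def parse_record(line):
    """Split one audit record into (type, timestamp, serial, rest); None if malformed."""
    m = RECORD_RE.match(line.strip())
    return (m.group(1), float(m.group(2)), int(m.group(3)), m.group(4)) if m else None

def summarise_by_key(log_text):
    """Group records into events by serial, then attribute every record (and its
    size in bytes) to the key of the rule that produced the event."""
    events = defaultdict(list)                # serial -> raw lines of that event
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:                               # skip lines that are not audit records
            events[rec[2]].append(line)
    summary = defaultdict(lambda: {"events": 0, "records": 0, "bytes": 0})
    for lines in events.values():
        key = NO_KEY
        for line in lines:                    # key= normally sits on the SYSCALL record
            m = KEY_RE.search(line)
            if m and m.group(1) != "(null)":
                key = m.group(1)
                break
        summary[key]["events"] += 1
        summary[key]["records"] += len(lines)
        summary[key]["bytes"] += sum(len(l.encode()) + 1 for l in lines)  # +1 for newline
    return dict(summary)

def top_keys(summary, n=5):
    """Rule keys ordered by bytes written, largest first."""
    return sorted(summary.items(), key=lambda kv: kv[1]["bytes"], reverse=True)[:n]

if __name__ == "__main__":
    for key, stats in top_keys(summarise_by_key(SAMPLE_AUDIT_LOG)):
        print(f"{key:12} events={stats['events']:4} records={stats['records']:4} bytes={stats['bytes']:6}")
```

Run it against a real /var/log/audit/audit.log by reading the file into summarise_by_key; events whose SYSCALL record was lost to log rotation land under "(no key)".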


Chuck Edson

Yes, you can use SCSP to audit log files and send the data to the SCSP database. You can copy everything, or just certain events, depending on how you tune the policies and/or detection configs.

Use the unix Baseline Detection Policy on Redhat -- it is designed to be used on all the supported flavors of -ix.  Even if there are parts of the policy that reference files/folders that are not there, it should apply properly and give you the data you are looking for.

Upon install, SCSP edits the syslog config files to have the info piped to the SCSP logs; that is where the info comes from.

If a post helps you, please mark it as the solution to your issue.

Solution