<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE>RE: [olug] C2 Auditing on RedHat?</TITLE>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 5.50.4807.2300" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT face="Courier New" size=2>Better plan on committing a large part of
your file system (in its own partition) to collecting the audits and you
will want a good audit reduction tool to help analyze your results.
Depending on your audit requirements and system usage, archiving and moving the
audit data across the network to a collection/tape backup system can take a fair
amount of resources. </FONT></DIV>
<DIV><FONT face="Courier New" size=2></FONT> </DIV>
<DIV><FONT face="Courier New" size=2>Also think out what you will do when/if
the partition for collecting gets full. It may not be acceptable to
put subsequent audits in the bit bucket! If C2 audits are being
levied on you, you may not be allowed to have gaps in the log information
collected. If so, this would mean a stoppage until space is again
available.</FONT></DIV>
<DIV><FONT face="Courier New" size=2></FONT> </DIV>
<DIV><FONT face="Courier New" size=2>My experience with Solaris C2 audits was
that we could not install Solaris and our infrastructure tools with all audits
turned on on a minimal system - we would fill the audits partition before the
installation completed. </FONT></DIV>
<DIV><FONT face="Courier New" size=2></FONT> </DIV>
<DIV><FONT face="Courier New" size=2>Sam
Deel<BR>=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-<BR>Everybody's
got to believe in something, I believe I'll have another
beer...<BR>=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-<BR></FONT></DIV>
<BLOCKQUOTE dir=ltr
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV style="FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV
style="BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color: black"><B>From:</B>
<A title=John.C.Rogers@nwd02.usace.army.mil
href="mailto:John.C.Rogers@nwd02.usace.army.mil">Rogers, John C NWD02</A>
</DIV>
<DIV style="FONT: 10pt arial"><B>To:</B> <A title=olug@olug.org
href="mailto:'olug@olug.org'">'olug@olug.org'</A> </DIV>
<DIV style="FONT: 10pt arial"><B>Sent:</B> Wednesday, August 28, 2002 2:35
PM</DIV>
<DIV style="FONT: 10pt arial"><B>Subject:</B> RE: [olug] C2 Auditing on
RedHat?</DIV>
<DIV><BR></DIV>
<P><FONT size=2>The only C2 type of auditing of Linux that I know of is the
security enhanced version of Linux from the NSA.</FONT> </P>
<P><FONT size=2>This version audits just about anything and every change or
permission that the system can have done to it. It is an attempt to
build a C2 OS like Trusted Solaris and the others but has not been certified
or tested for C2.</FONT></P>
<P><FONT size=2>Find it at <A target=_blank
href="http://www.nsa.gov/selinux/">http://www.nsa.gov/selinux/</A></FONT> </P>
<P><FONT size=2>Hope it helps,</FONT> <BR><FONT size=2>John</FONT> </P>
<P><FONT size=2>-----Original Message-----</FONT> <BR><FONT size=2>From:
Blaufuss, Shane [<A
href="mailto:sblaufuss@fnni.com">mailto:sblaufuss@fnni.com</A>]</FONT>
<BR><FONT size=2>Sent: Wednesday, August 28, 2002 1:14 PM</FONT> <BR><FONT
size=2>To: olug@olug.org</FONT> <BR><FONT size=2>Subject: [olug] C2 Auditing
on RedHat?</FONT> </P><BR>
<P><FONT size=2>Does anyone know if this is possible? There doesn't seem
to be any auditing</FONT> <BR><FONT size=2>packages included with the
distro. I was hoping for something like</FONT> <BR><FONT
size=2>Solaris's auditd.</FONT> </P><BR>
<P><FONT size=2>--</FONT> <BR><FONT size=2>Shane M. Blaufuss</FONT>
<BR><FONT size=2>Systems Engineer</FONT> <BR><FONT size=2>First Nat.'l Bank of
Omaha</FONT> <BR><FONT size=2>(402) 633-7288 </FONT></P>
</BLOCKQUOTE></BODY></HTML>