I recently installed the audit code on my current system. It comes up and works fine, the logs rotate properly and all is copacetic. Now I would like to develop audit policies for a few typical installations.

1) Departmental server. Serves files, mail, web proxies and application proxies. What are the appropriate events to audit to enhance IT security in an environment that probably doesn't have an IT staff?

2) Workstation. Used as an application client, with e-mail, web and network services. Probably has access to printers and file servers. Is potentially exposed to spam and malware.

3) Routers and infrastructure servers. Provide network services: DHCP, network address translation, routing, PXE, proxies, etc. How best to audit this box?

For each of these types of IT provider, we need to monitor activity for security purposes first, and perhaps also for cost accounting. The audit daemon provides records with varying degrees of importance. How should we separate and report so as to achieve the timeliness that we need?

I'm trying to put together a white paper on the use of auditing to complement the excellent installation and operation information in the Handbook. All suggestions are welcome.

-- 
Best regards,
Derek Tattersall
dlt_at_mebtel.net
dlt666_at_yahoo.com
dtatters_at_gmail.com

Received on Wed May 31 2006 - 17:11:50 UTC