From: Derek Tattersall <dlt@mebtel.net>
To: current@FreeBSD.org
Subject: Use of the audit subsystem
Date: Wed, 31 May 2006 15:11:39 -0400 (EDT)
Message-Id: <200605311911.k4VJBdr0080562@sukey.arm.org>
List-Id: Discussions about the use of FreeBSD-current <freebsd-current@freebsd.org>

I recently installed the audit code on my current system. It comes up and works fine, the logs rotate properly and all is copacetic.

Now I would like to develop audit policies for a few typical installations.

1) Departmental server. Serves files, mail, web proxies and application proxies. What are the appropriate events to audit to enhance the IT security in an environment that probably doesn't have an IT staff?

2) Workstation. Used as an application client, with e-mail, web and network services. Probably has access to printers and file servers. Is potentially exposed to spam and malware.

3) Routers and infrastructure servers. Provide network services, DHCP, network address translation, routing, PXE, proxies etc. How best to audit this box?

For each of these types of IT provider, we need to monitor activity for security purposes first, and perhaps also for cost accounting. The audit daemon provides records with varying degrees of importance. How should we separate and report so as to achieve the timeliness that we need?

I'm trying to put together a white paper on the use of auditing to complement the excellent installation and operation information in the Handbook. All suggestions are welcome.

-- 
Best regards,
Derek Tattersall
dlt@mebtel.net
dlt666@yahoo.com
dtatters@gmail.com
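The post asks two things: which audit classes fit each installation type, and how to separate high-importance records from the bulk so they can be reported promptly. The following script is an added example, not code from the original post or from the FreeBSD project. It renders a starting-point /etc/security/audit_control for each of the three roles using the standard audit_class(5) names (lo, aa, ad, fw, fc, fd, fm, ex, nt), with the per-role class selection being this example's own suggestion, and it triages one-line records in the style of praudit -l into an "alert" bucket (authentication, privilege change, administrative events, and any failure) and a "daily" bucket for batch review. The sample trail lines, the ROLE_FLAGS table and the ALERT_EVENTS list are constructed for the example.

```python
"""Added example: per-role audit_control rendering and praudit -l triage.

The role policies below are a suggested starting point (an assumption of
this example), not an official FreeBSD recommendation; tune them locally.
"""
from collections import defaultdict

# Per-role (flags, naflags) for audit_control(5).
# "+class" records successes only, "-class" failures only, plain = both.
ROLE_FLAGS = {
    # File/mail/proxy server without dedicated IT staff: logins, auth and
    # administrative actions always; file writes/creates/deletes only when
    # they fail (permission probing) to keep the trail small.
    "departmental-server": ("lo,aa,ad,-fw,-fc,-fd", "lo,aa"),
    # Workstation exposed to spam and malware: also record every exec so
    # unexpected programs show up in the trail.
    "workstation": ("lo,aa,ad,ex,-fw", "lo,aa"),
    # Router / infrastructure host: add the network class; ex omitted.
    "router": ("lo,aa,ad,nt,-fw,-fm", "lo,aa,nt"),
}


def render_audit_control(role, audit_dir="/var/audit", minfree=20, filesz="2M"):
    """Return the text of an audit_control file for the given role."""
    flags, naflags = ROLE_FLAGS[role]
    return (
        f"dir:{audit_dir}\n"
        f"flags:{flags}\n"
        f"minfree:{minfree}\n"
        f"naflags:{naflags}\n"
        "policy:cnt,argv\n"   # keep running if auditing fails; log exec argv
        f"filesz:{filesz}\n"
    )


# Constructed sample trail in the one-record-per-line layout of "praudit -l"
# (header,...,event name,...,subject,...,return,status,...). All values are
# made up for this example.
SAMPLE_TRAIL = [
    "header,133,10,OpenSSH login,0,Wed May 31 15:11:39 2006, + 204 msec,"
    "subject,dlt,dlt,users,dlt,users,1456,1456,54124,192.0.2.10,return,success,trailer,133",
    "header,133,10,OpenSSH login,0,Wed May 31 15:12:02 2006, + 11 msec,"
    "subject,-1,-1,-1,-1,-1,1460,1460,54130,198.51.100.7,return,failure : Permission denied,1,trailer,133",
    "header,122,10,su(1),0,Wed May 31 15:13:40 2006, + 5 msec,"
    "subject,dlt,root,wheel,dlt,users,1470,1456,54124,192.0.2.10,return,success,trailer,122",
    "header,150,10,execve(2),0,Wed May 31 15:14:01 2006, + 9 msec,"
    "subject,dlt,dlt,users,dlt,users,1481,1456,54124,192.0.2.10,return,success,trailer,150",
    "header,140,10,open(2) - write,0,Wed May 31 15:14:30 2006, + 2 msec,"
    "subject,dlt,dlt,users,dlt,users,1481,1456,54124,192.0.2.10,return,failure : Permission denied,-1,trailer,140",
]

# Event-name fragments that warrant prompt reporting regardless of outcome
# (roughly the lo/aa/ad classes). Assumption: extend for local needs.
ALERT_EVENTS = ("login", "logout", "su(1)", "setuid", "auditon", "reboot", "shutdown")


def parse_record(line):
    """Return (event name, 'success'|'failure') from a praudit -l line, or None."""
    f = line.split(",")
    try:
        h = f.index("header")
        r = f.index("return")
    except ValueError:
        return None
    if h + 3 >= len(f) or r + 1 >= len(f):
        return None
    event = f[h + 3]
    status = "success" if f[r + 1].startswith("success") else "failure"
    return event, status


def triage(lines):
    """Split records into 'alert' (report now), 'daily' (batch) and 'malformed'."""
    buckets = defaultdict(list)
    for line in lines:
        parsed = parse_record(line)
        if parsed is None:
            buckets["malformed"].append(line)
            continue
        event, status = parsed
        if status == "failure" or any(k in event.lower() for k in ALERT_EVENTS):
            buckets["alert"].append((event, status))
        else:
            buckets["daily"].append((event, status))
    return dict(buckets)


if __name__ == "__main__":
    print(render_audit_control("departmental-server"))
    for bucket, records in triage(SAMPLE_TRAIL).items():
        print(bucket, len(records), records)
```

In use, the triage function would be fed the output of `praudit -l` over the trail files in `/var/audit` (or the live `/dev/auditpipe`); the "alert" bucket is what an unstaffed site would mail out immediately, while "daily" goes into a batch report. Any record whose `return` field is a failure is escalated regardless of class, because a failed write or exec on a file server is more often a sign of probing than of normal use.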