Changes

FIPS Operational Environment

1,761 bytes added, 17:25, 9 June 2006
Access to Audit Data
===Access to Audit Data===
====Access to syslog Messages====
On Unix (including Linux and Mac OS X), the NSS module uses the <code>syslog()</code> function to audit events, so the NSS audit data are stored in the system log. Only the root user can modify the system log. On some platforms, only the root user can read the system log; on other platforms, all the users can read the system log. The system log is usually under the <code>/var/adm</code> or <code>/var/log</code> directory. The exact location of the system log is specified in the <code>/etc/syslog.conf</code> file. NSS uses the default '''user''' facility and the '''info''', '''warning''', and '''err''' severity levels for its log messages. We give two examples below.

'''Red Hat Enterprise Linux 4''': The <code>/etc/syslog.conf</code> file on Red Hat Enterprise Linux 4 has:
 *.info;mail.none;authpriv.none;cron.none /var/log/messages
which specifies that <code>/var/log/messages</code> is the system log file. The permission bits of the system log are:
 $ ls -l /var/log/messages
 -rw------- 1 root root 38054 Jun 9 10:18 /var/log/messages
so only the root user can read or modify the system log.

'''Solaris 10''': The <code>/etc/syslog.conf</code> file on Solaris 10 has:
 *.err;kern.debug;daemon.notice;mail.crit /var/adm/messages
which specifies that <code>/var/adm/messages</code> is the system log file. The permission bits of the system log are:
 $ ls -l /var/adm/messages
 -rw-r--r-- 1 root root 0 Jun 7 03:10 /var/adm/messages
so all users can read the system log, but only the root user can modify it.

====Access to System Audit Log====
To meet the audit requirements of FIPS 140-2 at Security Level 2, on Red Hat Enterprise Linux 4 and Solaris, the NSS module also uses the audit mechanism provided by the operating system to audit events, so the NSS audit data are also stored in the system audit log. Only the root user can read or modify the system audit log.

On Red Hat Enterprise Linux 4, the system audit log is in the <code>/var/log/audit</code> directory. This directory and the log files in it have the following permission bits (the following commands were run as the root user; only the root user can run the second command):
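
Added example, not part of the original page or of NSS: a small Python model of the <code>syslog.conf</code> selector rules, applied to the two lines quoted under "Access to syslog Messages", showing which log files receive '''user'''-facility messages at the '''info''', '''warning''', and '''err''' levels, together with a classification of the <code>ls -l</code> permission bits. It assumes the common selector subset (facility lists, <code>*</code>, level-and-above matching, <code>none</code>); all function names are illustrative.

```python
import stat

# Severities, most severe first; selector "fac.level" accepts that level and above.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
NSS_FACILITY, NSS_LEVELS = "user", ["info", "warning", "err"]  # as stated on the page

def selector_matches(selectors, facility, level):
    """Evaluate ';'-separated selectors left to right (simplified model:
    facility lists, '*', level-and-above, and 'none'; no '=' or '!' prefixes)."""
    matched = False
    for sel in selectors.split(";"):
        facs, _, prio = sel.strip().rpartition(".")
        if not {facility, "*"} & set(facs.split(",")):
            continue  # selector is about other facilities
        if prio == "none":
            matched = False
        elif prio == "*" or (prio in LEVELS and LEVELS.index(level) <= LEVELS.index(prio)):
            matched = True
    return matched

def nss_destinations(conf_text):
    """Map each NSS severity to the log files that receive user.<severity>."""
    result = {lvl: [] for lvl in NSS_LEVELS}
    for line in conf_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue  # blank line, comment, or selector without an action
        action = parts[1].strip().lstrip("-")  # sysklogd "-" prefix means "no sync"
        if action.startswith("/"):             # only file destinations are of interest
            for lvl in NSS_LEVELS:
                if selector_matches(parts[0], NSS_FACILITY, lvl):
                    result[lvl].append(action)
    return result

def read_access(mode):
    """Classify who can read (or improperly write) a log file from its mode bits."""
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "writable by non-owner"
    if mode & stat.S_IROTH:
        return "readable by all users"
    return "readable by group" if mode & stat.S_IRGRP else "owner only"

# The two syslog.conf lines quoted on the page; the modes below are from its ls -l output.
RHEL4 = "*.info;mail.none;authpriv.none;cron.none /var/log/messages"
SOLARIS10 = "*.err;kern.debug;daemon.notice;mail.crit /var/adm/messages"

if __name__ == "__main__":
    for name, conf, mode in (("RHEL 4", RHEL4, 0o600), ("Solaris 10", SOLARIS10, 0o644)):
        print(name, nss_destinations(conf), read_access(mode))
```

On a live system, pass the full contents of <code>/etc/syslog.conf</code> and <code>os.stat(path).st_mode</code> for each destination. For the single Solaris 10 line quoted above, only the '''err''' level matches the <code>*.err</code> selector, so it is worth checking the rest of that file for where '''user''' messages at '''info''' and '''warning''' are routed.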