canmove, Confirmed users
937
edits
FIPS Operational Environment: Difference between revisions
→Access to System Audit Log
No edit summary |
|||
| Line 138: | Line 138: | ||
====Access to System Audit Log==== | ====Access to System Audit Log==== | ||
To meet the audit requirements of FIPS 140-2 at Security Level 2, on Red Hat Enterprise Linux 4 and Trusted Solaris, the NSS cryptographic module can be configured to use the audit mechanism provided by the operating system to audit events. The audit data will be stored in the system audit log. Only the root user can read or modify the system audit log. Auditing is turned off by default. To turn on the auditing capability, you need to set the environment variable NSS_ENABLE_AUDIT to 1. You also need to configure the operating | To meet the audit requirements of FIPS 140-2 at Security Level 2, on Red Hat Enterprise Linux 4 and Trusted Solaris, the NSS cryptographic module can be configured to use the audit mechanism provided by the operating system to audit events. The audit data will be stored in the system audit log. Only the root user can read or modify the system audit log. Auditing is turned off by default. To turn on the auditing capability, you need to set the environment variable NSS_ENABLE_AUDIT to 1. You also need to configure the operating system's audit mechanism. | ||
On Red Hat Enterprise Linux 4, the system audit log is in the <code>/var/log/audit</code> directory. This directory and the log files in it have the following permission bits (the following commands were run as the root user; only the root user can run the second command): | On Red Hat Enterprise Linux 4, the system audit log is in the <code>/var/log/audit</code> directory. This directory and the log files in it have the following permission bits (the following commands were run as the root user; only the root user can run the second command): | ||
| Line 157: | Line 157: | ||
Edit /etc/security/audit_class | Edit /etc/security/audit_class | ||
add line: | add line: | ||
0x99000000:fp:NSS | 0x99000000:fp:NSS FIPS Security Msgs | ||
Edit /etc/security/audit_event | Edit /etc/security/audit_event | ||
| Line 169: | Line 169: | ||
Turn on audit service: | Turn on audit service: | ||
On Trusted Solaris 8 auditing is enabled by default | On Trusted Solaris 8 auditing is enabled by default; for non-trusted Solaris run: /etc/security/bsmconv (either as root or a user that has been given the Audit Control RBAC profile in Solaris 8) | ||
reboot your system. | reboot your system. | ||
After the system has rebooted ensure auditd is running: ps -ecf | grep auditd | After the system has rebooted, ensure auditd is running: ps -ecf | grep auditd | ||
'''Viewing the audit trail:''' | '''Viewing the audit trail:''' | ||
By default the audit logs are stored in /var/audit. To view the active audit trail ensure there is only one *not_terminated* audit files. If there are others delete the older ones before executing this command. | By default the audit logs are stored in /var/audit. To view the active audit trail, ensure there is only one *not_terminated* audit files. If there are others, delete the older ones before executing this command. | ||
#cd /var/audit | #cd /var/audit | ||