Can anyone tell me where I can find the RPM that installs LAUS? I've search all the CDs looking for apparent names and even read CD 1 and CD 2 but nothing jumps out and tells me where I can find the LAUS application bundled in a RPM.

A million thanks
John

Disc 9 has audit-0.5.src.rpm. Can anyone tell me if this is LAuS?

Sorry ment to say audit-0.5-1.src.rpm.

I found auditd and auditctl in by /sbin, do these files encompass LAuS and all I need to do is launch the executeables, I was told by someone that auditd is LAuS hmm.

On RHEL 4 WS disk 2 performed a rpm -qlvp *audit to see what this rpm (audit-0.5-1.x86_64.rpm) included, all it said was auditd and auditctl will be placed in your /sbin.

These files are already loaced in /sbin. I'm lost at this point. I dont have a audit.conf file or audit-libs files. I know I'm making this harder than what it probably is but urg!

auditd is running with a processes when I type chkconfig auditd while in the /sbin directory, when I logout thought I think the PID is killed.

Help, simply trying to use the auditd utility and veiw the logs with the LINUX GUI interface.

Ok,

I was told I would have a etc/audit.rules file, no such files nor a var/log/audit/audit.log file. I have no audit-libs files or audit.conf file. Any ideas; is this a partial install of the auditd capability?

http://www.redhat.com/docs/manuals/e...-s390x-en.html

The site above does not imply I have to do much and it should work the second I invokde auditd however, many of the assumed files and directories were not on my linux RHEL 4 WS 64 bit 2.6.9-5.Elsmp system.

This part of the thread should really be in a thread of its own in the Linux Security forum since it appears you're past installing your software...


Then 'rpm -qf /sbin/auditd' should show the name and version of the package.


What does 'rpm -ql audit' say?


To be correct it's /etc/audit/audit.rules. No /var/log/audit/ dir? audit-libs is for apps to log auditing info. Running 'rpm -q --whatrequires audit-libs' shows audit, shadow-utils, passwd, pam, util-linux, openssh and nscd.


No, you shouldn't have to do much. But from reading your threads I don't know yet if it's actually GNU/Linux itself you're struggling with or a bad or partial OS/audit installation. Answer some questions and we'll see. Please be exact in your answers please.


* BTW, what dictates or requires you to use Auditd? Just being curious.

Then 'rpm -qf /sbin/auditd' should show the name and version of the package.
Answer: audit-0.5-1




What does 'rpm -ql audit' say?
Answer: sbin/auditctl
sbin/auditd



To be correct it's /etc/audit/audit.rules. No /var/log/audit/ dir? audit-libs is for apps to log auditing info. Running 'rpm -q --whatrequires audit-libs' shows audit, shadow-utils, passwd, pam, util-linux, openssh and nscd.

Typed command rpm -q --whatrequires audit-libs
Answer: no package requires audit-libs "If I leave the ' after libs I get a blank line
that starts with a >"

Determine if business or other requirements allow you add CentOS packages to your RHEL installation. Else take the most recent CentOS-4 audit.* source packages (IIRC it should be up to U8 now?) and rebuild for your machine.

In your opion which would be quicker on my standalone LINUX?

(1) Load SNARE

(2) add CentOS packages to your RHEL installation.

(4) CentOS-4 audit.* source packages (IIRC it should be up to U8 now?) and rebuild for your machine.

FYI. Really new with LINUX and never performed a rebuild.
Can not seem to add auditd to services to remain active after I root logs out "chkconfig --add auditd" or "chkconfig --add /sbin/auditd" results in "error reading information on service auditd: no such file or directory. If I type "chkconfig auditd" I get no errors and if I type "auditd" I get a PID #. If auditd is not running after root logs out SNARE will probaly not work (your thoughts)?

Even after consolidation you have three threads rolling about the same subject. Keeping things together is not only more efficient for you but also keeps your fellow LQ members from posting duplicate replies. I suggest you continue discussing SNARE, Auditd and rules here http://www.linuxquestions.org/questi...snare.-642459/.