LinuxQuestions.org


geburah 03-08-2006 10:56 AM

Linux auditing in fedora, Selinux and auditd
 
Hi all, this is my first post here.

I am looking for the best way to audit Linux, and decide what is in the audit and what's not. auditd itself looks a bit difficult to manage. Is there any set of commands or front-end to manage it?

If not, do you know of a good manual for it? I have been looking for it but I only find man pages.

I have read that SELinux uses auditd. How can I manage auditd from SELinux? Is there any tutorial or something that can help me get started? Again, all I can find are documents about Linux security.

Thanks to all.

unSpawn 03-12-2006 08:32 AM

"I am looking for the best way to audit Linux"
Please define "best" wrt requirements etc, etc. If you don't know what you want/need, have a look at, for instance, "Securing and Hardening Linux Production Systems" (wrt SOX, SAS70): http://www.puschitz.com/SecuringLinux.shtml
If you really meant to use SELinux, then please read up on it first and then ask more specific questions.

geburah 03-14-2006 05:38 AM

I work with RHL 3.0 boxes that have the auditd daemon running but not SELinux enabled.
Since I posted the question I found out that there is a set of tools (setools) to manage SELinux. But they don't work if SELinux is not enabled.

Another option I came across was praudit, but it looks like a Solaris tool only.

I will rephrase it: I am not looking for the best way. I am looking for a way to perform audit in Linux without SELinux.

Thanks.

geburah 03-16-2006 04:46 AM

I have reduced my search. I now need help understanding audit and /etc/audit/filter.conf

Thanks.

