4 Replies Latest reply on Mar 1, 2012 3:18 PM by phil3

    FEATURE REQUEST - Secure Log Reader (for Redhat 6.2, /var/log/secure)

    pkroetsch

      This request is to expand important logging for RHEL 6.2.

      The default in RHEL 6.2 is that /var/log/secure logs all authpriv.* events.

      The purpose of this is to be able to log data to comply with NERC CIP Standards.

      CIP-007 R5 - Account Management - The Responsible Entity shall establish, implement, and document technical and procedural controls that enforce access authentication of, and accountability for, all user activity, and that minimize the risk of unauthorized system access.

      For the most part the PAM tool does this well for the following:

         -UserLogon, UserLogoff, UserLogonFailure, UserModifyAttribute (Password Change)

      PAM does not catch when you add, modify, or delete a user using these commands:

         -UserAdd, UserMod, UserDel, & chage.

         -GroupAdd, GroupMod, GroupDel

         -This is important so we can keep track of records of user changes but also when installing new software for change management. When you install software it is possible that it will create a new system user or group. This will help for change management and we can provide evidence and update documentation for any new users.

      SSH

         -PAM logs user logons and logoffs for sshd but if there are other log events that correspond to ssh but not to pam they are not logged right now in LEM.

      VNC

        -VNC sessions are logged in /var/log/secure but there are no tools currently that log this.

      I am not sure if I have anything else at this point. If anyone has anything to add please do. I am also fairly new to Linux so if I am missing any other tools that LEM offers for Linux please let me know.


      Thanks!
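As an added example (not part of the original post and not LEM's own connector code), here is a small Python parser that pulls the useradd/usermod/userdel/chage and groupadd/groupmod/groupdel events the post says are missing out of a constructed /var/log/secure excerpt. The sample log lines are constructed in the shadow-utils message style, and the event names are hypothetical, modelled on the LEM names quoted in the post.

```python
import re
from typing import Optional

# Constructed sample of /var/log/secure (authpriv.*) lines; not from a real host.
SAMPLE_SECURE_LOG = """\
Mar  1 14:02:11 rhel62 useradd[4101]: new group: name=appsvc, GID=502
Mar  1 14:02:11 rhel62 useradd[4101]: new user: name=appsvc, UID=502, GID=502, home=/var/lib/appsvc, shell=/sbin/nologin
Mar  1 14:03:40 rhel62 usermod[4110]: change user 'appsvc' shell from '/sbin/nologin' to '/bin/bash'
Mar  1 14:04:02 rhel62 chage[4115]: changed password expiry for appsvc
Mar  1 14:05:19 rhel62 groupadd[4120]: new group: name=ops, GID=503
Mar  1 14:06:30 rhel62 sshd[4130]: Accepted publickey for admin from 10.0.0.5 port 51234 ssh2
Mar  1 14:07:45 rhel62 groupdel[4140]: group 'ops' removed
Mar  1 14:08:10 rhel62 userdel[4150]: delete user 'appsvc'
"""

# Classic syslog prefix: "Mon DD HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# Account-management tools the PAM connector does not cover, mapped to
# hypothetical event names in the style of the LEM names quoted in the post.
ACCOUNT_TOOLS = {
    "useradd": "UserAdd", "usermod": "UserMod", "userdel": "UserDel",
    "chage": "UserModifyAttribute",
    "groupadd": "GroupAdd", "groupmod": "GroupMod", "groupdel": "GroupDel",
}

# Where shadow-utils puts the subject name: key=value ("name=appsvc, UID=502"),
# a quoted name ("delete user 'appsvc'"), or a trailing "for <name>" (chage).
NAME_RE = re.compile(r"name=([^,\s]+)|'([^']+)'|\bfor (\S+)$")

def parse_line(line: str) -> Optional[dict]:
    """Return an account-management event for one log line, or None if it is not one."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m or m["prog"] not in ACCOUNT_TOOLS:
        return None
    n = NAME_RE.search(m["msg"])
    subject = next((g for g in n.groups() if g), None) if n else None
    return {
        "time": m["ts"], "host": m["host"], "tool": m["prog"], "pid": int(m["pid"]),
        "event": ACCOUNT_TOOLS[m["prog"]], "subject": subject, "detail": m["msg"],
    }

def account_events(log_text: str) -> list:
    """Filter a /var/log/secure excerpt down to user/group add, modify and delete events."""
    return [ev for ev in map(parse_line, log_text.splitlines()) if ev]
```

Running `account_events(SAMPLE_SECURE_LOG)` yields the seven account changes and drops the sshd line, which is the split between what PAM already reports and what the post asks LEM to add.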