Audit logging

Stuart James stuart at secpay.com
Thu Aug 3 15:00:05 UTC 2006



Hi,

For the purpose of PCI auditing, I am looking into doing a proper
security trail, particularly of users who su / sudo to root/system_r.

From PCI standards:

10.5 Secure audit trails so they cannot be altered, including the following:
10.5.1 Limit viewing of audit trails to those with a job-related need.
10.5.2 Protect audit trail files from unauthorized modifications.
10.5.3 Promptly back-up audit trail files to a centralized log server or media that is difficult to alter.


To begin, I have ventured into using auditctl and defining a
few rules to start with.

Would it be best to write a custom SELinux policy to log all system_r
commands / syscalls, so someone could not just turn off auditd?

Currently we already use Syslog-ng; hopefully we can incorporate
auditd so it logs to the central syslog servers.

The rules I have played with, by adding them to /etc/audit.rules (among
others):

(we use auid 999 for testing)

-a entry,always -F uid=0 -F auid=999 -S open -S exit
-a task,always -F uid=0 -F auid=999

The problem is, I get tons of syscalls for applications such as sshd
and tail:

type=SYSCALL msg=audit(1154617455.081:67195): arch=c000003e syscall=2
success=yes exit=4 a0=2aaaabf9b375 a1=0 a2=1b6 a3=0 items=1 pid=25418
auid=XXX uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) comm="sshd" exe="/usr/sbin/sshd"
subj=user_u:system_r:unconfined_t:s0-s0:c0.c255

Would it be possible to use the "exclude" for auditctl? I am
unsure of how to not log sshd and tail without using a pid, which can
obviously change.

Is auditctl the appropriate way to go about logging, or is it better to
modify the SELinux policy in some way?

Thanks in advance,

-- 
Stuart James
System Administrator
DDI - (44) 0 1765 643354
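One way to see which programs produce the noise before deciding what to exclude, as an added example that is not part of the post above: a small Python parser for the SYSCALL record format shown in the message, which keeps only records where the original login (auid=999, as in the poster's test setup) is now running as uid 0 and drops the programs named in an exclude list. The records below are constructed samples, not real audit logs; this filters after the fact and does not replace a kernel-side rule.

```python
import re
from collections import Counter

# Constructed sample records in the format quoted in the post (not real logs).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1154617455.081:67195): arch=c000003e syscall=2 success=yes exit=4 a0=2aaaabf9b375 a1=0 a2=1b6 a3=0 items=1 pid=25418 auid=999 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="sshd" exe="/usr/sbin/sshd" subj=user_u:system_r:unconfined_t:s0-s0:c0.c255
type=SYSCALL msg=audit(1154617456.002:67196): arch=c000003e syscall=2 success=yes exit=3 a0=7fff0 a1=0 a2=0 a3=0 items=1 pid=25420 auid=999 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="tail" exe="/usr/bin/tail" subj=user_u:system_r:unconfined_t:s0-s0:c0.c255
type=SYSCALL msg=audit(1154617457.115:67197): arch=c000003e syscall=2 success=yes exit=3 a0=7fff1 a1=1 a2=0 a3=0 items=1 pid=25421 auid=999 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="vi" exe="/bin/vi" subj=user_u:system_r:unconfined_t:s0-s0:c0.c255
type=SYSCALL msg=audit(1154617458.400:67198): arch=c000003e syscall=2 success=no exit=-13 a0=7fff2 a1=0 a2=0 a3=0 items=1 pid=25422 auid=1000 uid=1000 gid=100 euid=1000 suid=1000 fsuid=1000 egid=100 sgid=100 fsgid=100 tty=pts1 comm="cat" exe="/bin/cat" subj=user_u:user_r:user_t:s0
type=CWD msg=audit(1154617457.115:67197): cwd="/root"
"""

# key=value pairs; values are either double-quoted (comm, exe) or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one audit line into a dict; quoted values lose their quotes."""
    rec = {key: value.strip('"') for key, value in FIELD_RE.findall(line)}
    # msg=audit(TIMESTAMP:SERIAL): carries the event time and serial number
    m = re.match(r'audit\(([\d.]+):(\d+)\)', rec.get("msg", ""))
    if m:
        rec["timestamp"], rec["serial"] = m.group(1), m.group(2)
    return rec

def privileged_records(log_text, auid, exclude_comm=()):
    """SYSCALL records whose login uid is `auid` and whose process now runs
    as uid 0, minus the programs listed in exclude_comm (matched on comm,
    not pid, so a changing pid does not matter)."""
    kept = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL":
            continue
        if rec.get("auid") != str(auid) or rec.get("uid") != "0":
            continue
        if rec.get("comm") in exclude_comm:
            continue
        kept.append(rec)
    return kept

def noise_by_program(log_text, auid):
    """Count matching SYSCALL records per comm to see which programs dominate."""
    return Counter(r["comm"] for r in privileged_records(log_text, auid))
```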

