Audit logging

Steve G linux_4ever at yahoo.com
Thu Aug 3 15:47:10 UTC 2006


>- From PCI standards

I'm not familiar with this one; where would I find its requirements on the
internet?

>10.5 Secure audit trails so they cannot be altered, including the
>following: 
>10.5.1 Limit viewing of audit trails to those with a
>job-related need.
>10.5.2 Protect audit trail files from unauthorized
>modifications.

The above is handled currently by the audit system.

>10.5.3 Promptly back-up audit trail files to a
>centralized log server or media that is difficult to alter

You'll have to modify the cron script to do this.

>Would it be best to write a custom selinux policy to log all system_r
>commands / syscalls so someone could not just turn off the auditd.

No one can turn off auditd unless they are root. Do you have untrusted root
users?

>Currently we already use Syslog-ng, which hopefully we can incorporate
>auditd to log to the central syslog servers.

Generally what you would want to do is update the cron script to rename the files
with date, time, and machine name. Then scp them to a directory on a remote
machine. I would not merge the logs with syslog since you will lose the ability
to use any audit tools.

>-a entry,always -F uid=0 -F auid=999 -S open -S exit
>- -a task,always -F uid=0 -F auid=999

This will log every open of every file for that user. What are you really trying
to capture? Generally, security targets are concerned with modifications of
specific files.

>The problem is, i get tons of syscalls for applications such as sshd
>and tail

Yep.

>Would it be possible to use the "exclude" for auditctl,

This will exclude one type of message. For example, you can get rid of everything
with type=LOGIN. It only looks at that one field and nothing else.

>but i am unsure of how to not log sshd and tail without using a pid which
>can obviously change.

What are you really trying to record?

>Is auditctl the appropriate way to go about logging,

Audit should be used to audit with.

-Steve
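The off-box copying that Steve describes (rename the log with host, date and time, then push it to a remote machine rather than merging it into syslog) as an added shell example; this is not Steve's cron script and not the script shipped with the audit package. It assumes auditd has already closed the file being archived (for example a rotated audit.log.1), that the remote collector is reachable by scp at a hypothetical user@collector:/srv/audit/ target, and, so it can run offline, that a local directory may be given in place of the scp target. A SHA-256 digest is written next to each copy so the collector can later check that the archived file has not been altered (PCI 10.5.2/10.5.3).

```shell
#!/bin/sh
# Added example: archive a closed audit log under a host/date/time name,
# record its SHA-256 digest, and copy both to a collector.
# Assumptions: $1 is a closed audit log file (e.g. /var/log/audit/audit.log.1);
# $2 is either an scp destination such as user@collector:/srv/audit/
# (hypothetical) or, for offline use, an existing local directory.

# Print the SHA-256 of a file; falls back to shasum where sha256sum is absent.
sum_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# archive_audit_log SRC DEST
# Copies SRC to SRC's directory as audit.log.<host>.<UTC stamp>, writes a
# .sha256 file beside it, ships both to DEST, and prints the archive name.
archive_audit_log() {
    src=$1
    dest=$2
    [ -f "$src" ] || { echo "archive_audit_log: $src not found" >&2; return 1; }
    [ -n "$dest" ] || { echo "archive_audit_log: destination required" >&2; return 1; }

    stamp=$(date -u +%Y%m%d-%H%M%S)
    host=$(hostname 2>/dev/null || uname -n)
    name="audit.log.$host.$stamp"
    staging="$(dirname "$src")/$name"

    # Keep the archive readable by root only, mirroring the live log.
    cp -p "$src" "$staging" || return 1
    chmod 0600 "$staging"
    sum_file "$staging" > "$staging.sha256" || return 1

    if [ -d "$dest" ]; then
        # Offline/local mode: plain copy into an existing directory.
        cp -p "$staging" "$staging.sha256" "$dest/" || return 1
    else
        # Remote mode: scp preserves the timestamp; -q keeps cron mail quiet.
        scp -q -p "$staging" "$staging.sha256" "$dest" || return 1
    fi
    printf '%s\n' "$name"
}

# Usage from cron, after auditd has rotated its log:
#   archive_audit_log /var/log/audit/audit.log.1 user@collector:/srv/audit/
if [ "$#" -eq 2 ]; then
    archive_audit_log "$1" "$2"
fi
```

The local copy of the archive is left in the audit directory so the normal audit tools (ausearch, aureport) can still read it; the collector verifies a received file with `sha256sum -c` style comparison against the stored digest before treating it as authoritative.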
