stuart at secpay.com
Thu Aug 3 15:00:05 UTC 2006
For the purpose of PCI auditing, I am looking into doing a proper
security trail particularly of users who su / sudo to root/system_r.
From PCI standards:
10.5 Secure audit trails so they cannot be altered, including the
10.5.1 Limit viewing of audit trails to those with a
10.5.2 Protect audit trail files from unauthorized
10.5.3 Promptly back-up audit trail files to a
centralized log server or media that is difficult to alter
To begin, I have ventured into using auditctl and defining a
few rules to start with.
Would it be best to write a custom SELinux policy to log all system_r
commands / syscalls so someone could not just turn off auditd?
Currently we already use syslog-ng; hopefully we can incorporate
auditd so that it logs to the central syslog servers.
The rules I have played with by adding to /etc/audit.rules (among
(we use auid 999 for testing)
-a entry,always -F uid=0 -F auid=999 -S open -S exit
-a task,always -F uid=0 -F auid=999
The problem is, I get tons of syscalls for applications such as sshd:
type=SYSCALL msg=audit(1154617455.081:67195): arch=c000003e syscall=2
success=yes exit=4 a0=2aaaabf9b375 a1=0 a2=1b6 a3=0 items=1 pid=25418
auid=XXX uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) comm="sshd" exe="/usr/sbin/sshd"
Would it be possible to use the "exclude" for auditctl? I am
unsure of how to not log sshd and tail without using a pid, which can
Is auditctl the appropriate way to go about logging, or is it better to
modify the SELinux policy in some way?
Thanks in advance,
DDI - (44) 0 1765 643354
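Added example, not part of the original post and not code from the audit project: a small Python post-filter that applies the selection the rules above aim at (uid=0 with a real login auid) to audit.log SYSCALL records and drops records whose exe is on an exclusion list such as sshd. The record layout follows the line quoted in the post; the sample records, the exclusion list and the "escalated" test (auid set and non-root, uid 0, exe not excluded) are assumptions of this example.

```python
"""Post-filter Linux audit SYSCALL records for root actions by a logged-in user.

Added example, not from the original post.  Assumptions: the key=value record
layout shown in the post, and auid being the kernel loginuid, which is
4294967295 (printed as -1 on some kernels) when no login ever happened.
"""
import re

AUID_UNSET = 4294967295

# Hypothetical exclusion list (assumption for this example): root-owned
# processes of these executables carry the session's auid only because they
# performed the login, so they are not part of an su/sudo-to-root trail.
EXCLUDED_EXE = {"/usr/sbin/sshd"}

RECORD_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit.log line into a dict; return None for anything else."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group("type"), "ts": float(m.group("ts")),
           "serial": int(m.group("serial"))}
    for key, value in FIELD_RE.findall(m.group("body")):
        rec[key] = value.strip('"')
    return rec


def _int_field(rec, key):
    """Integer value of a field, or None when missing or redacted (auid=XXX)."""
    try:
        return int(rec.get(key, ""))
    except ValueError:
        return None


def is_escalated_user_action(rec, excluded_exe=EXCLUDED_EXE):
    """True for SYSCALL records of a root process owned by a logged-in non-root user."""
    if not rec or rec.get("type") != "SYSCALL":
        return False
    auid, uid = _int_field(rec, "auid"), _int_field(rec, "uid")
    if auid is None or uid is None:
        return False
    if auid in (AUID_UNSET, -1):      # boot-time daemon: no login behind it
        return False
    if uid != 0 or auid == 0:         # not running as root, or logged in as root directly
        return False
    return rec.get("exe") not in excluded_exe


def escalation_trail(lines, excluded_exe=EXCLUDED_EXE):
    """Return the parsed records that belong in the su/sudo-to-root audit trail."""
    return [r for r in map(parse_record, lines)
            if is_escalated_user_action(r, excluded_exe)]


# Constructed sample records modelled on the one quoted in the post.
SAMPLE_LOG = [
    # sshd privilege-separation monitor for the session of auid 999: noise
    'type=SYSCALL msg=audit(1154617455.081:67195): arch=c000003e syscall=2 success=yes '
    'exit=4 a0=2aaaabf9b375 a1=0 a2=1b6 a3=0 items=1 pid=25418 auid=999 uid=0 gid=0 '
    'euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="sshd" exe="/usr/sbin/sshd"',
    # the same user after su to root: reads /etc/shadow
    'type=SYSCALL msg=audit(1154617460.102:67201): arch=c000003e syscall=2 success=yes '
    'exit=3 a0=7fff1234 a1=0 a2=0 a3=0 items=1 pid=25467 auid=999 uid=0 gid=0 euid=0 '
    'suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="cat" exe="/bin/cat"',
    # crond started at boot: root, but no login behind it
    'type=SYSCALL msg=audit(1154617465.000:67210): arch=c000003e syscall=2 success=yes '
    'exit=5 a0=0 a1=0 a2=0 a3=0 items=1 pid=1188 auid=4294967295 uid=0 gid=0 euid=0 '
    'suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="crond" exe="/usr/sbin/crond"',
    # the user's own unprivileged shell
    'type=SYSCALL msg=audit(1154617470.250:67215): arch=c000003e syscall=2 success=yes '
    'exit=3 a0=0 a1=0 a2=0 a3=0 items=1 pid=25470 auid=999 uid=999 gid=999 euid=999 '
    'suid=999 fsuid=999 egid=999 sgid=999 fsgid=999 tty=pts1 comm="bash" exe="/bin/bash"',
    # PATH record: not a SYSCALL, never part of the decision
    'type=PATH msg=audit(1154617460.102:67201): item=0 name="/etc/shadow" inode=12345 '
    'dev=08:01 mode=0100400 ouid=0 ogid=0',
]

if __name__ == "__main__":
    for rec in escalation_trail(SAMPLE_LOG):
        print("%s serial=%d auid=%s comm=%s exe=%s"
              % (rec["ts"], rec["serial"], rec["auid"], rec["comm"], rec["exe"]))
```

Run on the constructed sample only the cat record survives. Records whose auid is redacted or unparsable are discarded, so a sanitised log like the line quoted in the post (auid=XXX) yields nothing; run the filter against the raw file. The auid test here corresponds to `-F auid!=4294967295` in an auditctl rule, and newer auditctl releases also accept `-F exe=`, which moves the sshd exclusion into the kernel rule instead of a post-filter.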