linux_4ever at yahoo.com
Thu Aug 3 15:47:10 UTC 2006
>- From PCI standards
I'm not familiar with this one, where would I find its requirements on the
>10.5 Secure audit trails so they cannot be altered, including the
>10.5.1 Limit viewing of audit trails to those with a
>10.5.2 Protect audit trail files from unauthorized
The above is handled currently by the audit system.
>10.5.3 Promptly back-up audit trail files to a
>centralized log server or media that is difficult to alter
You'll have to modify the cron script to do this.
>Would it be best to write a custom selinux policy to log all system_r
>commands / syscalls so someone could not just turn off the auditd.
No one can turn off auditd unless they are root. Do you have untrusted root
>Currently we already use Syslog-ng, which hopefully we can incorporate
>auditd to log to the central syslog servers.
Generally what you would want to do is update the cron script to rename the files
with date, time, and machine name. Then scp them to a directory on a remote
machine. I would not merge the logs with syslog since you will lose the ability
to use any audit tools.
>-a entry,always -F uid=0 -F auid=999 -S open -S exit
>- -a task,always -F uid=0 -F auid=999
This will log every open of every file for that user. What are you really trying
to capture? Generally, security targets are concerned with modifications of
>The problem is, I get tons of syscalls for applications such as sshd
>Would it be possible to use the "exclude" for auditctl,
This will exclude one type of message. For example, you can get rid of everything
with type=LOGIN. It only looks at that one field and nothing else.
>but I am unsure of how to not log sshd and tail without using a pid which
>can obviously change.
What are you really trying to record?
>Is auditctl the appropriate way to go about logging,
Audit should be used to audit with.
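The reply's two points about the rules (an open()/exit() rule on auid 999 records every file open by that user, and `exclude` matches only the message type field) are easier to see against a concrete rule set. The fragment below is an added example, not the poster's rules or anything from the thread; it keeps the poster's auid of 999 but every path, key name and the use of `-F perm=wa`, `-F success=1` and `-e 2` are my assumptions about what the poster wants, written in auditctl/audit.rules syntax.

```conf
# Added example (not from the thread): a targeted audit.rules fragment.
# Assumes auditctl syntax; auid 999 is the poster's user, the paths
# and key names are illustrative choices.

# Watch the files whose modification actually matters, tagged with a
# key so they can be pulled back out with "ausearch -k identity".
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/sudoers -p wa -k privilege
# Writes to the audit trail itself, per PCI 10.5.2.
-w /var/log/audit/ -p wa -k audit-trail

# Instead of "-S open" for everything auid 999 does (every read included),
# record only that user's successful write/attribute-change syscalls.
-a exit,always -F auid=999 -F perm=wa -F success=1 -k user999-writes

# "exclude" tests one field, the message type, and nothing else. This drops
# every CWD record; it cannot drop "records caused by sshd" or "by tail".
-a exclude,always -F msgtype=CWD

# Make the rule set immutable until reboot, so even root cannot turn it
# off or change it with auditctl. This must be the last line.
-e 2
```

Load it with `auditctl -R` and check the result with `auditctl -l`. Because `-e 2` locks the configuration, test the rules on a non-production box first: once it is applied, the only way back is a reboot.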
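The reply recommends changing the cron script to rename each rotated audit log with date, time and machine name and then scp it to a remote machine, rather than feeding audit records into syslog. The script below is an added example of that step, not the cron script the reply refers to or any Fedora code. It assumes the rotated file is `/var/log/audit/audit.log.1` (auditd's own rotation), a local staging directory under `/var/log/audit/staging`, and a `REMOTE` environment variable naming the scp target; the checksum file it writes beside each copy is my addition so a tampered or truncated copy on the central host can be detected later.

```shell
#!/bin/sh
# Added example (not from the thread): ship a rotated audit log to a
# central host under a per-host, per-timestamp name so files from many
# machines do not collide and stay readable with ausearch/aureport.
# Assumptions: auditd has already rotated the log (service auditd rotate),
# the rotated file is /var/log/audit/audit.log.1, and REMOTE is set to a
# scp destination such as loghost:/srv/audit.
#
# Usage (as root, from cron, after rotation):
#   REMOTE=loghost:/srv/audit ./ship_audit_log.sh /var/log/audit/audit.log.1

set -eu

# stage_audit_log SRC STAGEDIR HOST STAMP
# Copies SRC into STAGEDIR as HOST-STAMP.log, writes a SHA-256 checksum
# beside it so alteration in transit or at rest can be detected, and
# prints the staged file's path.
stage_audit_log() {
    src=$1; stagedir=$2; host=$3; stamp=$4
    name="$host-$stamp.log"
    dest="$stagedir/$name"
    mkdir -p "$stagedir"
    # cp -p keeps the original mtime; the copy is then made read-only
    # for the owner (root in practice) and nobody else.
    cp -p "$src" "$dest"
    chmod 0400 "$dest"
    # Checksum is recorded relative to the staging directory so that
    # "sha256sum -c" works on the central host after the copy.
    (cd "$stagedir" && sha256sum "$name" > "$name.sha256")
    printf '%s\n' "$dest"
}

# ship_staged FILE REMOTE
# Pushes the staged log and its checksum with scp. A non-zero exit lets
# cron mail root instead of silently dropping the copy.
ship_staged() {
    file=$1; remote=$2
    scp -q -p "$file" "$file.sha256" "$remote/"
}

main() {
    src=${1:-/var/log/audit/audit.log.1}
    host=$(hostname -s)
    stamp=$(date -u +%Y%m%d-%H%M%S)
    staged=$(stage_audit_log "$src" /var/log/audit/staging "$host" "$stamp")
    ship_staged "$staged" "${REMOTE:?set REMOTE to user@host:/path}"
}

# Run main only when executed under this name, not when sourced.
case "${0##*/}" in ship_audit_log.sh) main "$@" ;; esac
```

The staged copy keeps the native audit format untouched, so `ausearch` and `aureport` still work on the central host, which is the point of not merging it into syslog. The local copy in the staging directory can be pruned on a separate schedule once the remote copy has been verified against its checksum.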