Audit logging

Stuart James stuart at secpay.com
Fri Aug 4 09:08:23 UTC 2006


Hi David,

On Fri, 4 Aug 2006 10:07:43 +1000
"David O'Brien" <daobrien at redhat.com> wrote:

> top post...
> 
> Stuart,
> I'm following this thread with interest, as I'm in the process of
> updating the RHEL5 documentation for Security and SELinux and I'm
> looking especially for Use Cases/real world scenarios (rather than
> fabricated implementations). I'm especially interested in getting
> community input for this.
> 
> If I'm reading this correctly, this could be a "Using SELinux to
> perform self-auditing" (or whatever) topic, including why you would
> do that, why SELinux is a good way to do it, and then *how* to do it
> exactly, with expected results, possible variations, and some
> troubleshooting, perhaps. Also some material on how/what *not* to do.

I would be more than interested in helping with this documentation or
the reason why we are doing this. Our company is an e-commerce firm
that deals with the issue of protecting the integrity of the card
holder environment for the purpose of PCI audits.

http://www.secpay.com/secpay/index.php/content/view/full/267.html
https://sdp.mastercardintl.com/pdf/pcd_manual.pdf

As the certification (formerly Visa AIS) has now become more rigorous
to achieve and is mandatory for us to continue transacting, one of the
main issues of the standard we are faced with is section 10.5.x, which
previously we have passed based on sudo logging to a central syslog
server.

As mentioned previously, it's not because we have untrusted root users;
it's that we have to prove to a third-party auditor that we can create a
forensic security trail of a user's actions.

We have looked into other software such as Symark PowerBroker, which
indeed does what we need, although it is logging solely in userspace,
but given that it is not open-source software and has a hefty price
tag, we would rather look at SELinux / auditing.


> 
> How do you feel about getting involved in this? I'm a writer, not an
> SELinux expert, so I'm relying on input from others for the techie
> bits.
> 
> Further, if you're aware of documentation that's wrong or hard to
> follow, let me know or file a bug
> (https://bugzilla.redhat.com/bugzilla/index.cgi).
> 
> cheers
> David
> 

Regards,

Stuart James
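The "forensic security trail of a user's actions" discussed in the mail is something the kernel audit subsystem can provide where syslog-based sudo logging cannot: sudo only logs its own invocation, whereas an auditd execve rule records every program run, and the login uid (auid, set at login and preserved across su/sudo) ties each record back to the person who logged in. The following is an added example, not code from the thread or from Red Hat; it assumes a hypothetical audit rule of the form `-a always,exit -F arch=b64 -S execve -F auid>=500 -k user_cmds` and parses constructed audit.log lines (also not from the thread) into a per-user command trail, flagging the records where root-level work is attributable to a named login.

```python
"""Rebuild a per-user command trail from Linux audit (auditd) execve records.

Assumed (hypothetical, not from the thread) rule in /etc/audit/audit.rules:
    -a always,exit -F arch=b64 -S execve -F auid>=500 -k user_cmds
auid is the login uid set by pam_loginuid at login; it survives su/sudo,
which is what links a command run as root back to the login that ran it.
"""
import re
from collections import defaultdict

# Constructed sample records (not from the original thread). Each event is a
# SYSCALL record (who) plus an EXECVE record (what) sharing one serial number.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1154682503.101:201): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=2310 pid=2311 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=pts0 comm="sudo" exe="/usr/bin/sudo" key="user_cmds"
type=EXECVE msg=audit(1154682503.101:201): argc=3 a0="sudo" a1="cat" a2="/etc/shadow"
type=SYSCALL msg=audit(1154682503.102:202): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=2311 pid=2312 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="cat" exe="/bin/cat" key="user_cmds"
type=EXECVE msg=audit(1154682503.102:202): argc=2 a0="cat" a1="/etc/shadow"
type=SYSCALL msg=audit(1154682503.250:203): arch=c000003e syscall=59 success=no exit=-13 items=1 ppid=2400 pid=2401 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=pts1 comm="cat" exe="/bin/cat" key="user_cmds"
type=EXECVE msg=audit(1154682503.250:203): argc=2 a0="cat" a1="/var/log/audit/audit.log"
type=SYSCALL msg=audit(1154682504.010:204): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=2311 pid=2313 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="touch" exe="/bin/touch" key="user_cmds"
type=EXECVE msg=audit(1154682504.010:204): argc=2 a0="touch" a1=2F746D702F6D7920617267
"""

MSG_RE = re.compile(r'msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
ARG_RE = re.compile(r'^a\d+$')
HEX_RE = re.compile(r'^(?:[0-9A-Fa-f]{2})+$')


def decode_value(raw, hex_ok=False):
    """Strip quotes; auditd hex-encodes argv entries that contain spaces or quotes."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    if hex_ok and HEX_RE.match(raw):
        return bytes.fromhex(raw).decode('utf-8', errors='replace')
    return raw


def parse_records(text):
    """Group SYSCALL and EXECVE records by event serial into one dict per event."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        ev = events[int(m.group('serial'))]
        ev['time'] = float(m.group('ts'))
        rtype = line.split()[0].split('=', 1)[1]
        for key, raw in KV_RE.findall(line):
            if key in ('type', 'msg'):
                continue
            if rtype == 'EXECVE' and ARG_RE.match(key):
                ev.setdefault('argv', {})[int(key[1:])] = decode_value(raw, hex_ok=True)
            elif rtype == 'SYSCALL':
                ev[key] = decode_value(raw)
    return events


def build_trail(events):
    """Flatten events into chronological rows: who logged in (auid), who ran (uid), what."""
    rows = []
    for serial in sorted(events):
        ev = events[serial]
        argv = ev.get('argv', {})
        rows.append({
            'serial': serial,
            'time': ev['time'],
            'auid': int(ev.get('auid', -1)),
            'uid': int(ev.get('uid', -1)),
            'exe': ev.get('exe', '?'),
            'cmd': ' '.join(argv[i] for i in sorted(argv)),
            'success': ev.get('success') == 'yes',
        })
    return rows


def trail_for_user(rows, auid):
    """Everything a given login did, regardless of which uid it was running as."""
    return [r for r in rows if r['auid'] == auid]


def escalated(rows):
    """Rows where the process uid differs from the login uid: root work attributable to a person."""
    return [r for r in rows if r['uid'] != r['auid']]


if __name__ == '__main__':
    trail = build_trail(parse_records(SAMPLE_LOG))
    for r in trail:
        flag = 'ESCALATED' if r['uid'] != r['auid'] else ''
        print(f"{r['time']:.3f} auid={r['auid']} uid={r['uid']} "
              f"{'ok' if r['success'] else 'DENIED'} {r['cmd']} {flag}")
```

The auid is the field an auditor cares about: serial 202 runs as uid 0, but auid 500 says which login invoked it, and the denied attempt by auid 501 to read the audit log itself (serial 203) is exactly the kind of record section 10.5.x expects to be preserved. The hex-decoding branch matters in practice, since auditd emits any argument containing whitespace as a hex string rather than a quoted one.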




More information about the fedora-selinux-list mailing list