Audit logging

Steve G linux_4ever at yahoo.com
Fri Aug 4 10:08:09 UTC 2006


>If I'm reading this correctly, this could be a "Using SELinux to 
>perform self-auditing" (or whatever) topic, including why you would do that, 
>why SELinux is a good way to do it,

SE Linux is the wrong approach for this. This is more in the domain of what the
audit system does. A simple case of auditing root actions is handled by this:

-a always,entry -S execve -F "auid>500" -F uid=0

This will capture all execve parameters for people that logged in with normal
user account and have changed uid to root. You have to forbid people logging in
directly as root, too.

It might be better if we update bash to log commands instead of getting every
execve.

-Steve

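As an added example (not part of Steve's mail or the audit project's own tooling): a small Python checker that applies the same filter as the rule above to audit.log records, pairing each SYSCALL record with its EXECVE record by event serial and keeping only events where the login uid (auid) is above 500 and the current uid is 0. The sample records are constructed. It also skips the "unset" auid value 4294967295 (daemons with no login session), which a bare numeric auid>500 comparison would otherwise match.

```python
import re
from collections import defaultdict

# Constructed sample records in the format auditd writes to /var/log/audit/audit.log.
# Event 456: user auid=501 who became root (uid=0) and ran a command.
# Event 457: a daemon with no login session (auid=4294967295, "unset").
# Event 458: a plain user (auid=502) who has not changed to root.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1154683689.123:456): arch=c000003e syscall=59 success=yes exit=0 ppid=1234 pid=1235 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="cat" exe="/bin/cat" key=(null)
type=EXECVE msg=audit(1154683689.123:456): argc=2 a0="cat" a1="/etc/hosts"
type=SYSCALL msg=audit(1154683690.001:457): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=2000 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="logrotate" exe="/usr/sbin/logrotate" key=(null)
type=EXECVE msg=audit(1154683690.001:457): argc=1 a0="logrotate"
type=SYSCALL msg=audit(1154683691.500:458): arch=c000003e syscall=59 success=yes exit=0 ppid=1300 pid=1301 auid=502 uid=502 gid=502 euid=502 suid=502 fsuid=502 egid=502 sgid=502 fsgid=502 tty=pts1 ses=2 comm="ls" exe="/bin/ls" key=(null)
type=EXECVE msg=audit(1154683691.500:458): argc=2 a0="ls" a1="-l"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="value"
EVENT_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')  # (timestamp, serial)
AUID_UNSET = 4294967295  # (unsigned)-1: process has no login session

def parse_fields(line):
    """Split one audit record into a dict; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def root_commands(log_text, min_auid=500):
    """Return [(auid, argv)] for execve events that the rule
    -a always,entry -S execve -F "auid>500" -F uid=0 is meant to capture:
    a real login uid above min_auid, now running as uid 0."""
    events = defaultdict(dict)           # serial -> {record type: fields}
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        fields = parse_fields(line)
        events[m.group(2)][fields["type"]] = fields
    hits = []
    for serial in sorted(events, key=int):
        sc, ex = events[serial].get("SYSCALL"), events[serial].get("EXECVE")
        if not sc or not ex:             # an EXECVE record only exists for execve calls
            continue
        auid, uid = int(sc["auid"]), int(sc["uid"])
        if auid == AUID_UNSET or auid <= min_auid or uid != 0:
            continue
        argv = [ex[f"a{i}"] for i in range(int(ex["argc"]))]
        hits.append((auid, argv))
    return hits
```

Run `root_commands(SAMPLE_LOG)` to see only the auid=501 event reported; the daemon and the unprivileged user are filtered out.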




More information about the fedora-selinux-list mailing list