audispd audit-remote plugin and uid, gid, euid, suid, fsuid, egid, sgid, fsgid

LC Bruzenak lenny at magitekltd.com
Thu Nov 13 15:32:12 UTC 2014


On 11/13/2014 09:01 AM, Steve Grubb wrote:
> They could unless use of those utilities are restricted. You could also setup 
> a centralized user name management system to help things. But if you want to 
> tackle this yourself, I think the uids, gids, and hostnames are the main 
> things that need interpreting locally. Everything else can be done after the 
> fact.
This subject is one I've griped about before. I'm amazed that more people
haven't mentioned this.
From an assurance perspective, having the human-understandable names of
the accounts is important.
If auditing systems aggregate records from multiple sources, this is
pretty big.

Until we can easily do something like the following, this isn't dire:

machine:             local aggregator       enterprise aggregator
---------------      ---------------------  -----------------------------
finance sys1 ->
finance sys2 ->  fin. aggr    \    
finance sys3 ->                     ->

engineering1 ->
engineering2 -> eng. aggr  ->          enterprise aggregator
engineering3 ->

marketing1 ->                      ->
marketing2 -> mark. aggr  /
marketing3 ->

In fact, to me, the ultimate assurance architecture would be to have the
username management system reside on the local auditing aggregator with
a very controlled/audited/secure interface.
Then I'd interpret the uids, gids and hns there.

My $0.02 FWIW,
LCB

-- 
LC (Lenny) Bruzenak
lenny at magitekltd.com
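As an added example, not part of this thread and not code from the audit project: resolving the uid/gid fields named in the subject line against the local passwd/group tables before a record leaves the machine, keeping the raw number beside the name and tagging the originating host. The sample SYSCALL record and the account tables are constructed; `local_tables()` shows how the real host databases would be read instead.

```python
import grp
import pwd
import re

# The uid-like and gid-like keys an audit SYSCALL record carries.
UID_FIELDS = ("uid", "euid", "suid", "fsuid")
GID_FIELDS = ("gid", "egid", "sgid", "fsgid")
FIELD_RE = re.compile(r"\b(uid|euid|suid|fsuid|gid|egid|sgid|fsgid)=(\d+)\b")


def local_tables():
    """Snapshot this host's passwd/group databases as id -> name dicts."""
    users = {p.pw_uid: p.pw_name for p in pwd.getpwall()}
    groups = {g.gr_gid: g.gr_name for g in grp.getgrall()}
    return users, groups


def interpret_record(line, users, groups, host):
    """Annotate each id field with its local name; the number is kept.

    Unknown ids are labelled "unknown" rather than dropped, so a record
    from an account with no local passwd entry still stands out on the
    aggregator. The originating host is prepended as node=, since the
    same uid means different people on different machines.
    """
    def annotate(match):
        key, num = match.group(1), int(match.group(2))
        table = users if key in UID_FIELDS else groups
        name = table.get(num, "unknown")
        return f'{key}={num} {key}_name="{name}"'

    return f"node={host} " + FIELD_RE.sub(annotate, line)


# Constructed sample: a record as a local audispd plugin would see it.
SAMPLE = (
    'type=SYSCALL msg=audit(1415892732.123:456): arch=c000003e syscall=2 '
    'success=yes exit=3 pid=1234 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 '
    'egid=0 sgid=0 fsgid=0 comm="sudo" exe="/usr/bin/sudo"'
)
SAMPLE_USERS = {0: "root", 1000: "alice"}    # constructed passwd table
SAMPLE_GROUPS = {0: "root", 1000: "alice"}   # constructed group table

if __name__ == "__main__":
    print(interpret_record(SAMPLE, SAMPLE_USERS, SAMPLE_GROUPS, "finance-sys1"))
```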

