Weird issues in 2.6.5

Chris Nandor pudge at pobox.com
Wed Jul 13 16:51:56 UTC 2016


Yeah, I saw that (and tried it out, but reverted when I noticed the
truncation issues).  Nice feature!

On Wed, Jul 13, 2016 at 9:42 AM, Steve Grubb <sgrubb at redhat.com> wrote:

> On Wednesday, July 13, 2016 12:32:55 PM EDT Steve Grubb wrote:
> > On Wednesday, July 13, 2016 9:22:57 AM EDT Chris Nandor wrote:
> > > Secondary question: the reason for what I'm working on is that we want to
> > > be able to audit what folks do as root on our production hosts.  We're not
> > > a bank, and a perfect solution is not required, but we do need to be able
> > > to take reasonable steps to find out if people with access are doing bad
> > > things.
> > >
> > > Is this setup reasonable for that purpose?
> >
> > Yes. You would want to do two things, first enable tty auditing. This is
> > done by the pam_tty_audit module. Second consider adding the
> > 32-power-abuse.rules to your rules.
> >
> > > I know that's a loaded question and I can answer any questions anyone has
> > > that are necessary to figure this out.  I am not asking so much about
> > > rules, but about architecture: logging according to whatever rules we set
> > > up, to the local audit.log and immediately to a remote using
> > > audisp-remote, so the log can't be easily manipulated.
> >
> > Remote logging is the defence against local log manipulation.
>
> Another thing to consider is that the 2.6 version of the audit user space has
> a new logging format. You might consider going into auditd.conf and setting
> log_format = enriched. This resolves some information locally before sending
> it to the remote system.
>
> -Steve
>
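Putting the four pieces of advice from the quoted reply (pam_tty_audit, 32-power-abuse.rules, audisp-remote, log_format = enriched) into one script, as an added example that is not part of this thread and not the audit project's own code. It stages the configuration under a prefix directory so it can be dry-run and diffed before a live host is touched. The ROOT and REMOTE variables, the collector hostname and the "apply" argument are assumptions; the file locations are those of the audit 2.6-era userspace (plugin configuration under /etc/audisp); the inlined fallback rule reproduces the single rule of the sample 32-power-abuse.rules file and should be checked against the copy your package ships.

```shell
#!/bin/sh
# Added example: stage the audit setup discussed in the thread under a prefix.
# ROOT (assumed; empty = the live system) prefixes every path, so
#   ROOT=/tmp/stage sh stage-audit.sh apply
# writes a tree you can inspect first. REMOTE (assumed) is the collector host.
ROOT="${ROOT:-}"
REMOTE="${REMOTE:-audit-collector.example.internal}"

# 1. tty auditing: pam_tty_audit records the keystrokes of audited sessions as
#    TTY records. disable=* enable=root keeps other users' typing out of the
#    log. Appended to the PAM stacks where a root shell normally starts.
stage_tty_audit() {
  for svc in su sudo; do
    f="${ROOT%/}/etc/pam.d/$svc"
    mkdir -p "$(dirname "$f")"
    grep -q 'pam_tty_audit\.so' "$f" 2>/dev/null && continue   # already present
    printf 'session required pam_tty_audit.so disable=* enable=root\n' >> "$f"
  done
}

# 2. 32-power-abuse.rules: flags uid 0 touching files under /home that belong
#    to a different login user. Copied from the audit package's sample rules
#    when found; otherwise the sample's rule is reproduced (verify against
#    your package's copy).
stage_power_abuse_rules() {
  d="${ROOT%/}/etc/audit/rules.d"
  mkdir -p "$d"
  src=$(ls /usr/share/doc/audit*/rules/32-power-abuse.rules \
           /usr/share/audit/sample-rules/32-power-abuse.rules 2>/dev/null | head -n 1)
  if [ -n "$src" ]; then
    cp "$src" "$d/32-power-abuse.rules"
  else
    cat > "$d/32-power-abuse.rules" <<'EOF'
## Root (uid=0) touching a file under /home whose owner is not the logged-in
## user (auid). auid!=4294967295 excludes daemons that have no login uid
## (audit 2.6 spelling; newer releases also accept auid!=unset).
-a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=4294967295 -C auid!=obj_uid -F key=power-abuse
EOF
  fi
}

# 3. audisp-remote: each record is shipped to the collector as it is written,
#    so editing /var/log/audit/audit.log on the host leaves the remote copy
#    untouched. Plain tcp is neither authenticated nor encrypted; prefer
#    transport = krb5 with enable_krb5 = yes where the collector supports it.
#    network_failure_action = syslog records an outage instead of the default
#    of stopping auditd; pick the stricter actions if gaps are unacceptable.
stage_remote() {
  d="${ROOT%/}/etc/audisp"
  mkdir -p "$d/plugins.d"
  cat > "$d/plugins.d/au-remote.conf" <<'EOF'
active = yes
direction = out
path = /sbin/audisp-remote
type = always
format = string
EOF
  cat > "$d/audisp-remote.conf" <<EOF
remote_server = $REMOTE
port = 60
transport = tcp
mode = immediate
format = managed
network_failure_action = syslog
EOF
}

# 4. log_format = enriched (audit 2.6+): uid/gid/syscall/arch names are
#    resolved on the sending host, so the remote copy stays readable without
#    that host's /etc/passwd. Replaces an existing log_format line in place.
stage_enriched_format() {
  f="${ROOT%/}/etc/audit/auditd.conf"
  mkdir -p "$(dirname "$f")"
  [ -f "$f" ] || : > "$f"
  if grep -q '^log_format' "$f"; then
    sed 's/^log_format.*/log_format = enriched/' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
  else
    printf 'log_format = enriched\n' >> "$f"
  fi
}

# Returns 0 only when all four pieces are present in the staged tree.
check_staged() {
  r="${ROOT%/}"
  grep -q 'pam_tty_audit\.so' "$r/etc/pam.d/su" &&
  grep -q 'pam_tty_audit\.so' "$r/etc/pam.d/sudo" &&
  grep -q 'key=power-abuse' "$r/etc/audit/rules.d/32-power-abuse.rules" &&
  grep -q "^remote_server = $REMOTE\$" "$r/etc/audisp/audisp-remote.conf" &&
  grep -q '^active = yes$' "$r/etc/audisp/plugins.d/au-remote.conf" &&
  grep -q '^log_format = enriched$' "$r/etc/audit/auditd.conf"
}

stage_all() {
  stage_tty_audit && stage_power_abuse_rules && stage_remote &&
  stage_enriched_format && check_staged
}

# Only touch the filesystem when explicitly asked: sh stage-audit.sh apply
if [ "${1:-}" = "apply" ]; then
  stage_all && echo "staged under '${ROOT:-/}'; run augenrules --load and restart auditd"
fi
```

On a live host, load the rules with augenrules --load and restart auditd so the new log_format and the plugin take effect; a root session run afterwards should then show up in aureport --tty on both the host and the collector, and a root read of another user's home directory in ausearch -k power-abuse.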