-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
For the purpose of PCI auditing, I am looking into doing a proper
security trail, particularly of users who su / sudo to root/system_r.
From PCI standards:
10.5 Secure audit trails so they cannot be altered, including the
following:
10.5.1 Limit viewing of audit trails to those with a
job-related need.
10.5.2 Protect audit trail files from unauthorized
modifications.
10.5.3 Promptly back-up audit trail files to a
centralized log server or media that is difficult to alter
To begin, I have ventured into using auditctl and defining a
few rules to start with.
Would it be best to write a custom SELinux policy to log all system_r
commands / syscalls so someone could not just turn off auditd?
Currently we already use Syslog-ng, which hopefully we can incorporate
auditd to log to the central syslog servers.
The rules I have played with (among others), added to /etc/audit.rules
(we use auid 999 for testing):
-a entry,always -F uid=0 -F auid=999 -S open -S exit
-a task,always -F uid=0 -F auid=999
The problem is, I get tons of syscalls for applications such as sshd
and tail:
type=SYSCALL msg=audit(1154617455.081:67195): arch=c000003e syscall=2
success=yes exit=4 a0=2aaaabf9b375 a1=0 a2=1b6 a3=0 items=1 pid=25418
auid=XXX uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) comm="sshd" exe="/usr/sbin/sshd"
subj=user_u:system_r:unconfined_t:s0-s0:c0.c255
Would it be possible to use the "exclude" for auditctl? I am
unsure of how to not log sshd and tail without using a pid, which can
obviously change.
Is auditctl the appropriate way to go about logging, or is it better to
modify the SELinux policy in some way?
Thanks in advance,
--
Stuart James
System Administrator
DDI - (44) 0 1765 643354
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
iD8DBQFE0g93r8LwOCpshrYRAiUHAJ9CyVFsNq7XLX7xHl0k4h5OUJ4YSwCgjtUb
OJO2NkkAn8f1In6TsXTNF6Y=
=zxA3
-----END PGP SIGNATURE-----
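The noise problem described in the mail (every open() by sshd and tail showing up once uid=0 and auid=999 match) is usually handled downstream rather than in the kernel filter: keep the broad rule so the trail stays complete, then reduce it on the central log host by program rather than by pid. The following is an added example, not code from the mail or from the audit project, of a small parser for type=SYSCALL records that keeps only events run as uid 0 under a real login session (auid set) and drops records by exe path. The sample records are constructed: the first is the sshd record from the mail with auid filled in as 999, the other two are invented su and tail records for the same session.

```python
import re
from typing import Dict, Iterable, List, Optional, Set

# Constructed sample records (not captured from a real host): the sshd record
# quoted in the mail with auid=999, plus an invented `su` execve and an
# invented `tail` open under the same audit session.
SAMPLE_RECORDS = [
    'type=SYSCALL msg=audit(1154617455.081:67195): arch=c000003e syscall=2 '
    'success=yes exit=4 a0=2aaaabf9b375 a1=0 a2=1b6 a3=0 items=1 pid=25418 '
    'auid=999 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 '
    'tty=(none) comm="sshd" exe="/usr/sbin/sshd" '
    'subj=user_u:system_r:unconfined_t:s0-s0:c0.c255',
    'type=SYSCALL msg=audit(1154617460.002:67201): arch=c000003e syscall=59 '
    'success=yes exit=0 a0=1 a1=2 a2=3 a3=0 items=2 pid=25430 '
    'auid=999 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 '
    'tty=pts0 comm="su" exe="/bin/su" '
    'subj=user_u:system_r:unconfined_t:s0-s0:c0.c255',
    'type=SYSCALL msg=audit(1154617461.115:67202): arch=c000003e syscall=2 '
    'success=yes exit=3 a0=1 a1=0 a2=0 a3=0 items=1 pid=25431 '
    'auid=999 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 '
    'tty=pts0 comm="tail" exe="/usr/bin/tail" '
    'subj=user_u:system_r:unconfined_t:s0-s0:c0.c255',
]

# key=value pairs; values are either double-quoted (comm, exe) or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# msg=audit(<epoch.millis>:<serial>): carries the event time and sequence number.
MSG_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')

AUID_UNSET = "4294967295"  # -1 as unsigned: no login session (daemons, boot)


def parse_record(line: str) -> Dict[str, str]:
    """Split one audit record into field -> value, stripping quotes and
    lifting the timestamp and serial out of the msg=audit(...) token."""
    fields: Dict[str, str] = {}
    for key, value in FIELD_RE.findall(line):
        fields[key] = value.strip('"')
    m = MSG_RE.search(fields.get("msg", ""))
    if m:
        fields["timestamp"] = m.group(1)
        fields["serial"] = m.group(2)
    return fields


def select_root_events(lines: Iterable[str],
                       exclude_exes: Set[str],
                       auid: Optional[str] = None) -> List[Dict[str, str]]:
    """Keep SYSCALL records that ran as uid 0 under a real login session,
    optionally restricted to one auid, and drop programs by executable path
    (stable across restarts, unlike the pid the mail worries about)."""
    kept: List[Dict[str, str]] = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("uid") != "0":
            continue
        if rec.get("auid") in (None, AUID_UNSET):
            continue  # no login session: not a su/sudo trail event
        if auid is not None and rec.get("auid") != auid:
            continue
        if rec.get("exe") in exclude_exes:
            continue
        kept.append(rec)
    return kept


if __name__ == "__main__":
    noise = {"/usr/sbin/sshd", "/usr/bin/tail"}
    for ev in select_root_events(SAMPLE_RECORDS, noise, auid="999"):
        print(ev["timestamp"], ev["serial"], ev["auid"], ev["comm"], ev["exe"])
```

Two design points: filtering keys on exe rather than comm because comm is a 16-byte name the process itself can change, whereas exe is resolved by the kernel from the running image; and records with auid unset are dropped because they belong to daemons that never logged in and so cannot be part of a su/sudo trail. Later auditctl releases accept an exe field in rules, which moves this same exclusion into the kernel filter, but the version in use in 2006 predates it.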