Is there anything online detailing SELinux's accounting and auditing features?
Example:
- How/if it does system and process accounting
- How/if it does system and process auditing
- How/if it exactly logs (through syslogd?)
Thanks, Marco
On 10/21/2009 10:32 AM, Marco Shaw wrote:
> Is there anything online detailing SELinux's accounting and auditing features?
> Example:
> - How/if it does system and process accounting
> - How/if it does system and process auditing
> - How/if it exactly logs (through syslogd?)
SELinux is a MAC (Mandatory Access Control) system. It does not do accounting and auditing. However, the features in the audit system are probably what you want. For information on audit, start here: http://people.redhat.com/sgrubb/audit/index.html
SELinux denials do get recorded in the audit log (/var/log/audit/audit.log).
On Wed, Oct 21, 2009 at 11:42 AM, John Dennis <jdennis@redhat.com> wrote:
> On 10/21/2009 10:32 AM, Marco Shaw wrote:
> > Is there anything online detailing SELinux's accounting and auditing features?
> > Example:
> > - How/if it does system and process accounting
> > - How/if it does system and process auditing
> > - How/if it exactly logs (through syslogd?)
> SELinux is a MAC (Mandatory Access Control) system. It does not do accounting and auditing. However, the features in the audit system are probably what you want. For information on audit, start here: http://people.redhat.com/sgrubb/audit/index.html
> SELinux denials do get recorded in the audit log (/var/log/audit/audit.log).
(Line-wrapping may be way off, sorry...)
Thanks John,
Is audit an officially supported package though? If not, I'm going to have to research how RHEL can meet all the PCI-DSS requirements...
There was a webcast yesterday on RHEL and PCI compliance, but I got called away just as they were answering one of my questions near the end of the webcast.
I'll have to research more on the audit.log also. I'd prefer to have a built-in solution that uses syslogd, vs. something hard-coded to a specific log.
Marco
On 10/21/2009 12:17 PM, Marco Shaw wrote:
> On Wed, Oct 21, 2009 at 11:42 AM, John Dennis <jdennis@redhat.com> wrote:
> > On 10/21/2009 10:32 AM, Marco Shaw wrote:
> > > Is there anything online detailing SELinux's accounting and auditing features?
> > > Example:
> > > - How/if it does system and process accounting
> > > - How/if it does system and process auditing
> > > - How/if it exactly logs (through syslogd?)
> > SELinux is a MAC (Mandatory Access Control) system. It does not do accounting and auditing. However, the features in the audit system are probably what you want. For information on audit, start here: http://people.redhat.com/sgrubb/audit/index.html
> > SELinux denials do get recorded in the audit log (/var/log/audit/audit.log).
> (Line-wrapping may be way off, sorry...)
> Thanks John,
> Is audit an officially supported package though? If not, I'm going to have to research how RHEL can meet all the PCI-DSS requirements...
> There was a webcast yesterday on RHEL and PCI compliance, but I got called away just as they were answering one of my questions near the end of the webcast.
> I'll have to research more on the audit.log also. I'd prefer to have a built-in solution that uses syslogd, vs. something hard-coded to a specific log.
Yes, audit is official. There is an entire ecosystem built around audit, including things like intrusion detection. Start with the link I provided, do a bit of reading, then follow up with your question on the Linux Audit mailing list (this email list is not the one you want). You can subscribe to the Linux Audit mailing list here:
https://www.redhat.com/mailman/listinfo/linux-audit
selinux@lists.fedoraproject.org