-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

For the purpose of PCI auditing, I am looking into doing a proper security trail, particularly of users who su / sudo to root/system_r.

From PCI standards:

10.5 Secure audit trails so they cannot be altered, including the following:
10.5.1 Limit viewing of audit trails to those with a job-related need.
10.5.2 Protect audit trail files from unauthorized modifications.
10.5.3 Promptly back up audit trail files to a centralized log server or media that is difficult to alter.

To begin I have ventured into using auditctl and defining a few rules to start with. Would it be best to write a custom SELinux policy to log all system_r commands / syscalls so someone could not just turn off auditd? Currently we already use syslog-ng, which hopefully we can incorporate auditd with to log to the central syslog servers.

The rules I have played with by adding to /etc/audit.rules (among others) (we use auid 999 for testing):

    -a entry,always -F uid=0 -F auid=999 -S open -S exit
    -a task,always -F uid=0 -F auid=999

The problem is, I get tons of syscalls for applications such as sshd and tail:

    type=SYSCALL msg=audit(1154617455.081:67195): arch=c000003e syscall=2 success=yes exit=4 a0=2aaaabf9b375 a1=0 a2=1b6 a3=0 items=1 pid=25418 auid=XXX uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="sshd" exe="/usr/sbin/sshd" subj=user_u:system_r:unconfined_t:s0-s0:c0.c255

Would it be possible to use the "exclude" for auditctl? I am unsure of how to not log sshd and tail without using a pid, which can obviously change. Is auditctl the appropriate way to go about logging, or is it better to modify the SELinux policy in some way?

Thanks in advance,

--
Stuart James
System Administrator
DDI - (44) 0 1765 643354

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFE0g93r8LwOCpshrYRAiUHAJ9CyVFsNq7XLX7xHl0k4h5OUJ4YSwCgjtUb
OJO2NkkAn8f1In6TsXTNF6Y=
=zxA3
-----END PGP SIGNATURE-----

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
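An added example, not from the poster or from the fedora-selinux list, illustrating the two points the question turns on: how to parse the type=SYSCALL record format shown above into fields, and how to drop the sshd / tail noise by process identity (the exe field) rather than by pid, while keeping the records that matter for the PCI trail (a root process whose login uid, auid, is a real user, i.e. someone who became root via su / sudo). The first sample record is the one from the post with the redacted auid=XXX replaced by the test value 999; the other three records, the noise list of paths, and the `syslog_line` output format are constructed for this example. The value 4294967295 is the kernel's "login uid never set" sentinel (-1 as unsigned), which is what daemons started at boot carry.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample input. Record 0 is the record from the post (auid=XXX -> 999);
# records 1-3 are made up to exercise the filter: a tail run by the same root
# session, a useradd run by the same session, and the sshd daemon itself (auid unset).
SAMPLE_RECORDS = [
    'type=SYSCALL msg=audit(1154617455.081:67195): arch=c000003e syscall=2 success=yes exit=4 '
    'a0=2aaaabf9b375 a1=0 a2=1b6 a3=0 items=1 pid=25418 auid=999 uid=0 gid=0 euid=0 suid=0 '
    'fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="sshd" exe="/usr/sbin/sshd" '
    'subj=user_u:system_r:unconfined_t:s0-s0:c0.c255',
    'type=SYSCALL msg=audit(1154617460.100:67201): arch=c000003e syscall=2 success=yes exit=3 '
    'a0=1 a1=0 a2=0 a3=0 items=1 pid=25500 auid=999 uid=0 gid=0 euid=0 suid=0 '
    'fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="tail" exe="/usr/bin/tail" '
    'subj=user_u:system_r:unconfined_t:s0-s0:c0.c255',
    'type=SYSCALL msg=audit(1154617470.200:67210): arch=c000003e syscall=59 success=yes exit=0 '
    'a0=1 a1=0 a2=0 a3=0 items=2 pid=25510 auid=999 uid=0 gid=0 euid=0 suid=0 '
    'fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="useradd" exe="/usr/sbin/useradd" '
    'subj=user_u:system_r:unconfined_t:s0-s0:c0.c255',
    'type=SYSCALL msg=audit(1154617480.300:67220): arch=c000003e syscall=2 success=yes exit=5 '
    'a0=1 a1=0 a2=0 a3=0 items=1 pid=25600 auid=4294967295 uid=0 gid=0 euid=0 suid=0 '
    'fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="sshd" exe="/usr/sbin/sshd" '
    'subj=system_u:system_r:sshd_t:s0-s0:c0.c255',
]

# Processes whose root-context syscalls are considered noise for this trail (assumed list).
NOISE_EXE = {'/usr/sbin/sshd', '/usr/bin/tail'}

# Login uid that was never set: daemons started at boot, not a user who logged in.
AUID_UNSET = str(2**32 - 1)  # 4294967295

# key=value tokens; values are either a double-quoted string or a run of non-space chars.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_record(line: str) -> Dict[str, str]:
    """Parse one audit record into a field -> value dict.

    Quoted values such as comm="sshd" lose their quotes; unquoted values
    (tty=(none), subj=...) are kept verbatim. The msg=audit(TS:SERIAL): token
    is additionally split into 'timestamp' and 'serial' for correlation.
    """
    fields: Dict[str, str] = {}
    for key, value in FIELD_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    m = re.match(r'audit\((\d+\.\d+):(\d+)\)', fields.get('msg', ''))
    if m:
        fields['timestamp'], fields['serial'] = m.group(1), m.group(2)
    return fields


def is_escalated_session(rec: Dict[str, str]) -> bool:
    """True when the process runs as root but originated from a real user login:
    uid is 0 while auid is set and is not root. This is the su/sudo-to-root case."""
    auid = rec.get('auid')
    return rec.get('uid') == '0' and auid not in (None, '0', AUID_UNSET)


def triage(lines: Iterable[str], noise_exe: Iterable[str] = NOISE_EXE) -> List[Dict[str, str]]:
    """Return the SYSCALL records worth forwarding: escalated-root activity minus
    processes whose exe path is on the noise list. Matching on exe rather than pid
    survives process restarts, and exe is resolved by the kernel from the running
    binary, unlike comm, which is a name the task can set for itself."""
    noise = set(noise_exe)
    kept = []
    for line in lines:
        rec = parse_record(line)
        if rec.get('type') != 'SYSCALL':
            continue
        if not is_escalated_session(rec):
            continue
        if rec.get('exe') in noise:
            continue
        kept.append(rec)
    return kept


def summarize_by_exe(lines: Iterable[str]) -> Dict[str, int]:
    """Count records per exe; useful for deciding what belongs on the noise list."""
    counts: Dict[str, int] = {}
    for line in lines:
        exe = parse_record(line).get('exe', '?')
        counts[exe] = counts.get(exe, 0) + 1
    return counts


def syslog_line(rec: Dict[str, str]) -> str:
    """Compact one-line form for forwarding to a central syslog server (constructed format)."""
    keys = ('serial', 'auid', 'uid', 'exe', 'syscall', 'success', 'tty', 'subj')
    return 'audit ' + ' '.join(f'{k}={rec.get(k, "?")}' for k in keys)


if __name__ == '__main__':
    for exe, n in sorted(summarize_by_exe(SAMPLE_RECORDS).items()):
        print(f'{n:4d} {exe}')
    for rec in triage(SAMPLE_RECORDS):
        print(syslog_line(rec))
```

Two caveats when moving this logic into the rules themselves: the kernel evaluates audit rules in list order and stops at the first match, so any `never` rule meant to suppress a process must be loaded before the `always` rules it is meant to override; and newer audit userspace lets rules match on the binary path directly (auditctl's `-F exe=` field), which was not available in the 2006-era tooling the poster was using, so in that environment the exclusion has to happen in post-processing like the filter above.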