>- From PCI standards

I'm not familiar with this one; where would I find its requirements on the
internet?

>10.5 Secure audit trails so they cannot be altered, including the
>following:
>10.5.1 Limit viewing of audit trails to those with a
>job-related need.
>10.5.2 Protect audit trail files from unauthorized
>modifications.

The above is handled currently by the audit system.

>10.5.3 Promptly back-up audit trail files to a
>centralized log server or media that is difficult to alter

You'll have to modify the cron script to do this.

>Would it be best to write a custom selinux policy to log all system_r
>commands / syscalls so someone could not just turn off the auditd.

No one can turn off auditd unless they are root. Do you have untrusted root
users?

>Currently we already use Syslog-ng, which hopefully we can incorporate
>auditd to log to the central syslog servers.

Generally what you would want to do is update the cron script to rename the
files with date, time, and machine name. Then scp them to a directory on a
remote machine. I would not merge the logs with syslog since you will lose
the ability to use any audit tools.

>-a entry,always -F uid=0 -F auid=999 -S open -S exit
>- -a task,always -F uid=0 -F auid=999

This will log every open of every file for that user. What are you really
trying to capture? Generally, security targets are concerned with
modifications of specific files.

>The problem is, I get tons of syscalls for applications such as sshd
>and tail

Yep.

>Would it be possible to use the "exclude" for auditctl,

This will exclude one type of message. For example, you can get rid of
everything with type=LOGIN. It only looks at that one field and nothing else.

>but I am unsure of how to not log sshd and tail without using a pid which
>can obviously change.

What are you really trying to record?

>Is auditctl the appropriate way to go about logging,

Audit should be used to audit with.

-Steve

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
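Steve's suggestion above (rotate the audit log, rename the closed files with date, time and machine name, then scp them to a central host, keeping them out of syslog so ausearch/aureport still work) written out as a POSIX shell script a cron job could call. This is an added example, not code from the original thread or from the audit project; the log directory, the remote user/host/path and the staging layout are assumptions, and the `service auditd rotate` step assumes the Red Hat init script. The sha256 manifest is an addition so the central host can check that nothing changed in transit, which is the "difficult to alter" part of 10.5.3.

```shell
#!/bin/sh
# Added example (not from the original thread): rotate auditd's logs, copy the
# closed files to a staging directory under <host>-<date>-<time>-<name>, write
# a sha256 manifest, and scp the lot to a central host. Run from root's cron.
#
# Assumed values, override via the environment:
AUDIT_DIR="${AUDIT_DIR:-/var/log/audit}"                      # auditd log_file dir
REMOTE="${REMOTE:-auditcopy@loghost.example.com:/srv/audit}"  # placeholder host/path

# Name for the shipped copy: <hostname>-<YYYYmmdd-HHMMSS>-<original basename>.
audit_archive_name() {
    # $1 hostname, $2 timestamp, $3 local path
    printf '%s-%s-%s\n' "$1" "$2" "$(basename "$3")"
}

# Print the rotated (closed) logs, one per line. The live audit.log is skipped:
# auditd is still appending to it, so a copy taken now would be incomplete.
rotated_audit_logs() {
    for f in "$1"/audit.log.*; do
        [ -f "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# Copy each rotated log into $2 under its archive name (cp -p keeps the mtime,
# which matters for forensics) and record a sha256 per file so the central host
# can verify that nothing changed in transit or afterwards.
stage_audit_logs() {
    dir="$1" stage="$2" host="$3" stamp="$4"
    mkdir -p "$stage"
    rotated_audit_logs "$dir" | while IFS= read -r f; do
        name=$(audit_archive_name "$host" "$stamp" "$f")
        cp -p "$f" "$stage/$name"
        (cd "$stage" && sha256sum "$name") >> "$stage/MANIFEST.sha256"
    done
}

# The cron entry point: rotate, stage, ship, clean up. Requires root.
ship_audit_logs() {
    stamp=$(date +%Y%m%d-%H%M%S)
    host=$(hostname -s)
    stage=$(mktemp -d)
    service auditd rotate                 # close audit.log, start a fresh one
    stage_audit_logs "$AUDIT_DIR" "$stage" "$host" "$stamp"
    # Only discard the staged copies if the transfer succeeded.
    scp -q "$stage"/* "$REMOTE/" && rm -rf "$stage"
}

# Usage: ship_audit.sh --ship   (e.g. from /etc/cron.daily, as root)
if [ "${1:-}" = "--ship" ]; then
    ship_audit_logs
fi
```

The timestamp is taken once per run, so every file shipped by one cron invocation shares it and the manifest ties the set together. A rotated file stays under audit.log.N until auditd's num_logs pushes it out, so it is shipped again on later runs under a new name; the central host can collapse those duplicates on the sha256 in the manifest. The copies remain plain audit records, so ausearch and aureport can be pointed at them with -if on the central host.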