Hi Steve,

On Thu, 3 Aug 2006 08:47:10 -0700 (PDT) Steve G <linux_4ever@xxxxxxxxx> wrote:

> > From PCI standards
>
> I'm not familiar with this one, where would I find its requirements
> on the internet?
>
> > 10.5 Secure audit trails so they cannot be altered, including the
> > following:
> > 10.5.1 Limit viewing of audit trails to those with a
> > job-related need.
> > 10.5.2 Protect audit trail files from unauthorized
> > modifications.
>
> The above is handled currently by the audit system.
>
> > 10.5.3 Promptly back-up audit trail files to a
> > centralized log server or media that is difficult to alter
>
> You'll have to modify the cron script to do this.
>
> > Would it be best to write a custom selinux policy to log all system_r
> > commands / syscalls so someone could not just turn off the auditd.
>
> No one can turn off auditd unless they are root. Do you have
> untrusted root users?

We do not have untrusted root users. The problem is we are trying to
audit ourselves and do it in a way that we could not easily circumvent,
and if we were to, there would be a record. For instance, if I were to
disable auditd, there should be a record of such as I do it, on a
central log server I do not have access to. Currently we use Sudo and
log via syslog-ng to a central server; obviously sudo can be
circumvented in many ways, such as "sudo /bin/bash" will do it.

> > Currently we already use Syslog-ng, which hopefully we can
> > incorporate auditd to log to the central syslog servers.
>
> Generally what you would want to do is update the cron script to
> rename the files with date, time, and machine name. Then scp them to
> a directory on a remote machine. I would not merge the logs with
> syslog since you will lose the ability to use any audit tools.
>
> > -a entry,always -F uid=0 -F auid=999 -S open -S exit
> > -a task,always -F uid=0 -F auid=999
>
> This will log every open of every file for that user. What are you
> really trying to capture? Generally, security targets are concerned
> with modifications of specific files.
>
> > The problem is, I get tons of syscalls for applications such as sshd
> > and tail
>
> Yep.
>
> > Would it be possible to use the "exclude" for auditctl,
>
> This will exclude one type of message. For example, you can get rid
> of everything

If I wanted to exclude the following

type=SYSCALL msg=audit(1154617819.471:67475): arch=c000003e syscall=2 success=yes exit=3 a0=2aaaac31f8e9 a1=0 a2=1b6 a3=0 items=1 pid=25561 auid=XXX uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="sshd" exe="/usr/sbin/sshd" subj=user_u:system_r:unconfined_t:s0-s0:c0.c255

-a exclude,always -F msgtype=SYSCALL
-a exit,always -F uid=0
-a entry,always -F uid=0

Is this correct? Or can I do something

-a exit,

> with type=LOGIN. It only looks at that one field and nothing else.
>
> > but I am unsure of how to not log sshd and tail without using a pid
> > which can obviously change.
>
> What are you really trying to record?

Trying to record when people access particular files, which I have been
looking at the auditctl -w for, but the examples in the documentation do
not work, such as (found in capp.rules)

-w /var/log/audit/ -k LOG_audit

Thanks in advance

--
Stuart James
System Administrator
DDI - (44) 0 1765 643354

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
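As an added illustration that is not part of the thread: the exclude filter tests only the record type, so `-a exclude,always -F msgtype=SYSCALL` would silence the quoted sshd record together with every other SYSCALL record, and filtering by program (sshd, tail) has to happen somewhere else, here as post-processing of the log. The script below parses the record quoted above plus one constructed vim record (a made-up sample, not from the list) and contrasts the two filters.

```python
import re

# The SYSCALL record quoted in the thread, plus one constructed record
# (comm="vim", not from the thread) so the two filters can be contrasted.
RECORDS = [
    'type=SYSCALL msg=audit(1154617819.471:67475): arch=c000003e syscall=2 '
    'success=yes exit=3 a0=2aaaac31f8e9 a1=0 a2=1b6 a3=0 items=1 pid=25561 '
    'auid=XXX uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 '
    'tty=(none) comm="sshd" exe="/usr/sbin/sshd" '
    'subj=user_u:system_r:unconfined_t:s0-s0:c0.c255',
    # constructed sample record
    'type=SYSCALL msg=audit(1154617900.000:67500): arch=c000003e syscall=2 '
    'success=yes exit=4 a0=1 a1=0 a2=0 a3=0 items=1 pid=26000 auid=999 '
    'uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 '
    'comm="vim" exe="/usr/bin/vim" '
    'subj=user_u:system_r:unconfined_t:s0-s0:c0.c255',
]

# key=value pairs; values are either double-quoted or a run of non-blanks
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into a dict of fields (quotes stripped)."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def exclude_msgtype(records, msgtype):
    """Model of '-a exclude,always -F msgtype=<type>': the exclude filter
    looks at the record type and nothing else, so every record of that
    type is dropped, whatever its comm, exe or auid says."""
    return [r for r in records if r["type"] != msgtype]


def drop_by_comm(records, noisy_comms):
    """Post-processing filter: drop records whose comm is in noisy_comms."""
    return [r for r in records if r.get("comm") not in noisy_comms]


def demo():
    parsed = [parse_record(line) for line in RECORDS]
    left_after_exclude = len(exclude_msgtype(parsed, "SYSCALL"))
    kept_comms = [r["comm"] for r in drop_by_comm(parsed, {"sshd", "tail"})]
    return left_after_exclude, kept_comms


if __name__ == "__main__":
    print(demo())  # (0, ['vim'])
```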