From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: Weird issues in 2.6.5
Date: Wed, 13 Jul 2016 12:42:22 -0400 [thread overview]
Message-ID: <4163033.HK5e6qXJ5d@x2> (raw)
In-Reply-To: <1592387.yc9HYPXd4B@x2>
On Wednesday, July 13, 2016 12:32:55 PM EDT Steve Grubb wrote:
> On Wednesday, July 13, 2016 9:22:57 AM EDT Chris Nandor wrote:
> > Secondary question: the reason for what I'm working on is that we want to
> > be able to audit what folks do as root on our production hosts. We're not
> > a bank, and a perfect solution is not required, but we do need to be able
> > to take reasonable steps to find out if people with access are doing bad
> > things.
> >
> > Is this setup reasonable for that purpose?
>
> Yes. You would want to do two things, first enable tty auditing. This is
> done by the pam_tty_audit module. Second consider adding the
> 32-power-abuse.rules to your rules.
>
> > I know that's a loaded question
> > and I can answer any questions anyone has that are necessary to figure
> > this
> > out. I am not asking so much about rules, but about architecture: logging
> > according to whatever rules we set up, to the local audit.log and
> > immediately to a remote using audisp-remote, so the log can't be easily
> > manipulated.
>
> Remote logging is the defence against local log manipulation.
Another thing to consider is that the 2.6 version of the audit user space has
a new logging format. You might consider going into auditd.conf and setting
log_format = enriched. This resolves some information locally before sending
it to the remote system.
-Steve
next prev parent reply other threads:[~2016-07-13 16:42 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-07-13 15:47 Weird issues in 2.6.5 Chris Nandor
2016-07-13 15:57 ` Steve Grubb
2016-07-13 16:22 ` Chris Nandor
2016-07-13 16:32 ` Steve Grubb
2016-07-13 16:42 ` Steve Grubb [this message]
2016-07-13 16:51 ` Chris Nandor
2016-07-13 16:55 ` Chris Nandor
2016-07-13 17:07 ` Steve Grubb
2016-07-13 17:51 ` Chris Nandor
2016-07-13 18:38 ` Steve Grubb
2016-07-13 18:45 ` Chris Nandor
2016-07-13 22:22 ` Chris Nandor
2016-07-15 1:09 ` Steve Grubb
2016-07-13 21:14 ` Chris Nandor
2016-07-13 21:11 ` Chris Nandor
2016-07-13 16:20 ` Richard Guy Briggs
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4163033.HK5e6qXJ5d@x2 \
--to=sgrubb@redhat.com \
--cc=linux-audit@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox