On Tuesday 06 April 2010 04:14:32 pm [email protected] wrote:
> - Monitoring system startup and shutdown. I could monitor all the
> relevant binaries (shutdown/halt/reboot/?), but I suspect there are ways
> around these. I'm not sure how to accurately monitor startup at all.

Init is the only thing that knows the system is changing states. Upstart was patched to handle this requirement, but the older SysVinit package has not been patched. You should be able to watch some of the apps in the init package to see what is happening. It won't be as nice as the Upstart-based solution, but it will log the event.

> - Use of print command (unsuccessful and successful). I tried modifying
> the "Use of privileged commands" rule to monitor the command-line print
> commands and cupsd, but this didn't catch printing via GUI apps through
> CUPS, and I suspect there must be a better way anyhow. There are cupsd
> audit entries, but these are from the permission change/deletion rules (I
> did move the print rules above those, close to the top).

Support for auditing anything on the desktop is not really functional. Dbus has no way of changing the auid correctly, and everything passing through it would be attributed to root. The best way to straighten this all out would be getting the desktop through a Common Criteria certification so that all this would get addressed, but there has never been enough interest to do this.

> If I should just be monitoring these via another facility, that may also
> work. I'm also pondering the best way to get the RHEL4 machines to send
> their audit logs to a central server, as there seems to be no support for
> audisp at all (unless I'm missing something).

RHEL4 won't be getting any updates to support this as far as I know. I have no experience with any other solutions to be able to recommend any of them.

-Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
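An added example, not from Steve's reply or the original poster's setup: the execute watches on the init-package binaries that the reply suggests for catching state changes, and a small summary of the resulting SYSCALL records by login uid (auid), run here over constructed sample records. The binary list, the key name and the sample records are assumptions.

```shell
#!/bin/sh
# Added example: audit watches for the init-package binaries that change
# system state, plus a summary of the matching records by login uid.

# Entry points that change runlevel or halt the machine on a SysVinit
# system. /sbin/init and /sbin/telinit are SysVinit's own; the rest wrap
# them. Paths assume a RHEL-style layout (assumption).
STATE_BINS="/sbin/init /sbin/telinit /sbin/shutdown /sbin/halt /sbin/reboot /sbin/poweroff"
STATE_KEY="system-state"

# Emit one file watch per binary, triggered on execute (-p x), tagged with
# the key so the records are easy to pull back out with ausearch -k.
state_change_rules() {
    for bin in $STATE_BINS; do
        printf '%s %s -p x -k %s\n' "-w" "$bin" "$STATE_KEY"
    done
}

# Read raw audit records on stdin and print "auid uid exe comm" for each
# SYSCALL record carrying our key. auid is the login uid (who logged in),
# uid the current uid; auid=4294967295 means no login uid was ever set,
# which is what a record originating from a daemon looks like.
summarize_state_events() {
    awk -v key="$STATE_KEY" '
        /^type=SYSCALL / && index($0, "key=\"" key "\"") {
            auid = uid = exe = comm = "?"
            for (i = 1; i <= NF; i++) {
                f = $i; gsub(/"/, "", f); split(f, kv, "=")
                if (kv[1] == "auid") auid = kv[2]
                else if (kv[1] == "uid") uid = kv[2]
                else if (kv[1] == "exe") exe = kv[2]
                else if (kv[1] == "comm") comm = kv[2]
            }
            print auid, uid, exe, comm
        }'
}

# Constructed sample records in auditd's on-disk format (not real log data).
SAMPLE_LOG='type=SYSCALL msg=audit(1270594472.123:456): arch=c000003e syscall=59 success=yes exit=0 ppid=1234 pid=1235 auid=500 uid=0 gid=0 euid=0 comm="shutdown" exe="/sbin/shutdown" key="system-state"
type=SYSCALL msg=audit(1270594480.001:457): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=1300 auid=4294967295 uid=0 gid=0 euid=0 comm="telinit" exe="/sbin/telinit" key="system-state"
type=SYSCALL msg=audit(1270594490.555:458): arch=c000003e syscall=59 success=yes exit=0 ppid=2000 pid=2001 auid=500 uid=500 gid=500 euid=500 comm="lpr" exe="/usr/bin/lpr" key="privileged"'

# Usage on a live box: save state_change_rules output to a rules file and
# load it with "auditctl -R <file>", then feed
# "ausearch -k system-state --raw" into summarize_state_events.
printf '%s\n' "$SAMPLE_LOG" | summarize_state_events
```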
