Yeah, I saw that (and tried it out, but reverted when I noticed the truncation issues). Nice feature!
On Wed, Jul 13, 2016 at 9:42 AM, Steve Grubb <[email protected]> wrote: > On Wednesday, July 13, 2016 12:32:55 PM EDT Steve Grubb wrote: > > On Wednesday, July 13, 2016 9:22:57 AM EDT Chris Nandor wrote: > > > Secondary question: the reason for what I'm working on is that we want > to > > > be able to audit what folks do as root on our production hosts. We're > not > > > a bank, and a perfect solution is not required, but we do need to be > able > > > to take reasonable steps to find out if people with access are doing > bad > > > things. > > > > > > Is this setup reasonable for that purpose? > > > > Yes. You would want to do two things, first enable tty auditing. This is > > done by the pam_tty_audit module. Second consider adding the > > 32-power-abuse.rules to your rules. > > > > > I know that's a loaded question > > > and I can answer any questions anyone has that are necessary to figure > > > this > > > out. I am not asking so much about rules, but about architecture: > logging > > > according to whatever rules we set up, to the local audit.log and > > > immediately to a remote using audisp-remote, so the log can't be easily > > > manipulated. > > > > Remote logging is the defence against local log manipulation. > > Another thing to consider is that the 2.6 version of the audit user space > has > a new logging format. You might consider going into auditd.conf and setting > log_format = enriched. This resolves some information locally before > sending > it to the remote system. > > -Steve >
-- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
