Re: Weird issues in 2.6.5

On Wednesday, July 13, 2016 9:22:57 AM EDT Chris Nandor wrote: > Secondary question: the reason for what I'm working on is that we want to > be able to audit what folks do as root on our production hosts. We're not > a bank, and a perfect solution is not required, but we do need to be able > to take reasonable steps to find out if people with access are doing bad > things. > > Is this setup reasonable for that purpose? Yes. You would want to do two things, first enable tty auditing. This is done by the pam_tty_audit module. Second consider adding the 32-power-abuse.rules to your rules. > I know that's a loaded question > and I can answer any questions anyone has that are necessary to figure > this > out. I am not asking so much about rules, but about architecture: logging > according to whatever rules we set up, to the local audit.log and > immediately to a remote using audisp-remote, so the log can't be easily > manipulated. Remote logging is the defence against local log manipulation.