[Gllug] Change Management tools

Daniel P. Berrange dan at berrange.com
Wed Jun 8 12:20:41 UTC 2005


On Wed, Jun 08, 2005 at 01:10:47PM +0100, Tethys wrote:
> We use AIDE to verify that the machine is in a consistent, approved
> state. Any changes are detected, and a simple web front end lets us
> add annotations to explain the reasons for the change (which should
> tie in to a change request number, although they don't always do so
> yet). As for who's made the change, you'd need process accounting or
> something like systrace/dtrace to be able to see that sort of information,
> which starts getting pretty invasive and potentially harms performance.

Both Red Hat and SUSE kernels include system wide auditing capabilities,
primarily to enable CAL-3 security certification. If you are reasonably
restrictive about what files / processes you mark as being audited
then the performance hit isn't prohibitively high.

The original LAUS implementation was pretty hairy, but for 2.6 kernel
in RHEL-4, a new impl was written to work in conjunction with SELinux
framework, and is actually part of upstream kernel tree. So, if you've
got particular files & processes you're interested in auditing it may
well be worth taking a look at these capabilities.

Regards,
Dan.
-- 
|=-            GPG key: http://www.berrange.com/~dan/gpgkey.txt       -=|
|=-       Perl modules: http://search.cpan.org/~danberr/              -=|
|=-           Projects: http://freshmeat.net/~danielpb/               -=|
|=-   berrange at redhat.com  -  Daniel Berrange  -  dan at berrange.com    -=|
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
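
Added example, not part of the original post: a sketch of how kernel audit records for a few watched files can answer the "who made the change" question raised in the thread. It assumes the record layout of current Linux audit logs; the log lines, the rule key "change-mgmt" and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample records in the Linux audit log layout (not from the post).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1118233241.123:4021): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=2310 pid=2345 auid=1001 uid=0 euid=0 comm="vi" exe="/usr/bin/vi" key="change-mgmt"
type=PATH msg=audit(1118233241.123:4021): item=0 name="/etc/ssh/sshd_config" inode=131 mode=0100600 ouid=0 ogid=0
type=SYSCALL msg=audit(1118233300.500:4022): arch=c000003e syscall=2 success=no exit=-13 items=1 ppid=2400 pid=2401 auid=1002 uid=1002 euid=1002 comm="cat" exe="/bin/cat" key="change-mgmt"
type=PATH msg=audit(1118233300.500:4022): item=0 name="/etc/shadow" inode=140 mode=0100400 ouid=0 ogid=0
type=SYSCALL msg=audit(1118233350.000:4023): arch=c000003e syscall=59 success=yes exit=0 items=1 ppid=1 pid=2500 auid=1001 uid=1001 euid=1001 comm="ls" exe="/bin/ls" key="exec-log"
type=PATH msg=audit(1118233350.000:4023): item=0 name="/bin/ls" inode=77 mode=0100755 ouid=0 ogid=0
"""

HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+)\.\d+:(\d+)\): (.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(log_text):
    """Group records by audit event serial; all records of one event share it."""
    events = defaultdict(lambda: {"paths": []})
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # skip anything that is not an audit record
        rtype, epoch, serial, rest = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(rest)}
        ev = events[int(serial)]
        ev["time"] = int(epoch)
        if rtype == "SYSCALL":
            ev["syscall"] = fields
        elif rtype == "PATH":
            ev["paths"].append(fields.get("name"))
    return events

def attribute_changes(log_text, key):
    """Return (serial, auid, uid, exe, path) for successful events tagged `key`."""
    out = []
    for serial, ev in sorted(parse_events(log_text).items()):
        sc = ev.get("syscall")
        if not sc or sc.get("key") != key or sc.get("success") != "yes":
            continue
        # auid is the login identity; it survives su/sudo, unlike uid.
        for path in ev["paths"]:
            out.append((serial, int(sc["auid"]), int(sc["uid"]), sc["exe"], path))
    return out

if __name__ == "__main__":
    for row in attribute_changes(SAMPLE_LOG, "change-mgmt"):
        print(row)
```

Each returned row can be matched by path and time against a file-integrity report to attach a login identity to a detected change.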