[Gllug] Change Management tools
Daniel P. Berrange
dan at berrange.com
Wed Jun 8 12:20:41 UTC 2005
On Wed, Jun 08, 2005 at 01:10:47PM +0100, Tethys wrote:
> We use AIDE to verify that the machine is in a consistent, approved
> state. Any changes are detected, and a simple web front end lets us
> add annotations to explain the reasons for the change (which should
> tie in to a change request number, although they don't always do so
> yet). As for who's made the change, you'd need process accounting or
> something like systrace/dtrace to be able to see that sort of information,
> which starts getting pretty invasive and potentially harms performance.

Both Red Hat and SUSE kernels include system wide auditing capabilities,
primarily to enable CAL-3 security certification. If you are reasonably
restrictive about what files / processes you mark as being audited
then the performance hit isn't prohibitively high.

The original LAUS implementation was pretty hairy, but for 2.6 kernel
in RHEL-4, a new impl was written to work in conjunction with SELinux
framework, and is actually part of upstream kernel tree. So, if you've
got particular files & processes you're interested in auditing it may
well be worth taking a look at these capabilities.

Regards,
Dan.
--
|=- GPG key: http://www.berrange.com/~dan/gpgkey.txt -=|
|=- Perl modules: http://search.cpan.org/~danberr/ -=|
|=- Projects: http://freshmeat.net/~danielpb/ -=|
|=- berrange at redhat.com - Daniel Berrange - dan at berrange.com -=|
--
Gllug mailing list - Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug