UNIX audit question

Discussion in 'OT Technology' started by trouphaz, Jan 16, 2009.

  1. trouphaz

    trouphaz New Member

    Joined:
    Sep 22, 2003
    Messages:
    2,666
    Likes Received:
    0
    For audit, I'm being asked to provide details on whatever changes specific users make when they vi select files. I've done some reading on Solaris auditing and it sounds like the amount of information that this could generate would be insane because it would track all file writes and not just the handful of edits that happen fairly infrequently.
    I'm considering writing a wrapper for vi that they would use that would automatically copy the file out of place before editing and then finish by doing a diff and emailing someone the changes after they were done editing, but that'll be a pain in the nuts to force people to use and may have all kinds of issues with other commands that use vi (like hitting v while running less).

    Another thought was Tripwire, but I'm not all that familiar with it. I know it is supposed to be configurable to monitor select files for changes, but does anyone know if it'll actually track what those changes are?
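
The copy-before, diff-after wrapper sketched in the post, as an added example that is not the poster's own code: a POSIX sh function that snapshots the file, runs the editor, and appends a unified diff with user and UTC timestamp to a log. The environment variables AUDIT_LOG and EDITOR, and their default paths, are assumptions.

```sh
#!/bin/sh
# Audited-edit wrapper: snapshot the file, run the editor, then append a
# unified diff of whatever changed (with user and timestamp) to a log.
# Constructed example; AUDIT_LOG and EDITOR are assumed environment
# variables, defaulting to the paths below.

# audited_edit FILE -> edits FILE and logs the diff; returns the editor's
# exit status (2 on usage error, 1 if the temp files could not be made).
audited_edit() {
    target="$1"
    [ -n "$target" ] || { echo "usage: audited_edit FILE" >&2; return 2; }
    log="${AUDIT_LOG:-/var/log/edit-audit.log}"
    editor="${EDITOR:-/usr/bin/vi}"
    snap=$(mktemp) || return 1
    patch=$(mktemp) || { rm -f "$snap"; return 1; }
    # Pre-edit copy; a file that does not exist yet diffs against empty.
    if [ -e "$target" ]; then cp -p "$target" "$snap"; fi

    rc=0
    "$editor" "$target" || rc=$?

    who=$(id -un 2>/dev/null || echo unknown)
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    # diff -u exits 0 when identical, 1 when different, >1 on error.
    drc=0
    diff -u "$snap" "$target" > "$patch" || drc=$?
    case $drc in
        0) printf '%s user=%s file=%s result=unchanged editor_rc=%s\n' \
               "$stamp" "$who" "$target" "$rc" >> "$log" ;;
        1) {
               printf '%s user=%s file=%s result=changed editor_rc=%s\n' \
                   "$stamp" "$who" "$target" "$rc"
               cat "$patch"
           } >> "$log" ;;
        *) printf '%s user=%s file=%s result=diff-error editor_rc=%s\n' \
               "$stamp" "$who" "$target" "$rc" >> "$log" ;;
    esac
    rm -f "$snap" "$patch"
    return $rc
}

# Run directly as: sh audited-edit.sh /path/to/file
if [ "$#" -gt 0 ]; then audited_edit "$@"; fi
```

The log should live on a path the editing users cannot write to, otherwise the record can be altered after the fact.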
     
  2. crontab

    crontab (uid = 0)

    Joined:
    Nov 14, 2000
    Messages:
    23,439
    Likes Received:
    11
    we use tripwire and it tracks all the changes within the file(s), ascii files at least. shows a different sum for binaries.

    we also use RCS for our versioning control of system or critical files. i know some developers use this as well. clearcase is another robust app.

    are these people making changes without auth or something?
     
  3. trouphaz

    trouphaz New Member

    Joined:
    Sep 22, 2003
    Messages:
    2,666
    Likes Received:
    0
    no to changes without authorization. we just got our asses handed to us by internal audit (well, audit by our parent company) and i think they're being overly cautious. we have most files changed through a whole change control procedure, but some are either changed too often or the changes are so minor that they just edit the files in place. now, we log all of the commands, so someone brought up that we know what commands the users are running, but not what they're actually doing when they edit certain files.

    the change control procedure involves approvals, testing in dev, uat and then prod and all files coming through version control systems. one set of files is updated multiple times a day and the other set is changed a couple of times a year where they'll change a 2 to a 3 and then back when they update a schedule for daylight savings time. so, the whole change control process is overly cumbersome for these instances.


    thanks for the info on tripwire. i forgot about clearcase as well. i've heard of it, but didn't have much info about it.