 From:  "Chad R. Larson" <clarson at eldocomp dot com>
 To:  Gordon Day <gordon at deepcovelabs dot com>
 Cc:  m0n0wall dash dev at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall-dev] Strongly desired audit feature
 Date:  Fri, 24 Jun 2005 00:11:04 -0700
Gordon Day wrote:
> I do agree that this is one way to accomplish keeping track of your 
> change history.  But what I want to see is something that you don't have 
> to "remember" to do.

You can wrap that edit behavior in scripts, if you like.

> In particular, I can't necessarily trust myself or my co-workers to
> always remember to create the log.  The point of an audit trail is
> that you can't not do it.

I agree about the "remember" stuff.  Sysadms in large, lock-down shops 
such as ours (and I'm the lock downer) have to daily fight the 
convenience of a GUI or web-based interface with auditability.

Any Unix sysadm by now has faced the "useradd" vs the "vi /etc/passwd" 
collision, especially in an environment where there is more than one 
shift of admins.

For example, for us to make a change on our external nameserver needs 
something like this (names not too very obscured):
Update exterior name server (ecibsdm)
     su - root
     cd /usr/chroot/named/etc/namedb/zones/master
     sudo -u bind co -l db.foo.com
     vi db.foo.com
       (be sure to update serial number)
     sudo -u bind ci -u db.foo.com
     rndc reload
     aide --check
     aide --init
     cd /var/db/aide/databases/
     mv aide.db.new aide.db
Then update the other exterior name server
   scp ecibsd:db.foo.com System@bsds:/var/tmp
login to System
   su - root
   cd /usr/chroot/named/etc/namedb/zones/master
   cp /var/tmp/db.eldocomp.com .
   rm /var/tmp/db.eldocomp.com
   rndc reload
   aide --init
   cd /var/db/aide/database
   mv aide.db.new aide.db

All of these steps are wrapped in scripts for the PFY to use.

I'm saying, "Yes, it would be nice if the m0n0 project supported audit 
trails, but unless you want to contribute the patches to the project, 
there are ways to get the same functionality."

Chad R. Larson (CRL22)    chad at eldocomp dot com
   Eldorado Computing, Inc.   602-604-3100
      5353 North 16th Street, Suite 400
        Phoenix, Arizona   85016-3228
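Added example, not code from Chad's mail or from the m0n0wall project: the zone-edit sequence from the mail (co -l, vi, ci -u, rndc reload, aide) wrapped in one POSIX shell script, so the check-in, the serial bump and the AIDE refresh cannot be skipped. The paths are the ones given in the mail; the assumption that the zone file keeps its SOA serial on a line ending in a "; serial" comment, the helper names, and the ci log-message format are my own.

```shell
#!/bin/sh
# Added example, not code from the mail above or from the m0n0wall project:
# one wrapper for the co -l / vi / ci -u / rndc reload / aide sequence, so
# the check-in, the serial bump and the AIDE refresh cannot be forgotten.
# Assumptions: the paths from the mail, that the zone file keeps its SOA
# serial on a line ending in a "; serial" comment, and the helper names here.

ZONEDIR=${ZONEDIR:-/usr/chroot/named/etc/namedb/zones/master}
AIDEDB=${AIDEDB:-/var/db/aide/databases}

# get_serial FILE: print the SOA serial (first number on the "; serial" line).
get_serial() {
    awk '!done && /;[ \t]*[Ss]erial/ {
            match($0, /[0-9]+/); print substr($0, RSTART, RLENGTH); done = 1
         }' "$1"
}

# bump_serial FILE: set the serial to YYYYMMDD00 (UTC) for today's first
# edit. If the current serial is already at or past today's base (a second
# edit the same day, or a serial in some other scheme), add 1 instead, so
# the serial only ever grows. Refuse at 2^32-1, where RFC 1982 wraps.
bump_serial() {
    file=$1
    awk -v today="$(date -u +%Y%m%d)" '
        !done && /;[ \t]*[Ss]erial/ {
            match($0, /[0-9]+/)
            cur  = substr($0, RSTART, RLENGTH)
            base = today "00"
            if (cur + 0 >= 4294967295) {
                print "serial is at 2^32-1, refusing to wrap" > "/dev/stderr"
                exit 2
            }
            if (cur + 0 >= base + 0) new = sprintf("%.0f", cur + 1)
            else                     new = base
            # replace only the number; keep indentation and the comment
            $0 = substr($0, 1, RSTART - 1) new substr($0, RSTART + RLENGTH)
            done = 1
        }
        { print }
    ' "$file" > "$file.tmp" || { rm -f "$file.tmp"; return 1; }
    # overwrite in place so the owner and mode set by "co -l" survive
    cat "$file.tmp" > "$file" && rm -f "$file.tmp"
}

# audited_zone_edit ZONEFILE REASON: the full procedure from the mail, run as
# root. RCS records who checked in, when, and the REASON; syslog gets a line
# too; AIDE's database is refreshed only after the change has been reviewed.
audited_zone_edit() {
    zone=$1; reason=$2
    if [ -z "$zone" ] || [ -z "$reason" ]; then
        echo "usage: $0 edit ZONEFILE \"reason for the change\"" >&2
        return 1
    fi
    cd "$ZONEDIR" || return 1
    sudo -u bind co -l "$zone" || return 1            # lock and check out
    ${EDITOR:-vi} "$zone"
    if sudo -u bind rcsdiff -q "$zone" >/dev/null 2>&1; then
        sudo -u bind rcs -u "$zone"                    # no change: drop the lock
        echo "$zone unchanged, nothing to record"
        return 0
    fi
    bump_serial "$zone" || return 1
    sudo -u bind ci -u -m"${SUDO_USER:-$(id -un)}: $reason" "$zone" || return 1
    rndc reload || return 1
    logger -t zone-edit "${SUDO_USER:-$(id -un)} changed $zone: $reason"
    aide --check || true        # non-zero means differences were found; that
                                # is the zone change, shown here for review
    aide --init && mv "$AIDEDB/aide.db.new" "$AIDEDB/aide.db"
}

case "${1:-}" in
    edit) audited_zone_edit "$2" "$3" ;;
esac
```

Run it as root with something like `zone-edit edit db.foo.com "add MX for mail2"`; the reason is mandatory because it goes into the RCS log, which is the audit trail. The exit status of `rcsdiff -q` is used to skip the check-in when vi was left without changes, and `aide --check` is allowed to fail, since a non-zero exit there is exactly the changed zone file being reported.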