Gordon Day wrote:
> I do agree that this is one way to accomplish keeping track of your
> change history. But what I want to see is something that you don't have
> to "remember" to do.
You can wrap that edit behavior in scripts, if you like.
> In particular, I can't necessarily trust myself or my co-workers to
> always remember to create the log. The point of an audit trail is
> that you can't not do it.
I agree about the "remember" stuff. Sysadms in large, lock-down shops
such as ours (and I'm the lock downer) have to daily fight the
convenience of a GUI or web-based interface with auditability.
Any Unix sysadm by now has faced the "useradd" vs the "vi /etc/passwd"
collision, especially in an environment where there are more than one
shift of admins.
For example, for us to make a change on our external nameserver needs
something like this (names not too very obscured):
Update exterior name server (ecibsdm)
    su - root
    cd /usr/chroot/named/etc/namedb/zones/master
    sudo -u bind co -l db.foo.com
    vi db.foo.com
    (be sure to update serial number)
    sudo -u bind ci -u db.foo.com
    rndc reload
    aide --check
    aide --init
    cd /var/db/aide/databases/
    mv aide.db.new aide.db
    exit
Then update the other exterior name server
    scp ecibsd:db.foo.com System@bsds:/var/tmp
    login to System
    su - root
    cd /usr/chroot/named/etc/namedb/zones/master
    cp /var/tmp/db.eldocomp.com .
    rm /var/tmp/db.eldocomp.com
    rndc reload
    aide --init
    cd /var/db/aide/database
    mv aide.db.new aide.db
All of these steps are wrapped in scripts for the PFY to use.
I'm saying, "Yes, it would be nice if the m0n0 project supported audit
trails, but unless you want to contribute the patches to the project,
there are ways to get the same functionality."
-crl
--
Chad R. Larson (CRL22) chad at eldocomp dot com
Eldorado Computing, Inc. 602-604-3100
5353 North 16th Street, Suite 400
Phoenix, Arizona 85016-3228
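The following is an added example, not Chad's script or anything from the m0n0wall project: a POSIX sh wrapper for the zone-edit procedure in the message above that makes the audit step something the operator cannot skip. It keeps the message's own steps (RCS co -l / ci -u as the bind user, rndc reload, aide --check / --init and the aide.db swap) and adds two checks: the edit is discarded unless the SOA serial was bumped, and a change message is mandatory, going both into the RCS log and into an append-only audit file. ZONE_DIR, AUDIT_LOG, the "; serial" comment convention in the zone file and the zone name db.example.com are assumptions for the example, not taken from the post.

```shell
#!/bin/sh
# Added example (not from the original message): wrapper for the zone-edit
# procedure that refuses to check in a zone whose SOA serial was not bumped
# and records every change, with a mandatory message, in an audit log.
# Assumed values: ZONE_DIR, AUDIT_LOG and the "; serial" comment convention.

ZONE_DIR=${ZONE_DIR:-/usr/chroot/named/etc/namedb/zones/master}
AUDIT_LOG=${AUDIT_LOG:-/var/log/zone-changes.log}

# Print the SOA serial: the last token before the "; serial" comment, which
# covers both "2024010101 ; serial" and "( 2024010101 ; serial" layouts.
zone_serial() {
    awk -F';' '/;[[:space:]]*serial/ { n = split($1, f, " "); print f[n]; exit }' "$1"
}

# Succeed only if the new file's serial is strictly greater than the old one's.
serial_bumped() {
    old=$(zone_serial "$1")
    new=$(zone_serial "$2")
    [ -n "$old" ] && [ -n "$new" ] && [ "$new" -gt "$old" ]
}

# Append one tab-separated audit record: UTC time, real login user, zone,
# old->new serial, and the operator's change message.
audit_record() {
    printf '%s\t%s\t%s\t%s->%s\t%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "${SUDO_USER:-$(logname 2>/dev/null || id -un)}" \
        "$1" "$2" "$3" "$4" >> "$AUDIT_LOG"
}

# edit_zone <zonefile> <change message>
# Runs in a subshell so the cd does not leak into the caller's shell.
edit_zone() (
    zone=$1
    msg=$2
    if [ -z "$zone" ] || [ -z "$msg" ]; then
        echo "usage: edit_zone <zonefile> <change message>" >&2
        exit 2
    fi
    cd "$ZONE_DIR" || exit 1
    sudo -u bind co -l "$zone" || exit 1             # take the RCS lock
    old=$(zone_serial "$zone")
    cp "$zone" "$zone.before"
    ${EDITOR:-vi} "$zone"
    if ! serial_bumped "$zone.before" "$zone"; then
        echo "SOA serial not bumped; discarding edit" >&2
        sudo -u bind co -f -u "$zone"                # restore head revision, drop lock
        rm -f "$zone.before"
        exit 1
    fi
    rm -f "$zone.before"
    new=$(zone_serial "$zone")
    sudo -u bind ci -u -m"$msg" "$zone" || exit 1    # message lands in the RCS log too
    audit_record "$zone" "$old" "$new" "$msg"        # and in the append-only audit file
    rndc reload
    aide --check                                     # non-zero here is expected: the zone changed
    aide --init && mv /var/db/aide/databases/aide.db.new /var/db/aide/databases/aide.db
)

# Only run the wrapper when given arguments, so the functions above can be
# sourced or exercised without side effects.
if [ $# -gt 0 ]; then
    edit_zone "$@"
fi
```

Usage would be `edit_zone db.example.com "add MX for mail2"`; with no message the wrapper exits before touching the RCS lock, and an edit that forgets the serial is reverted with `co -f -u` rather than checked in, so the two steps the message singles out as easy to forget are enforced by the script rather than by memory.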