Cryptographic mechanisms to protect the integrity of auditd files


Has anyone thought about this and how can we use cryptographic mechanisms to protect the integrity of auditd files on RHEL 7? Any suggestions would be appreciated.

Responses

Do you want to protect the files from being edited? Or do you want to have some kind of alert when the files are changed?

Hi Christiaan, Some type of alert when files are changed, but I can do that with tripwire. Trying to find the best solution. Thanks.

Hi Shisheer,

if I understand your question correctly, you want to ensure integrity of auditd files on RHEL 7. In other words, you want those logs to be free of any tampering?

If that is the case, I can think of two simple solutions at short notice:

a) Configure auditd to log events to remote servers that prevent any unauthorized access.

b) Configure tools like AIDE (Advanced Intrusion Detection Environment) or Tripwire to monitor audit logs (or anything else for that matter). Note that the open files are useless to monitor because their digital signatures change dynamically every second...

Once the AIDE db is created, one can burn the binary config files and the AIDE database to any read-only medium to increase the integrity. For example:

# mkisofs -V AIDE_DB`date +%F` -J -R -o AIDE.iso /AIDE-directory

# cdrecord -v -eject AIDE.iso

Regards,

Dusan Baljevic (amateur radio VK2COT)

Hi Dusan, Thanks for the input. Will be testing this.

You can also sign/verify them with gpg. Additionally you can encrypt them.
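A worked example, added here and not part of any post in this thread, that combines the two suggestions above (Dusan's hash-database approach and the gpg sign/verify idea): it hashes only the closed, rotated audit logs (audit.log.1, audit.log.2, ...) into a manifest, skips the live audit.log that auditd is still appending to, signs the manifest with a detached gpg signature, and later verifies the signature and then the hashes. The directory, manifest path, key id and function names are all assumptions for illustration; the test data is constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed paths and key id:
AUDIT_DIR=${AUDIT_DIR:-/var/log/audit}
MANIFEST=${MANIFEST:-/var/lib/audit-manifest/manifest.sha256}   # assumed location
SIGNING_KEY=${SIGNING_KEY:-audit-integrity@example.com}           # assumed key id

# build_manifest DIR MANIFEST
# Writes one "sha256  filename" line per rotated log found in DIR.
# The live audit.log is deliberately skipped: its hash changes on every event.
build_manifest() {
    dir=$1; manifest=$2
    : > "$manifest"
    for f in "$dir"/audit.log.[0-9]*; do
        [ -f "$f" ] || continue                    # glob matched nothing
        ( cd "$dir" && sha256sum "${f##*/}" ) >> "$manifest"
    done
}

# verify_manifest DIR MANIFEST  (MANIFEST must be an absolute path)
# Returns 0 only if every listed file still exists and hashes as recorded.
verify_manifest() {
    dir=$1; manifest=$2
    ( cd "$dir" && sha256sum -c --quiet "$manifest" ) >/dev/null 2>&1
}

# sign_manifest MANIFEST KEYID
# Detached ASCII-armoured signature written next to the manifest as MANIFEST.asc.
sign_manifest() {
    gpg --batch --yes --local-user "$2" --armor --detach-sign \
        --output "$1.asc" "$1"
}

# check_signature MANIFEST
# Returns 0 only if MANIFEST.asc verifies against a key in the keyring.
check_signature() {
    gpg --batch --verify "$1.asc" "$1" >/dev/null 2>&1
}

# Usage: audit-manifest.sh build   (after each log rotation)
#        audit-manifest.sh verify  (from cron, or before reading the logs)
case "${1:-}" in
    build)
        build_manifest "$AUDIT_DIR" "$MANIFEST" && sign_manifest "$MANIFEST" "$SIGNING_KEY"
        ;;
    verify)
        if check_signature "$MANIFEST" && verify_manifest "$AUDIT_DIR" "$MANIFEST"; then
            echo "audit logs match signed manifest"
        else
            echo "AUDIT LOG INTEGRITY CHECK FAILED" >&2
            exit 1
        fi
        ;;
esac
```

The signature only helps if an attacker who gains root on the audited host cannot simply rebuild and re-sign the manifest: keep the private key off the host (sign on the log collector, or from an operator workstation after copying the rotated logs and manifest), and store the public key and the signed manifest on the same read-only medium the AIDE post describes. Rebuild the manifest after every rotation, otherwise the newest closed file is never covered.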