Cryptographic mechanisms to protect the integrity of auditd files

Posted in Red Hat Enterprise Linux. Started 2019-06-19T14:36:01+00:00 by Shisheer Guragain. Latest response 2019-06-27T07:03:03+00:00.

Has anyone thought about this, and how can we use a cryptographic mechanism to protect the integrity of auditd files on RHEL 7? Any suggestions would be appreciated.

Responses

Christiaan van Aken, 19 June 2019 6:34 PM

Do you want to protect the files from being edited? Or do you want to have some kind of alert when the files are changed?

Shisheer Guragain, 26 June 2019 4:40 PM

Hi Christiaan,

Some type of alert when files are changed, but I can do that with Tripwire. Trying to find the best solution. Thanks.

Dusan Baljevic, 23 June 2019 11:37 PM

Hi Shisheer,

If I understand your question correctly, you want to ensure integrity of auditd files on RHEL 7. In other words, you want those logs to be free of any tampering?

If that is the case, I can think of two simple solutions at short notice:

a) Configure auditd to log events to remote servers that prevent any unauthorized access.

b) Configure tools like AIDE (Advanced Intrusion Detection Environment) or Tripwire to monitor audit logs (or anything else for that matter). Note that the open files are useless to monitor because their digital signatures change dynamically every second...

Once the AIDE db is created, one can burn the binary config files and the AIDE database to any read-only medium to increase the integrity. For example:

    # mkisofs -V AIDE_DB`date +%F` -J -R -o AIDE.iso /AIDE-directory
    # cdrecord -v -eject AIDE.iso

Regards,
Dusan Baljevic (amateur radio VK2COT)

Shisheer Guragain, 26 June 2019 4:41 PM

Hi Dusan,

Thanks for the input. Will be testing this.

Klaas Demter, 27 June 2019 7:03 AM

You can also sign/verify them with gpg. Additionally, you can encrypt them.
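Added example, not part of the thread or of any Red Hat tooling: a sketch of the sign/verify idea applied only to closed, rotated logs (the live audit.log is skipped, per the note above about open files), with HMAC-SHA256 from the Python standard library substituted for gpg so it runs without external tools. It assumes rotated files are named audit.log.N; the function names, the key and the sample log lines are constructed for illustration.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


def rotated_logs(log_dir):
    """Closed files only (audit.log.1, audit.log.2, ...); the live audit.log keeps changing."""
    return sorted(Path(log_dir).glob("audit.log.*"))


def tag(path, key):
    """HMAC-SHA256 over the file contents, streamed in chunks."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()


def seal(log_dir, key):
    """Manifest {tag: name at seal time}. Keyed by tag because rotation renames files."""
    return {tag(p, key): p.name for p in rotated_logs(log_dir)}


def verify(log_dir, key, manifest):
    """Return (lost, unknown): sealed content no longer present, files with no sealed tag."""
    current = {tag(p, key): p.name for p in rotated_logs(log_dir)}
    lost = sorted(name for t, name in manifest.items() if t not in current)
    unknown = sorted(name for t, name in current.items() if t not in manifest)
    return lost, unknown


def demo():
    key = b"constructed-demo-key"  # assumption: the real key and manifest live off-host
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample logs, not real audit data
        d = Path(tmp)
        (d / "audit.log").write_text("type=SYSCALL msg=audit(1561000300.000:3): live\n")
        (d / "audit.log.1").write_text("type=USER_LOGIN msg=audit(1561000200.000:2): res=failed\n")
        (d / "audit.log.2").write_text("type=USER_LOGIN msg=audit(1561000100.000:1): res=success\n")
        manifest = seal(d, key)
        (d / "audit.log.2").rename(d / "audit.log.3")  # rotation shifts the names
        (d / "audit.log.1").rename(d / "audit.log.2")
        clean = verify(d, key, manifest)               # renames alone raise nothing
        (d / "audit.log.2").write_text("type=USER_LOGIN msg=audit(1561000200.000:2): res=success\n")
        return clean, verify(d, key, manifest)


if __name__ == "__main__":
    print(demo())
```

A file that ages out of the rotation also shows up under "lost", so the manifest needs re-sealing after each rotation; a file reported as "unknown" is either not yet sealed or has been altered.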