Score:1

RHEL 8: Administrator vs. Auditor role

On RHEL 8, are there prepared functions, methods, processes or tools to implement administrator/operator and auditor roles in the following way:

  • An administrator/operator should be able to do almost everything except modifying/deleting logs
  • An auditor should be able to read everything, and to delete logs

In my research, I did not find any hints or best practices for this concept. But I imagine that this might be a common requirement for systems that shall comply with ISO 27001. So I am wondering if there are already maintainable solutions to implement such roles on RHEL, or if it can be accomplished at all, or if this is (currently) just not feasible on RHEL.

Score:1
Rob

AFAIK there are some ready-made provisions for privilege separation in SELinux in Multi Level Security mode here, but nothing immediately useful and practical.

When you need to protect and tamperproof log files and audit trails against the trusted administrators on a server the solution is almost always either:

  • Copy those log files and audit trails to a remote location where those administrators do not have access at all, or only limited access, and where they are not trusted users.
    In other words: the auditor sets up and maintains a central syslog server and/or, for example, a Splunk/ELK Stack or similar to which the other administrators don't get access (or will only have user-level access) and therefore won't be able to delete/modify the records. All (critical) application logs get copied there.
  • Write those logs to WORM media, although that may have been much more popular in the past than it is today.
stackprotector
Off-loading the log files is indeed a good workaround before implementing sth. complex/hard to maintain.
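
A sketch of the client side of the central syslog approach from the answer above, as an rsyslog drop-in for a RHEL 8 host. This is an added example, not configuration from the answer or its author; the file name, the collector host `logs.example.internal`, the CA path and the application log path are assumptions.

```conf
# /etc/rsyslog.d/90-forward-to-auditor.conf  (file name is an assumption)
# Runs on each host the administrators manage. The collector at the other end
# is owned by the auditor, and the administrators have no login there.
# The gtls driver needs the rsyslog-gnutls package.

# Verify the collector's certificate against a CA the auditor controls
# (path is an assumption).
global(
    DefaultNetstreamDriver="gtls"
    DefaultNetstreamDriverCAFile="/etc/pki/rsyslog/auditor-ca.pem"
)

# Pick up an application log that is written to a file instead of syslog
# (hypothetical path and tag).
module(load="imfile")
input(type="imfile"
      File="/var/log/exampleapp/*.log"
      Tag="exampleapp:"
      Facility="local6"
      Severity="info")

# Forward every message to the collector over TLS. The disk-assisted queue
# buffers records while the collector is unreachable and retries indefinitely,
# so a network outage does not silently drop them.
action(type="omfwd"
       target="logs.example.internal"
       port="6514"
       protocol="tcp"
       StreamDriver="gtls"
       StreamDriverMode="1"
       StreamDriverAuthMode="x509/name"
       StreamDriverPermittedPeers="logs.example.internal"
       queue.type="LinkedList"
       queue.filename="fwd_auditor"
       queue.maxDiskSpace="1g"
       queue.saveOnShutdown="on"
       action.resumeRetryCount="-1")
```

Check the syntax with `rsyslogd -N1` before restarting rsyslog. Root on the source host can still stop the forwarder, so the separation holds only for records already delivered; the collector should flag hosts that go quiet.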