Linked by Dedoimedo on Mon 15th Nov 2010 15:46 UTC
Linux How do you audit your Linux environment? How do you track changes to your files? What kind of processes are running on your system at any given moment? What uses the most resources? Valid questions, all. Special contributor Dedoimedo gives us the straight scoop on "audit".
Editor's note: Call for submissions: are you an OS expert? Can you provide some special insight, some tips and tricks, or just plain illuminate an obscure feature in your OS of choice? We'd like to publish it.
Comment by Calipso
by Calipso on Mon 15th Nov 2010 20:57 UTC
Calipso
Member since:
2007-03-13

great article!
I'm sure this will come in handy.
Definitely bookmarking this one.

Reply Score: 5

Finally, a GOOD article!
by Quake on Mon 15th Nov 2010 21:02 UTC
Quake
Member since:
2005-10-14

Finally, an "OS" article on OSnews worthy of bookmarking it. We need more of these kind of articles.

Reply Score: 5

RE: Finally, a GOOD article!
by Thom_Holwerda on Mon 15th Nov 2010 21:53 UTC in reply to "Finally, a GOOD article!"
Thom_Holwerda
Member since:
2005-06-29

Finally, an "OS" article on OSnews worthy of bookmarking it. We need more of these kind of articles.


We sure do. I've got another great one lined up about NTFS from someone, great stuff. Very long, so it'll be a bit of work to get ready, but it's great.

Reply Score: 3

Maybe I'm missing the point...
by Vanders on Mon 15th Nov 2010 21:34 UTC
Vanders
Member since:
2005-07-06

An alternative is configuration management, like cfengine. This could work, too. You will have a static baseline to revert to, deleting any unwanted changes to your files. However, you will not know, in between period runs, who made changes to your files - or why.


Maybe it's just me being bloody minded, but why should I care if someone made a local change to a file managed by my configuration management system and the change gets overwritten? That's the entire point of configuration management such as cfengine or Puppet. The configuration management system is canonical. If someone attempts to make a local change outside of configuration management:

a) They're Doing It Wrong and therefore shouldn't be making such a change anyway.
b) I want their changes to be overwritten due to the above.

Audit tools such as tripwire and audit are useful for finding potentially malicious changes to key system files, but I don't see why you'd try to use something like this as a replacement for something like Puppet. It's Apples and Oranges.

Reply Score: 3

Soulbender
Member since:
2005-08-18

Yep. cfengine/puppet and audit/tripwire complement each other; they're not mutually exclusive.
Configuration management does many things audit doesn't, like keeping a history of changes so that you can always roll back to something that worked. cfg management also tells you exactly what change was done, not just that something was done.

Edited 2010-11-15 23:35 UTC

Reply Score: 3
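The two comments above draw the line between the tools: configuration management knows what the file should contain, while audit records who touched it. As an added example that is not part of the article or of any commenter's post, the Python below shows the "who" side in practice: it parses the record format auditd writes to /var/log/audit/audit.log, groups the SYSCALL, CWD and PATH records of one event by their shared serial number, and reports the login uid, effective uid, program and outcome for every access to a watched file. The log lines are constructed (and trimmed of fields a real record carries) and would correspond to a watch such as `auditctl -w /etc/ssh/sshd_config -p wa -k etc-changes`; note that the result answers who and when, not why, which is exactly the gap the quoted article and Soulbender point at.

```python
import re
from collections import OrderedDict
from datetime import datetime, timezone

# Constructed, trimmed sample of audit.log lines (not captured from a real host).
# A rule like `auditctl -w /etc/ssh/sshd_config -p wa -k etc-changes` would
# produce records of this shape; every record of one event shares the same
# audit(TIMESTAMP:SERIAL) stamp.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1289854800.123:4471): arch=c000003e syscall=2 success=yes exit=3 items=2 ppid=2100 pid=2133 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=2 comm="vim" exe="/usr/bin/vim" key="etc-changes"
type=CWD msg=audit(1289854800.123:4471): cwd="/root"
type=PATH msg=audit(1289854800.123:4471): item=0 name="/etc/ssh/" inode=131073 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1289854800.123:4471): item=1 name="/etc/ssh/sshd_config" inode=131090 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1289854900.456:4472): arch=c000003e syscall=2 success=no exit=-13 items=1 ppid=3000 pid=3001 auid=1001 uid=1001 gid=1001 euid=1001 tty=pts1 ses=5 comm="vim" exe="/usr/bin/vim" key="etc-changes"
type=CWD msg=audit(1289854900.456:4472): cwd="/home/bob"
type=PATH msg=audit(1289854900.456:4472): item=0 name="/etc/ssh/sshd_config" inode=131090 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
"""

RECORD_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$')
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fields(body):
    """Turn 'a=1 b="x y"' into a dict, stripping the quotes audit puts around strings."""
    fields = {}
    for key, value in FIELD_RE.findall(body):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def parse_audit_log(text):
    """Group records by serial number and summarise each event that has a SYSCALL record."""
    events = OrderedDict()
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # not a record shape we understand; skip rather than guess
        serial = int(m.group("serial"))
        ev = events.setdefault(serial, {"serial": serial, "ts": float(m.group("ts")), "paths": []})
        fields = parse_fields(m.group("body"))
        rtype = m.group("type")
        if rtype == "SYSCALL":
            ev.update({
                "time": datetime.fromtimestamp(ev["ts"], tz=timezone.utc).isoformat(),
                # auid is the login uid; it survives su/sudo, so it answers "who" even when uid is 0
                "auid": int(fields.get("auid", -1)),
                "uid": int(fields.get("uid", -1)),
                "success": fields.get("success") == "yes",
                "exit": int(fields.get("exit", 0)),
                "comm": fields.get("comm", ""),
                "exe": fields.get("exe", ""),
                "key": fields.get("key", ""),
            })
        elif rtype == "PATH" and fields.get("nametype") != "PARENT":
            ev["paths"].append(fields.get("name", ""))  # the directory entry is noise here
        elif rtype == "CWD":
            ev["cwd"] = fields.get("cwd", "")
    # Events without a SYSCALL record carry no actor information, so drop them
    return [ev for ev in events.values() if "auid" in ev]


def changes_to(events, path, key=None):
    """Return the events touching `path`, optionally only those tagged with rule key `key`."""
    return [ev for ev in events if path in ev["paths"] and (key is None or ev["key"] == key)]


def describe(ev):
    outcome = "succeeded" if ev["success"] else "was denied (exit %d)" % ev["exit"]
    return "%s login uid %d (effective uid %d) ran %s and %s on %s" % (
        ev["time"], ev["auid"], ev["uid"], ev["exe"], outcome, ", ".join(ev["paths"]))


if __name__ == "__main__":
    for ev in changes_to(parse_audit_log(SAMPLE_LOG), "/etc/ssh/sshd_config", key="etc-changes"):
        print(describe(ev))
```

Run against a real log, the script would read the file instead of SAMPLE_LOG; the login uid (`auid`) is the field worth reporting, because an administrator who became root via su or sudo still carries their own auid, whereas `uid` only shows 0. The denied second event is what a watch with `-p wa` yields when a non-root user tries to open the file for writing, which is the kind of record a baseline-only tool such as cfengine would never see.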

Damn fine
by vodoomoth on Tue 16th Nov 2010 11:54 UTC
vodoomoth
Member since:
2010-03-30

This is indeed a fine article... first time I ever voted an article up here. I don't use Linux at all but I read the thing. Clear, focused, to the point. Well done!
Now I'm eagerly waiting for the NTFS article.

Reply Score: 2

audit not so great
by sorpigal on Thu 18th Nov 2010 12:39 UTC
sorpigal
Member since:
2005-11-02

The problem with Linux auditd, if there can be said to be one, is that it is different and (IMO) needlessly different from the Solaris/FreeBSD auditd. Could have been the same but isn't. Much like pam differences, but with less need, this just makes switching between systems a little more annoying and frustrating.

Reply Score: 2