On Tue, Jun 16, 2009 at 12:52 AM, Domenico Viggiani <[email protected]> wrote:
> solarflow99 wrote:
> > I think it can be done with remote logging,
> > you can log everything to a network location.
> > I'm sure it can be done with available tools, if necessary.
>
> Main requirements are:
> 1- identifying users and not allowing "generic" login, both from network
> and consoles (and "remote" consoles)
> 2- protecting logs from tampering and archiving for 6 months
>
> For point 1):
>
> - I can use centralized login to LDAP/Active Directory (Red Hat provides it
> with standard tools) and allow network access only to "personal" accounts:
> can I specify users/groups in SSH config?
Sounds like you need to refuse shell access? If you enable LDAP, then all
services automatically use it, so it would still allow SSH access if sshd is
configured.
> - I can drop direct access to generic and applicative accounts by SSH
> ("root" is already not allowed by default)
> - users can gain access to applicative accounts by "su -"
>
> but some problems still remain:
>
> - how can I manage administrative accesses by console (both real consoles
> and remote consoles: iLO, VMware virtual consoles, etc)?
>
I'm not sure I really understand that part.
>
> For point 2):
> - can I enable remote logging only for login/logout/wrong password events?
>
Well, there are files called /var/log/last and /var/log/lastb which show only
this; I guess it just depends how much you really want to log.
>
>
> Thanks for clarifications
> --
> Domenico Viggiani
>
>
> _______________________________________________
> rhelv5-list mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/rhelv5-list
>
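The thread asks for two things: log only login/logout/wrong-password events (point 2) and make sure "generic" accounts such as root or application accounts are reached through `su -` rather than logged into directly (point 1). The script below is an added example, not code from the thread or from Red Hat; it filters constructed syslog-style lines (the hostnames, users and addresses are invented) down to those auth events and flags direct logins to generic accounts, which is the kind of selection one would otherwise express as an rsyslog filter before forwarding to a log host.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample auth log lines (RHEL 5 style syslog + pam_unix messages).
SAMPLE_LOG = """\
Jun 16 00:52:01 web01 sshd[4021]: Accepted publickey for dviggiani from 10.0.0.5 port 51234 ssh2
Jun 16 00:52:01 web01 sshd[4021]: pam_unix(sshd:session): session opened for user dviggiani by (uid=0)
Jun 16 00:53:10 web01 sshd[4030]: Failed password for invalid user oracle from 10.0.0.9 port 40112 ssh2
Jun 16 00:54:22 web01 su: pam_unix(su-l:session): session opened for user oracle by dviggiani(uid=500)
Jun 16 00:55:00 web01 cron[4100]: (root) CMD (run-parts /etc/cron.hourly)
Jun 16 01:10:41 web01 su: pam_unix(su-l:session): session closed for user oracle
Jun 16 01:11:00 web01 sshd[4021]: pam_unix(sshd:session): session closed for user dviggiani
Jun 16 01:12:30 web01 login: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
"""

# Generic syslog envelope: "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
# pam_unix session messages cover sshd, su and console login alike.
OPENED_RE = re.compile(
    r"session opened for user (?P<user>\S+)"
    r"(?: by (?P<by>[^(]*)\(uid=(?P<uid>\d+)\))?"
)
CLOSED_RE = re.compile(r"session closed for user (?P<user>\S+)")
# sshd's own wrong-password message; "invalid user" marks a nonexistent account.
FAILED_RE = re.compile(
    r"Failed password for (?:(?P<invalid>invalid user) )?(?P<user>\S+) from (?P<src>\S+)"
)


@dataclass
class AuthEvent:
    timestamp: str            # syslog timestamp as written (no year in this format)
    host: str
    program: str              # sshd, su, login, ...
    kind: str                 # "login", "logout" or "auth_failure"
    user: str                 # account the event is about
    by_user: Optional[str]    # who opened the session (None when not recorded)
    source: Optional[str]     # remote address for failed SSH passwords
    invalid_user: bool = False


def parse_auth_event(line: str) -> Optional[AuthEvent]:
    """Return an AuthEvent for login/logout/failed-password lines, else None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts, host, prog, msg = m.group("ts", "host", "prog", "msg")
    if (o := OPENED_RE.search(msg)):
        by = (o.group("by") or "").strip()
        return AuthEvent(ts, host, prog, "login", o.group("user"), by or None, None)
    if (c := CLOSED_RE.search(msg)):
        return AuthEvent(ts, host, prog, "logout", c.group("user"), None, None)
    if (f := FAILED_RE.search(msg)):
        return AuthEvent(ts, host, prog, "auth_failure", f.group("user"), None,
                         f.group("src"), invalid_user=f.group("invalid") is not None)
    return None  # cron noise, "Accepted publickey" (already covered by the session line), etc.


def filter_auth_events(text: str) -> List[AuthEvent]:
    """Keep only the events worth shipping to the remote log host."""
    events = []
    for line in text.splitlines():
        ev = parse_auth_event(line)
        if ev is not None:
            events.append(ev)
    return events


def direct_generic_logins(events: List[AuthEvent], generic: Set[str]) -> List[AuthEvent]:
    """Logins to a generic account that did not come through su from a personal account.

    A pam_unix "by" of LOGIN means the console login program; an empty "by" means
    the session was opened by a daemon (sshd) rather than by a named user.
    """
    return [e for e in events
            if e.kind == "login" and e.user in generic
            and (e.by_user is None or e.by_user == "LOGIN")]


if __name__ == "__main__":
    evs = filter_auth_events(SAMPLE_LOG)
    for e in evs:
        print(f"{e.timestamp} {e.host} {e.program:<5} {e.kind:<12} user={e.user} "
              f"by={e.by_user} src={e.source}")
    for e in direct_generic_logins(evs, {"root", "oracle"}):
        print("DIRECT GENERIC LOGIN:", e.program, e.user, e.timestamp)
```

The sample keeps 6 of the 8 lines: the cron entry and the redundant "Accepted publickey" line are dropped, and only the console login as root is reported as a direct generic login, while the `su -` to oracle is attributed to the personal account that performed it. On a real host the same selection would be done in the rsyslog/syslog configuration before forwarding, with this logic serving as the reference for which messages must survive the filter.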