Regulatory and corporate auditing requirements are becoming a way of business for organizations around the world. Even enterprises in industries such as banking, insurance, health care, and government, which have traditionally faced high compliance requirements, are seeing those demands increase. That is why SUSE Manager was built with compliance in mind, and why we have added the new Audit Log Keeper to it.
The Audit Log Keeper enables you to easily maintain compliance with even the most rigorous regulatory requirements and corporate policies. It provides a comprehensive and simplified method for tracking and reporting changes to your managed servers by offering a consolidated log of all actions initiated using the SUSE Manager web interface, command line client, or API. The detailed record delivered by the Audit Log Keeper includes not only the operation performed, but also the user responsible for the change, the date, and the time.
With the addition of the Audit Log Keeper, SUSE Manager ensures that you have all of the necessary information about your systems to quickly demonstrate your compliance when the inevitable audit rolls around.
Now let’s get you started on the road to better compliance.
The Audit Log Keeper framework consists of three basic building blocks:
- The Audit Log Keeper itself: a buffer for incoming log messages that makes sure logs are delivered reliably to a local or remote backend.
- Schema validators: you need at least one, and currently there is one for SUSE Manager (called AuditLogKeeperSpacewalk). The schema validators make sure that only the desired log entries are recorded and that they are in the right format. Apart from using this framework in SUSE Manager, you could also write your own validator plugins in Java and use Audit Log Keeper for your applications’ audit logging needs.
- Output plugins: current options include logging to STDOUT, syslog, SQL databases, or XML files. Several output plugins can be active at the same time. For example, you may want to use syslog for quick alerting, but keep a tamper-proof copy as an XML file that is archived read-only, as well as a searchable version in a relational database.
On SUSE Manager you will need to install the Audit Log Keeper first (do this as root or use sudo):
`zypper install auditlog-keeper`
Then you install the SUSE Manager validator plugin:
`zypper install auditlog-keeper-spacewalk-validator`
After this, install at least one output plugin (unless STDOUT is all you need). Let’s use the syslog plugin here:
`zypper install auditlog-keeper-syslog`
Now you can start the service:
To make sure the log keeper starts automatically, issue the following command:
`chkconfig auditlog-keeper on`
This enables Audit Log Keeper in run levels 3 and 5:
This will open the configuration file “/etc/auditlog-keeper.conf” in your default editor. If you are fine with using the syslog backend, it is already pre-configured.
However, you should definitely change the “backend.db.auth.user” and “backend.db.auth.password” settings.
The password can be one that is hard to remember, because it is only read by the service and never needs to be entered manually.
If you are using the syslog output plugin and haven’t changed the default settings, all messages from the Audit Log Keeper will end up in your local “/var/log/messages” file. For secure, tamper-proof logging you may want to change this to a remote logging location, so that a compromised or misconfigured server cannot quietly alter its own audit trail.
Finally, you need to tell SUSE Manager to use logging:
In “/etc/rhn/rhn.conf” add a line that says:
`audit.enabled = 1`
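The configuration steps above (changing the database backend credentials in “/etc/auditlog-keeper.conf”, locking the file down, and switching on “audit.enabled” in “/etc/rhn/rhn.conf”) as an added shell helper. This is example code, not SUSE’s or the original post’s; it assumes the key names given in the post and the plain “key = value” layout of those files, and only writes to the real files when run with the argument `apply`.

```shell
#!/bin/sh
# Added example, not from SUSE or the original post. Assumes the keys named
# in the post: backend.db.auth.user / backend.db.auth.password in
# /etc/auditlog-keeper.conf and audit.enabled in /etc/rhn/rhn.conf.
# Paths are overridable so the helpers can be exercised against copies.
AUDITLOG_CONF=${AUDITLOG_CONF:-/etc/auditlog-keeper.conf}
RHN_CONF=${RHN_CONF:-/etc/rhn/rhn.conf}

# Print the value of "key = value" (first match, surrounding spaces stripped).
get_conf_key() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*\)$/\1/p" "$1" | head -n 1
}

# Set "key = value", replacing an existing line for the key or appending one,
# so re-running is idempotent and never leaves two conflicting definitions.
# Values are assumed free of sed-special characters ('|', '&', '\').
set_conf_key() {
    file=$1 key=$2 value=$3
    [ -f "$file" ] || : > "$file"
    if grep -q "^[[:space:]]*$key[[:space:]]*=" "$file"; then
        tmp=$(mktemp)
        sed "s|^[[:space:]]*$key[[:space:]]*=.*|$key = $value|" "$file" > "$tmp"
        cat "$tmp" > "$file"   # rewrite in place to keep the file's owner and mode
        rm -f "$tmp"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# A long random credential for the database backend: it is read by the
# service, never typed by a person, so it can be as unmemorable as you like.
gen_db_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 32
}

# Replace the default DB backend credentials and restrict who can read them.
configure_db_backend() {
    set_conf_key "$AUDITLOG_CONF" backend.db.auth.user "$1"
    set_conf_key "$AUDITLOG_CONF" backend.db.auth.password "$2"
    chmod 600 "$AUDITLOG_CONF"
}

# Switch on audit logging in SUSE Manager's own configuration.
enable_spacewalk_audit() {
    set_conf_key "$RHN_CONF" audit.enabled 1
}

# Only touch the real system files when explicitly asked to.
if [ "${1:-}" = "apply" ]; then
    configure_db_backend auditlog "$(gen_db_password)"
    enable_spacewalk_audit
    echo "Restart SUSE Manager for audit.enabled = 1 to take effect"
fi
```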
Restart SUSE Manager after that change and you are ready to prove to your auditors that you are keeping a detailed log of all changes to your systems from end to end. If you want more information or additional configuration options, check out the Audit Log Keeper wiki page.