[rt-users] How can I detect unauthorized changes to RT?

John Rouillard rouilj at renesys.com
Thu Mar 30 09:42:21 EST 2006


On Wed, Mar 29, 2006 at 08:16:51PM -0500, Jesse Vincent wrote:
> 
> 
> 
> On Wed, Mar 29, 2006 at 12:29:39PM -0500, Marc Tisseur wrote:
> > Greetings,
> > 
> > I want to monitor my RT installation for unauthorized changes. I
> > can use an intrusion tool to detect changes to the files (AIDE,
> > Tripwire, etc), but I'm interested in changes to objects that are
> > stored in the database itself (e.g. global scrips, templates,
> > custom fields).
> > 
> > Has anyone implemented a solution for a similar requirement, or
> > can offer better suggestions?
> > 
> 
> I've not seen this done before, but the suggestion that you dump the
> relevant tables and look for changes seems sane. Whatever you end up
> with, I'd be thrilled if you could document it on
> http://wiki.bestpractical.com

Another possibility might be database triggers on update for the
tables you want to watch.  Don't know how well that works with mysql but
it worked fine for a similar problem on oracle that had nothing to do
with RT. They used a trigger to update an audit table that was scanned
on a regular basis.

I don't remember if the trigger copied the original entry to an
alternate table or not to allow reverting the change. I remember it
being discussed but not the outcome.

-- 
				-- rouilj

John Rouillard
System Administrator
Renesys Corporation
603-643-9300 x 111
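
The trigger-plus-audit-table approach suggested in the message above, as an added example that is not part of the original thread and is not RT code. It uses Python's sqlite3 module as a stand-in for MySQL or Oracle, and the scrips table, its columns and all function names are constructed for illustration. The triggers keep the old values so that a change can be reverted.

```python
import sqlite3

# Constructed stand-in for one watched table; a real RT schema has more columns.
SCHEMA = """
CREATE TABLE scrips (id INTEGER PRIMARY KEY, description TEXT, template TEXT);
CREATE TABLE scrips_audit (
    audit_id   INTEGER PRIMARY KEY AUTOINCREMENT,
    changed_at TEXT DEFAULT CURRENT_TIMESTAMP,
    op TEXT, row_id INTEGER,
    old_description TEXT, old_template TEXT,
    new_description TEXT, new_template TEXT);
CREATE TRIGGER scrips_upd AFTER UPDATE ON scrips BEGIN
    INSERT INTO scrips_audit (op, row_id, old_description, old_template,
                              new_description, new_template)
    VALUES ('UPDATE', OLD.id, OLD.description, OLD.template,
            NEW.description, NEW.template);
END;
CREATE TRIGGER scrips_ins AFTER INSERT ON scrips BEGIN
    INSERT INTO scrips_audit (op, row_id, new_description, new_template)
    VALUES ('INSERT', NEW.id, NEW.description, NEW.template);
END;
CREATE TRIGGER scrips_del AFTER DELETE ON scrips BEGIN
    INSERT INTO scrips_audit (op, row_id, old_description, old_template)
    VALUES ('DELETE', OLD.id, OLD.description, OLD.template);
END;
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def scan(db, last_seen):
    """Periodic scan: audit rows newer than last_seen, plus the new high-water mark."""
    rows = db.execute(
        "SELECT audit_id, op, row_id, old_template, new_template "
        "FROM scrips_audit WHERE audit_id > ? ORDER BY audit_id",
        (last_seen,)).fetchall()
    return rows, (rows[-1][0] if rows else last_seen)

def revert(db, audit_id):
    """Restore the values the trigger saved for one UPDATE entry (itself audited)."""
    saved = db.execute(
        "SELECT old_description, old_template, row_id FROM scrips_audit "
        "WHERE audit_id = ? AND op = 'UPDATE'", (audit_id,)).fetchone()
    if saved is None:
        raise ValueError("no UPDATE audit entry with that id")
    db.execute("UPDATE scrips SET description = ?, template = ? WHERE id = ?", saved)
```

The scanner should store its high-water mark outside the database, and the account the application uses should have no rights to alter the audit table or the triggers.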


