[rt-users] How can I detect unauthorized changes to RT?

Marc Tisseur marct at alcor.concordia.ca
Wed Mar 29 12:29:39 EST 2006


Greetings,

I want to monitor my RT installation for unauthorized changes. I can use an
intrusion tool to detect changes to the files (AIDE, Tripwire, etc.), but I'm
interested in changes to objects that are stored in the database itself
(e.g. global scrips, templates, custom fields).

I suppose I could keep a reference copy of the various tables I'm interested
in monitoring, and periodically compare the lastupdated field values; if
something doesn't match, launch additional queries to find who made the
change (lastupdatedby) and what was changed (diffs on the key data fields
like custompreparecode). This sounds _VERY_ CPU intensive, however.
Alternatively, I might be able to use database trigger functions, but I'd
prefer not to start messing with the DB schema.

Has anyone implemented a solution for a similar requirement, or can offer
better suggestions?


Regards,

Marc Tisseur
Manager, Desktop Support Group and Helpline - IITS
Concordia University
Montreal, Canada
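
Added example (not part of the original post, and not RT code): the baseline-comparison approach described above, run against a constructed SQLite table. Only lastupdated, lastupdatedby and custompreparecode come from the post; the table layout, the other column names and the "silent-change" label (content changed while lastupdated did not, assumed to mean the edit was made outside RT) are assumptions.

```python
import difflib
import hashlib
import sqlite3

# Constructed stand-in for one RT table. Only lastupdated, lastupdatedby and
# custompreparecode come from the post; the other names are assumptions.
SCHEMA = ("CREATE TABLE scrips (id INTEGER PRIMARY KEY, description TEXT, "
          "custompreparecode TEXT, lastupdated TEXT, lastupdatedby INTEGER)")
WATCHED = ("description", "custompreparecode")  # fields hashed and diffed
COLS = ("id", "lastupdated", "lastupdatedby") + WATCHED

def snapshot(conn):
    """Return {id: row as dict plus a SHA-256 over the watched fields}."""
    snap = {}
    for row in conn.execute(f"SELECT {', '.join(COLS)} FROM scrips"):
        rec = dict(zip(COLS, row))
        blob = "\x00".join(str(rec[c]) for c in WATCHED).encode()
        rec["sha256"] = hashlib.sha256(blob).hexdigest()
        snap[rec["id"]] = rec
    return snap

def compare(baseline, current):
    """Report added, removed, updated and silently changed rows."""
    findings = []
    for rid in sorted(baseline.keys() | current.keys()):
        old, new = baseline.get(rid), current.get(rid)
        if old is None or new is None:
            kind = "added" if old is None else "removed"
            findings.append({"id": rid, "kind": kind})
            continue
        stamp_moved = old["lastupdated"] != new["lastupdated"]
        if not stamp_moved and old["sha256"] == new["sha256"]:
            continue
        diff = [line for c in WATCHED if old[c] != new[c]
                for line in difflib.unified_diff(
                    str(old[c]).splitlines(), str(new[c]).splitlines(),
                    c + "@baseline", c + "@current", lineterm="")]
        # Content changed but lastupdated did not: likely edited outside RT.
        kind = "updated" if stamp_moved else "silent-change"
        findings.append({"id": rid, "kind": kind,
                         "by": new["lastupdatedby"], "diff": diff})
    return findings

if __name__ == "__main__":
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.execute("INSERT INTO scrips VALUES (1,'On Create','return 1;','2006-03-01',12)")
    base = snapshot(db)
    db.execute("UPDATE scrips SET custompreparecode='return 0;' WHERE id=1")
    print(compare(base, snapshot(db)))
```

Diffs are computed only for rows whose timestamp or hash moved, so an unchanged table costs one SELECT and one hash per row.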



