[rt-users] How can I detect unauthorized changes to RT?

der Mouse mouse at Rodents.Montreal.QC.CA
Wed Mar 29 14:20:44 EST 2006


> From: "Marc Tisseur" <marct at alcor.concordia.ca>

Alcor?  Hey, I know that host!  Small world.

> I want to monitor my RT installation for unauthorized changes.  I can
> use an intrusion tool to detect changes to the files (AIDE, Tripwire,
> etc), but I'm interested in changes to objects that are stored in the
> database itself (e.g. global scrips, templates, custom fields).

You could grab copies of the relevant database entries with stuff like
(assuming mysql, which is what the rt instance I've been working with
uses; I assume other databases have similar capabilities)

echo 'select Scrips.* from Scrips' | mysql rt > scrips.dump

and then monitor scrips.dump with your Tripwire or moral equivalent.

> I suppose I could keep a reference copy of the various tables I'm
> interested in monitoring, and periodically compare the lastupdated
> field values; if something doesn't match, launch additional queries
> to find who made the change (lastupdatedby) and what was changed
> (diffs on the key data fields like custompreparecode).  This sounds
> _VERY_ CPU intensive however.

It actually doesn't sound all that bad to me.  If you use it on tables
like Tickets or Transactions, yes, it will be expensive, but I assume
you're more interested in things like Scrips or Users.  I would suggest
trying it rather than assuming it will be too cpu-hungry.

/~\ The ASCII				der Mouse
\ / Ribbon Campaign
 X  Against HTML	       mouse at rodents.montreal.qc.ca
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B