[rt-users] How can I detect unauthorized changes to RT?
John Rouillard
rouilj at renesys.com
Thu Mar 30 09:42:21 EST 2006
On Wed, Mar 29, 2006 at 08:16:51PM -0500, Jesse Vincent wrote:
>
>
>
> On Wed, Mar 29, 2006 at 12:29:39PM -0500, Marc Tisseur wrote:
> > Greetings,
> >
> > I want to monitor my RT installation for unauthorized changes. I
> > can use an intrusion tool to detect changes to the files (AIDE,
> > Tripwire, etc), but I'm interested in changes to objects that are
> > stored in the database itself (e.g. global scrips, templates,
> > custom fields).
> >
> > Has anyone implemented a solution for a similar requirement, or
> > can offer better suggestions?
> >
>
> I've not seen this done before, but the suggestion that you dump the
> relevant tables and look for changes seems sane. Whatever you end up
> with, I'd be thrilled if you could document it on
> http://wiki.bestpractical.com

Another possibility might be database triggers on update for the
tables you want to watch. Don't know how well that works with mysql but
it worked fine for a similar problem on oracle that had nothing to do
with RT. They used a trigger to update an audit table that was scanned
on a regular basis.

I don't remember if the trigger copied the original entry to an
alternate table or not to allow reverting the change. I remember it
being discussed but not the outcome.

--
-- rouilj
John Rouillard
System Administrator
Renesys Corporation
603-643-9300 x 111
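
The trigger-and-audit-table approach described in the message above, as an added example that is not part of the original post and not RT's own code. It uses SQLite as a stand-in so it runs offline (trigger syntax differs on MySQL and Oracle); the `scrips` table layout, its sample row, and the helper names `scan_audit` and `revert` are constructed for illustration.

```python
import sqlite3

# Constructed stand-in for one watched table; a real RT schema has more columns.
SCHEMA = """
CREATE TABLE scrips (id INTEGER PRIMARY KEY, description TEXT, action TEXT);
CREATE TABLE scrips_audit (
    audit_id        INTEGER PRIMARY KEY AUTOINCREMENT,
    changed_at      TEXT DEFAULT CURRENT_TIMESTAMP,
    op              TEXT NOT NULL,      -- 'UPDATE' or 'DELETE'
    row_id          INTEGER NOT NULL,
    old_description TEXT,
    old_action      TEXT
);
-- Copy the pre-change row into the audit table so the change can be reverted.
CREATE TRIGGER scrips_au AFTER UPDATE ON scrips BEGIN
    INSERT INTO scrips_audit (op, row_id, old_description, old_action)
    VALUES ('UPDATE', OLD.id, OLD.description, OLD.action);
END;
CREATE TRIGGER scrips_ad AFTER DELETE ON scrips BEGIN
    INSERT INTO scrips_audit (op, row_id, old_description, old_action)
    VALUES ('DELETE', OLD.id, OLD.description, OLD.action);
END;
"""

def open_demo_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO scrips VALUES (1, 'On Create Notify', 'Notify AdminCcs')")
    db.commit()
    return db

def scan_audit(db, last_seen):
    """Return (new_high_water_mark, rows) for audit entries newer than last_seen."""
    rows = db.execute(
        "SELECT audit_id, op, row_id, old_description, old_action "
        "FROM scrips_audit WHERE audit_id > ? ORDER BY audit_id", (last_seen,)
    ).fetchall()
    return (rows[-1][0] if rows else last_seen), rows

def revert(db, audit_row):
    """Restore the saved pre-change values; an UPDATE revert is itself audited."""
    _, op, row_id, desc, action = audit_row
    if op == "UPDATE":
        db.execute("UPDATE scrips SET description = ?, action = ? WHERE id = ?",
                   (desc, action, row_id))
    else:  # the row was deleted, so put it back with its original id
        db.execute("INSERT INTO scrips (id, description, action) VALUES (?, ?, ?)",
                   (row_id, desc, action))
    db.commit()
```

The periodic scan only needs to remember the last `audit_id` it reported. The audit table is only as trustworthy as its permissions: if the account the application uses can write to it or drop the triggers, the log can be altered along with the data.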