On RHEL 8, are there prepared functions, methods, processes or tools to implement administrator/operator and auditor roles in the following way:
- An administrator/operator should be able to do almost everything except modifying/deleting logs
- An auditor should be able to read everything, and to delete logs
On my research, I did not find any hints or best practices for this concept. But I imagine, that this might be a common requirement for systems that shall comply with ISO 27001. So I am whondering, if there are already maintainable solutions to implpement such roles on RHEL or if it can be accomplished at all or if this is (currently) just not feasible on RHEL.
AFAIK there are some ready made provisions for privilege separation in SELinux in Multi Level Security mode here but nothing immediately useful and practical.
When you need to protect and tamperproof log files and audit trails against the trusted administrators on a server the solution is almost always either:
In other words: the auditor sets up and maintains a central syslog server and/or for example a Splunk/ELK Stack or similar where the other administrators don't get access to (or will only have user level access) and therefore won't be able to delete/modify the records. All (critical) application logs get copied there.