[BBLISA] audit root/sudo users for RHEL 6 server
John Stoffel
john at stoffel.org
Fri Apr 17 14:56:40 EDT 2020
John> What is the best way to provide proof to an audit person who
John> needs to know all the root/sudo users for a RHEL 6 server?

It depends on what they take as "proof" of your audit process. Our
current auditors want screen shots of files with a clock in the
corner, which makes *zero* sense, so we're working to educate them and
to put a better system in place.

It might be that Tripwire is the possible solution, started off first
in a very targeted way.

John> (I am new at this company, and don't have access to all their resources)
John> We can provide the /etc/passwd & /etc/sudoers file (the
John> auditor may not know how to read these files)

They probably don't *care* what the files say, but more "what is your
process to monitor and keep track of changes?". And of course
management of adding and removing accounts.

John> We also have the RedHat Identity Management running here, but
John> I am not familiar with this tool.

Never used it. Auditing is documenting a process and having controls
and being able to show you use them and of course can justify them.
John
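
An added example, not part of the original message: a shell script that reduces the passwd and sudoers files mentioned in the thread, plus the group file, to a list of privileged accounts an auditor can read. Function names and the sample data are this example's own. It assumes local files only; on the server it would be run as root against /etc/passwd, /etc/group, /etc/sudoers and any /etc/sudoers.d files.

```shell
# Added example: list root-equivalent and sudo-capable accounts from
# passwd/group/sudoers-format files. Function names are hypothetical.
uid0_accounts() {                       # $1 = passwd file
    awk -F: '$3 == 0 { print $1 }' "$1"
}

group_members() {                       # $1 = group, $2 = group file, $3 = passwd file
    awk -F: -v g="$1" '
        NR == FNR { if ($1 == g) { gid = $3; n = split($4, m, ",")
                                   for (i = 1; i <= n; i++) print m[i] }
                    next }
        gid != "" && $4 == gid { print $1 }   # users whose primary group it is
    ' "$2" "$3" | sort -u
}

sudoers_principals() {                  # args = sudoers file(s)
    awk '
        { while (sub(/\\$/, "")) { if ((getline nxt) <= 0) break; $0 = $0 nxt } }
        /^[ \t]*$/ || /^[ \t]*#([^0-9]|$)/ { next }   # blank, comment, #include
        $1 ~ /^(Defaults|User_Alias|Runas_Alias|Host_Alias|Cmnd_Alias)/ { next }
        { print $1 }                    # user, %group, #uid or alias name
    ' "$@" | sort -u
}

privileged_report() {                   # $1 = passwd, $2 = group, rest = sudoers files
    pw=$1; gr=$2; shift 2
    for u in $(uid0_accounts "$pw"); do echo "uid0 $u"; done
    for p in $(sudoers_principals "$@"); do
        case $p in
            %*) for m in $(group_members "${p#%}" "$gr" "$pw"); do
                    echo "sudo $m via $p"; done ;;
            *)  echo "sudo $p" ;;
        esac
    done
}

# Constructed sample input (not from a real host), so the script runs anywhere.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'root:x:0:0::/root:/bin/bash' 'toor:x:0:0::/root:/bin/bash' \
        'alice:x:500:500::/home/alice:/bin/bash' 'bob:x:501:10::/home/bob:/bin/bash' \
        'carol:x:502:502::/home/carol:/bin/bash' > "$d/passwd"
    printf '%s\n' 'root:x:0:' 'wheel:x:10:alice' > "$d/group"
    printf '%s\n' '# sample' 'Defaults requiretty' 'root ALL=(ALL) ALL' \
        '%wheel ALL=(ALL) ALL' 'carol ALL=(root) \' '    /sbin/service httpd restart' > "$d/sudoers"
    privileged_report "$d/passwd" "$d/group" "$d/sudoers"
    rm -rf "$d"
}
demo
```

Alias names are printed as written rather than expanded, and accounts or sudo rules served from a directory service rather than local files do not appear in this output.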