On 06/18/2015 11:22 PM, Lew Wolfgang wrote:
Perhaps I should have included the original requirement. Here it is:
"The operating system must enforce dual authorization for movement and/or deletion of all audit information, when such movement or deletion is not part of an authorized automatic process."
If your audit system writes audit logs as archives - for example hourly - then you could manage to do this with attributes. The audit system writes the archive files in an archive directory and then sets the immutable flag:

    chattr +i archive_file

Then you create 2 unix users and use sudo to give one the permission to alter the immutable flag by using

    chattr [+-]i /path/to/archive/*

and the other one the permission to delete these files. root is still almighty.
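The scheme sketched above, worked through as an added example (not code from the thread or its participants): a seal step run by the archiver, an unlock wrapper granted to one role and a delete wrapper granted to a different role, so that removing an archive needs two people while root stays unrestricted. The directory, the role names auditunlock and auditpurge, the wrapper names and the install path are all assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread: dual authorization for deleting
# sealed audit archives. One role may only toggle the immutable bit, the other
# may only delete, so no single non-root account can do both.
# Assumed names (not from the thread):
#   ARCHIVE_DIR   directory the audit system drops hourly archives into
#   auditunlock   role allowed only to clear/set the immutable bit
#   auditpurge    role allowed only to delete an already-unlocked archive
#   audit-unlock / audit-purge   the two installed wrapper names (see dispatch)
# root remains able to do everything, as the thread says.

ARCHIVE_DIR="${ARCHIVE_DIR:-/var/log/audit/archive}"
UNLOCK_USER="${UNLOCK_USER:-auditunlock}"
PURGE_USER="${PURGE_USER:-auditpurge}"
WRAPPER_DIR="${WRAPPER_DIR:-/usr/local/sbin}"   # assumed install location

# Accept only a bare file name: no path components, no dot entries, no leading
# dash, and a conservative character set. This stops a sudo-granted wrapper from
# being pointed at a file outside ARCHIVE_DIR or at an option for chattr/rm.
archive_name_ok() {
  case "$1" in
    ''|.|..|*/*|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Step 1 (archiver, as root): seal a freshly written archive.
seal_archive() {
  archive_name_ok "$1" || { echo "refused: $1" >&2; return 2; }
  chattr +i "$ARCHIVE_DIR/$1"
}

# Step 2 (first person, via sudo as the unlock role): clear the immutable bit.
unlock_archive() {
  archive_name_ok "$1" || { echo "refused: $1" >&2; return 2; }
  chattr -i "$ARCHIVE_DIR/$1"
}

# Step 3 (second person, via sudo as the purge role): delete an unlocked archive.
# rm fails on a still-immutable file, so deletion cannot skip step 2.
purge_archive() {
  archive_name_ok "$1" || { echo "refused: $1" >&2; return 2; }
  rm "$ARCHIVE_DIR/$1"
}

# sudoers rules granting each role exactly one wrapper and nothing else
# (intended for a file under /etc/sudoers.d/).
sudoers_fragment() {
  printf '%s ALL=(root) NOPASSWD: %s/audit-unlock\n' "$UNLOCK_USER" "$WRAPPER_DIR"
  printf '%s ALL=(root) NOPASSWD: %s/audit-purge\n' "$PURGE_USER" "$WRAPPER_DIR"
}

# List archives that are still sealed: lsattr prints the attribute string first,
# and a lowercase 'i' in it means immutable.
sealed_archives() {
  lsattr "$ARCHIVE_DIR" 2>/dev/null | awk '$1 ~ /i/ { print $2 }'
}

# Dispatch on the name this script was installed under, so the same file serves
# as both wrappers; any other name (e.g. when sourced) does nothing.
case "$(basename "$0")" in
  audit-unlock) unlock_archive "$1" ;;
  audit-purge)  purge_archive "$1" ;;
esac
```

Install the script root-owned and non-writable as `audit-unlock` and `audit-purge` (copies or symlinks), and emit the sudoers lines with `sudoers_fragment`. The wrappers exist instead of granting `chattr -i /path/to/archive/*` directly because, as sudoers(5) documents, a wildcard in a command's arguments matches across word boundaries, so such a rule also admits extra arguments; validating a single bare file name avoids that. `sealed_archives` gives the second person a quick check that nothing was unlocked without being deleted.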