RE: audit review question

Steve, thanks for your replies to all of my questions. Can you please send me a walk through document for trying to send the 6 workstations and 1 servers audit-data into the same directory structure? Something that will definitely work, please? I have a VM environment that I can make changes on and then test, so I would be very grateful for any cooperation I could get. My intent is to have all the machines log data to the same machine. I want the system security auditors to be able to use the typical aureport and ausearch commands (that I know you write). So, I have to ask, can this be done, and the audit logs be parsed on a per hostname-basis? Can they be stored in directories that are /var/log/audit/YYYY/MM/DD/Hostname_audit.log format - or is that inadvisable considering the intention to continue to support/use the two commands: aureport and ausearch? What would you advise - please?

I am aware of the /etc/audisp directory, which I am sure is associated with the audispd daemon, but I don't have the foggiest clue of how to configure them together.

It is only because of stumbling around for the last 2 years (and very feverishly the last 2 days) that I have learned how to use the auditctl and aureport commands. I want to do this correctly, and I want to do it consistently with "industry standards" so that I can continue to get support from people like the folks in this 'forum.'

Thanks, for any advice and useful links you can share. I am certain that as you provide them and I read them it will force me to ask even more questions. I hope you don't mind. Warron French, MBA, SCSA -----Original Message----- From: Steve Grubb [mailto:sgrubb@redhat.com] Sent: Thursday, April 28, 2016 11:10 AM To: linux-audit(a)redhat.com Cc: Warron S French <warron.s.french(a)aero.org&gt; Subject: Re: audit review question On Wednesday, April 27, 2016 09:10:39 PM Warron S French wrote: > I have a scenario that I need a little help understanding how to work > through in an isolated environment of 1 server and 6 workstations (7 > machines). The 7 machines are all running CentOS-6.7 and selinux = > disabled. > > All 6 workstations are configured through rsyslog.conf to send audit > data to the server, and I have (but apparently not successfully > configured general system messages to also report back to the same > server). I am using the conventional filesystems for each, but the > directory structure below is different. Rsyslog will likely mangle the audit lines such that its no longer in the native audit format. I don't know if its headers can be stripped as it writes to disk. > For audit, I use, /var/log/audit/2016/04/27/wk{1..6}_audit.log the > directory per day and per month and per year are auto created > (miraculously). For system messages, and I know this isn't the forum > to get help on this so I will only list the directory is - > /var/log/2016/04/27/wk{1..6}_syslog.log. > > Now that I am doing this, and successfully, I want to test that the > security auditors will be able to do their job properly, as well as I > am trying to comply with some security constraint that requires me to > centralize the logdata into a single server (hence the major driver for > all of this). > > I know that there is the aureport and ausearch command, but I am not > sure that I am able to figure out the correct command-line structure > to test that audit-data is getting into the appropriate file, on each > day of the year, on a per serverName basis. > > If a real-world situation occurred that the Security Auditors were > asking to find out how many machines did userX attempt to log into, > what would be the appropriate command for the example audit directory > I listed above (/var/log/audit/2016/04/27/wk{1..6}_audit.log), because > I am not sure I am running the command with the appropriate switches > to scan the files properly? > > I used: > > * aureport -if /var/log/audit/2016/04/27/ and it didn't like the > input, Probably due to the header it inserts to each record. But this is how you should do it. > * aureport -if /var/log/audit/2016/04/27/* and it didn't like the > input, am I using the command improperly? You shouldn't need the '*'. If the passed option is a dir, then it automatically looks for more files. But note that the native rotation is audit.log <- newest audit.log.1 audit.log.2 audit.log.3 <- oldest rsyslog would also have to use this scheme. I have never investigated if it does. That does not means that a wrapper script couldn't be made to walk the files in rsyslog's order and send them to aureport via stdin. You could probably even add a sed command to strip the rsyslog headers from each record. Not the best answer, but once it hits rsyslog, it can change the record in ways that unknown to me. -Steve