On Tuesday, May 10, 2016 10:52:21 PM Burn Alting wrote:
On Tue, 2016-05-10 at 12:31 +0000, Warron S French wrote:
> Good morning everyone,
>
> I am working on an environment where I have managed to get centralized
> audit logging to work – roughly 95% properly on six (6) CentOS-6.7
> workstations and a single (1) CentOS-6.7 server.
>
> I have two problems though; and they seem somewhat minor:
>
> 1. The audit events being captured don’t seem to be tied to any
> given node (so that I can perform ausearch --node hostName, or
> aureport), that’s the first issue.
What have you set the configuration parameter 'name_format'
in /etc/audit/auditd.conf to?
One assumes you may want to set
name_format = fqd
or
name_format = hostname
After the change on each host, don't forget to reload the configuration
with either a sighup on the auditd process or just restart the service.
This would set it for the local logs. And you would need to do this on the
server that is aggregating the logs. (I think I forgot to mention that last
week.) But for the workstations, you have to set name_format in audispd.conf.
> 2. The second issue is that I need to configure sudo to enable my
> Special Security Team with the ability to perform their duties using
> the aureport and the ausearch commands, but I get an error that
> appears to be based on permissions.
I recommend you show the command and resultant error in situations like
this. That way we can provide a more informed response.
One approach some people take is to use the log_group setting in auditd.conf.
If there is a group that the security people belong to that others don't, then
using that group name for log_group is the easiest way and exactly why
this option exists.
-Steve
> I am hoping that you guys can steer me in the correct direction; and I
> can update my documentation to be even a little more thorough.
>
> Scenario2, might be more of a membership issue now that I think about
> it; so please disregard as I think this is some weird 389-ds issue.
>
> I am hoping though that someone can suggest a reason why, when I look
> directly at the content of the /var/log/audit/audit.log I am not seeing
> any references to node=hostname1, hostname2 .. hostnameN? Maybe I did
> misconfigure something, but I followed my own instructions to the "T"
> and they didn't produce this issue.
>
> Thank you in advance for your precious time sincerely,
>
> Warron French, MBA, SCSA
>
> --
> Linux-audit mailing list
> Linux-audit(a)redhat.com
>
> https://www.redhat.com/mailman/listinfo/linux-audit
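The advice in the thread (set name_format in auditd.conf on the aggregator and in audispd.conf on the senders, use log_group for the security team, then restart auditd) as a small POSIX shell script. This is an added example, not code from the list or from the audit project; the group name secteam, the sample config and the sample audit.log lines are constructed, and the helper names (audit_conf_get, audit_conf_set, audit_node_coverage, apply_audit_settings) are this example's own. The last function also shows how to confirm the fix took effect by counting records in audit.log that carry a node= field.

```shell
#!/bin/sh
# Added example: manage auditd "key = value" settings and check node= coverage.
set -eu

# Print the value of KEY from FILE (auditd.conf syntax: "key = value").
audit_conf_get() {
    file=$1; key=$2
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$file" | tail -n 1
}

# Set KEY to VALUE in FILE, replacing an existing line or appending a new one.
audit_conf_set() {
    file=$1; key=$2; value=$3
    if grep -q "^[[:space:]]*${key}[[:space:]]*=" "$file"; then
        sed -i "s|^[[:space:]]*${key}[[:space:]]*=.*|${key} = ${value}|" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# Report "records_with_node/total_records" for an audit.log. Records start
# with "node=" when name_format is set and with "type=" when it is NONE, so a
# share well below 1 means some sender still has name_format = NONE.
audit_node_coverage() {
    file=$1
    total=$(grep -c -E '^(node=|type=)' "$file" || true)
    with_node=$(grep -c '^node=' "$file" || true)
    echo "${with_node}/${total}"
}

# Apply the thread's advice on a real host (needs root; not run by the demo).
# name_format in auditd.conf labels local records on the aggregator,
# name_format in audispd.conf labels records the workstations forward,
# and log_group lets the security team's group read the logs.
apply_audit_settings() {
    audit_conf_set /etc/audit/auditd.conf  name_format hostname
    audit_conf_set /etc/audit/audispd.conf name_format hostname
    audit_conf_set /etc/audit/auditd.conf  log_group   secteam   # constructed group
    service auditd restart   # CentOS 6: pick up the new configuration
}

# Demonstrate on constructed files in a temporary directory.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/auditd.conf" <<'EOF'
# constructed sample mirroring CentOS 6 defaults
log_file = /var/log/audit/audit.log
log_format = RAW
log_group = root
name_format = NONE
EOF
    cat > "$tmp/audit.log" <<'EOF'
type=USER_LOGIN msg=audit(1462880000.100:201): pid=1 uid=0 res=success
node=ws01 type=USER_LOGIN msg=audit(1462880001.200:202): pid=1 uid=0 res=success
node=ws02 type=USER_LOGIN msg=audit(1462880002.300:203): pid=1 uid=0 res=success
EOF
    audit_conf_set "$tmp/auditd.conf" name_format hostname
    audit_conf_set "$tmp/auditd.conf" log_group secteam
    echo "name_format now: $(audit_conf_get "$tmp/auditd.conf" name_format)"
    echo "log_group now:   $(audit_conf_get "$tmp/auditd.conf" log_group)"
    echo "node coverage:   $(audit_node_coverage "$tmp/audit.log")"
    rm -rf "$tmp"
}

demo
```

Run the script as-is to see the demo on throwaway files; call apply_audit_settings as root to change the live configuration. A coverage result such as 2/3 on the aggregator means one sender is still forwarding records without a node label, which points at a workstation whose audispd.conf was not updated or whose service was not restarted.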