Hello Burn, thanks for your inputs.
Oddly enough, in my lab, where this is working as expected, the name_format = NONE, and
that is on my test server (server1) and also on both test clients (client1 and client2).
However, in my production environment, I would have to double-check the setting
/etc/audit/auditd.conf::name_format and see what it is set to, because my instructions
don't mention it, based on the email interaction with Steve Grubb.
Thanks for the prompt reply, Burn.
Warron French, MBA, SCSA
-----Original Message-----
From: Burn Alting [mailto:burn@swtf.dyndns.org] 
Sent: Tuesday, May 10, 2016 8:52 AM
To: Warron S French <warron.s.french(a)aero.org>
Cc: linux-audit(a)redhat.com
Subject: Re: audit-tools and SUDO
On Tue, 2016-05-10 at 12:31 +0000, Warron S French wrote:
 Good morning everyone,

 I am working on an environment where I have managed to get centralized
 audit logging to work – roughly 95% properly on six (6) CentOS-6.7
 workstations and a single (1) CentOS-6.7 server.

 I have two problems though; and they seem somewhat minor:

 1. The audit events being captured don’t seem to be tied to any
 given node (so that I can perform ausearch --node hostName, or
 aureport), that’s the first issue.
What have you set the configuration parameter 'name_format'
in /etc/audit/auditd.conf to?
One assumes you may want to set
name_format = fqd
or
name_format = hostname
After the change on each host, don't forget to reload the configuration with either a
sighup on the auditd process or just restart the service.

 2. The second issue is that I need to configure sudo to enable my
 Special Security Team with the ability to perform their duties using
 the aureport and the ausearch commands, but I get an error that
 appears to be based on permissions.

I recommend you show the command and resultant error in situations like this. That
way we can provide a more informed response.

 I am hoping that you guys can steer me in the correct direction; and I
 can update my documentation to be even a little more thorough.

 Scenario 2 might be more of a membership issue now that I think about
 it; so please disregard as I think this is some weird 389-ds issue.

 I am hoping though that someone can suggest a reason why, when I look
 directly at the content of the /var/log/audit/audit.log I am not seeing
 any references to node=hostname1, hostname2 .. hostnameN? Maybe I did
 misconfigure something, but I followed my own instructions to the “T”
 and they didn’t produce this issue.

 Thank you in advance for your precious time sincerely,

 Warron French, MBA, SCSA

 --
 Linux-audit mailing list
 Linux-audit(a)redhat.com
 https://www.redhat.com/mailman/listinfo/linux-audit
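As an added illustration of the name_format / node= discussion in this thread (example code written for this page, not code from the list or from the audit-userspace project): a small Python script that reads the name_format value out of an auditd.conf fragment, flags values auditd.conf(5) does not accept, and then counts how many records in an aggregated audit.log carry the node= field that name_format = hostname or fqd prepends. Records without node= are the ones that ausearch --node and aureport cannot attribute to a host. The two auditd.conf fragments, the hostnames client1/client2 and every audit.log record below are constructed samples, not captured from a real host; the record layout follows the RAW log format the thread refers to.

```python
"""Verify auditd name_format and node= tagging in aggregated audit logs.

Added example for this thread; it is not code from the list or from the
audit-userspace project. The auditd.conf fragments and the audit.log
records below are constructed samples, not captured from a real host.
"""
import re
from collections import Counter

# One top-level key=value pair. Values are bare tokens or quoted strings;
# a quoted msg='...' payload is consumed whole so its inner keys do not
# collide with the record's own fields.
_KV_RE = re.compile(r"(\w+)=(\"[^\"]*\"|'[^']*'|\S+)")

# Values auditd.conf(5) accepts for name_format; anything else is a typo
# that will not produce the node= prefix the thread is looking for.
VALID_NAME_FORMATS = {"none", "hostname", "fqd", "numeric", "user"}


def parse_name_format(conf_text):
    """Return the effective name_format from auditd.conf text, lower-cased.

    auditd.conf is 'key = value' per line with '#' comment lines; when the
    key is absent auditd behaves as if name_format = none, so that is the
    value returned here.
    """
    value = "none"
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, val = line.partition("=")
        if key.strip() == "name_format":
            value = val.strip().lower()
    return value


def parse_audit_record(line):
    """Split one audit.log record into a dict of its top-level fields."""
    fields = {}
    for key, val in _KV_RE.findall(line):
        # keep the first occurrence: msg=audit(...) wins over the later msg='...'
        fields.setdefault(key, val.strip("\"'"))
    return fields


def summarize_nodes(lines):
    """Count records per originating node.

    Records with no node= field are counted under 'untagged'; in a
    centralized log they come from hosts still running name_format = none.
    """
    counts = Counter()
    for line in lines:
        if not line.strip():
            continue
        counts[parse_audit_record(line).get("node", "untagged")] += 1
    return dict(counts)


# Constructed auditd.conf fragments: the lab setting and the corrected one.
CONF_LAB = """\
log_file = /var/log/audit/audit.log
log_format = RAW
name_format = NONE
"""
CONF_FIXED = """\
log_file = /var/log/audit/audit.log
log_format = RAW
# tag every record with this host's short name
name_format = hostname
"""

# Constructed audit.log excerpt: two hosts tagged, one record untagged.
AUDIT_LOG = """\
node=client1 type=USER_CMD msg=audit(1462878000.101:201): pid=2101 uid=1000 auid=1000 ses=4 msg='cwd="/home/alice" cmd="aureport" terminal=pts/0 res=success'
node=client1 type=SYSCALL msg=audit(1462878000.102:202): arch=c000003e syscall=59 success=yes exit=0 auid=1000 uid=0 comm="aureport" exe="/sbin/aureport"
node=client2 type=USER_LOGIN msg=audit(1462878001.103:203): pid=1977 uid=0 auid=1001 ses=5 msg='op=login id=1001 exe="/usr/sbin/sshd" res=success'
type=USER_CMD msg=audit(1462878002.104:204): pid=3300 uid=1002 auid=1002 ses=6 msg='cwd="/root" cmd="ausearch" terminal=pts/1 res=failed'
"""


if __name__ == "__main__":
    for label, conf in (("lab", CONF_LAB), ("fixed", CONF_FIXED)):
        fmt = parse_name_format(conf)
        status = "valid" if fmt in VALID_NAME_FORMATS else "INVALID"
        print(f"{label}: name_format = {fmt} ({status})")
    print("records per node:", summarize_nodes(AUDIT_LOG.splitlines()))
```

Run against a real central log, summarize_nodes tells you at a glance which hosts are still shipping untagged records, which is the quickest way to find the workstation whose auditd.conf was left at name_format = none after the change and the SIGHUP or service restart Burn mentions.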