Re: AUDIT changes - true sense of security
On Friday, March 18, 2016 01:14:31 PM Warron S French wrote:
I have an issue, I believe, and I am asking for help on how to
properly
address/assess it.
I have been given guidance in support of auditing on CentOS-6.x systems:
1. To place various watch (-w) and action (-a) rules into place.
2. Make certain the configurations are immutable.
Sometimes I have to add more rules, so I do that. However, I am not
certain if the rules are working properly, and I do know that I have broken
the auditd init-scripts on my systems a few times, and just commented out
the offending audit controls to work around/fix this very type of problem.
While you are experimenting, do not put in the -e 2 configuration option.
What I need to know is, since the configurations have to be immutable ( with
the -e 2) how can I properly start the audit service, and without any
inkling of a doubt be certain that the rules are in place and are
functioning properly?
There is a rule listing command, -l, that will dump what the kernel has
loaded. There is also a status command, -s, that will tell you if audit is
enabled. If the rules are loaded and audit is enabled, its working.
Also, being a total novice, how can I test/trigger audit log actions
on
watch and action rules to see that the rules are configured properly?
If its a watch, then accessing the file and running ausearch should do it. If
you have a syscall rule, then you have to trigger the syscall either by using
a program or creating one.
Finally, is there a tool that will do a sanity check on the
audit.rules file?
auditctl reports any problems that it sees with the rules.
Or is the only option to attempt to restart the auditd service, and
think
"It started, it worked!" is acceptable?
List the rules and status the audit subsystem.
-Steve