Steve, thanks for your replies to all of my questions.
Can you please send me a walk-through document for sending the 6 workstations' and 1
server's audit data into the same directory structure? Something that will definitely
work, please?
I have a VM environment that I can make changes on and then test, so I would be very
grateful for any cooperation I could get.
My intent is to have all the machines log data to the same machine. I want the system
security auditors to be able to use the typical aureport and ausearch commands (that I
know you write).
So, I have to ask, can this be done, and the audit logs be parsed on a per
hostname-basis?
Can they be stored in directories that are /var/log/audit/YYYY/MM/DD/Hostname_audit.log
format - or is that inadvisable considering the intention to continue to support/use the
two commands: aureport and ausearch? What would you advise - please?
I am aware of the /etc/audisp directory, which I am sure is associated with the audispd
daemon, but I don't have the foggiest clue of how to configure them together.
It is only because of stumbling around for the last 2 years (and very feverishly the last
2 days) that I have learned how to use the auditctl and aureport commands. I want to do
this correctly, and I want to do it consistently with "industry standards" so
that I can continue to get support from people like the folks in this 'forum.'
Thanks for any advice and useful links you can share. I am certain that as you provide
them and I read them it will force me to ask even more questions. I hope you don't
mind.
Warron French, MBA, SCSA
-----Original Message-----
From: Steve Grubb [mailto:sgrubb@redhat.com]
Sent: Thursday, April 28, 2016 11:10 AM
To: linux-audit(a)redhat.com
Cc: Warron S French <warron.s.french(a)aero.org>
Subject: Re: audit review question
On Wednesday, April 27, 2016 09:10:39 PM Warron S French wrote:
> I have a scenario that I need a little help understanding how to work
> through in an isolated environment of 1 server and 6 workstations (7
> machines). The 7 machines are all running CentOS-6.7 and selinux =
> disabled.
> All 6 workstations are configured through rsyslog.conf to send audit
> data to the server, and I have (but apparently not successfully)
> configured general system messages to also report back to the same
> server. I am using the conventional filesystems for each, but the
> directory structure below is different.
Rsyslog will likely mangle the audit lines such that it's no longer in the native audit
format. I don't know if its headers can be stripped as it writes to disk.
> For audit, I use /var/log/audit/2016/04/27/wk{1..6}_audit.log; the
> directories per day, per month and per year are auto-created
> (miraculously). For system messages, and I know this isn't the forum
> to get help on this so I will only list the directory, it is
> /var/log/2016/04/27/wk{1..6}_syslog.log.
> Now that I am doing this, and successfully, I want to test that the
> security auditors will be able to do their job properly, as well as I
> am trying to comply with some security constraint that requires me to
> centralize the log data into a single server (hence the major driver for all of this).
> I know that there are the aureport and ausearch commands, but I am not
> sure that I am able to figure out the correct command-line structure
> to test that audit data is getting into the appropriate file, on each
> day of the year, on a per-serverName basis.
> If a real-world situation occurred where the Security Auditors were
> asking to find out how many machines userX attempted to log into,
> what would be the appropriate command for the example audit directory
> I listed above (/var/log/audit/2016/04/27/wk{1..6}_audit.log), because
> I am not sure I am running the command with the appropriate switches
> to scan the files properly?
> I used:
> * aureport -if /var/log/audit/2016/04/27/ and it didn't like the
> input,
Probably due to the header it inserts to each record. But this is how you should do it.
> * aureport -if /var/log/audit/2016/04/27/* and it didn't like the
> input, am I using the command improperly?
You shouldn't need the '*'. If the passed option is a dir, then it
automatically looks for more files. But note that the native rotation is
audit.log <- newest
audit.log.1
audit.log.2
audit.log.3 <- oldest
rsyslog would also have to use this scheme. I have never investigated if it
does. That does not mean that a wrapper script couldn't be made to walk the
files in rsyslog's order and send them to aureport via stdin. You could
probably even add a sed command to strip the rsyslog headers from each record.
Not the best answer, but once it hits rsyslog, it can change the record in
ways that are unknown to me.
-Steve
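The wrapper script Steve sketches above, as an added example that is not part of this thread and not the audit project's own tooling. It assumes Warron's /var/log/audit/YYYY/MM/DD/<host>_audit.log layout and that rsyslog prefixes each record with a conventional syslog header (timestamp, host, tag) containing no '=' character; the stripped records are piped to aureport or ausearch, which read raw log data on stdin.

```shell
#!/bin/sh
# Constructed example: walk one host's per-day audit files, strip the
# rsyslog header from each record, and feed native records to aureport.

# Remove "Mon DD HH:MM:SS host tag[pid]: " up to the first node= or type=
# field. Assumes the syslog prefix contains no '='. A record with no
# prefix does not match, so native records pass through unchanged and the
# filter is safe on mixed input.
strip_rsyslog_header() {
    sed -E 's/^[^=]* (node=|type=)/\1/'
}

# List one host's files oldest-first. The YYYY/MM/DD layout sorts
# lexically, so a sorted find gives chronological order, which is what
# aureport/ausearch expect (they are not reading the native rotation).
list_host_logs() {
    base="$1"; host="$2"
    find "$base" -type f -name "${host}_audit.log" 2>/dev/null | sort
}

# Concatenate the host's records in order, strip headers, and hand the
# stream to whatever audit command follows the host name.
# Usage: report_for_host /var/log/audit wk1 aureport --login --summary
#        report_for_host /var/log/audit wk1 ausearch -ua userX
report_for_host() {
    base="$1"; host="$2"; shift 2
    list_host_logs "$base" "$host" | while IFS= read -r f; do
        cat "$f"
    done | strip_rsyslog_header | "$@"
}
```

To answer the "how many machines did userX log into" question, loop report_for_host over each hostname and compare the per-host counts; aureport cannot split a merged stream by host unless the records carry a node= field.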