On Wednesday, July 13, 2016 9:22:57 AM EDT Chris Nandor wrote:
> Secondary question: the reason for what I'm working on is that we want to
> be able to audit what folks do as root on our production hosts. We're not
> a bank, and a perfect solution is not required, but we do need to be able
> to take reasonable steps to find out if people with access are doing bad
> things.
> Is this setup reasonable for that purpose?

Yes. You would want to do two things: first, enable tty auditing. This is done
by the pam_tty_audit module. Second, consider adding the 32-power-abuse.rules
to your rules.

> I know that's a loaded question
> and I can answer any questions anyone has that are necessary to figure this
> out. I am not asking so much about rules, but about architecture: logging
> according to whatever rules we set up, to the local audit.log and
> immediately to a remote using audisp-remote, so the log can't be easily
> manipulated.

Remote logging is the defence against local log manipulation.

-Steve
> On Wed, Jul 13, 2016 at 8:57 AM, Steve Grubb <sgrubb(a)redhat.com> wrote:
> > On Wednesday, July 13, 2016 8:47:58 AM EDT Chris Nandor wrote:
> > > Hi, I had some odd behavior to report.
> > >
> > > I am running ubuntu 12.04. Using the default auditd and audispd-plugins
> > > packages for my release, I was able to get logs sent to local syslog and to
> > > a remote auditd server (same basic configuration), but the entries were
> > > being buffered somewhere (I think on the client side), and if the server
> > > died reconnections didn't happen.
> > >
> > > So, I wanted a more recent version, so I compiled audit-userspace from the
> > > github src mirror,* trunk@1341.
> >
> > The github repo is a mirror of svn and is not always up to date. The issue you
> > are seeing is fixed in the next commit after the mirror stops.
> >
> > https://fedorahosted.org/audit/changeset/1342
> >
> > if you want the latest you can:
> >
> > svn co http://svn.fedorahosted.org/svn/audit/trunk
> >
> > and then generate from there. I am planning to release audit-2.6.5 tomorrow.
> > So, if anyone can test the current code, I'd really appreciate it. I'm hoping
> > the next release settles down the audit code.
> >
> > > When I did, I got some weird results. For example, I expected and got
> > > something like this in my audit.log:
> > >
> > > node=host.example.com type=CWD msg=audit(1468363871.644:3279856): cwd="/etc/audisp"
> > >
> > > And that was as expected. In syslog, I expected to get:
> > >
> > > Jul 13 08:34:53 host audispd: node=host.loc.example.com type=CWD msg=audit(1468363871.644:3279856): cwd="/etc/audisp"
> > >
> > > But instead, I got:
> > >
> > > Jul 13 08:34:53 host audispd: type=CWD msg=node=host.loc.example.com type=CWD msg=audit(1468363871.644
> > >
> > > As you can see, the whole thing was prepended with "type=CWD msg=", and the
> > > line was truncated. Similarly, on the remote host, I got the same thing:
> > >
> > > type=CWD msg=node=host.loc.example.com type=CWD msg=audit(1468363871.644
> > >
> > > I noticed that the most recent version of the src for ubuntu was 2.4.5, so
> > > I grabbed the src tarball from packages.ubuntu and built it, and now
> > > everything looks fine. The exact same line I see in my audit.log shows up
> > > in the remote audit.log, with no buffering. When I restart the remote
> > > auditd server or client, it reconnects. syslog has the same entry (prepended
> > > with the timestamp etc.). Everything seems happy now.
> > >
> > >
> > > *For some reason I had to define `CC_FOR_BUILD=gcc` in my shell when I ran
> > > `make` from the svn/git src. I did not require this when building 2.4.5
> > > from the ubuntu src.
> >
> > I think that should have been detected during configure.
> >
> > -Steve
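The two points raised in this thread, that the remote copy is what protects you against someone editing the local audit.log, and that a broken client build can ship records to the remote with a second "type=CWD msg=" header glued on and the tail cut off, both come down to the same check: does every record in the host's audit.log appear, intact, in the copy the remote auditd received? The following is an added example of that check, written for this page; it is not code from the audit project or from either poster. It assumes the record layout quoted above ("node=<host> type=<TYPE> msg=audit(<secs>.<ms>:<serial>): <fields>", optionally behind an audispd syslog header such as "Jul 13 08:34:53 host audispd: "), and the SYSCALL and PATH sample records are constructed to accompany the thread's CWD record; their field values are illustrative.

```python
"""Cross-check a host's local audit.log against the copy a remote auditd received
via audisp-remote, and flag records that were lost or damaged in transit.

Added example for the thread above, not code from the audit project. Assumed
record format: "node=<host> type=<TYPE> msg=audit(<secs>.<ms>:<serial>): <fields>",
optionally behind an audispd syslog header. The sample records at the bottom are
constructed around the thread's own CWD line.
"""
import re
from typing import NamedTuple, Optional

SYSLOG_PREFIX_RE = re.compile(r'^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \S+ audispd: ')
RECORD_RE = re.compile(
    r'^(?:node=(?P<node>\S+) )?type=(?P<type>[A-Z_]+) '
    r'msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): ?(?P<rest>.*)$'
)
# The bug reported in the thread glued a second "type=... msg=" header onto the
# front of a record and cut off its tail, e.g.
#   type=CWD msg=node=host.loc.example.com type=CWD msg=audit(1468363871.644
# A healthy record never has "node=" or "type=" directly after "msg=".
MANGLED_RE = re.compile(r'msg=(?:node=|type=)')


class Record(NamedTuple):
    node: Optional[str]
    rtype: str
    ts: str
    serial: int
    rest: str

    def key(self):
        # All records of one event share ts and serial; rtype and rest tell the
        # SYSCALL, CWD and PATH records of that event apart.
        return (self.node, self.ts, self.serial, self.rtype, self.rest)


def parse_record(line):
    """Parse one audit.log or audispd syslog line; None if it is not a well-formed record."""
    line = SYSLOG_PREFIX_RE.sub('', line.strip(), count=1)
    m = RECORD_RE.match(line)
    if m is None:
        return None
    return Record(m['node'], m['type'], m['ts'], int(m['serial']), m['rest'].strip())


def is_mangled(line):
    """True for the double-header corruption described in the thread."""
    return MANGLED_RE.search(line) is not None


def index_records(lines):
    """Split lines into {key: Record}, a list of mangled lines and a list of other junk."""
    parsed, mangled, unparsed = {}, [], []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec is not None:
            parsed[rec.key()] = rec
        elif is_mangled(line):
            mangled.append(line)
        else:
            unparsed.append(line)
    return parsed, mangled, unparsed


def compare_logs(local_lines, remote_lines):
    """Report what the remote copy lost or damaged relative to the local log.

    missing_remote: keys of records the local log has but the remote copy does not
    (lost in transit, or present only in corrupted form); extra_remote: records only
    the remote has (another client's, or a replay); mangled_*: lines showing the
    double-header bug; unparsed_remote: remote lines that are not audit records.
    """
    local, local_mangled, _ = index_records(local_lines)
    remote, remote_mangled, remote_unparsed = index_records(remote_lines)
    return {
        'missing_remote': sorted((k for k in local if k not in remote), key=str),
        'extra_remote': sorted((k for k in remote if k not in local), key=str),
        'mangled_local': local_mangled,
        'mangled_remote': remote_mangled,
        'unparsed_remote': remote_unparsed,
    }


# Constructed sample: one execve event (SYSCALL + CWD + PATH records) as written
# locally, and the same event as it arrived at the remote with the CWD record mangled.
LOCAL_LOG = """\
node=host.loc.example.com type=SYSCALL msg=audit(1468363871.644:3279856): arch=c000003e syscall=59 success=yes exit=0 uid=0 auid=1000 key="rootcmd"
node=host.loc.example.com type=CWD msg=audit(1468363871.644:3279856): cwd="/etc/audisp"
node=host.loc.example.com type=PATH msg=audit(1468363871.644:3279856): item=0 name="/bin/cat"
"""
REMOTE_LOG = """\
node=host.loc.example.com type=SYSCALL msg=audit(1468363871.644:3279856): arch=c000003e syscall=59 success=yes exit=0 uid=0 auid=1000 key="rootcmd"
type=CWD msg=node=host.loc.example.com type=CWD msg=audit(1468363871.644
node=host.loc.example.com type=PATH msg=audit(1468363871.644:3279856): item=0 name="/bin/cat"
"""
SYSLOG_LINE = ('Jul 13 08:34:53 host audispd: node=host.loc.example.com type=CWD '
               'msg=audit(1468363871.644:3279856): cwd="/etc/audisp"')

if __name__ == '__main__':
    for name, val in compare_logs(LOCAL_LOG.splitlines(), REMOTE_LOG.splitlines()).items():
        print(name, val)
```

In use, feed it the host's audit.log and the remote's audit.log filtered to that host's node= value (name_format must be set on the client so records carry node=). Anything in missing_remote is a record the remote never got intact, which is what you would see both for the transit bug in the thread and for a local log that has been edited after the fact; the direction of the comparison matters, since the remote copy is the trusted one and the local log is the one a root user could touch. TTY records from pam_tty_audit travel the same path and are checked the same way.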