On Monday, April 3, 2017 2:23:21 PM EDT warron.french wrote:
> Hi Steve, sorry for bugging you directly. Nearly 1 year ago (May 10th to be
> exact) we collaborated, for my benefit, on how to configure audispatch on
> "RHEL6" machines.
>
> It seems that my instructions that I kept from 1 year ago are no longer
> valid; there are new files in existence and some old ones no longer in
> existence for both RHEL6 and RHEL7:
The only changes are systemd vs SysVinit initialization, augenrules being the
default rule loader, and updated rules for a change in where the default
first user account starts (500 vs 1000). There are no changes in the audispd
area.
> [OLD]
> /etc/audisp/audisp-remote.conf,
> /etc/audisp/plugins.d/au-remote.conf
>
> [NEW]
> /etc/audisp/plugins.d/af_unix.conf
> /etc/audisp/plugins.d/syslog.conf
These have always been there. Note that all plugins default to off.
> Not sure how to find the appropriate man pages to configure this setup
> properly. I am attaching what I wrote 1 year ago, and hope that you can
> push me in the direction of a good walk-through for audispatch of the
> modern revision (audit-2.4.5-3 on RHEL6, and audit-2.4.1-5.el7).
>
> I have to stick with these revisions for a little while since we are going
> through a Project Management stage gate, impacting update decisions.
I'd highly recommend moving to the 2.6.5 release. This is because the main
feature of 2.6 was to resolve uid/gid during event processing so that reports
run on aggregated logs resolve to the right account.
The area between 0 and 300 is for fixed accounts. All systems have the same
accounts there. The area between 300 and 1000 is also for system accounts, but
these are not standardized. They are allocated randomly by the order of package
installation. (This behavior is controlled by /etc/login.defs.) For example,
the chrony daemon account on my main system is 990. On my laptop, it's 994. So,
if my laptop sent logs to my main system, ausearch prior to 2.6 would do the
lookup on the server and map account 994 to geoclue. After 2.6, auditd puts
the mapping in the record after a special separator. Ausearch uses this during
interpretation to display the correct account name.
Besides that, there was a remote logging bug fixed in 2.6.1 that was causing
remote logging problems in earlier releases.
-Steve
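The chrony/geoclue mix-up Steve describes, as an added example (not code from the thread or from the audit project): a constructed record in the 2.6 enriched format is resolved both the pre-2.6 way (numeric uid looked up in the receiving server's passwd) and the post-2.6 way (sender-side mapping stored after the separator). It assumes the enriched format's separator is the ASCII group separator (0x1d) and that the enrichment carries upper-case `NAME="value"` pairs.

```python
import re

# Constructed sample record as the laptop would emit it with enriched logging.
# The text after the 0x1d separator is the *sender's* resolution of the numeric
# fields (assumption: 0x1d separator and UID="name" convention).
ENRICHED_RECORD = (
    'type=SYSCALL msg=audit(1491244800.123:42): arch=c000003e syscall=42 '
    'success=yes exit=0 a0=3 items=0 ppid=1 pid=801 auid=4294967295 uid=994 '
    'gid=994 euid=994 exe="/usr/sbin/chronyd" key=(null)'
    '\x1dARCH=x86_64 SYSCALL=connect AUID="unset" UID="chrony" GID="chrony" EUID="chrony"'
)

# Constructed: what /etc/passwd on the *receiving* server maps these uids to
# (994 was handed to a different package there, as in Steve's example).
SERVER_PASSWD = {0: "root", 990: "chrony", 994: "geoclue"}

SEP = "\x1d"


def split_record(record):
    """Return (raw part, enrichment part); the enrichment is empty for RAW logs."""
    raw, _, enriched = record.partition(SEP)
    return raw, enriched


def parse_fields(text):
    """Parse key=value pairs; values may be double-quoted (quotes are stripped)."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', text)}


def resolve_uid_locally(record, passwd):
    """Pre-2.6 behaviour: numeric uid looked up in the receiver's own passwd map."""
    raw, _ = split_record(record)
    uid = int(parse_fields(raw)["uid"])
    return passwd.get(uid, str(uid))


def resolve_uid_from_enrichment(record):
    """2.6+ behaviour: use the name the sending host recorded after the separator.

    Returns None when the record carries no enrichment, so callers can fall back."""
    _, enriched = split_record(record)
    return parse_fields(enriched).get("UID") if enriched else None


def mapping_disagrees(record, passwd):
    """True when a receiver-side lookup would mislabel this aggregated record."""
    sender_name = resolve_uid_from_enrichment(record)
    return sender_name is not None and sender_name != resolve_uid_locally(record, passwd)
```

Running the two resolvers over the same record shows the server-side lookup labelling chrony's activity as geoclue while the enrichment keeps the correct name.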