I hope that someone can help me with accomplishing this list of AUDIT goals.
--------------------------
Warron French
On Fri, Jul 14, 2017 at 6:03 PM, warron.french <warron.french(a)gmail.com>
wrote:
This may be faster and also a better way to summarize and share with
others.
I will list the AUDIT(test#letter) and then, below it, place *Method of
implementation:*. If the field is marked in green, it has been validated by
someone from linux-audit(a)redhat.com (Steve Grubb, for example), and the text
provided will answer the question for other sysadmins with similar
requirements (on a per test#letter basis).
I am presenting what I need to know how to audit, in hopes of eliciting a
response of "BUILTIN", or a link, or some text that clarifies what to do:
*AUDIT(A): Logons/Logoffs (success/failure)*
Method of implementation: Builtin to AUDITD (enable auditd)
*AUDIT(B): User {additions, deletions, modifications, suspensions and
lockings}*
Method of implementation: Builtin to AUDITD (enable auditd)
*AUDIT(C): Group and Role {additions, deletions and modifications}*
Method of implementation: Builtin to AUDITD (enable auditd)
*AUDIT(D): Security or Audit Policies*
Method of implementation:
*AUDIT(E): Configuration Changes* (please be patient with me, as I
believe this is way too broad a definition from my security people;
however, there is a field from aureport called "*Number of changes in
configuration:*" too).
Method of implementation:
Can this be done by *-w /etc/ -p raw -k config_changes*? Even this
seems too broad a solution, and I don't believe it will capture the
essence of *AUDIT(E)*.
*AUDIT(F): Admin/Root-level accesses*
Method of implementation:
Can this be done by the following?
*-w /bin/su -p x -k running_as_root*
*-w /bin/sudo -p x -k running_as_root*
*-w /sbin/runuser -p x -k running_as_root*
*AUDIT(G): Privilege/Role Escalation *(I need to ask how this differs
from AUDIT(F) from my management/security people)
Method of implementation:
*AUDIT(H): System reboot/shutdown/change run-state*
Method of implementation:
Can this be done by the following?
*-w /sbin/init -p x -k run_state*
*-w /sbin/telinit -p x -k run_state*
*-w /sbin/shutdown -p x -k run_state*
*-w /sbin/reboot -p x -k run_state*
etc., etc., etc.
*AUDIT(I): Application Initialization* (seems way too vague to me, don't
you all agree?)
Method of implementation:
*AUDIT(J): Writes/Downloads to external devices (thumb drives, media* (like
DVDs/CDs)*, etc.)*
Method of implementation:
Can this be done by *-a .... -F arch=b64 -S mount -S umount2 -F auid>=1000
-F auid!=4294967295 -k mount_datawrite_operations*? No? What do I use?
*AUDIT(K): Print to a device or file*
Method of implementation:
*AUDIT(L): Audit data and log data access* (never mind, this would kill a
system - correct? - unless I limit monitoring to audit.log.)
Method of implementation:
*AUDIT(M): Device attach/detach mount/dismount *(Perhaps this would catch
1 or more than 1 individual doing something devious as a team in
conjunction with *AUDIT(J)*?)
Method of implementation:
Thank you for your vast patience and cooperation.
--------------------------
Warron French
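Added example, not part of the thread above and not Steve Grubb's or the audit project's own ruleset: one draft rules file that maps each of the AUDIT(A) to AUDIT(M) items to watches and syscall rules, plus an offline lint so common mistakes (a syscall rule with no -F arch, a b64 rule with no b32 twin, a -w rule with no key or with an invalid -p permission) are caught before "augenrules --load" sees the file. Paths assume a RHEL/CentOS 7 layout; the key names and the choice of /etc subpaths for AUDIT(E) are my assumptions, narrower than "-w /etc/" on purpose.

```shell
#!/bin/sh
# Added example: draft audit rules for the AUDIT(A)-(M) list plus an offline lint.
# Not from the original thread. Paths assume RHEL/CentOS 7; adjust as needed.

write_rules() {
  # $1 = output file (e.g. /etc/audit/rules.d/90-corp.rules).
  # The -k keys are what you later feed to "ausearch -k" and "aureport -k".
  cat > "$1" <<'EOF'
-D
-b 8192
-f 1
## AUDIT(A) logons/logoffs: USER_LOGIN/USER_LOGOUT records are built in;
## additionally watch the files pam_lastlog/pam_faillock maintain
-w /var/log/lastlog -p wa -k logins
-w /var/run/faillock/ -p wa -k logins
## AUDIT(B)/(C) user, group and role changes
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
-w /etc/sudoers -p wa -k identity
-w /etc/sudoers.d/ -p wa -k identity
## AUDIT(D) security / audit policy
-w /etc/audit/ -p wa -k audit_policy
-w /etc/selinux/ -p wa -k mac_policy
-w /etc/pam.d/ -p wa -k auth_policy
-w /sbin/auditctl -p x -k audit_tools
## AUDIT(E) configuration changes (assumed subset; narrower than "-w /etc/")
-w /etc/sysconfig/ -p wa -k config_changes
-w /etc/ssh/sshd_config -p wa -k config_changes
-w /etc/sysctl.conf -p wa -k config_changes
-w /etc/crontab -p wa -k config_changes
-w /etc/cron.d/ -p wa -k config_changes
## AUDIT(F) admin/root-level access via su/sudo/runuser
-w /usr/bin/su -p x -k running_as_root
-w /usr/bin/sudo -p x -k running_as_root
-w /usr/sbin/runuser -p x -k running_as_root
## AUDIT(G) privilege escalation: execve where the logged-in user's real uid
## differs from the effective uid and the result runs as root (setuid paths)
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F auid!=unset -k priv_escalation
-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F auid!=unset -k priv_escalation
## AUDIT(H) reboot/shutdown/run-state
-w /sbin/shutdown -p x -k run_state
-w /sbin/reboot -p x -k run_state
-w /sbin/halt -p x -k run_state
-w /sbin/init -p x -k run_state
-w /sbin/telinit -p x -k run_state
## AUDIT(J)/(M) mounts and device attach: the syscall side plus fstab/udev
-a always,exit -F arch=b64 -S mount -S umount2 -F auid>=1000 -F auid!=unset -k mounts
-a always,exit -F arch=b32 -S mount -S umount2 -F auid>=1000 -F auid!=unset -k mounts
-w /etc/fstab -p wa -k mounts
-w /etc/udev/rules.d/ -p wa -k device_attach
## AUDIT(K) printing
-w /usr/bin/lp -p x -k printing
-w /usr/bin/lpr -p x -k printing
-w /etc/cups/ -p wa -k printing
## AUDIT(L) access to the audit trail itself: only audit.log, not all of /var/log
-w /var/log/audit/audit.log -p rwa -k audit_log_access
-w /sbin/ausearch -p x -k audit_tools
-w /sbin/aureport -p x -k audit_tools
EOF
}

lint_rules() {
  # $1 = rules file. Prints one line per problem; exit 0 only if none found.
  awk '
    /^[ \t]*(#|$)/       { next }                        # comments, blank lines
    /^-(D|b|f|e)( |$)/   { next }                        # control statements
    !/^-(w|a) /          { bad("unknown rule form"); next }
    !/ -k [^ ]+/         { bad("missing -k key") }
    /^-w / && !/ -p [rwxa]+( |$)/ { bad("-p must be a combination of r,w,x,a") }
    /^-a / && / -S / && !/ -F arch=b(32|64)/ { bad("syscall rule without -F arch") }
    /auid!=4294967295/   { bad("prefer auid!=unset") }
    /^-a / && / -S / && match($0, /-F arch=b(32|64)/) {
      a = substr($0, RSTART + 8, RLENGTH - 8)            # "b32" or "b64"
      k = $0; sub(/.* -k /, "", k); sub(/ .*/, "", k)    # the rule key
      seen[k, a] = 1; keys[k] = 1
    }
    function bad(msg) { printf "%s:%d: %s: %s\n", FILENAME, FNR, msg, $0; problems++ }
    END {
      for (k in keys)
        if (seen[k, "b64"] && !seen[k, "b32"]) {
          printf "%s: key %s has a b64 syscall rule but no b32 twin\n", FILENAME, k
          problems++
        }
      exit problems ? 1 : 0
    }' "$1"
}
```

Usage on a live box: write_rules /etc/audit/rules.d/90-corp.rules, run lint_rules on it, then augenrules --load and confirm with auditctl -l. The lint is deliberately offline so it can run in CI or on a build host where auditctl is absent; it does not replace auditctl's own parser, it only catches the mistakes that parser accepts silently (b64 without b32) or rejects late (bad -p, missing key).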