Audit logging

Stuart James stuart at secpay.com
Thu Aug 3 16:44:04 UTC 2006



Hi Steve,

On Thu, 3 Aug 2006 08:47:10 -0700 (PDT)
Steve G <linux_4ever at yahoo.com> wrote:

> 
> >From PCI standards
> 
> I'm not familiar with this one, where would I find its requirements
> on the internet?
> 
> >10.5 Secure audit trails so they cannot be altered, including the
> >following: 
> >10.5.1 Limit viewing of audit trails to those with a
> >job-related need.
> >10.5.2 Protect audit trail files from unauthorized
> >modifications.
> 
> The above is handled currently by the audit system.
> 
> >10.5.3 Promptly back-up audit trail files to a
> >centralized log server or media that is difficult to alter
> 
> You'll have to modify the cron script to do this.
> 
> >Would it be best to write a custom selinux policy to log all system_r
> >commands / syscalls so someone could not just turn off the auditd.
> 
> No one can turn off auditd unless they are root. Do you have
> untrusted root users?

We do not have untrusted root users; the problem is we are trying to
audit ourselves and do it in a way that we could not easily
circumvent, and if we were to, there would be a record. For instance, if
I were to disable auditd, there should be a record of it as I do it
on a central log server I do not have access to.

Currently we use sudo and log via syslog-ng to a central server;
obviously sudo can be circumvented in many ways, such as
"sudo /bin/bash", which will do it.

> 
> >Currently we already use Syslog-ng, which hopefully we can
> >incorporate auditd to log to the central syslog servers.
> 
> Generally what you would want to do is update the cron script to
> rename the files with date, time, and machine name. Then scp them to
> a directory on a remote machine. I would not merge the logs with
> syslog since you will lose the ability to use any audit tools.
> 
> >-a entry,always -F uid=0 -F auid=999 -S open -S exit
> >-a task,always -F uid=0 -F auid=999
> 
> This will log every open of every file for that user. What are you
> really trying to capture? Generally, security targets are concerned
> with modifications of specific files.
> 
> >The problem is, i get tons of syscalls for applications such as sshd
> >and tail
> 
> Yep.
> 
> >Would it be possible to use the "exclude" for auditctl,
> 
> This will exclude one type of message. For example, you can get rid
> of everything
> 
If I wanted to exclude the following

type=SYSCALL msg=audit(1154617819.471:67475): arch=c000003e syscall=2
success=yes exit=3 a0=2aaaac31f8e9 a1=0 a2=1b6 a3=0 items=1 pid=25561
auid=XXX uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) comm="sshd" exe="/usr/sbin/sshd"
subj=user_u:system_r:unconfined_t:s0-s0:c0.c255


-a exclude,always -F msgtype=SYSCALL
-a exit,always -F uid=0
-a entry,always -F uid=0

Is this correct?

or can I do something like
-a exit,



>  with type=LOGIN. It only looks at that one field and nothing else.
> 
> >but i am unsure of how to not log sshd and tail without using a pid
> >which can obviously change.
> 
> What are you really trying to record?

Trying to record when people access particular files, which I have
been looking at auditctl -w for, but the examples in the
documentation do not work,

such as (found in capp.rules)

-w /var/log/audit/ -k LOG_audit


Thanks in advance


-- 
Stuart James
System Administrator
DDI - (44) 0 1765 643354
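The filtering problem discussed in this message, worked through as an added example that is not part of the thread and not code from the audit package: a small parser for the record format quoted above (the `type=SYSCALL msg=audit(ts:serial): ...` line), which groups each SYSCALL record with the PATH record that shares its `audit(timestamp:serial)` stamp, and then applies three filters in post-processing: keep only events that carry the `key=` a `-w <path> -k <key>` watch rule attaches, drop events by process name (`comm=`) rather than by pid, and mimic what `-a exclude,always -F msgtype=SYSCALL` does to the record stream. The sample records are constructed, not taken from a real system; the values `auid=4294967295` (the unset login uid a daemon reports), the inode/device numbers and the paths are assumed for illustration. Python is used here because the point is what a log shipper or report script can do with the records after auditd has written them, which is where the thread ends up.

```python
import re
from collections import defaultdict

# Constructed sample records (not from the thread). They follow the layout of
# the SYSCALL record quoted in the message: a SYSCALL record and its PATH
# record share one audit(timestamp:serial) stamp, and a SYSCALL record that
# matched a "-w <path> -k <key>" watch rule carries key="<key>". The values
# auid=4294967295 (unset login uid of a boot-time daemon), inode, dev and the
# file names are assumptions made for this example; auid=999 mirrors the rule
# quoted in the thread.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1154617819.471:67475): arch=c000003e syscall=2 success=yes exit=3 a0=2aaaac31f8e9 a1=0 a2=1b6 a3=0 items=1 pid=25561 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="sshd" exe="/usr/sbin/sshd" subj=user_u:system_r:unconfined_t:s0-s0:c0.c255
type=PATH msg=audit(1154617819.471:67475): item=0 name="/etc/ssh/sshd_config" inode=12345 dev=08:01 mode=0100600 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1154617820.102:67476): arch=c000003e syscall=2 success=yes exit=4 a0=7fff1a2b3c4d a1=1 a2=1b6 a3=0 items=1 pid=25570 auid=999 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="vim" exe="/usr/bin/vim" subj=user_u:system_r:unconfined_t:s0-s0:c0.c255 key="LOG_audit"
type=PATH msg=audit(1154617820.102:67476): item=0 name="/var/log/audit/audit.log" inode=54321 dev=08:01 mode=0100600 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1154617821.300:67477): arch=c000003e syscall=2 success=yes exit=3 a0=7fff1a2b3c4d a1=0 a2=0 a3=0 items=1 pid=25580 auid=999 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="tail" exe="/usr/bin/tail" subj=user_u:system_r:unconfined_t:s0-s0:c0.c255
type=PATH msg=audit(1154617821.300:67477): item=0 name="/var/log/messages" inode=999 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00
"""

# key=value pairs; a value is either a double-quoted string or a run of
# non-whitespace (covers a0=2aaa..., tty=(none) and subj=user_u:system_r:...).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
STAMP_RE = re.compile(r'^audit\((\d+\.\d+):(\d+)\):?$')


def parse_record(line):
    """Split one audit record into a dict of field -> value.

    Quotes around values are stripped; the msg=audit(ts:serial) stamp is
    expanded into a numeric 'time' and 'serial'."""
    rec = {}
    for key, value in FIELD_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        rec[key] = value
    m = STAMP_RE.match(rec.get('msg', ''))
    if not m:
        raise ValueError('record without audit(ts:serial) stamp: %r' % line)
    rec['time'] = float(m.group(1))
    rec['serial'] = int(m.group(2))
    return rec


def parse_log(text):
    """Parse every non-empty line of an audit.log excerpt."""
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def group_events(records):
    """Group records by serial: one kernel event is a SYSCALL record plus the
    PATH (and other) records written for it."""
    events = defaultdict(list)
    for rec in records:
        events[rec['serial']].append(rec)
    return dict(events)


def summarize(records):
    """One row per event, in serial order: who (auid) ran what (comm) against
    which paths, and the key of the watch rule that fired, if any."""
    rows = []
    for serial, recs in sorted(group_events(records).items()):
        syscall = next((r for r in recs if r['type'] == 'SYSCALL'), None)
        if syscall is None:
            continue  # no SYSCALL record, so nothing to attribute to a user
        rows.append({
            'serial': serial,
            'auid': int(syscall['auid']),
            'comm': syscall['comm'],
            'paths': [r['name'] for r in recs if r['type'] == 'PATH'],
            'key': syscall.get('key'),
        })
    return rows


def keyed_accesses(records):
    """Keep only events produced by a keyed watch rule (-w PATH -k KEY).
    The key is attached by the rule itself, so the background noise from
    sshd, tail and the like never carries one."""
    return [row for row in summarize(records) if row['key'] is not None]


def drop_noise(records, noisy_comms):
    """Drop events by process name instead of by pid, which changes on every
    new process."""
    return [row for row in summarize(records) if row['comm'] not in noisy_comms]


def exclude_msgtype(records, msgtype):
    """Mimic '-a exclude,always -F msgtype=<type>': the exclude filter drops
    every record of that type. Excluding SYSCALL leaves only the PATH records,
    which carry no auid, comm or exe to say who opened the file."""
    return [r for r in records if r['type'] != msgtype]


if __name__ == '__main__':
    recs = parse_log(SAMPLE_LOG)
    for row in keyed_accesses(recs):
        print('auid=%(auid)d comm=%(comm)s paths=%(paths)s key=%(key)s' % row)
    print('record types left after excluding SYSCALL:',
          sorted({r['type'] for r in exclude_msgtype(recs, 'SYSCALL')}))
```

Run against the sample, `keyed_accesses` reports only the vim event on `/var/log/audit/audit.log` under key `LOG_audit`, while the sshd and tail events fall out because no watch rule tagged them; `exclude_msgtype(recs, 'SYSCALL')` shows why the exclude rule in the message is the wrong tool for this: every SYSCALL record disappears, the watched access included.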
 