audisp-prelude problems

Steve Grubb sgrubb at redhat.com
Wed Dec 3 13:46:41 UTC 2008 

On Wednesday 03 December 2008 05:23:28 Loredan Stancu wrote:
> I'm testing version 1.7.9 of audit using audisp-prelude plugin and I have
> some problems:

Might also be helpful to know which distribution and release, IOW Fedora 10?


> 1. audisp-prelude plugin is not generating events when a user is logged in.

Do you find USER_LOGIN events? ausearch --start today -m USER_LOGIN
Without that, you won't see anything.


> 2. audisp-prelude plugin is not sending uid, gid to a prelude-manager

For which event? The loginuid is mostly what I concentrated on since that 
tells you how they got into the machine.


> 3. No events are generate for watched files/exec/mk_exe  if no tow -k
> options are specified in the rule. One of the -k options should contain
> '-k ids-type-severity' and another -k may contain anything. If you specify
> only one -k options no events are generated.

You need 2 rules to cover this:

auditctl -a exit,always -S fchmodat -F dir=/home -F 'a2&0111' -F filetype=file 
  -k ids-mkexe-hi
auditctl -a exit,always -S fchmod,chmod -F dir=/home -F 'a1&0111' 
  -F filetype=file -k ids-mkexe-hi

It works fine on my system. Also note that it depends on having a recent 
kernel.


> Another question is how I can use audisp-remote to send events somewhere
> remote?

Assuming you are using Fedora, to set this up on client machines, you will 
need to install the audispd-plugins package. Then you need to set the 
remote_server and port in the /etc/audisp/audisp-remote.conf file. 

The server that aggregates the logs does not need the plugins package 
installed. It should have the tcp_listen_port set to the same port as the 
clients in the  /etc/audit/auditd.conf file. Then semanage needs to have the 
same port in its database since the audit daemon is protected by SE Linux. 
Assuming that you wanted the audit daemon listening on port 1000, you would 
run:

semanage port -a -t audit_port_t -p tcp 1000.

The last step is to edit the /etc/hosts.allow file to configure tcp_wrappers to 
allow the machines or subnets that the daemon should allow connections from.

-Steve

More information about the Linux-audit mailing list