audisp-prelude problems

[Steve Grubb]

On Wednesday 03 December 2008 12:58:24 you wrote:
> Another question: Can auditd generate events when a user is logging in
> using ssh? That implies ssh use pam?

There are 2 sets of events being sent, auth/acct/session open/close are from 
pam. But cron sends the same events. So, sshd itself sends another event 
USER_LOGIN that is to signify that the pam events are associated with a login 
and what the final result were.


> I ask this because I want use audit in a production server and I'm not
> allowed to manually install packages. I am allowed to only use emerge to
> install packages. At this moment I do not have a USE flag(gentoo specific)
> corresponding to --with-linux-audit.

I guess Gentoo is unpatched. Things will not work right without that last 
patch. All analysis software is predicated on seeing that event.


> @Steve :) : Can you help me please with audisp-remote? I'll explain again
> what I want to do:
> Lets say I have 3 machines(M1 M2 M3). M1 and M2 are 2 server production.
> M3 is a centralized machine events. On M1 and M2 runs auditd and
> audisp-remote.
> audisp-remote sends events to M3. I know how to configure auditd and
> audisp-remote on M1 and M3. What I don't know is what should I do on M3 so
> that it can receive events from M1 and M2 and store this events in regular
> file.

You only have to set its tcp_listen_port to the same one that M1 & M2 are 
trying to connect on, update tcp_wrappers hosts.allow file to allow M1 & M2 to 
connect, then if you have selinux, you need to tell it what port you are 
using, and you also need to punch a hole in your firewall for that port.


> > And you are able to load and list the 2 rules I sent above? Can you find
> > the results with ausearch --start today -k mkexe -m SYSCALL ? 
>
> Yes, I could load that rules and this is what si loaded when a file gets
> eecution rights:

This looks fine. It should be working for you, then.

-Steve