audit review question

Warron S French warron.s.french at aero.org
Thu Apr 28 15:50:33 UTC 2016


Steve, thanks for your replies to all of my questions.

Can you please send me a walk-through document for trying to send the 6 workstations' and 1 server's audit data into the same directory structure?  Something that will definitely work, please?

I have a VM environment that I can make changes on and then test, so I would be very grateful for any cooperation I could get.

My intent is to have all the machines log data to the same machine.  I want the system security auditors to be able to use the typical aureport and ausearch commands (that I know you write).

So, I have to ask, can this be done, and can the audit logs be parsed on a per-hostname basis?
Can they be stored in directories in the /var/log/audit/YYYY/MM/DD/Hostname_audit.log format - or is that inadvisable considering the intention to continue to support/use the two commands, aureport and ausearch?  What would you advise, please?

I am aware of the /etc/audisp directory, which I am sure is associated with the audispd daemon, but I don't have the foggiest clue of how to configure them together.

It is only because of stumbling around for the last 2 years (and very feverishly the last 2 days) that I have learned how to use the auditctl and aureport commands.  I want to do this correctly, and I want to do it consistently with "industry standards" so that I can continue to get support from people like the folks in this 'forum.'


Thanks for any advice and useful links you can share.  I am certain that as you provide them and I read them it will force me to ask even more questions.  I hope you don't mind.

Warron French, MBA, SCSA

-----Original Message-----
From: Steve Grubb [mailto:sgrubb at redhat.com] 
Sent: Thursday, April 28, 2016 11:10 AM
To: linux-audit at redhat.com
Cc: Warron S French <warron.s.french at aero.org>
Subject: Re: audit review question

On Wednesday, April 27, 2016 09:10:39 PM Warron S French wrote:
> I have a scenario that I need a little help understanding how to work 
> through in an isolated environment of 1 server and 6 workstations (7 
> machines). The 7 machines are all running CentOS-6.7 and selinux = 
> disabled.
>
> All 6 workstations are configured through rsyslog.conf to send audit 
> data to the server, and I have (but apparently not successfully 
> configured general system messages to also report back to the same 
> server). I am using the conventional filesystems for each, but the 
> directory structure below is different.

Rsyslog will likely mangle the audit lines such that it's no longer in the native audit format. I don't know if its headers can be stripped as it writes to disk.


> For audit, I use, /var/log/audit/2016/04/27/wk{1..6}_audit.log    the
> directory per day and per month and per year are auto created 
> (miraculously). For system messages, and I know this isn't the forum 
> to get help on this so I will only list the directory is - 
> /var/log/2016/04/27/wk{1..6}_syslog.log.
> 
> Now that I am doing this, and successfully, I want to test that the 
> security auditors will be able to do their job properly, as well as I 
> am trying to comply with some security constraint that requires me to 
> centralize the logdata into a single server (hence the major driver for all of this).
> 
> I know that there is the aureport and ausearch command, but I am not 
> sure that I am able to figure out the correct command-line structure 
> to test that audit-data is getting into the appropriate file, on each 
> day of the year, on a per serverName basis.
> 
> If a real-world situation occurred that the Security Auditors were 
> asking to find out how many machines did userX attempt to log into, 
> what would be the appropriate command for the example audit directory 
> I listed above (/var/log/audit/2016/04/27/wk{1..6}_audit.log), because 
> I am not sure I am running the command with the appropriate switches 
> to scan the files properly?
> 
> I used:
> 
> * aureport -if /var/log/audit/2016/04/27/ and it didn't like the
> input,

Probably due to the header it inserts to each record. But this is how you should do it.


> * aureport -if /var/log/audit/2016/04/27/* and it didn't like the
> input, am I using the command improperly?

You shouldn't need the '*'. If the passed option is a dir, then it 
automatically looks for more files. But note that the native rotation is 
audit.log     <- newest
audit.log.1
audit.log.2
audit.log.3  <- oldest

rsyslog would also have to use this scheme. I have never investigated if it 
does. That does not mean that a wrapper script couldn't be made to walk the 
files in rsyslog's order and send them to aureport via stdin. You could 
probably even add a sed command to strip the rsyslog headers from each record.

Not the best answer, but once it hits rsyslog, it can change the record in 
ways that are unknown to me.

-Steve
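The wrapper script Steve sketches above, written out as an added example that is not from the thread or from the audit project: it walks one host's rsyslog-written files in rotation order (oldest first), strips the rsyslog header from each line with sed, and pipes the native records to aureport on stdin. It assumes rsyslog wrote lines as "<timestamp> <host> <tag>: <native record>", that rotation produced name.log (newest), name.log.1 ... name.log.N (oldest), the per-day /var/log/audit/YYYY/MM/DD/<host>_audit.log layout from the thread, and that aureport accepts "-if -" to read from stdin (check aureport(8) on your version; if not, write the output to a file and pass that with -if). The function names rotation_order, strip_rsyslog_header and host_records are mine.

```shell
#!/bin/sh
# Constructed example: feed rsyslog-collected audit records to aureport in
# native format. Assumes aureport accepts "-if -" for stdin (verify locally).

# List one log's files oldest first: name.log.N ... name.log.1 name.log.
# Only plain numeric suffixes are considered (compressed .gz rotations are skipped).
rotation_order() {
    for f in "$1".[0-9] "$1".[0-9][0-9]; do
        [ -e "$f" ] && printf '%s\n' "${f##*.}"
    done | sort -rn | while read -r n; do
        printf '%s\n' "$1.$n"
    done
    if [ -e "$1" ]; then
        printf '%s\n' "$1"
    fi
}

# Drop the rsyslog prefix: everything before the first "node=" or "type="
# token, which is where the native audit record begins. The prefix
# ("Apr 27 12:00:01 wk1 audispd: ") contains no "=", so [^=]* cannot run
# into the record itself. Lines already in native format pass unchanged.
strip_rsyslog_header() {
    sed -E 's/^[^=]*[[:space:]]((node|type)=)/\1/'
}

# Emit all native records for one host from a per-day directory
# (e.g. /var/log/audit/2016/04/27 and wk1 -> wk1_audit.log, .1, .2 ...).
host_records() {
    rotation_order "$1/${2}_audit.log" | while read -r f; do
        strip_rsyslog_header < "$f"
    done
}

# Usage: audit_feed.sh /var/log/audit/2016/04/27 wk1
# Runs only when both arguments are given and aureport is installed;
# "-l" is the login report, "-i" interprets uids into names.
if [ -n "$1" ] && [ -n "$2" ] && command -v aureport >/dev/null 2>&1; then
    host_records "$1" "$2" | aureport -if - -l -i
fi
```

Run it once per host directory to answer a question like "how many machines did userX attempt to log into", or loop over wk1..wk6 and prefix each run with the host name.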