audit review question
Warron S French
warron.s.french at aero.org
Thu Apr 28 15:50:33 UTC 2016
Steve, thanks for your replies to all of my questions.
Can you please send me a walk-through document for trying to send the 6 workstations' and 1 server's audit-data into the same directory structure? Something that will definitely work, please?
I have a VM environment that I can make changes on and then test, so I would be very grateful for any cooperation I could get.
My intent is to have all the machines log data to the same machine. I want the system security auditors to be able to use the typical aureport and ausearch commands (that I know you write).
So, I have to ask, can this be done, and the audit logs be parsed on a per hostname-basis?
Can they be stored in directories that are /var/log/audit/YYYY/MM/DD/Hostname_audit.log format - or is that inadvisable considering the intention to continue to support/use the two commands: aureport and ausearch? What would you advise - please?
I am aware of the /etc/audisp directory, which I am sure is associated with the audispd daemon, but I don't have the foggiest clue of how to configure them together.
It is only because of stumbling around for the last 2 years (and very feverishly the last 2 days) that I have learned how to use the auditctl and aureport commands. I want to do this correctly, and I want to do it consistently with "industry standards" so that I can continue to get support from people like the folks in this 'forum.'
Thanks for any advice and useful links you can share. I am certain that as you provide them and I read them it will force me to ask even more questions. I hope you don't mind.
Warron French, MBA, SCSA
-----Original Message-----
From: Steve Grubb [mailto:sgrubb at redhat.com]
Sent: Thursday, April 28, 2016 11:10 AM
To: linux-audit at redhat.com
Cc: Warron S French <warron.s.french at aero.org>
Subject: Re: audit review question
On Wednesday, April 27, 2016 09:10:39 PM Warron S French wrote:
> I have a scenario that I need a little help understanding how to work
> through in an isolated environment of 1 server and 6 workstations (7
> machines). The 7 machines are all running CentOS-6.7 and selinux =
> disabled.
>
> All 6 workstations are configured through rsyslog.conf to send audit
> data to the server, and I have (but apparently not successfully
> configured general system messages to also report back to the same
> server). I am using the conventional filesystems for each, but the
> directory structure below is different.
Rsyslog will likely mangle the audit lines such that it's no longer in the native audit format. I don't know if its headers can be stripped as it writes to disk.
> For audit, I use, /var/log/audit/2016/04/27/wk{1..6}_audit.log the
> directory per day and per month and per year are auto created
> (miraculously). For system messages, and I know this isn't the forum
> to get help on this so I will only list the directory is -
> /var/log/2016/04/27/wk{1..6}_syslog.log.
>
> Now that I am doing this, and successfully, I want to test that the
> security auditors will be able to do their job properly, as well as I
> am trying to comply with some security constraint that requires me to
> centralize the logdata into a single server (hence the major driver for all of this).
>
> I know that there is the aureport and ausearch command, but I am not
> sure that I am able to figure out the correct command-line structure
> to test that audit-data is getting into the appropriate file, on each
> day of the year, on a per serverName basis.
>
> If a real-world situation occurred that the Security Auditors were
> asking to find out how many machines did userX attempt to log into,
> what would be the appropriate command for the example audit directory
> I listed above (/var/log/audit/2016/04/27/wk{1..6}_audit.log), because
> I am not sure I am running the command with the appropriate switches
> to scan the files properly?
>
> I used:
>
> * aureport -if /var/log/audit/2016/04/27/ and it didn't like the
> input,
Probably due to the header it inserts to each record. But this is how you should do it.
> * aureport -if /var/log/audit/2016/04/27/* and it didn't like the
> input, am I using the command improperly?
You shouldn't need the '*'. If the passed option is a dir, then it
automatically looks for more files. But note that the native rotation is
audit.log <- newest
audit.log.1
audit.log.2
audit.log.3 <- oldest
rsyslog would also have to use this scheme. I have never investigated if it
does. That does not mean that a wrapper script couldn't be made to walk the
files in rsyslog's order and send them to aureport via stdin. You could
probably even add a sed command to strip the rsyslog headers from each record.
Not the best answer, but once it hits rsyslog, it can change the record in
ways that are unknown to me.
-Steve
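The wrapper Steve sketches above, written out as an added example (this is not code from the thread or from the audit project's own tooling): it walks the per-day `/var/log/audit/YYYY/MM/DD/<host>_audit.log` tree in date order, strips the rsyslog prefix so only native audit records remain, and hands them to aureport or ausearch on stdin. Assumptions not stated in the thread: rsyslog wrote its traditional `Mon DD HH:MM:SS host tag: ` prefix (which contains no `=`), each workstation's auditd.conf had `name_format` set so records carry a `node=<host>` field, and the sample lines are constructed for the test.

```shell
#!/bin/sh
# Added example, not code from the thread or from the audit project.
# Walk the per-day rsyslog tree in date order, strip the rsyslog prefix so
# only native audit records remain, and hand them to aureport/ausearch.
#
# Assumptions (not stated in the thread): rsyslog wrote its traditional
# "Mon DD HH:MM:SS host tag: " prefix, which contains no '='; each
# workstation's auditd.conf set name_format so records carry "node=<host>".

# Drop everything before "node=<host> type=<T> msg=audit(" or, when there is
# no node= field, before "type=<T> msg=audit(". Lines carrying no audit
# record (ordinary syslog traffic) print nothing because of -n.
strip_rsyslog_header() {
    sed -n \
        -e 's/^[^=]*[[:space:]]\(node=[^[:space:]]*[[:space:]]type=[A-Z_]*[[:space:]]msg=audit(\)/\1/p' \
        -e 't' \
        -e 's/^[^=]*[[:space:]]\(type=[A-Z_]*[[:space:]]msg=audit(\)/\1/p'
}

# Emit the audit records of every host under a YYYY/MM/DD tree, oldest day
# first: a byte-wise sort of zero-padded date paths is chronological, which
# matches the oldest-to-newest order aureport reads rotated logs in.
audit_records_in_tree() {
    find "$1" -type f -name '*_audit.log' | LC_ALL=C sort | while IFS= read -r f; do
        strip_rsyslog_header < "$f"
    done
}

# Run aureport over the whole tree, e.g.  report_tree /var/log/audit -l
# (login report for all hosts). For one host's records use ausearch's
# --node filter on the same stream:
#   audit_records_in_tree /var/log/audit | ausearch --node wk3 -m USER_LOGIN -i
report_tree() {
    tree=$1; shift
    audit_records_in_tree "$tree" | aureport "$@"
}

# The auditors' example question from the thread, answered directly from the
# stripped records: how many distinct hosts saw a login attempt by account $1?
# Counts distinct node= values in USER_LOGIN records naming that account, so
# it only works when name_format was set on the workstations.
hosts_with_login_attempts() {
    grep 'type=USER_LOGIN ' | grep -F "acct=\"$1\"" \
        | sed -n 's/^node=\([^[:space:]]*\).*/\1/p' | sort -u | wc -l | tr -d ' '
}

# Constructed sample of what rsyslog would have written: three audit records
# from two workstations and one ordinary sshd line that must be dropped.
sample_rsyslog_lines() {
    cat <<'EOF'
Apr 27 21:10:39 wk1 audispd: node=wk1 type=USER_LOGIN msg=audit(1461791439.123:456): pid=2345 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="userx" exe="/usr/sbin/sshd" hostname=? addr=10.0.0.5 terminal=ssh res=failed'
Apr 27 21:10:40 wk2 audispd: node=wk2 type=USER_LOGIN msg=audit(1461791440.200:789): pid=2346 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="userx" exe="/usr/sbin/sshd" hostname=? addr=10.0.0.5 terminal=ssh res=success'
Apr 27 21:10:41 wk2 sshd[2346]: Accepted password for userx from 10.0.0.5 port 50000 ssh2
Apr 27 21:10:42 wk1 audispd: node=wk1 type=USER_LOGIN msg=audit(1461791442.300:457): pid=2347 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="bob" exe="/usr/sbin/sshd" hostname=? addr=10.0.0.6 terminal=ssh res=success'
EOF
}

# Try it offline:  sample_rsyslog_lines | strip_rsyslog_header
#                  sample_rsyslog_lines | strip_rsyslog_header | hosts_with_login_attempts userx
```

Two things to check before relying on this. Once the rsyslog prefix is gone, the `node=` field is the only thing left that says which workstation produced a record; without `name_format` in each workstation's auditd.conf every record looks as though it came from the collecting server, so set it before centralising. And the strip step deliberately drops non-audit lines, which is one more reason to keep the `wk*_syslog.log` files separate from the audit files rather than mixing the two streams.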