audit-tools and SUDO

Warron S French warron.s.french at aero.org
Tue May 10 13:44:50 UTC 2016


Replies are in-line with responses.

Warron French, MBA, SCSA


-----Original Message-----
From: Steve Grubb [mailto:sgrubb at redhat.com] 
Sent: Tuesday, May 10, 2016 9:25 AM
To: linux-audit at redhat.com; burn at swtf.dyndns.org
Cc: Warron S French <warron.s.french at aero.org>
Subject: Re: audit-tools and SUDO

On Tuesday, May 10, 2016 10:52:21 PM Burn Alting wrote:
> On Tue, 2016-05-10 at 12:31 +0000, Warron S French wrote:
> > Good morning everyone,
> > 
> > I am working on an environment where I have managed to get 
> > centralized audit logging to work – roughly 95% properly on six (6) 
> > CentOS-6.7 workstations and a single (1) CentOS-6.7 server.
> > 
> > I have two problems though; and they seem somewhat minor:
> > 
> > 1.      The audit events being captured don’t seem to be tied to any
> > given node (so that I can perform ausearch --node hostName, or 
> > aureport), that’s the first issue.
> 
> What have you set the configuration parameter 'name_format'
> in /etc/audit/auditd.conf to?
> 
> One assumes you may want to set
> name_format = fqd
> or
> name_format = hostname
> 
> After the change on each host, don't forget to reload the 
> configuration with either a sighup on the auditd process or just restart the service.

On the lab-clients ends:
In, and ONLY IN, my /etc/audisp/audispd.conf file have I set name_format=hostname, where hostname is a literal string of 'hostname' not THE hostname; there is no name_format reference in any other file on my lab-client machines under the directory /etc/audisp/ anywhere.  Also on my lab-client machines in the /etc/audit/auditd.conf file the name_format variable is set to NONE.  

On the lab-server end:
In the only file that I modified, /etc/audit/auditd.conf, the only variables that I altered were:
tcp_listen_port  = 60
tcp_client_ports = 60
use_libwrap      = no  (because I am using iptables)

The lab works as expected, but my production environment does not.  %-/




This would set it for the local logs. And you would need to do this on the server that is aggregating the logs. (I think I forgot to mention that last
week.) But for the workstations, you have to set name_format in audispd.conf.


> > 2.      The second issue is that I need to configure sudo to enable my
> > Special Security Team with the ability to perform their duties using 
> > the aureport and the ausearch commands, but I get an error that 
> > appears to be based on permissions.
> 
> I recommend you show the command and resultant error in situations 
> like this. That way we can provide a more informed response.

One approach some people take is to use the log_group setting in auditd.conf. 
If there is a group that the security people belong to that others don't, then using that group name for log_group is the easiest way, and exactly why this option exists.

-Steve

Thanks for this Steve, I am going to engage the Special Security Team, because I have thought of another approach - making the auditors group become a local (/etc/group) file entry instead of using 389-ds to manage this association; that way it will always be reliable.



> > I am hoping that you guys can steer me in the correct direction; and 
> > I can update my documentation to be even a little more thorough.
> > 
> > Scenario2, might be more of a membership issue now that I think 
> > about it; so please disregard as I think this is some weird 389-ds issue.
> > 
> > I am hoping though that someone can suggest a reason why, when I 
> > look directly at the content of the /var/log/audit/audit.log I am 
> > not seeing any references to node=hostname1, hostname2 .. hostnameN?  
> > Maybe I did misconfigure something, but I followed my own instructions to the “T”
> > and they didn’t produce this issue.
> > 
> > Thank you in advance for your precious time sincerely,
> > 
> > 
> > 
> > Warron French, MBA, SCSA
> > 
> > 
> > --
> > Linux-audit mailing list
> > Linux-audit at redhat.com
> > https://www.redhat.com/mailman/listinfo/linux-audit
> 
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
