RHEL6 and RHEL7 audispatch configurations

Steve Grubb sgrubb at redhat.com
Mon Apr 3 22:34:20 UTC 2017


On Monday, April 3, 2017 2:23:21 PM EDT warron.french wrote:
> Hi Steve, sorry for bugging you directly, nearly 1 year ago (May 10th to be
> exact) we collaborated, for my benefit on how to configure audispatch on
> "RHEL6" machines.
> 
> It seems that my instructions that I kept from 1 year ago are no longer
> valid; there are new files in existence and some old ones no longer in
> existence for both RHEL6 and RHEL7:

The only change is systemd vs SysVinit initialization, augenrules being 
default rule loader, and updating rules for a change in where the default 
first user account starts (500 vs 1000). There are no changes in the audispd 
area.

> *[OLD]*
> /etc/audisp/
> *audisp-remote.conf,*
> /etc/audisp/plugins.d/*au-remote.conf*
> 
> *[NEW]*
> /etc/audisp/plugins.d/af_unix.conf
> /etc/audisp/plugins.d/syslog.conf

These have always been there. Note that all plugins default to off.

> Not sure how to find the appropriate man pages to configure this setup
> properly.  I am attaching what I wrote 1 year ago; and hope that you can
> push me in the direction of a good walk-through for audispatch of the
> modern revision (audit-2.4.5-3 on RHEL6, and audit-2.4.1-5.el7).
> 
> I have to stick with these revisions for a little while since we are going
> through a Project Management Stage gate, impacting update decisions.

I'd highly recommend moving to the 2.6.5 release. This is because the main 
feature of 2.6 was to resolve uid/gid during event processing so that reports 
run on aggregated logs resolve to the right account. 

The area between 0 and 300 is for fixed accounts. All systems have the same 
accounts. The area between 300 and 1000 is also for system accounts, but these 
are not standardized. They are allocated randomly by the order of package 
installation. (This behavior is controlled by /etc/login.defs.) For example, 
the chrony daemon account on my main system is 990. On my laptop, it's 994. So, 
if my laptop sent logs to my main system, ausearch prior to 2.6 would do the 
lookup on the server and map account 994 to geoclue. After 2.6, auditd puts 
the mapping in the record after a special separator. Ausearch uses this during 
interpretation to display the correct account name.

Besides that, there was a remote logging bug fixed on 2.6.1 that was causing 
remote logging problems in earlier releases.

-Steve
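The uid resolution problem Steve describes, worked through as an added illustration that is not part of this message or of the audit project's code. It assumes the separator is the ASCII group separator (0x1d) that auditd's enriched log format appends, and the passwd maps and audit records are constructed sample data mirroring the chrony/geoclue example above.

```python
import re

# Constructed UID->name maps for two hosts, mirroring the example in the
# message: chrony is 994 on the laptop but 990 on the server, where 994 is geoclue.
LAPTOP_PASSWD = {0: "root", 994: "chrony"}
SERVER_PASSWD = {0: "root", 990: "chrony", 994: "geoclue"}

# Assumption: the "special separator" is the ASCII group separator (0x1d),
# after which auditd >= 2.6 writes the names resolved on the originating host.
ENRICH_SEP = "\x1d"

# Constructed record as a pre-2.6 laptop would write it: numeric ids only.
PLAIN_RECORD = ('type=SYSCALL msg=audit(1491258860.123:42): arch=c000003e '
                'syscall=2 success=yes exit=3 uid=994 gid=994 '
                'comm="chronyd" exe="/usr/sbin/chronyd"')
# The same event with the enrichment a 2.6 auditd appends on the laptop itself.
ENRICHED_RECORD = PLAIN_RECORD + ENRICH_SEP + 'UID="chrony" GID="chrony"'


def split_enrichment(record):
    """Return (raw_fields, enrichment) with enrichment None if absent."""
    raw, sep, enriched = record.partition(ENRICH_SEP)
    return raw, (enriched if sep else None)


def field(text, name):
    """Extract key=value or key="value"; case-sensitive, whole-key match."""
    m = re.search(r'(?:^|\s)%s=("?)([^\s"]+)\1' % re.escape(name), text)
    return m.group(2) if m else None


def resolve_uid(record, local_passwd):
    """Interpret uid= the way a report tool on the aggregating host would.

    Pre-2.6: only the numeric uid exists, so the aggregating host's own
    passwd is consulted, which is wrong for records from another system.
    Post-2.6: the name embedded by the originating host is used instead.
    Returns (account_name, how_it_was_resolved).
    """
    raw, enriched = split_enrichment(record)
    uid = int(field(raw, "uid"))
    if enriched is not None:
        name = field(enriched, "UID")
        if name is not None:
            return name, "enriched"
    return local_passwd.get(uid, "unknown(%d)" % uid), "local-lookup"
```

Run against the server's passwd, the plain record mis-resolves 994 to geoclue while the enriched record yields chrony, which is exactly the mismatch the 2.6 change removes.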
