RHEL6 and RHEL7 audispatch configurations
Steve Grubb
sgrubb at redhat.com
Mon Apr 3 22:34:20 UTC 2017
On Monday, April 3, 2017 2:23:21 PM EDT warron.french wrote:
> Hi Steve, sorry for bugging you directly, nearly 1 year ago (May 10th to be
> exact) we collaborated, for my benefit on how to configure audispatch on
> "RHEL6" machines.
>
> It seems that my instructions that I kept from 1 year ago are no longer
> valid; there are new files in existence and some old ones no longer in
> existence for both RHEL6 and RHEL7:
The only changes are systemd vs SysVinit initialization, augenrules being the
default rule loader, and updating rules for a change in where the default
first user account starts (500 vs 1000). There are no changes in the audispd
area.
> [OLD]
> /etc/audisp/audisp-remote.conf,
> /etc/audisp/plugins.d/au-remote.conf
>
> [NEW]
> /etc/audisp/plugins.d/af_unix.conf
> /etc/audisp/plugins.d/syslog.conf
These have always been there. Note that all plugins default to off.
> Not sure how to find the appropriate man pages to configure this setup
> properly. I am attaching what I wrote 1 year ago; and hope that you can
> push me in the direction of a good walk-through for audispatch of the
> modern revision (audit-2.4.5-3 on RHEL6, and audit-2.4.1-5.el7).
>
> I have to stick with these revisions for a little while since we are going
> through a Project Management Stage gate, impacting update decisions.
I'd highly recommend moving to the 2.6.5 release. This is because the main
feature of 2.6 was to resolve uid/gid during event processing so that reports
run on aggregated logs resolve to the right account.
The area between 0 and 300 is for fixed accounts. All systems have the same
accounts. The area between 300 and 1000 is also for system accounts, but they
are not standardized. They are allocated randomly by the order of package
installation. (This behavior is controlled by /etc/login.defs.) For example,
the chrony daemon account on my main system is 990. On my laptop, it's 994. So,
if my laptop sent logs to my main system, ausearch prior to 2.6 would do the
lookup on the server and map account 994 to geoclue. After 2.6, auditd puts
the mapping in the record after a special separator. Ausearch uses this during
interpretation to display the correct account name.
Besides that, there was a remote logging bug fixed in 2.6.1 that was causing
remote logging problems in earlier releases.
-Steve
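The uid-resolution problem described above, as an added example that is not part of the original thread and not audit project code. It constructs two passwd tables in which the 300-999 range was allocated in a different order (chrony is 994 on the "laptop" and 990 on the "server"), a constructed SYSCALL record from the laptop, and then interprets that record on the server two ways: pre-2.6 style (local passwd lookup, which mislabels the account) and 2.6+ style (using a name mapping the origin host appended after a separator). The separator byte (ASCII 0x1D) and the `UID="name"` field layout of the appended mapping are assumptions made for this example, as are the sample uids, names and record contents.

```python
import re

# Assumption for this example: the origin host appends its uid->name mapping
# after an ASCII group separator (0x1D) as fields like UID="chrony".
GS = "\x1d"
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed passwd tables: same account names, different uids in the
# non-standardized 300-999 range, as happens when packages install in a
# different order on two hosts.
LAPTOP_PASSWD = {0: "root", 990: "geoclue", 994: "chrony"}
SERVER_PASSWD = {0: "root", 990: "chrony", 994: "geoclue"}

# Constructed raw record, as a chronyd event would look on the laptop before
# any enrichment is added.
LAPTOP_RECORD = (
    'type=SYSCALL msg=audit(1491258000.123:456): arch=c000003e syscall=2 '
    'success=yes exit=3 uid=994 gid=991 auid=4294967295 ses=4294967295 '
    'comm="chronyd" exe="/usr/sbin/chronyd" key="time-config"'
)


def parse_fields(text):
    """Return key/value pairs from an audit record fragment, unquoting values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(text)}


def split_enrichment(record):
    """Split a record into (raw part, parsed enrichment dict or None)."""
    raw, sep, enriched = record.partition(GS)
    return raw, (parse_fields(enriched) if sep else None)


def enrich(record, passwd):
    """Simulate the origin host resolving uid and appending the mapping."""
    uid = int(parse_fields(record)["uid"])
    name = passwd.get(uid, str(uid))
    return f'{record}{GS}UID="{name}"'


def interpret_uid_local(record, passwd):
    """Pre-2.6 behaviour: ignore any enrichment, resolve uid in the local passwd."""
    raw, _ = split_enrichment(record)
    uid = int(parse_fields(raw)["uid"])
    return passwd.get(uid, str(uid))


def interpret_uid_enriched(record, passwd):
    """2.6+ behaviour: prefer the origin host's mapping, else fall back to local."""
    raw, enrichment = split_enrichment(record)
    if enrichment and "UID" in enrichment:
        return enrichment["UID"]
    return interpret_uid_local(raw, passwd)


if __name__ == "__main__":
    sent = enrich(LAPTOP_RECORD, LAPTOP_PASSWD)
    # Local lookup on the aggregating server maps 994 to the wrong account.
    print("local lookup on server   :", interpret_uid_local(sent, SERVER_PASSWD))
    # Using the mapping carried in the record gives the originating host's name.
    print("enriched lookup on server:", interpret_uid_enriched(sent, SERVER_PASSWD))
```

The fallback in `interpret_uid_enriched` matters when mixing logs from hosts running older and newer audit versions: a record with no appended mapping still gets a name, but that name is only trustworthy if the record came from a host whose passwd matches the server's.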