Audit logging

David O'Brien daobrien at redhat.com
Fri Aug 4 00:07:43 UTC 2006


top post...

Stuart,
I'm following this thread with interest, as I'm in the process of updating the 
RHEL5 documentation for Security and SELinux and I'm looking especially for 
Use Cases/real world scenarios (rather than fabricated implementations). I'm 
especially interested in getting community input for this.

If I'm reading this correctly, this could be a "Using SELinux to perform 
self-auditing" (or whatever) topic, including why you would do that, why 
SELinux is a good way to do it, and then *how* to do it exactly, with 
expected results, possible variations, and some troubleshooting, perhaps. 
Also some material on how/what *not* to do.

How do you feel about getting involved in this? I'm a writer, not an SELinux 
expert, so I'm relying on input from others for the techie bits.

Further, if you're aware of documentation that's wrong or hard to follow, let 
me know or file a bug (https://bugzilla.redhat.com/bugzilla/index.cgi).

cheers
David

On Friday 04 August 2006 02:44, Stuart James wrote:
> Hi Steve,
>
> On Thu, 3 Aug 2006 08:47:10 -0700 (PDT)
>
> Steve G <linux_4ever at yahoo.com> wrote:
> > >- From PCI standards
> >
> > I'm not familiar with this one, where would I find its requirements
> > on the internet?
> >
> > >10.5 Secure audit trails so they cannot be altered, including the
> > >following:
> > >10.5.1 Limit viewing of audit trails to those with a
> > >job-related need.
> > >10.5.2 Protect audit trail files from unauthorized
> > >modifications.
> >
> > The above is handled currently by the audit system.
> >
> > >10.5.3 Promptly back-up audit trail files to a
> > >centralized log server or media that is difficult to alter
> >
> > You'll have to modify the cron script to do this.
> >
> > >Would it be best to write a custom selinux policy to log all system_r
> > >commands / syscalls so someone could not just turn off the auditd.
> >
> > No one can turn off auditd unless they are root. Do you have
> > untrusted root users?
>
> We do not have untrusted root users; the problem is we are trying to
> audit ourselves and do it in a way that we could not easily
> circumvent, and if we were to, there would be a record. For instance, if
> I were to disable auditd, there should be a record of such as I do it
> on a central log server I do not have access to.
>
> Currently we use Sudo and log via syslog-ng to a central server,
> obviously sudo can be circumvented in many ways such as
> "sudo /bin/bash" will do it.
>
> > >Currently we already use Syslog-ng, which hopefully we can
> > >incorporate auditd to log to the central syslog servers.
> >
> > Generally what you would want to do is update the cron script to
> > rename the files with date, time, and machine name. Then scp them to
> > a directory on a remote machine. I would not merge the logs with
> > syslog since you will lose the ability to use any audit tools.
> >
> > >-a entry,always -F uid=0 -F auid=999 -S open -S exit
> > >- -a task,always -F uid=0 -F auid=999
> >
> > This will log every open of every file for that user. What are you
> > really trying to capture? Generally, security targets are concerned
> > with modifications of specific files.
> >
> > >The problem is, i get tons of syscalls for applications such as sshd
> > >and tail
> >
> > Yep.
> >
> > >Would it be possible to use the "exclude" for auditctl,
> >
> > This will exclude one type of message. For example, you can get rid
> > of everything
>
> If I wanted to exclude the following
>
> type=SYSCALL msg=audit(1154617819.471:67475): arch=c000003e syscall=2
> success=yes exit=3 a0=2aaaac31f8e9 a1=0 a2=1b6 a3=0 items=1 pid=25561
> auid=XXX uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> tty=(none) comm="sshd" exe="/usr/sbin/sshd"
> subj=user_u:system_r:unconfined_t:s0-s0:c0.c255
>
>
> -a exclude,always -F msgtype=SYSCALL
> -a exit.always -F uid=0
> -a entry,always -F uid=0
>
> Is this correct ?
>
> or can I do something
> -a exit,
>
> >  with type=LOGIN. It only looks at that one field and nothing else.
> >
> > >but I am unsure of how to not log sshd and tail without using a pid
> > >which can obviously change.
> >
> > What are you really trying to record?
>
> Trying to record when people access particular files, which I have
> been looking at the auditctl -w for, but the examples do not work in the
> documentation
>
> such as (found in capp.rules)
>
> -w /var/log/audit/ -k LOG_audit
>
>
> Thanks in advance
>
>
> --
> Stuart James
> System Administrator
> DDI - (44) 0 1765 643354

-- 
David O'Brien
Red Hat Asia Pacific Pty Ltd

Tel:  +61-7-3514-8189
Fax: +61-7-3514-8199

email: daobrien at redhat.com
web: http://apac.redhat.com/
IRC: daobrien #docs #selinux #devel #doc-i18n
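Stuart's exclude question above turns on what an exclude rule can see. As Steve says, it matches the message type and nothing else, so `-a exclude,always -F msgtype=SYSCALL` drops every SYSCALL record, the file accesses Stuart wants included, not just the sshd and tail noise. The following is an added example, not code from this thread or from the audit package: it parses records in the format quoted above and shows the difference between a type-level exclusion and a post-collection filter on `comm`. The first sample line is the sshd record from the message (with its auid anonymised as in the original); the tail, vim and LOGIN lines are constructed, and the program names and auid values in them are assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample: line 1 is the sshd record quoted in the thread; the
# other lines are invented to stand in for tail noise, a real file access
# by an interactive user (auid=999), and a LOGIN record.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1154617819.471:67475): arch=c000003e syscall=2 success=yes exit=3 a0=2aaaac31f8e9 a1=0 a2=1b6 a3=0 items=1 pid=25561 auid=XXX uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="sshd" exe="/usr/sbin/sshd" subj=user_u:system_r:unconfined_t:s0-s0:c0.c255
type=SYSCALL msg=audit(1154617820.102:67476): arch=c000003e syscall=2 success=yes exit=4 a0=7fff1234 a1=0 a2=0 a3=0 items=1 pid=25570 auid=999 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="tail" exe="/usr/bin/tail" subj=user_u:system_r:unconfined_t:s0-s0:c0.c255
type=SYSCALL msg=audit(1154617825.884:67480): arch=c000003e syscall=2 success=yes exit=3 a0=7fff5678 a1=2 a2=0 a3=0 items=1 pid=25581 auid=999 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="vim" exe="/usr/bin/vim" subj=user_u:system_r:unconfined_t:s0-s0:c0.c255
type=LOGIN msg=audit(1154617800.000:67470): login pid=25560 uid=0 old auid=4294967295 new auid=999
"""

# key=value tokens; a value may be "quoted", (parenthesised) like tty=(none), or bare.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
# msg=audit(<seconds>.<millis>:<serial>) carries the event time and serial number.
MSG_RE = re.compile(r'audit\((\d+)\.(\d+):(\d+)\)')


def parse_record(line):
    """Turn one audit record into a dict; adds 'timestamp' (UTC) and 'serial'."""
    rec = {}
    for key, value in FIELD_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        rec[key] = value  # a later duplicate key (e.g. 'new auid=') wins
    m = MSG_RE.search(rec.get("msg", ""))
    if m:
        secs, millis, serial = m.groups()
        rec["timestamp"] = datetime.fromtimestamp(
            int(secs) + int(millis) / 1000, tz=timezone.utc)
        rec["serial"] = int(serial)
    return rec


def parse_log(text):
    """Parse every non-empty line of an audit.log-style text."""
    return [parse_record(l) for l in text.splitlines() if l.strip()]


def exclude_by_type(records, msgtype):
    """What '-a exclude,always -F msgtype=<TYPE>' does: every record of that
    type is dropped, regardless of comm, exe, pid or any other field."""
    return [r for r in records if r.get("type") != msgtype]


def drop_noisy_commands(records, noisy=("sshd", "tail")):
    """Post-collection alternative: drop only SYSCALL records from the named
    programs, so the file accesses you wanted survive for review."""
    return [r for r in records
            if not (r.get("type") == "SYSCALL" and r.get("comm") in noisy)]


def file_accesses_by_user(records):
    """Summarise the remaining SYSCALL records as (auid, comm, exe, serial)."""
    return [(r.get("auid"), r.get("comm"), r.get("exe"), r.get("serial"))
            for r in records if r.get("type") == "SYSCALL"]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("excluded by type:", file_accesses_by_user(exclude_by_type(recs, "SYSCALL")))
    print("filtered by comm:", file_accesses_by_user(drop_noisy_commands(recs)))
```

Run on the sample, the type-level exclusion leaves no SYSCALL records at all, while the `comm` filter keeps the vim access by auid 999 and discards only the sshd and tail records. The parser keeps `auid` as a string because the quoted record carries the anonymised value `XXX`; a real log would hold a number or 4294967295 for "unset".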
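Steve's recommendation for the PCI 10.5.3 point above is a cron job that renames each rotated audit file with date, time and machine name and copies it to a remote host, keeping it out of syslog so that ausearch and aureport still work on it. The following is an added example of that staging step, not code from the thread or from the audit package: the archive name format, the staging directory, the remote path `audit@loghost:/srv/audit/incoming` and the `.sha256` sidecar (which lets the collector notice a file altered in transit or afterwards) are all assumptions.

```python
import hashlib
import os
import shutil
import socket
import subprocess
from datetime import datetime, timezone


def archive_name(src, host=None, when=None):
    """'<host>-<YYYYmmdd-HHMMSS>-<basename>': sorts by host and time and
    cannot collide when many machines ship into one directory."""
    host = host or socket.gethostname().split(".")[0]
    when = when or datetime.now(timezone.utc)
    return f"{host}-{when:%Y%m%d-%H%M%S}-{os.path.basename(src)}"


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks so large logs are not slurped."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def stage_log(src, staging_dir, host=None, when=None):
    """Copy a rotated audit file into staging under its archive name and
    write a '<name>.sha256' sidecar in 'sha256sum -c' format. Returns
    (dest_path, digest). The original stays in place for the local tools."""
    os.makedirs(staging_dir, mode=0o700, exist_ok=True)
    dest = os.path.join(staging_dir, archive_name(src, host, when))
    shutil.copy2(src, dest)
    os.chmod(dest, 0o600)  # staging copy readable by the shipping user only
    digest = sha256_of(dest)
    with open(dest + ".sha256", "w") as f:
        f.write(f"{digest}  {os.path.basename(dest)}\n")
    return dest, digest


def ship(dest, remote="audit@loghost:/srv/audit/incoming"):
    """Push the staged file and its sidecar with scp (the remote path is an
    assumed placeholder). check=True raises on failure, so cron reports the
    error instead of a log silently never arriving."""
    subprocess.run(["scp", "-q", dest, dest + ".sha256", remote + "/"], check=True)


if __name__ == "__main__":
    import sys
    # usage: stage_audit.py /var/log/audit/audit.log.1 /var/spool/audit-ship
    staged, digest = stage_log(sys.argv[1], sys.argv[2])
    print(staged, digest)
    ship(staged)
```

On the central host, `sha256sum -c` against the sidecar confirms the file arrived intact, and the host and time in the name make it easy to spot a machine whose files stop arriving, which is exactly the "auditd was turned off" case Stuart wants a record of.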



