[Fwd: Re: Latest Audit on RHEL 5.2]

LC Bruzenak lenny at magitekltd.com
Wed Nov 12 17:14:50 UTC 2008


On Wed, 2008-11-12 at 11:16 -0500, Dan Gruhn wrote:
> Greetings,
> 
> I have some systems with RHEL 5.2 (a server and three workstations)
> that I'd like to put the latest audit software on to put me on the
> path of getting NISPOM approval. My plan is to get to the point that I
> will have prelude running with information display via Prewikka.
> 
> 1) I have read the HowTo at
> http://people.redhat.com/sgrubb/audit/prelude.txt but it seems rather
> old as it talks about audit 1.6.6 to 1.6.7 upgrading and updates to
> come after things have been checked out.  Does anyone have any updates
> to this procedure that will be helpful?

I have used this procedure for 1.7.7 and soon 1.7.9.
I believe it is up to date. 

I assume you want to point all machines to just one which will display
the prewikka info? If that is the case you will need to register the
audit senders to the single prelude-manager which isn't detailed exactly
on those instructions (last I looked).

However, it is easy. Just follow the instructions for single server and
then register the non-prewikka machines to the main collector.

I register the audit prelude sensor with the prelude-manager on each
host. Then I register the prelude-manager to the prelude-manager on the
Prelude Collector/Server (set the "parent-managers" option
in /etc/prelude-manager/prelude-manager.conf).

Here are some example instructions for the above.
Edit /etc/prelude-manager/prelude-manager.conf 
      * Locate and uncomment the [relaying] section
      * Add parent-managers = <prelude server IP>

Register the prelude-manager with the Prelude Server's prelude-manager:
      * Run prelude-admin register prelude-manager "idmef:w" <prelude
        server IP> --uid 0 --gid 0
      * Open a second terminal window and ssh <prelude server IP>
      * On the Prelude Server, run: prelude-admin registration-server
        prelude-manager
      * The Prelude Server will generate a one time password. You will
        need to copy and paste the password to the first window when it
        prompts for the password.
      * Confirm the password
      * Acknowledge the registration in the Prelude Server terminal
        window.


LCB.

-- 
LC (Lenny) Bruzenak
lenny at magitekltd.com
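
Added example, not part of the original message and not Prelude's own tooling: a shell function that applies the [relaying] edit described above repeatably across several hosts. The function name, the commented-out layout of the stock file and the sample address in the usage comment are assumptions; the prelude-admin registration steps stay interactive and are not scripted here.

```shell
#!/bin/sh
# enable_relaying <conf-file> <prelude server IP>
# Uncomments (or appends) the [relaying] section and sets parent-managers.
# Assumption: the stock file ships the section commented out, e.g.
#   # [relaying]
#   # parent-managers = x.x.x.x
# Re-running with the same address leaves the file unchanged; the
# original is kept as <conf-file>.bak.
enable_relaying() {
    conf=$1
    parent=$2
    tmp=$(mktemp) || return 1
    awk -v parent="$parent" '
        # Section header, active or commented out: "[name]" or "# [name]"
        /^[ \t]*#?[ \t]*\[[A-Za-z0-9_=. -]+\][ \t]*$/ {
            # Leaving [relaying] without a parent-managers line: add it first
            if (in_rel && !done) { print "parent-managers = " parent; done = 1 }
            in_rel = ($0 ~ /\[relaying\]/)
            if (in_rel) { print "[relaying]"; seen = 1; next }
        }
        # Inside [relaying]: replace an existing or commented-out setting
        in_rel && /^[ \t]*#?[ \t]*parent-managers[ \t]*=/ {
            if (!done) { print "parent-managers = " parent; done = 1 }
            next
        }
        { print }
        END {
            if (!seen) print "\n[relaying]"
            if (!done) print "parent-managers = " parent
        }
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Write through the existing file so its owner and mode are preserved
    cp -p "$conf" "$conf.bak" && cat "$tmp" > "$conf"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage (address is a constructed documentation value):
#   enable_relaying /etc/prelude-manager/prelude-manager.conf 192.0.2.10
```

Diff the result against the .bak copy before restarting prelude-manager, so that the only change going live is the [relaying] section.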



