
Re: buffer space



Attached is the audit.rules file from SECSCN 4.3.  There is a v4.4 now available but I don't have it handy.  Also attached are two docs which explain SECSCN's auditd configuration expectations.

-Mike

On Mon, Aug 17, 2009 at 11:34 AM, Norman Mark St. Laurent <mstlaurent conceras com> wrote:
Hi David,

I too would like to know what version of SECSCAN you are using for the "required watches".  I run the STIGS, SECSCAN, and a myriad of vulnerability analysis tools (outside looking in -->  inside looking around) on systems that I ISSE and provision.  I do not recall "required watches" that need to be set with this tool, but I may be off a version and I may need to visit another site to pick up the latest and greatest....

I know SECSCAN would like the system to be configured to HALT on audit failure using the disk_full_action setting in /etc/audit/auditd.conf.  It would also like the system to be configured to halt on audit disk error, as well as the audit data to be synchronously flushed to disk to avoid data loss.  To do this (respectfully) I have set in my KickStarts and Satellite:

perl -npe 's/disk_full_action = SUSPEND/disk_full_action = HALT/' -i /etc/audit/auditd.conf
perl -npe 's/disk_error_action = SUSPEND/disk_error_action = HALT/' -i /etc/audit/auditd.conf
perl -npe 's/flush = INCREMENTAL/flush = SYNC/' -i /etc/audit/auditd.conf

Currently I set the /var/log/audit logs to rotate daily for 90 days...  in /etc/logrotate.d/audit, and the capp.rules and nispom.rules in /usr/share/doc/audit* all work great and provide nice examples to comply with Security Policy.

Because of the log rotation and the way aureport works, I have written a wrapper script to be able to search and report on all the log files.  Something of this type would help the Security Officers look through the log files.  The script also keeps a pristine copy of the log files for investigation, with digital sigs to watch for tampering (as well as aide) for investigation if need be --> this keeps the processing of the files (MAC times) and a pristine copy separated.

I am very interested in finding out more about these set watches that are required in SECSCAN.

Best regards,


Norman Mark St. Laurent
Conceras | Chief Technology Officer and ISSE



David Flatley wrote:

Thanks Steve!
If I were to move all the rotated logs to another directory, say /home/logs, then instead of doing "ausearch -i" to capture all the information in the rotated logs in
the /var/log/audit directory, I would do "ausearch -i -f /home/logs", correct?

Backlog is set to 12288 right now.

The SECSCAN requires many -w (watches) and a fair amount of syscalls. I modified the syscalls to add your recommendation for using "arch=b32" and "arch=b64",
because I was getting errors restarting the auditd on some of their recommendations, one of which was mount?

Another setting I believe was doing me in was the log size is 20 megs and I allow 8 rotated logs. But I had admin_disk_full set to 160 and the action was suspend.
So this could have been tripping me up also.

I would like to be able to do the audit log extractions (ausearch and aureport) when I get say 8 - 20 megs logs. I see I can do an exec on a script in max_log_file_action.
So if I set the max_log_file to 160, I can then run a script to move the rotated logs and process them, thus not stopping auditd and keeping things working? I would set the
max rotated logs to 10 to allow the new rotated log space then move the logs as you suggest.

Thanks.

David Flatley CISSP






From: Steve Grubb <sgrubb redhat com>
To: linux-audit redhat com
Cc: David Flatley/Burlington/IBM IBMUS
Date: 08/13/2009 02:29 PM
Subject: Re: buffer space



On Thursday 13 August 2009 10:56:50 am David Flatley wrote:
>   Red Hat 5.3 running audit 1.7.7-6
> Rotating logs at 20 megs and allowing 8 logs
> Rules have watches and syscalls from the SECSCAN recommendations, and have
> added some of Steve Grubb's recommendations.

I would be curious what the SECSCAN recommendations are. Never heard of it...


> When we extract and archive the audit logs we get "Error receiving audit
> netlink packet (No buffer space available) an "error sending signal info
> request"
> Our extract is: stop auditd then create a file and run ausearch -i > file
> then run an aureport -i > file then once that is done we delete all the
> logs and restart auditd.

I think this is your problem. If you have audit rules loaded and stop auditd,
then audit events are going to pile up in the queue waiting for auditd to
download them. At some point the kernel will decide auditd doesn't exist and
will dump all events to syslog. This probably is not what you want either.

I would recommend calling "service auditd rotate" and then grab logs
audit.log.1 -> audit.log.7 and move them away to another directory for post-processing the contents.

You may also want to check your backlog size settings too.


> If I run this manually it works fine but if I have it running it in a cron
> we get Kernel panics, lockups and log data loss plus the buffer messages.

Shouldn't really make a difference.

-Steve
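The procedure Steve recommends above (rotate while auditd keeps running, then move audit.log.1 onward somewhere else and run the reports there), combined with the "pristine copy with signatures" idea from Norman's reply, as an added example script that is not code from any of the posters. The live and archive directories and the rotate command are parameters (an assumption made so the function can be exercised against scratch directories); in production they would be /var/log/audit, something like /home/logs, and "service auditd rotate". Checksums here are plain SHA-256 sums rather than real digital signatures.

```shell
#!/bin/sh
# Added example, not from the thread: archive rotated audit logs without
# stopping auditd. auditd is asked to rotate, the rotated files
# (audit.log.1, audit.log.2, ...) are moved to a timestamped batch directory,
# made read-only, and a SHA-256 manifest is written beside them so any later
# change to the archived copies can be detected.

archive_audit_logs() {
    src="$1"                                  # live log directory, normally /var/log/audit
    dst="$2"                                  # archive root, e.g. /home/logs
    rotate="${3:-service auditd rotate}"      # command that makes auditd rotate (assumed parameter)
    batch="$dst/$(date +%Y%m%d%H%M%S)"

    mkdir -p "$batch" || return 1
    # Rotate first: auditd keeps running and audit.log stays the live file,
    # so nothing piles up in the kernel's audit queue.
    $rotate || return 1

    moved=0
    for f in "$src"/audit.log.[0-9]*; do
        [ -f "$f" ] || continue               # glob matched nothing
        mv "$f" "$batch/" || return 1
        moved=$((moved + 1))
    done
    if [ "$moved" -eq 0 ]; then
        rmdir "$batch"
        return 2                              # nothing had been rotated yet
    fi

    # Pristine copies: read-only, with a checksum manifest alongside.
    ( cd "$batch" && sha256sum audit.log.* > SHA256SUMS ) || return 1
    chmod 0400 "$batch"/audit.log.* "$batch/SHA256SUMS" || return 1
    printf '%s\n' "$batch"
}

# Returns 0 while every archived file still matches its recorded checksum.
verify_archive() {
    ( cd "$1" && sha256sum -c SHA256SUMS >/dev/null 2>&1 )
}

# Run the reporting tools over an archived batch instead of the live logs.
# ausearch and aureport read a given file with -if, so iterate over the batch.
report_batch() {
    for f in "$1"/audit.log.*; do
        aureport -if "$f" --summary
    done
}

# Usage (production): batch=$(archive_audit_logs /var/log/audit /home/logs)
#                     report_batch "$batch"
```

The function refuses to archive when nothing has been rotated (return code 2) rather than producing an empty batch, and verify_archive fails as soon as any archived file differs from the manifest, which is the check an investigator would run before trusting the copy.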


------------------------------------------------------------------------

Title: Audit1

Protection Level 2

DCID 6/3 Requirements -

4.B.2.a A system operating at Protection Level 2 shall employ the following features:

4.B.2.a(4) [Audit1] Auditing procedures, including:

4.B.2.a(4)(a) Providing the capability to ensure that all audit records include enough information to allow the ISSO to determine the date and time of action (e.g., common network time), the system locale of the action, the system entity that initiated or completed the action, the resources involved, and the action involved.

4.B.2.a(4)(b) Protecting the contents of audit trails against unauthorized access, modification, or deletion.

4.B.2.a(4)(c) Maintaining collected audit data at least 5 years and reviewing at least weekly.

4.B.2.a(4)(d) The systems creating and maintaining an audit trail that includes selected records of:

4.B.2.a(4)(d)(1) Successful and unsuccessful logons and logoffs.

4.B.2.a(4)(d)(2) Accesses to security-relevant objects and directories, including opens, closes, modifications, and deletions.

4.B.2.a(4)(d)(3) Activities at the system console (either physical or logical consoles), and other system-level accesses by privileged users.


JDCSISSS 7.5.3.1 (U) (1 January 2006 Revision 4) Automated Audit Trail Information Requirements

ISs approved for classified processing should contain, at a minimum, the following audit trail records:

No. | Auditable Events | Protection Level | Success | Failure | Red Hat Linux syscall Audit Flag(s)
1 | Logons | 1-5 | X | X | Audit Default
2 | Logoffs | 1-5 |   | X | Audit Default
3 | Security relevant directories, objects, and incidents (DAC) | 1-5 | X | X | open, creat
4 | System Console activities | 1-5 |   | X | chmod, fchmod, chown, chown32, fchown, fchown32, lchown, lchown32, creat, open, truncate, truncate64, ftruncate, ftruncate64, unlink, rename, link, symlink, mknod, mount, umount, umount2, clone, fork, vfork, umask, adjtimex, settimeofday
5 | Use of Privileged/Special Rights | 1-5 |   | X | chmod, fchmod, chown, chown32, fchown, fchown32, lchown, lchown32, creat, open, truncate, truncate64, ftruncate, ftruncate64, unlink, rename, link, symlink, mknod, mount, umount, umount2
6 | Root Level Access | 1-5 | X | X | chown, chown32, fchown, fchown32, lchown, lchown32, adjtimex, settimeofday
7 | Uploads from local devices | 1-5 | X | X | mount, umount, umount2
8 | Writes/Downloads to local devices (A drives, Jazz drives, Printers) | 1-5 | X |   | mount, umount, umount2
9 | System Restarts/Shutdowns | 1-5 | X | X | reboot
10 | Change of users' formal access permissions | 3-5 | X | X | N/A
11 | Information downgrades and overrides | 4-5 | X | X | N/A
12 | Attempted access to objects or data whose labels are inconsistent with user privileges | 4-5 |   | X | N/A
13 | Changes to security labels | 4-5 | X | X | chmod, fchmod, chown, chown32, fchown, fchown32, lchown, lchown32, umask

Attachment: AUDIT.RULES
Description: Binary data

Title: Audit Rules Descriptions

Red Hat Syscall Auditing Descriptions


Syscall Name | Rule | Description | Audit Implication | Recommendation for Tactical System
chmod, fchmod | -a entry,always -S chmod -S fchmod | chmod changes the permissions of each given file according to mode, which can be either a symbolic representation of changes to make or an octal number representing the bit pattern for the new permission | monitors changes to file permissions | Audit all
chown, chown32, fchown, fchown32, lchown, lchown32 | -a entry,always -S chown -S chown32 -S fchown -S fchown32 -S lchown -S lchown32 | chown changes the user and/or group ownership of each given file | monitors changes to file ownership | Audit all
    Note: Enable *32 rules only if you are running on i386 or s390. Do not use for x86_64, ia64, ppc, ppc64, or s390x.
creat, open | -a entry,always -S creat -S open | opens and possibly creates files or devices | monitors all file accesses occurring on a system | Audit failures only
    WARNING: Implementing this rule will cause large amounts of audit data to be produced. Ensure the audit partition and log retention facilities are capable of handling large amounts of audit data before implementing this rule.
truncate, truncate64, ftruncate, ftruncate64 | -a entry,always -S truncate -S truncate64 -S ftruncate -S ftruncate64 | truncates a file to a specified length | monitors file content modification | Audit all
    Note: Enable *64 rules if you are running on i386, ppc, ppc64 or s390. Do not use for x86_64, ia64, or s390x.
unlink, link, symlink, rename | -a entry,always -S unlink -S link -S symlink -S rename | used to move, link or delete files | monitors file moving, removing, and linking | Audit all
mknod | -a entry,always -S mknod | creates block or character special files | monitors the creation of special files | Audit all
mount, umount, umount2 | -a entry,always -S mount -S umount -S umount2 | mounts or unmounts a file system | monitors the mounting or unmounting of file systems | Audit all
    Note: For x86_64 architecture, disable the umount rule. For ia64 architecture, disable the umount2 rule.
clone, clone2, fork, vfork | -a entry,always -S clone -S clone2 -S fork -S vfork | creates child processes | monitors the creation of child processes | off
    Note: For ia64 architecture, disable fork and vfork and enable clone2.
    WARNING: Implementing this rule will cause large amounts of audit data to be produced. Ensure the audit partition and log retention facilities are capable of handling large amounts of audit data before implementing this rule.
umask | -a entry,always -S umask | user file creation mask | monitors changes to umask settings | Audit all
adjtimex, settimeofday | -a entry,always -S adjtimex -S settimeofday | changes the system time | monitors changes to the system time | Audit all
reboot | -a entry,always -S reboot | reboot or enable/disable Ctrl-Alt-Del | monitors system reboots | Audit all
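The table's per-architecture notes (the *32 variants only on i386/s390, the *64 variants on i386/ppc/ppc64/s390, umount dropped on x86_64, umount2 dropped on ia64, clone/fork recommended "off") are easy to get wrong by hand, which is one way to end up with rules auditd refuses to load at restart. The following generator, an added example and not part of the attached document, emits the rule lines from the table for a named architecture with those notes applied. It keeps the table's audit 1.x "-a entry,always" syntax, with one deliberate difference called out in a comment: "Audit failures only" for open/creat is expressed with -F success=0, and because success is only known when the syscall returns, that rule has to go on the exit list. The architecture names are assumed to be the ones used in the notes; the mapping from uname -m is an assumption too.

```shell
#!/bin/sh
# Added example, not from the attachment: generate the table's auditctl rule
# lines for one architecture, honouring the table's own notes about which
# syscall variants exist on which platform.

gen_rules() {
    arch="$1"
    case "$arch" in
        i386|s390) wide32=yes ;;             # Note: *32 rules only on i386 or s390
        *)         wide32=no ;;
    esac
    case "$arch" in
        i386|ppc|ppc64|s390) wide64=yes ;;   # Note: *64 rules on i386, ppc, ppc64 or s390
        *)                   wide64=no ;;
    esac

    echo "-a entry,always -S chmod -S fchmod"
    if [ "$wide32" = yes ]; then
        echo "-a entry,always -S chown -S chown32 -S fchown -S fchown32 -S lchown -S lchown32"
    else
        echo "-a entry,always -S chown -S fchown -S lchown"
    fi
    # "Audit failures only": the success of a syscall is known only at exit,
    # so a success filter belongs on the exit list, not the entry list.
    echo "-a exit,always -S creat -S open -F success=0"
    if [ "$wide64" = yes ]; then
        echo "-a entry,always -S truncate -S truncate64 -S ftruncate -S ftruncate64"
    else
        echo "-a entry,always -S truncate -S ftruncate"
    fi
    echo "-a entry,always -S unlink -S link -S symlink -S rename"
    echo "-a entry,always -S mknod"
    case "$arch" in
        x86_64) echo "-a entry,always -S mount -S umount2" ;;  # Note: no umount rule on x86_64
        ia64)   echo "-a entry,always -S mount -S umount" ;;   # Note: no umount2 rule on ia64
        *)      echo "-a entry,always -S mount -S umount -S umount2" ;;
    esac
    # clone/clone2/fork/vfork: the table's recommendation is "off", so no rule.
    echo "-a entry,always -S umask"
    echo "-a entry,always -S adjtimex -S settimeofday"
    echo "-a entry,always -S reboot"
}

# True when the generated rule set for an architecture names a syscall.
has_syscall() {
    gen_rules "$1" | tr ' ' '\n' | grep -qx -- "$2"
}

# Assumed mapping from uname -m to the table's architecture names
# (32-bit x86 kernels report i586/i686, which the table calls i386).
host_arch() {
    case "$(uname -m)" in
        i?86) echo i386 ;;
        *)    uname -m ;;
    esac
}

# Usage: gen_rules "$(host_arch)" > audit.rules.generated
#        then review and load with "auditctl -R audit.rules.generated"
```

Generating the file and loading it with auditctl -R before committing it to /etc/audit/audit.rules gives a quick check that every line is accepted on the machine in question, which is the restart failure David describes.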
