AUDIT changes - true sense of security

Warron S French warron.s.french at aero.org
Fri Mar 18 15:45:20 UTC 2016


Hello sir,
The command with the '-l' argument, is that auditctl?
The command with the '-s' argument... what is that one called, auditd?


Thanks for replying so quickly, sorry for being a nag.

Warron French, MBA, SCSA
The Aerospace Corporation

-----Original Message-----
From: Steve Grubb [mailto:sgrubb at redhat.com] 
Sent: Friday, March 18, 2016 9:56 AM
To: linux-audit at redhat.com
Cc: Warron S French <warron.s.french at aero.org>
Subject: Re: AUDIT changes - true sense of security

On Friday, March 18, 2016 01:14:31 PM Warron S French wrote:
> I have an issue, I believe, and I am asking for help on how to 
> properly address/assess it.
> 
> I have been given guidance in support of auditing on CentOS-6.x systems:
> 
> 1. To place various watch (-w) and action (-a) rules into place.
>
> 2. Make certain the configurations are immutable.
> 
> Sometimes I have to add more rules, so I do that. However, I am not
> certain if the rules are working properly, and I do know that I have 
> broken the auditd init-scripts on my systems a few times, and just 
> commented out the offending audit controls to work around/fix this very type of problem.

While you are experimenting, do not put in the -e 2 configuration option.
> What I need to know is, since the configurations have to be immutable 
> ( with the -e 2) how can I properly start the audit service, and 
> without any inkling of a doubt be certain that the rules are in place 
> and are functioning properly?

There is a rule listing command, -l, that will dump what the kernel has loaded. There is also a status command, -s, that will tell you if audit is enabled. If the rules are loaded and audit is enabled, it's working.


> Also, being a total novice, how can I test/trigger audit log actions 
> on watch and action rules to see that the rules are configured properly?

If it's a watch, then accessing the file and running ausearch should do it. If you have a syscall rule, then you have to trigger the syscall either by using a program or creating one.


> Finally, is there a tool that will do a sanity check on the audit.rules file? 

auditctl reports any problems that it sees with the rules.


> Or is the only option to attempt to restart the auditd service, and 
> think "It started, it worked!" is acceptable?

List the rules and status the audit subsystem.

-Steve
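The two checks Steve describes (rules listed by `auditctl -l`, audit enabled per `auditctl -s`) combined into one script, as an added example that is not part of this thread. The `auditctl -s` and `auditctl -l` output below is a constructed sample standing in for the real commands (which need root); the function names are my own.

```bash
#!/bin/bash
# Constructed sample output, standing in for `auditctl -s` and `auditctl -l`
# on a host whose rules have been loaded with -e 2 at the end of audit.rules.
SAMPLE_STATUS='enabled 2
failure 1
pid 1234
rate_limit 0
backlog_limit 8192
lost 0
backlog 0'
SAMPLE_RULES='-w /etc/passwd -p wa -k identity
-w /etc/sudoers -p wa -k scope
-a always,exit -F arch=b64 -S execve -k exec'

# Print the value of the "enabled" line (0, 1 or 2); fail if the line is absent.
audit_enabled_value() {
    printf '%s\n' "$1" | awk '$1 == "enabled" { print $2; found = 1 }
                             END { exit found ? 0 : 1 }'
}

# Succeed only when every expected rule ($2, one per line) appears verbatim in
# the kernel's loaded rule listing ($1). Missing rules are reported on stderr.
rules_loaded() {
    local listing="$1" expected="$2" rule missing=0
    while IFS= read -r rule; do
        [ -z "$rule" ] && continue
        if ! printf '%s\n' "$listing" | grep -Fxq -- "$rule"; then
            echo "missing rule: $rule" >&2
            missing=1
        fi
    done <<EOF
$expected
EOF
    return "$missing"
}

# Rules present AND audit enabled. enabled=2 is the -e 2 immutable state:
# the rules are locked, so any further rule changes need a reboot to take.
audit_sanity() {
    local status="$1" listing="$2" expected="$3" enabled
    enabled=$(audit_enabled_value "$status") || { echo "no 'enabled' line" >&2; return 1; }
    [ "$enabled" -ge 1 ] || { echo "audit is disabled (enabled $enabled)" >&2; return 1; }
    rules_loaded "$listing" "$expected" || return 1
    [ "$enabled" -eq 2 ] && echo "note: rules are immutable (enabled 2)" >&2
    return 0
}

# Stand-alone run against the constructed sample (on a real host, feed in
# "$(auditctl -s)" and "$(auditctl -l)" and the rules from audit.rules).
audit_sanity "$SAMPLE_STATUS" "$SAMPLE_RULES" "$SAMPLE_RULES" && echo "rules loaded and audit enabled"
```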
