AUDIT changes - true sense of security
Warron S French
warron.s.french at aero.org
Fri Mar 18 15:45:20 UTC 2016
Hello sir,
The command with the '-l' argument, is that auditctl?
The command with the '-s' argument... what is that one called, auditd?
Thanks for replying so quickly, sorry for being a nag.
Warron French, MBA, SCSA
The Aerospace Corporation
-----Original Message-----
From: Steve Grubb [mailto:sgrubb at redhat.com]
Sent: Friday, March 18, 2016 9:56 AM
To: linux-audit at redhat.com
Cc: Warron S French <warron.s.french at aero.org>
Subject: Re: AUDIT changes - true sense of security
On Friday, March 18, 2016 01:14:31 PM Warron S French wrote:
> I have an issue, I believe, and I am asking for help on how to
> properly address/assess it.
>
> I have been given guidance in support of auditing on CentOS-6.x systems:
>
> 1. To place various watch (-w) and action (-a) rules into place.
>
> 2. Make certain the configurations are immutable.
>
> Sometimes I have to add more rules, so I do that. However, I am not
> certain if the rules are working properly, and I do know that I have
> broken the auditd init-scripts on my systems a few times, and just
> commented out the offending audit controls to work around/fix this very type of problem.
While you are experimenting, do not put in the -e 2 configuration option.
>
>
> What I need to know is, since the configurations have to be immutable
> ( with the -e 2) how can I properly start the audit service, and
> without any inkling of a doubt be certain that the rules are in place
> and are functioning properly?
There is a rule listing command, -l, that will dump what the kernel has loaded. There is also a status command, -s, that will tell you if audit is enabled. If the rules are loaded and audit is enabled, it's working.
> Also, being a total novice, how can I test/trigger audit log actions
> on watch and action rules to see that the rules are configured properly?
If it's a watch, then accessing the file and running ausearch should do it. If you have a syscall rule, then you have to trigger the syscall either by using a program or creating one.
> Finally, is there a tool that will do a sanity check on the audit.rules file?
auditctl reports any problems that it sees with the rules.
> Or is the only option to attempt to restart the auditd service, and
> think "It started, it worked!" is acceptable?
List the rules and status the audit subsystem.
-Steve
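The checks Steve describes (list the loaded rules with auditctl -l, read the enabled flag from auditctl -s, trigger a watch and confirm the event with ausearch) can be scripted so that a rule file and the kernel's view of it are compared automatically. The script below is an added example, not code from the thread or from the audit project. It assumes things the thread does not state: that auditctl -s prints the enabled flag either as "AUDIT_STATUS: enabled=N ..." (older audit releases) or as an "enabled N" line (newer ones); that auditctl -l may print watches in a different form than they were written (older releases print "LIST_RULES: ... watch=... key=...", newer ones rewrite -w rules as -a/-F lines), which is why rules are matched by their -k/key= name rather than textually; and that every rule in audit.rules carries a key. All command output in the block is constructed sample data standing in for the real commands.

```shell
#!/bin/sh
# Added example (not from the list thread): sanity-check an auditd rule set
# against what the kernel reports, using only auditctl -l, auditctl -s and
# ausearch -k output. Assumed output formats are described in the lead-in.

# Print the "enabled" value from `auditctl -s` output: 0 (off), 1 (on),
# 2 (on and locked by -e 2), or "unknown" if no such field is found.
# Handles both "AUDIT_STATUS: enabled=N ..." and the newer "enabled N" line.
audit_enabled_state() {
    state=$(printf '%s\n' "$1" | sed -n 's/.*enabled[= ]\([0-9]\).*/\1/p' | head -n 1)
    if [ -z "$state" ]; then
        echo unknown
    else
        echo "$state"
    fi
}

# Print every rule key named in the rules text ($1) that does not appear in
# the `auditctl -l` text ($2). Only -w and -a lines are rules; -D, -b, -e, -f
# and comments are control lines and are skipped. Empty output = all loaded.
missing_rule_keys() {
    rules=$1
    loaded=$2
    printf '%s\n' "$rules" \
      | grep -E '^[[:space:]]*-(w|a) ' \
      | sed -nE 's/.*(-k |key=)([A-Za-z0-9_.-]*).*/\2/p' \
      | sort -u \
      | while IFS= read -r key; do
            if ! printf '%s\n' "$loaded" | grep -Eq -- "(-k |key=)$key(\$| )"; then
                echo "$key"
            fi
        done
}

# Count records in raw `ausearch -k KEY` output ($1) that carry key="$2".
# grep -c exits 1 when the count is 0, so the status is masked.
count_key_events() {
    n=$(printf '%s\n' "$1" | grep -c "key=\"$2\"") || true
    echo "$n"
}

# ---- constructed sample data (stands in for real command output) ----
SAMPLE_RULES='# audit.rules (constructed sample)
-D
-b 320
-w /etc/shadow -p wa -k shadow_changes
-w /etc/sudoers -p wa -k sudoers_changes
-a always,exit -F arch=b64 -S settimeofday -S adjtimex -k time_change
-e 2'

# Two listing formats on purpose: the first line is the older LIST_RULES
# style, the second the newer rewritten -a/-F style. sudoers_changes is
# deliberately absent, as if that rule had failed to load.
SAMPLE_LOADED='LIST_RULES: exit,always watch=/etc/shadow perm=wa key=shadow_changes
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=time_change'

SAMPLE_STATUS_OLD='AUDIT_STATUS: enabled=2 flag=1 pid=1234 rate_limit=0 backlog_limit=320 lost=0 backlog=0'
SAMPLE_STATUS_NEW='enabled 1
failure 1
pid 1234
backlog_limit 320'

# Constructed ausearch -k shadow_changes output: two events, one record each.
SAMPLE_SEARCH='----
time->Fri Mar 18 10:00:01 2016
type=SYSCALL msg=audit(1458295201.123:456): arch=c000003e syscall=2 success=yes exit=3 items=1 auid=0 uid=0 comm="touch" exe="/bin/touch" key="shadow_changes"
----
time->Fri Mar 18 10:00:02 2016
type=SYSCALL msg=audit(1458295202.456:457): arch=c000003e syscall=2 success=yes exit=3 items=1 auid=0 uid=0 comm="vi" exe="/usr/bin/vi" key="shadow_changes"'

# Demo on the samples. On a real host (as root) the calls become:
#   audit_enabled_state "$(auditctl -s)"
#   missing_rule_keys "$(cat /etc/audit/audit.rules)" "$(auditctl -l)"
#   count_key_events "$(ausearch -k shadow_changes)" shadow_changes
echo "enabled (old format): $(audit_enabled_state "$SAMPLE_STATUS_OLD")"
echo "enabled (new format): $(audit_enabled_state "$SAMPLE_STATUS_NEW")"
echo "keys missing from kernel: $(missing_rule_keys "$SAMPLE_RULES" "$SAMPLE_LOADED")"
echo "shadow_changes events: $(count_key_events "$SAMPLE_SEARCH" shadow_changes)"
```

In practice the three checks are run in that order: confirm the enabled flag is 1 while testing (as Steve says, leave -e 2 out until the rules are right, since once enabled is 2 the rule set cannot be changed without a reboot), confirm no key is missing from the kernel's list, then touch a watched file and confirm the event count for its key is non-zero. A key reported as missing means auditctl rejected that line when the rules were loaded, so the error it printed at load time is the place to look next.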