AUDIT changes - true sense of security
Warron S French
warron.s.french at aero.org
Fri Mar 18 13:14:31 UTC 2016
Hello all,
I do work that requires me to configure auditing on my systems. I am a relative novice to the audit configurations in most operating systems.
I have an issue, I believe, and I am asking for help on how to properly address/assess it.
I have been given guidance in support of auditing on CentOS-6.x systems:
1. To place various watch (-w) and action (-a) rules into place.
2. Make certain the configurations are immutable.
Sometimes I have to add more rules, so I do that. However, I am not certain if the rules are working properly, and I do know that I have broken the auditd init-scripts on my systems a few times, and just commented out the offending audit controls to work around/fix this very type of problem.
What I need to know is, since the configurations have to be immutable ( with the -e 2) how can I properly start the audit service, and without any inkling of a doubt be certain that the rules are in place and are functioning properly?
Also, being a total novice, how can I test/trigger audit log actions on watch and action rules to see that the rules are configured properly?
Finally, is there a tool that will do a sanity check on the audit.rules file? Or is the only option to attempt to restart the auditd service, and think "It started, it worked!" is acceptable?
I just don't want a false sense of security, I also don't want a nagging sense of paranoia.
Thank you,
Warron French, MBA, SCSA
The Aerospace Corporation
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20160318/d4d22084/attachment.htm>
More information about the Linux-audit
mailing list