audit review question

Warron S French warron.s.french at aero.org
Tue May 3 18:28:12 UTC 2016 

Steve,
	I typed up the instructions you provided to me on this thread, and I tested them so that I could then print and carry over to another building these implementations steps.

For the most-part implementation was very smooth.  I built a tiny virtual environment with 2 client machines {client1 and client2} and a single server {server1}.  I ran through the steps on the client machines as you described; and also on the server as you described.  I did not stray from your guidance (I realized where below you used the word 'set' you didn't mean to use that word inside the various configurations files explicitly - so I didn't add the word 'set' anywhere.

However, upon completion I ran the command:
ausearch --start recent -m DAEMON_ACCEPT -i

and it returned with the following:
<no matches>

I did this a few times and I did have success once.

I also attempted to use the command:    ausearch --host client1		and I got back 		<no matches>
So I thought maybe I should tail the /var/log/audit.log file to see if I saw any "hostname=client1" entries but I didn't see anything.

So, I have to ask about this part in your email::::
/etc/audisp/audispd.conf
name_format = HOSTNAME  or another suitable option

Was the name_format = HOSTNAME supposed to be set to;  name_format = hostname (the man page for this file indicates the lower-case version) or am I doing something else wrong?  I did allow port 60/tcp through the iptables firewall (and restarted the firewall).



Thank you,

Warron French, MBA, SCSA


-----Original Message-----
From: linux-audit-bounces at redhat.com [mailto:linux-audit-bounces at redhat.com] On Behalf Of Warron S French
Sent: Friday, April 29, 2016 4:21 PM
To: Steve Grubb <sgrubb at redhat.com>
Cc: linux-audit at redhat.com
Subject: [WARNING: SPOOFED E-MAIL--Non-Aerospace Sender] RE: audit review question

Thank you Steve.  That is very helpful.  Have a nice weekend.


Warron French, MBA, SCSA


-----Original Message-----
From: Steve Grubb [mailto:sgrubb at redhat.com]
Sent: Friday, April 29, 2016 3:18 PM
To: Warron S French <warron.s.french at aero.org>
Cc: linux-audit at redhat.com
Subject: Re: audit review question

On Thursday, April 28, 2016 03:50:33 PM Warron S French wrote:
> Steve, thanks for your replies to all of my questions.
> 
> Can you please send me a walk through document for trying to send the
> 6 workstations and 1 servers audit-data into the same directory structure?
> Something that will definitely work, please?
> 
> I have a VM environment that I can make changes on and then test, so I 
> would be very grateful for any cooperation I could get.
> 
> My intent is to have all the machines log data to the same machine.  I 
> want the system security auditors to be able to use the typical 
> aureport and ausearch commands (that I know you write).
> 
> So, I have to ask, can this be done, and the audit logs be parsed on a 
> per hostname-basis? Can they be stored in directories that are 
> /var/log/audit/YYYY/MM/DD/Hostname_audit.log format - or is that 
> inadvisable considering the intention to continue to support/use the two
> commands: aureport and ausearch?   What would you advise - please?

The theory of operation is to put all events in one log and then separate them later by using a '--node' command line option.


> I am aware of the /etc/audisp directory, which I am sure is associated 
> with the audispd daemon, but I don't have the foggiest clue of how to 
> configure them together.

For a clear text transport

on the client side:

/etc/audisp/plugins.d/au-remote.conf
set active = yes

/etc/audisp/audisp-remote.conf
set remote_server = to the machine you are aggregating to if you need lossless transport, set mode = forward set local_port = 60

/etc/audisp/audispd.conf
name_format = HOSTNAME  or another suitable option

On the server

/etc/audit/auditd.conf
set tcp_listen_port = 60
set tcp_client_ports = 60
set use_libwrap = yes

in /etc/hosts.allow
auditd: 1.2.4.   or some subnet. You can read about all the tcp-wrappers config 
options elsewhere.

restart the server
restart clients

To check if working:
ausearch --start recent -m DAEMON_ACCEPT -i

To get an encrypted transport, you need to use kerberos and that is beyond an email for setting it up.

One of these days I'd like to add TLS as an option, too. But it'll be a little longer. You might be able to vpn things to one another in the mean time. Or maybe use a ssh tunnel.


> It is only because of stumbling around for the last 2 years (and very 
> feverishly the last 2 days) that I have learned how to use the 
> auditctl and aureport commands.  I want to do this correctly, and I 
> want to do it consistently with "industry standards" so that I can 
> continue to get support from people like the folks in this 'forum.'

Sure.

-Steve

> 
> Thanks, for any advice and useful links you can share.  I am certain 
> that as you provide them and I read them it will force me to ask even 
> more questions.  I hope you don't mind.
> 
> Warron French, MBA, SCSA
> 
> -----Original Message-----
> From: Steve Grubb [mailto:sgrubb at redhat.com]
> Sent: Thursday, April 28, 2016 11:10 AM
> To: linux-audit at redhat.com
> Cc: Warron S French <warron.s.french at aero.org>
> Subject: Re: audit review question
> 
> On Wednesday, April 27, 2016 09:10:39 PM Warron S French wrote:
> > I have a scenario that I need a little help understanding how to 
> > work through in an isolated environment of 1 server and 6 
> > workstations (7 machines). The 7 machines are all running CentOS-6.7 
> > and selinux = disabled.
> > 
> > All 6 workstations are configured through rsyslog.conf to send audit 
> > data to the server, and I have (but apparently not successfully 
> > configured general system messages to also report back to the same 
> > server). I am using the conventional filesystems for each, but the 
> > directory structure below is different.
> 
> Rsyslog will likely mangle the audit lines such that its no longer in 
> the native audit format. I don't know if its headers can be stripped 
> as it writes to disk.
> > For audit, I use, /var/log/audit/2016/04/27/wk{1..6}_audit.log    the
> > directory per day and per month and per year are auto created 
> > (miraculously). For system messages, and I know this isn't the forum 
> > to get help on this so I will only list the directory is - 
> > /var/log/2016/04/27/wk{1..6}_syslog.log.
> > 
> > Now that I am doing this, and successfully, I want to test that the 
> > security auditors will be able to do their job properly, as well as 
> > I am trying to comply with some security constraint that requires me 
> > to centralize the logdata into a single server (hence the major 
> > driver for all of this).
> > 
> > I know that there is the aureport and ausearch command, but I am not 
> > sure that I am able to figure out the correct command-line structure 
> > to test that audit-data is getting into the appropriate file, on 
> > each day of the year, on a per serverName basis.
> > 
> > If a real-world situation occurred that the Security Auditors were 
> > asking to find out how many machines did userX attempt to log into, 
> > what would be the appropriate command for the example audit 
> > directory I listed above 
> > (/var/log/audit/2016/04/27/wk{1..6}_audit.log), because I am not 
> > sure I am running the command with the appropriate switches to scan the files properly?
> > 
> > I used:
> > 
> > *         aureport -if /var/log/audit/2016/04/27/ and it didn't like the
> > input,
> 
> Probably due to the header it inserts to each record. But this is how 
> you should do it.
> > *         aureport -if /var/log/audit/2016/04/27/* and it didn't like the
> > input, am I using the command improperly?
> 
> You shouldn't need the '*'. If the passed option is a dir, then it 
> automatically looks for more files. But note that the native rotation is
> audit.log     <- newest
> audit.log.1
> audit.log.2
> audit.log.3  <- oldest
> 
> rsyslog would also have to use this scheme. I have never investigated 
> if it does. That does not means that a wrapper script couldn't be made 
> to walk the files in rsyslog's order and send them to aureport via 
> stdin. You could probably even add a sed command to strip the rsyslog 
> headers from each record.
> 
> Not the best answer, but once it hits rsyslog, it can change the 
> record in ways that unknown to me.
> 
> -Steve


--
Linux-audit mailing list
Linux-audit at redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit

More information about the Linux-audit mailing list