audit-tools and SUDO

Burn Alting burn at swtf.dyndns.org
Tue May 10 12:52:21 UTC 2016


On Tue, 2016-05-10 at 12:31 +0000, Warron S French wrote:
> Good morning everyone,
>
> I am working on an environment where I have managed to get centralized
> audit logging to work – roughly 95% properly on six (6) CentOS-6.7
> workstations and a single (1) CentOS-6.7 server.
>
> I have two problems though; and they seem somewhat minor:
>
> 1.      The audit events being captured don’t seem to be tied to any
> given node (so that I can perform ausearch --node hostName, or
> aureport), that’s the first issue.

What have you set the configuration parameter 'name_format'
in /etc/audit/auditd.conf to?

One assumes you may want to set
name_format = fqd
or
name_format = hostname

After the change on each host, don't forget to reload the configuration
with either a SIGHUP to the auditd process or just a restart of the service.
> 
> 2.      The second issue is that I need to configure sudo to enable my
> Special Security Team with the ability to perform their duties using
> the aureport and the ausearch commands, but I get an error that
> appears to be based on permissions.
> 
I recommend you show the command and resultant error in situations like
this. That way we can provide a more informed response.

>
> I am hoping that you guys can steer me in the correct direction; and I
> can update my documentation to be even a little more thorough.
>
> Scenario 2 might be more of a membership issue now that I think about
> it; so please disregard as I think this is some weird 389-ds issue.
>
> I am hoping though that someone can suggest a reason why, when I look
> directly at the content of the /var/log/audit/audit.log I am not seeing
> any references to node=hostname1, hostname2 .. hostnameN?  Maybe I did
> misconfigure something, but I followed my own instructions to the “T”
> and they didn’t produce this issue.
>
> Thank you in advance for your precious time sincerely,
>
> Warron French, MBA, SCSA
>
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
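The name_format change described in the reply above, as an added example that is not part of the original thread: a small POSIX shell script that rewrites name_format in a copy of auditd.conf (limited to the values auditd.conf(5) accepts: none, hostname, fqd, numeric, user), reloads auditd the way the CentOS 6 init script does, and counts records in an audit.log that still lack the node= prefix. The configuration and log paths are parameters so it can be exercised on scratch copies; the log lines written by write_sample_log are constructed for illustration and are not from any real host.

```shell
#!/bin/sh
# Added example (not from the original thread). On a real CentOS 6 host you
# would run set_name_format as root against /etc/audit/auditd.conf and then
# reload_auditd; here the paths are parameters so it can be tried on copies.

# set_name_format CONF VALUE
# Rewrite the existing name_format line, or append one if it is missing.
# Only the values documented in auditd.conf(5) are accepted.
set_name_format() {
    conf="$1"; value="$2"
    case "$value" in
        none|hostname|fqd|numeric|user) ;;
        *) echo "set_name_format: invalid value '$value'" >&2; return 1 ;;
    esac
    if grep -q '^[[:space:]]*name_format[[:space:]]*=' "$conf"; then
        tmp="$conf.tmp.$$"
        sed "s/^[[:space:]]*name_format[[:space:]]*=.*/name_format = $value/" \
            "$conf" > "$tmp" || return 1
        # cat (not mv) so the original file keeps its owner and mode
        cat "$tmp" > "$conf" && rm -f "$tmp"
    else
        printf 'name_format = %s\n' "$value" >> "$conf"
    fi
}

# get_name_format CONF
# Print the configured value (last one wins), or nothing if unset.
get_name_format() {
    sed -n 's/^[[:space:]]*name_format[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# reload_auditd
# Make auditd re-read auditd.conf. The CentOS 6 init script's "reload"
# action sends SIGHUP; the fallback does the same by hand.
reload_auditd() {
    if [ -x /etc/init.d/auditd ]; then
        service auditd reload
    else
        kill -HUP "$(pidof auditd)"
    fi
}

# write_sample_log LOG
# Constructed audit.log lines: one written before name_format took effect
# (no node= field) and two written after it (node= is the first field).
write_sample_log() {
    cat > "$1" <<'EOF'
type=SYSCALL msg=audit(1462884741.123:456): arch=c000003e syscall=59 success=yes exit=0
node=ws1.example.com type=SYSCALL msg=audit(1462884801.456:789): arch=c000003e syscall=59 success=yes exit=0
node=ws2.example.com type=USER_LOGIN msg=audit(1462884802.001:790): pid=1234 uid=0
EOF
}

# count_records_without_node LOG
# Number of records that ausearch --node / aureport cannot attribute to a
# host because they carry no node= field.
count_records_without_node() {
    awk '!/^node=/ { n++ } END { print n + 0 }' "$1"
}
```

Two things to keep in mind when checking the result: the setting only affects records written after the reload, so lines already in audit.log keep their old form and will never match ausearch --node, and it has to be applied on every host whose records end up in the central log, not just on the server that stores them.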
