AUDITs needed

warron.french warron.french at gmail.com
Fri Jul 14 22:03:35 UTC 2017


This may be faster and also a better way to summarize and share with others. I will list the AUDIT(test#letter) and then, below it, place *Method of implementation:*. If the field is marked in green, it is validated by someone from linux-audit at redhat.com (Steve Grubb, for example), and the text provided will answer the question for other sysadmins with similar requirements (on a per test#letter basis).


I am presenting what I need to know how to audit, in hopes of eliciting a response of "BUILTIN", or a link, or some text that clarifies what to do:

*AUDIT(A): Logons/Logoffs (success/failure)*
Method of implementation:  Builtin to AUDITD (enable auditd)

*AUDIT(B): User {additions, deletions, modifications, suspensions and
lockings}*
Method of implementation:  Builtin to AUDITD (enable auditd)

*AUDIT(C): Group and Role {additions, deletions and modifications}*
Method of implementation:  Builtin to AUDITD (enable auditd)


*AUDIT(D): Security or Audit Policies*
Method of implementation:

*AUDIT(E): Configuration Changes* (please be patient with me, as I believe this is way too broad a definition from my security people; however, there is a field from aureport called "*Number of changes in configuration:*" too.)
Method of implementation:
can this be done by: *-w /etc/ -p raw -k config_changes*? Even this seems too broad a solution, and I don't believe it will capture the essence of *AUDIT(E)*.

*AUDIT(F): Admin/Root-level accesses*
Method of implementation:
can this be done by:
*-w /bin/su -p x -k running_as_root*
*-w /bin/sudo -p x -k running_as_root*
*-w /sbin/runuser -p x -k running_as_root*

*AUDIT(G): Privilege/Role Escalation* (I need to ask my management/security people how this differs from AUDIT(F))
Method of implementation:


*AUDIT(H): System reboot/shutdown/change run-state*
Method of implementation:
can this be done by:
*-w /sbin/init -p x -k run_state*
*-w /sbin/telinit -p x -k run_state*
*-w /sbin/shutdown -p x -k run_state*
*-w /sbin/reboot -p x -k run_state*
etc., etc., etc.

*AUDIT(I): Application Initialization* (seems way too vague to me, don't you all agree?)
Method of implementation:

*AUDIT(J): Writes/Downloads to external devices (thumb drives, media (like DVDs/CDs), etc.)*
Method of implementation:
can this be done by *-a .... -F arch=b64 -S mount -S umount2 -F auid>=1000 -F auid!=4294967295 -k mount_datawrite_operations*? No? Then what do I use?


*AUDIT(K): Print to a device or file*
Method of implementation:

*AUDIT(L): Audit data and log data access* (never mind, this would kill a system - correct, unless I limit monitoring to audit.log.)
Method of implementation:

*AUDIT(M): Device attach/detach mount/dismount *(Perhaps this would catch 1
or more than 1 individual doing something devious as a team in conjunction
with *AUDIT(J)*?)
Method of implementation:


Thank you for your vast patience and cooperation.
--------------------------
Warron French
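Editor's added example (not the poster's rules and not a reply from the list): the AUDIT letters above collected into one auditd rules file, one `-k` key per letter so `aureport -k` and `ausearch -k` can summarize each requirement separately. It assumes an x86_64 host running audit userspace 2.3 or newer (the `-C uid!=euid` interfield compare needs that and a 3.10+ kernel), the poster's convention of `auid!=4294967295` for unset login uids, and `/usr/bin/lp` as the print client path; AUDIT(I) gets no rule because the page gives nothing concrete to watch. Note that the configuration watch on `/etc/` uses `-p wa` (writes and attribute changes), since a read watch like the poster's `-p raw` would fire on every process that reads a config file. The shell wrapper writes the file and runs a static sanity check (every active line is a `-w` or `-a` rule ending in a key) before it is handed to `augenrules --load`.

```shell
#!/bin/sh
# Write the rule set to the path given as $1 (normally a file under /etc/audit/rules.d/).
write_audit_rules() {
    cat > "$1" <<'EOF'
## AUDIT(A): logons/logoffs. PAM already emits USER_LOGIN/USER_LOGOUT/USER_AUTH records
## on its own; these watches add the lastlog/faillock side of the story.
-w /var/log/lastlog -p wa -k logins
-w /var/run/faillock/ -p wa -k logins
## AUDIT(B)/(C): useradd/usermod/groupadd emit ADD_USER/DEL_USER/ADD_GROUP records by
## themselves; watching the databases also catches direct edits (vipw, sed, a rogue script).
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
## AUDIT(D): security and audit policy.
-w /etc/audit/ -p wa -k audit_policy
-w /etc/selinux/ -p wa -k mac_policy
-w /etc/pam.d/ -p wa -k auth_policy
-w /etc/sudoers -p wa -k priv_policy
-w /etc/sudoers.d/ -p wa -k priv_policy
## AUDIT(E): configuration changes. Writes/attribute changes only; a read watch on /etc would
## fire for nearly every process start.
-w /etc/ -p wa -k config_changes
## AUDIT(F): commands executed with effective uid 0 by a real logged-in user (auid set).
-a always,exit -F arch=b64 -S execve -F euid=0 -F auid>=1000 -F auid!=4294967295 -k root_commands
-a always,exit -F arch=b32 -S execve -F euid=0 -F auid>=1000 -F auid!=4294967295 -k root_commands
## AUDIT(G): privilege escalation proper: an execve where effective uid != real uid, i.e. a
## setuid transition (su, sudo, pkexec ...). Needs audit userspace >= 2.3 for -C (assumption).
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F auid>=1000 -F auid!=4294967295 -k setuid_escalation
-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F auid>=1000 -F auid!=4294967295 -k setuid_escalation
## AUDIT(H): reboot/shutdown/run-state changes.
-w /sbin/shutdown -p x -k run_state
-w /sbin/reboot -p x -k run_state
-w /sbin/halt -p x -k run_state
-w /sbin/poweroff -p x -k run_state
-w /sbin/init -p x -k run_state
-w /sbin/telinit -p x -k run_state
## AUDIT(J)/(M): mount and unmount by real users (removable media shows up here).
-a always,exit -F arch=b64 -S mount,umount2 -F auid>=1000 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b32 -S mount,umount2 -F auid>=1000 -F auid!=4294967295 -k mounts
## AUDIT(K): print client execution; path is an assumption, adjust to your cups-client install.
-w /usr/bin/lp -p x -k printing
## AUDIT(L): access to the audit trail itself only, not the whole system.
-w /var/log/audit/ -p rwa -k audit_log_access
EOF
}

# Static sanity check: every non-comment, non-blank line must be a -w or -a rule
# that ends in "-k <key>", so every event carries a key for aureport/ausearch.
# Returns 0 when the file passes, 1 otherwise.
check_audit_rules() {
    awk '
        /^[[:space:]]*(#|$)/       { next }
        !/^-(w|a) /                { bad++; next }
        !/ -k [A-Za-z0-9_]+$/      { bad++ }
        END                        { exit (bad > 0) }
    ' "$1"
}

# Number of active rules in the file (watch and syscall rules).
count_audit_rules() {
    grep -c '^-[wa] ' "$1"
}

# Stand-alone usage: write, check, and report; the real load step is
#   augenrules --load      (or: auditctl -R <file> for a one-off test)
if [ "${1:-}" = "--demo" ]; then
    out="${TMPDIR:-/tmp}/99-audit-letters.rules"
    write_audit_rules "$out"
    check_audit_rules "$out" && echo "$(count_audit_rules "$out") rules written to $out"
fi
```

Run `sh thisfile.sh --demo` to produce the file, then copy it to `/etc/audit/rules.d/` and run `augenrules --load`; `auditctl -l` afterwards lists what the kernel actually accepted, which is the check that matters on older kernels that reject `-C`.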