From: Steve Grubb
Subject: Re: audit review question
Date: Tue, 03 May 2016 14:53 -0400
Message-ID: <1489197.J3cpUzIM1N@x2>
To: Warron S French
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Tuesday, May 03, 2016 06:28:12 PM Warron S French wrote:
> Steve,
> I typed up the instructions you provided to me on this thread, and I
> tested them so that I could then print and carry over to another building
> these implementation steps.
>
> For the most part implementation was very smooth. I built a tiny virtual
> environment with 2 client machines {client1 and client2} and a single
> server {server1}. I ran through the steps on the client machines as you
> described; and also on the server as you described. I did not stray from
> your guidance (I realized where below you used the word 'set' you didn't
> mean to use that word inside the various configuration files explicitly -
> so I didn't add the word 'set' anywhere).
>
> However, upon completion I ran the command:
> ausearch --start recent -m DAEMON_ACCEPT -i

This would be on the aggregating server. The accept events record a client
connecting to the aggregating server.

> and it returned with the following:
>

Then, assuming this was run on the server, the client is not connecting to
the server. Was there anything in the client's syslog?

> I did this a few times and I did have success once.
>
> I also attempted to use the command: ausearch --host client1 and I got
> back So I thought maybe I should tail the /var/log/audit.log
> file to see if I saw any "hostname=client1" entries but I didn't see
> anything.
>
> So, I have to ask about this part in your email::::
> /etc/audisp/audispd.conf
> name_format = HOSTNAME or another suitable option
>
> Was the name_format = HOSTNAME supposed to be set to; name_format =
> hostname (the man page for this file indicates the lower-case version) or
> am I doing something else wrong? I did allow port 60/tcp through the
> iptables firewall (and restarted the firewall).

It's case insensitive. Check the syslogs on client and server. There should
be something there if the connection is not working.

-Steve

> -----Original Message-----
> From: linux-audit-bounces@redhat.com [mailto:linux-audit-bounces@redhat.com]
> On Behalf Of Warron S French
> Sent: Friday, April 29, 2016 4:21 PM
> To: Steve Grubb
> Cc: linux-audit@redhat.com
> Subject: [WARNING: SPOOFED E-MAIL--Non-Aerospace Sender] RE: audit review
> question
>
> Thank you Steve. That is very helpful. Have a nice weekend.
>
>
> Warron French, MBA, SCSA
>
>
> -----Original Message-----
> From: Steve Grubb [mailto:sgrubb@redhat.com]
> Sent: Friday, April 29, 2016 3:18 PM
> To: Warron S French
> Cc: linux-audit@redhat.com
> Subject: Re: audit review question
>
> On Thursday, April 28, 2016 03:50:33 PM Warron S French wrote:
> > Steve, thanks for your replies to all of my questions.
> >
> > Can you please send me a walk-through document for trying to send the
> > 6 workstations' and 1 server's audit data into the same directory structure?
> > Something that will definitely work, please?
> >
> > I have a VM environment that I can make changes on and then test, so I
> > would be very grateful for any cooperation I could get.
> >
> > My intent is to have all the machines log data to the same machine. I
> > want the system security auditors to be able to use the typical
> > aureport and ausearch commands (that I know you write).
> >
> > So, I have to ask, can this be done, and the audit logs be parsed on a
> > per-hostname basis? Can they be stored in directories that are
> > /var/log/audit/YYYY/MM/DD/Hostname_audit.log format - or is that
> > inadvisable considering the intention to continue to support/use the two
> > commands: aureport and ausearch? What would you advise - please?
>
> The theory of operation is to put all events in one log and then separate
> them later by using a '--node' command line option.
>
> > I am aware of the /etc/audisp directory, which I am sure is associated
> > with the audispd daemon, but I don't have the foggiest clue of how to
> > configure them together.
>
> For a clear text transport
>
> on the client side:
>
> /etc/audisp/plugins.d/au-remote.conf
> set active = yes
>
> /etc/audisp/audisp-remote.conf
> set remote_server = to the machine you are aggregating to
> if you need lossless transport, set mode = forward
> set local_port = 60
>
> /etc/audisp/audispd.conf
> name_format = HOSTNAME or another suitable option
>
> On the server
>
> /etc/audit/auditd.conf
> set tcp_listen_port = 60
> set tcp_client_ports = 60
> set use_libwrap = yes
>
> in /etc/hosts.allow
> auditd: 1.2.4. or some subnet. You can read about all the tcp-wrappers
> config options elsewhere.
>
> restart the server
> restart clients
>
> To check if working:
> ausearch --start recent -m DAEMON_ACCEPT -i
>
> To get an encrypted transport, you need to use kerberos and that is beyond
> an email for setting it up.
>
> One of these days I'd like to add TLS as an option, too. But it'll be a
> little longer. You might be able to vpn things to one another in the mean
> time. Or maybe use a ssh tunnel.
>
> > It is only because of stumbling around for the last 2 years (and very
> > feverishly the last 2 days) that I have learned how to use the
> > auditctl and aureport commands. I want to do this correctly, and I
> > want to do it consistently with "industry standards" so that I can
> > continue to get support from people like the folks in this 'forum.'
>
> Sure.
>
> -Steve
>
> > Thanks, for any advice and useful links you can share. I am certain
> > that as you provide them and I read them it will force me to ask even
> > more questions. I hope you don't mind.
> >
> > Warron French, MBA, SCSA
> >
> > -----Original Message-----
> > From: Steve Grubb [mailto:sgrubb@redhat.com]
> > Sent: Thursday, April 28, 2016 11:10 AM
> > To: linux-audit@redhat.com
> > Cc: Warron S French
> > Subject: Re: audit review question
> >
> > On Wednesday, April 27, 2016 09:10:39 PM Warron S French wrote:
> > > I have a scenario that I need a little help understanding how to
> > > work through in an isolated environment of 1 server and 6
> > > workstations (7 machines). The 7 machines are all running CentOS-6.7
> > > and selinux = disabled.
> > >
> > > All 6 workstations are configured through rsyslog.conf to send audit
> > > data to the server, and I have (but apparently not successfully)
> > > configured general system messages to also report back to the same
> > > server. I am using the conventional filesystems for each, but the
> > > directory structure below is different.
> >
> > Rsyslog will likely mangle the audit lines such that it's no longer in
> > the native audit format. I don't know if its headers can be stripped
> > as it writes to disk.
> >
> > > For audit, I use /var/log/audit/2016/04/27/wk{1..6}_audit.log; the
> > > directory per day and per month and per year are auto-created
> > > (miraculously). For system messages, and I know this isn't the forum
> > > to get help on this so I will only list the directory, it is
> > > /var/log/2016/04/27/wk{1..6}_syslog.log.
> > >
> > > Now that I am doing this, and successfully, I want to test that the
> > > security auditors will be able to do their job properly, as well as
> > > I am trying to comply with some security constraint that requires me
> > > to centralize the log data into a single server (hence the major
> > > driver for all of this).
> > >
> > > I know that there is the aureport and ausearch command, but I am not
> > > sure that I am able to figure out the correct command-line structure
> > > to test that audit data is getting into the appropriate file, on
> > > each day of the year, on a per-serverName basis.
> > >
> > > If a real-world situation occurred that the Security Auditors were
> > > asking to find out how many machines userX attempted to log into,
> > > what would be the appropriate command for the example audit
> > > directory I listed above
> > > (/var/log/audit/2016/04/27/wk{1..6}_audit.log), because I am not
> > > sure I am running the command with the appropriate switches to scan the
> > > files properly?
> > >
> > > I used:
> > >
> > > * aureport -if /var/log/audit/2016/04/27/ and it didn't like the
> > > input,
> >
> > Probably due to the header it inserts to each record. But this is how
> > you should do it.
> >
> > > * aureport -if /var/log/audit/2016/04/27/* and it didn't like the
> > > input, am I using the command improperly?
> >
> > You shouldn't need the '*'. If the passed option is a dir, then it
> > automatically looks for more files. But note that the native rotation is
> > audit.log <- newest
> > audit.log.1
> > audit.log.2
> > audit.log.3 <- oldest
> >
> > rsyslog would also have to use this scheme. I have never investigated
> > if it does. That does not mean that a wrapper script couldn't be made
> > to walk the files in rsyslog's order and send them to aureport via
> > stdin. You could probably even add a sed command to strip the rsyslog
> > headers from each record.
> >
> > Not the best answer, but once it hits rsyslog, it can change the
> > record in ways that are unknown to me.
> >
> > -Steve
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
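Steve's walk-through (the client-side audisp settings, the server-side auditd settings and the hosts.allow rule) as an added example that is not part of the thread and not the audit project's own tooling: a POSIX shell script that applies those key = value settings to copies of the files under a staging root, so the result can be diffed against /etc before anything is installed, and then verifies them. The AGGREGATOR and ALLOWED_SUBNET values, the seeded sample file contents and all function names are assumptions of this example, not values from the thread.

```shell
#!/bin/sh
# Added example (not code from the thread or the audit project): apply the
# audisp-remote client/server settings from the walk-through to copies of the
# config files under a staging root, then check them.  Run with --demo.
# AGGREGATOR and ALLOWED_SUBNET are placeholders, not values from the thread.

set -u

AGGREGATOR="${AGGREGATOR:-server1}"            # placeholder: aggregating server
ALLOWED_SUBNET="${ALLOWED_SUBNET:-192.0.2.}"   # placeholder: TEST-NET-1 prefix

# set_key FILE KEY VALUE
# auditd/audisp files are "key = value" lines.  Rewrite the first active
# (uncommented) KEY line, or append one if there is none.  Idempotent.
set_key() {
    file="$1"; key="$2"; value="$3"
    mkdir -p "$(dirname "$file")"
    [ -f "$file" ] || : > "$file"
    if grep -Eq "^[[:space:]]*$key[[:space:]]*=" "$file"; then
        tmp="$file.tmp.$$"
        awk -v k="$key" -v v="$value" '
            ($0 ~ ("^[[:space:]]*" k "[[:space:]]*=")) && !done {
                print k " = " v; done = 1; next
            }
            { print }' "$file" > "$tmp" && mv "$tmp" "$file"
    else
        # make sure the last line is newline-terminated before appending
        [ -s "$file" ] && [ -n "$(tail -c 1 "$file")" ] && echo >> "$file"
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# get_key FILE KEY: print the active value of KEY (empty if unset)
get_key() {
    awk -F'=' -v k="$2" '
        $1 ~ ("^[[:space:]]*" k "[[:space:]]*$") {
            v = $2; sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v)
            print v; exit
        }' "$1"
}

# Client side: hand events to the au-remote plugin and ship them to the aggregator.
configure_client() {
    root="$1"
    set_key "$root/etc/audisp/plugins.d/au-remote.conf" active yes
    set_key "$root/etc/audisp/audisp-remote.conf" remote_server "$AGGREGATOR"
    set_key "$root/etc/audisp/audisp-remote.conf" mode forward     # lossless transport
    # source port 60 is a privileged port, so only a root-owned process can
    # originate the connection; the server pins tcp_client_ports to match
    set_key "$root/etc/audisp/audisp-remote.conf" local_port 60
    set_key "$root/etc/audisp/audispd.conf" name_format hostname   # case-insensitive
}

# Server side: listen on 60/tcp, accept only source port 60, gate with tcp-wrappers.
configure_server() {
    root="$1"
    set_key "$root/etc/audit/auditd.conf" tcp_listen_port 60
    set_key "$root/etc/audit/auditd.conf" tcp_client_ports 60
    set_key "$root/etc/audit/auditd.conf" use_libwrap yes
    mkdir -p "$root/etc"
    grep -q '^auditd:' "$root/etc/hosts.allow" 2>/dev/null ||
        printf 'auditd: %s\n' "$ALLOWED_SUBNET" >> "$root/etc/hosts.allow"
}

# verify_config ROOT: 0 only if every setting from the walk-through is present
# (client and server files are checked in the same staging root here).
verify_config() {
    root="$1"
    [ "$(get_key "$root/etc/audisp/plugins.d/au-remote.conf" active)" = yes ] &&
    [ "$(get_key "$root/etc/audisp/audisp-remote.conf" remote_server)" = "$AGGREGATOR" ] &&
    [ "$(get_key "$root/etc/audisp/audisp-remote.conf" mode)" = forward ] &&
    [ "$(get_key "$root/etc/audisp/audisp-remote.conf" local_port)" = 60 ] &&
    [ "$(get_key "$root/etc/audisp/audispd.conf" name_format)" = hostname ] &&
    [ "$(get_key "$root/etc/audit/auditd.conf" tcp_listen_port)" = 60 ] &&
    [ "$(get_key "$root/etc/audit/auditd.conf" tcp_client_ports)" = 60 ] &&
    [ "$(get_key "$root/etc/audit/auditd.conf" use_libwrap)" = yes ] &&
    grep -q '^auditd:' "$root/etc/hosts.allow"
}

# seed_sample ROOT: constructed stand-ins for the stock files (not the real
# package defaults), so both the replace and the append paths get exercised.
seed_sample() {
    root="$1"
    mkdir -p "$root/etc/audisp/plugins.d"
    printf '# constructed sample\nremote_server = \nport = 60\nlocal_port = any\nmode = immediate\n' \
        > "$root/etc/audisp/audisp-remote.conf"
    printf '# constructed sample\nactive = no\ndirection = out\n' \
        > "$root/etc/audisp/plugins.d/au-remote.conf"
    printf '# constructed sample\nname_format = none\n' > "$root/etc/audisp/audispd.conf"
}

case "${1:-}" in
    --demo)
        root="$(mktemp -d)"
        seed_sample "$root"
        configure_client "$root"
        configure_server "$root"
        verify_config "$root" && echo "staged under $root; diff against /etc before installing"
        ;;
esac
```

After the staged files have been copied into place and auditd restarted on both sides, the check is the one Steve gives: ausearch --start recent -m DAEMON_ACCEPT -i on the aggregator, and --node to pull one client's events out of the combined log once name_format is in effect. When no accept events appear, the syslog on both ends is the place to look, as the reply above says.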