From: Clif Flynt
Subject: New List Member: Intro & comments
Date: Mon, 31 Jul 2006 13:14:37 -0400
Message-ID: <20060731171437.GA447@clif.cflynt.com>
To: linux-audit@redhat.com

Hi,

I'm primarily an applications developer, though I wear a sys-admin/security-admin hat when necessary. I've done kernel hacking on V-7 and System-3 in the bad old days, but mostly stick in userland now.

My current goal is to get some OpenSuse 10.1 systems DSS certified. I've been a RedHat user since about RH4 or 5, but this project decided to standardize on SuSE.
My focus for using auditd isn't so much to make a truly secure and well audited system, but to answer the specific DSS/NISPOM Chapter 8 requirements. SuSE supports AppArmor and the auditd security products, but has very little SELinux support. As I read things, AppArmor doesn't support the file audit requirements, but Auditd can meet the DSS requirements.

I've updated the standard SuSE 10.1 kernel to 2.6.17.6 and brought in the 3.0 glibc kernel headers. With these hacks, I can get the 1.2.5 auditd package to compile and install. It appears to be working.

Auditd 1.2.5 doesn't quite do what I need, but I'm getting close. It has the framework, but it seems to take a little work to get the answers I really want, and to handle the requirements for record maintenance.

1) Auditing and reporting

I've copied the SYSCALL rules from the capp.rules sample, and I think that covers what DSS will need audited. (Still checking and confirming that I haven't missed anything obvious.)

To get the answers I wanted a bit more easily, I've made a GUI based search tool that lets me specify reports with a bit more precision and build customized reports. It's functional code, but is not pretty, and gets pretty ugly when the data is way outside what I expected.

2) Maintaining records

The traditional log-rotate with N logs makes it difficult to keep X days of logs. When the system is busy, I can rotate the logs every 10 minutes. I've put together a small cron job that looks for audit.log.1, filters out some data I know I won't want, and zips it into a file with a name based on the timestamp.

My current report generator builds an SQLite database on the fly from the flat ASCII logs. I'm thinking that the next rev of the file rotation code will move the data to an SQLite database instead of gzipped flat files and save that step. I'm using SQLite instead of mySQL or Postgres because it's fast, mature and robust and doesn't require any database server (or dbadmin) to run it.
I put together a small audisp test application to read from stdin and save data in a timestamped file. When I run this, I get nothing but empty reads, and finally an EOF from auditd. I'm expecting to see plain ASCII input. Is this not what is sent to the audisp target?

I just tried the sample.c application, compiled it to a.out and put that into the auditd.conf file. When I restart audispd, I see no output in /var/log/messages, and a.out does not show in the process stack. If I just run /tmp/a.out and type something, output appears in /var/log/messages.

If any of this is of interest or use, let me know, and I'll make it available to the community.

Thanks,
Clif

-- 
.... Clif Flynt ... http://www.cflynt.com ... clif@cflynt.com ...
.. Tcl/Tk: A Developer's Guide (2nd edition) - Morgan Kauffman ..
..13th Annual Tcl/Tk Conference: Oct 9-13, 2006, Chicago, IL ..
............. http://www.tcl.tk/community/tcl2006/ ............
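The post describes two steps that fit together: filtering unwanted record types out of the rotated audit.log, and loading the remaining flat ASCII records into SQLite so reports can be built with queries rather than by re-scanning text. The block below is an added, stand-alone illustration of that pipeline; it is not Clif's report generator or cron job, nor anything from the auditd project. It assumes only the standard audit.log record layout (`type=... msg=audit(time:serial): key=value ...`), and the sample records it loads are constructed for the example. The hypothetical `failed_access` query shows the kind of answer the approach makes easy: which executable was denied access to which path, found by joining a SYSCALL record to the PATH record that shares its event id.

```python
"""Filter flat auditd records and load them into SQLite for querying (added example)."""
import re
import sqlite3

# Constructed sample records in audit.log's flat key=value layout; these are made up
# for this example and were not taken from any real system or from the post.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1154365800.123:456): arch=c000003e syscall=2 success=yes exit=3 items=1 pid=1234 auid=500 uid=500 comm="cat" exe="/bin/cat" key="access"
type=CWD msg=audit(1154365800.123:456):  cwd="/home/user"
type=PATH msg=audit(1154365800.123:456): item=0 name="/etc/hosts" inode=4711 dev=08:01 mode=0100644 ouid=0 ogid=0
type=SYSCALL msg=audit(1154365801.500:457): arch=c000003e syscall=2 success=no exit=-13 items=1 pid=1235 auid=500 uid=500 comm="vi" exe="/usr/bin/vi" key="access"
type=CWD msg=audit(1154365801.500:457):  cwd="/home/user"
type=PATH msg=audit(1154365801.500:457): item=0 name="/etc/shadow" inode=4712 dev=08:01 mode=0100400 ouid=0 ogid=0
not an audit record at all
"""

# Record header: type, timestamp, serial, then the remaining key=value fields.
HEADER_RE = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
# A field is name=value where value is either double-quoted or bare.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Return (event_id, record_type, {field: value}) or None for non-record lines."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    # time:serial identifies one event; all records of the event share it.
    return (f"{ts}:{serial}", rtype, fields)


def open_db(path=":memory:"):
    """Create the single fields table used for all record types."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE IF NOT EXISTS fields (event TEXT, type TEXT, name TEXT, value TEXT)")
    conn.execute("CREATE INDEX IF NOT EXISTS fields_event ON fields(event, name)")
    return conn


def load_log(text, conn, drop_types=frozenset({"CWD"})):
    """Insert every parseable record whose type is not in drop_types; return the count loaded."""
    loaded = 0
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue                      # skip lines that are not audit records
        event, rtype, fields = rec
        if rtype in drop_types:
            continue                      # the "data I know I won't want" filter
        conn.executemany("INSERT INTO fields VALUES (?,?,?,?)",
                         [(event, rtype, k, v) for k, v in fields.items()])
        loaded += 1
    conn.commit()
    return loaded


def failed_access(conn):
    """(exe, path) pairs for SYSCALL records with success=no, joined to their PATH record."""
    return conn.execute("""
        SELECT exe.value, path.value
        FROM fields AS ok
        JOIN fields AS exe  ON exe.event = ok.event AND exe.type = 'SYSCALL' AND exe.name = 'exe'
        JOIN fields AS path ON path.event = ok.event AND path.type = 'PATH' AND path.name = 'name'
        WHERE ok.type = 'SYSCALL' AND ok.name = 'success' AND ok.value = 'no'
        ORDER BY ok.event
    """).fetchall()


if __name__ == "__main__":
    db = open_db()
    print(load_log(SAMPLE_LOG, db), "records loaded")
    for exe, path in failed_access(db):
        print(f"denied: {exe} -> {path}")
```

The one-table design (event, type, name, value) keeps the loader independent of which record types and fields a given kernel emits, which matters when the data turns out to be "way outside what I expected"; pass a file path to `open_db` instead of `:memory:` to keep the database on disk as the rotated-log replacement the post contemplates.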