From: Steve Grubb
Subject: Re: audit review question
Date: Thu, 28 Apr 2016 11:09:51 -0400
Message-ID: <5168316.VjEz05O2MH@x2>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Wednesday, April 27, 2016 09:10:39 PM Warron S French wrote:
> I have a scenario that I need a little help understanding how to work
> through in an isolated environment of 1 server and 6 workstations (7
> machines). The 7 machines are all running CentOS-6.7 and selinux =
> disabled.
>
> All 6 workstations are configured through rsyslog.conf to send audit data to
> the server, and I have (but apparently not successfully) configured general
> system messages to also report back to the same server. I am using the
> conventional filesystems for each, but the directory structure below is
> different.

Rsyslog will likely mangle the audit lines such that it's no longer in the
native audit format. I don't know if its headers can be stripped as it writes
to disk.

> For audit, I use /var/log/audit/2016/04/27/wk{1..6}_audit.log; the
> directory per day and per month and per year are auto created
> (miraculously). For system messages, and I know this isn't the forum to get
> help on this so I will only list the directory, it is
> /var/log/2016/04/27/wk{1..6}_syslog.log.
>
> Now that I am doing this, and successfully, I want to test that the security
> auditors will be able to do their job properly, as well as I am trying to
> comply with some security constraint that requires me to centralize the
> logdata into a single server (hence the major driver for all of this).
>
> I know that there is the aureport and ausearch command, but I am not sure
> that I am able to figure out the correct command-line structure to test
> that audit-data is getting into the appropriate file, on each day of the
> year, on a per serverName basis.
>
> If a real-world situation occurred that the Security Auditors were asking to
> find out how many machines did userX attempt to log into, what would be the
> appropriate command for the example audit directory I listed above
> (/var/log/audit/2016/04/27/wk{1..6}_audit.log), because I am not sure I am
> running the command with the appropriate switches to scan the files
> properly?
>
> I used:
>
> * aureport -if /var/log/audit/2016/04/27/ and it didn't like the
> input,

Probably due to the header it inserts into each record. But this is how you
should do it.

> * aureport -if /var/log/audit/2016/04/27/* and it didn't like the
> input, am I using the command improperly?

You shouldn't need the '*'. If the passed option is a dir, then it
automatically looks for more files. But note that the native rotation is

    audit.log    <- newest
    audit.log.1
    audit.log.2
    audit.log.3  <- oldest

rsyslog would also have to use this scheme. I have never investigated if it
does. That does not mean that a wrapper script couldn't be made to walk the
files in rsyslog's order and send them to aureport via stdin. You could
probably even add a sed command to strip the rsyslog headers from each
record. Not the best answer, but once it hits rsyslog, it can change the
record in ways that are unknown to me.

-Steve
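The wrapper Steve sketches (walk the per-host files in rotation order, strip the rsyslog header with sed, feed native records to aureport on stdin), written out as an added example; this is not code from the thread or from the audit package. It assumes rsyslog's default header ("Apr 27 09:10:39 wk1 audispd: ") in front of every record and that each record begins with "type=<NAME> msg=audit(" as the audisp syslog plugin writes it; the day directory layout and the rotation suffixes (.1, .2, ...) follow Warron's and Steve's descriptions. The sample files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: normalise rsyslog-collected audit files back into native
# audit records so they can be piped into aureport/ausearch on stdin.
#
# Assumptions (not from the thread): rsyslog's default header
# "Mon DD HH:MM:SS host tag: " precedes each record, and each record starts
# with "type=<NAME> msg=audit(" as the audisp syslog plugin writes it.

# Drop everything up to the start of the audit record.  Lines that carry no
# audit record (other syslog traffic in the same file) are dropped entirely.
strip_rsyslog_header() {
    sed -n 's/^.*\(type=[A-Z_][A-Z_]* msg=audit(\)/\1/p'
}

# Given the live file (e.g. wk1_audit.log), print its rotations oldest first
# (wk1_audit.log.3, .2, .1, then wk1_audit.log) so the concatenated records
# are chronological.  Mirrors the audit.log / audit.log.N naming in the reply.
rotation_order() {
    base=$1
    newest=0
    for f in "$base".*; do
        [ -e "$f" ] || continue
        suffix=${f##*.}
        case $suffix in *[!0-9]*) continue ;; esac   # skip e.g. .gz or .bak
        [ "$suffix" -gt "$newest" ] && newest=$suffix
    done
    while [ "$newest" -gt 0 ]; do
        [ -e "$base.$newest" ] && printf '%s\n' "$base.$newest"
        newest=$((newest - 1))
    done
    [ -e "$base" ] && printf '%s\n' "$base"
    return 0
}

# Walk every *_audit.log in a day directory and emit cleaned native records.
collect_audit_records() {
    dir=$1
    for live in "$dir"/*_audit.log; do
        [ -e "$live" ] || continue
        rotation_order "$live" | while IFS= read -r f; do
            strip_rsyslog_header < "$f"
        done
    done
}

# Feed the cleaned stream to aureport on stdin, as the reply suggests,
# e.g.:  login_report /var/log/audit/2016/04/27
login_report() {
    collect_audit_records "$1" | aureport --login -i
}

# Constructed sample: one rotation plus the live file for wk1, a live file for
# wk2, and one non-audit syslog line mixed in.  Epoch values match the header
# times in UTC.
make_sample_dir() {
    d=$(mktemp -d)
    cat > "$d/wk1_audit.log.1" <<'EOF'
Apr 26 23:59:58 wk1 audispd: type=USER_LOGIN msg=audit(1461715198.101:300): pid=1201 uid=0 auid=1000 ses=4 msg='op=login acct="userX" exe="/usr/sbin/sshd" hostname=? addr=10.0.0.5 terminal=ssh res=failed'
EOF
    cat > "$d/wk1_audit.log" <<'EOF'
Apr 27 09:10:39 wk1 audispd: type=USER_LOGIN msg=audit(1461748239.210:412): pid=1340 uid=0 auid=1000 ses=5 msg='op=login acct="userX" exe="/usr/sbin/sshd" hostname=? addr=10.0.0.5 terminal=ssh res=success'
Apr 27 09:11:02 wk1 rsyslogd: [origin software="rsyslogd"] rsyslogd was HUPed
EOF
    cat > "$d/wk2_audit.log" <<'EOF'
Apr 27 12:00:00 wk2 audispd: type=USER_LOGIN msg=audit(1461758400.555:77): pid=980 uid=0 auid=1000 ses=2 msg='op=login acct="userX" exe="/usr/sbin/sshd" hostname=? addr=10.0.0.5 terminal=ssh res=failed'
EOF
    printf '%s\n' "$d"
}

# Stand-alone run: print the three cleaned records from the sample directory.
sample=$(make_sample_dir)
collect_audit_records "$sample"
rm -rf "$sample"
```

Records are emitted oldest rotation first so that aureport sees them in time order regardless of how rsyslog numbered its rotations; the sed pattern anchors on "type=NAME msg=audit(" rather than on a fixed header width, so it survives a different rsyslog template as long as the record itself is intact. Anything rsyslog has already truncated or re-encoded cannot be recovered here, which is the caveat Steve raises.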