* Re: audisp-prelude problems
From: LC Bruzenak @ 2008-12-03 16:38 UTC (permalink / raw)
To: Linux Audit
On Wed, 2008-12-03 at 17:28 +0200, Loredan Stancu wrote:
>
> I know how to activate the audisp-plugin, what I asked is how can I use it.
>
> What I need is an example of an application which can stay on the remote
> host, listen for incoming events sent by the audisp-remote plugin and store
> these events in a regular file.
OK.
That's what the auditd does if the remote host is also SElinux.
So - next questions:
* Is the remote host not a SElinux machine? You'd need to emulate the
protocol on the receive side.
* If it is a SElinux machine (F9/F10/other?), do you want the
originating events in a different place than the default? Like separated
by sending host instead of lumped together with the other audit?
If the latter is the case, there are ways of doing this now depending on
your intent.
Also this is an area Steve has discussed may be open for modification.
The auditd on the aggregating side may be able to separate data based on
other criteria per user feedback.
LCB.
--
LC (Lenny) Bruzenak
lenny@magitekltd.com
* Re: audisp-prelude problems
From: Loredan Stancu @ 2008-12-04 15:38 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit
On the same topic, I saw that the audisp-remote plugin can send events remotely
using a secure connection (transport = ssl in the audisp-remote.conf file).
When using tcp as the transport method, events arrive at the aggregating
auditd, but when using ssl no events arrive.
How can I use a secure connection to transmit events?
> On Thursday 04 December 2008 09:57:54 Loredan Stancu wrote:
>> Now I'll have to use the audisp-remote plugin to centralize events.
>
> One further refinement to what I said yesterday about remote logging. You
> probably want to set the local_port value to something < 1024 in the remote
> configuration files. Then in the aggregating auditd, set the tcp_client_ports to
> the same thing.
>
> This is a security feature to prevent random user space apps from trying audit
> log injection attacks. For experimenting or casual use you don't need to set
> these up, but for production use you must.
>
> If you use kerberos authentication, then you have even more protection. But
> setting up kerberos for this is a little more than I want to explain.
>
> -Steve
>
* Re: audisp-prelude problems
From: Steve Grubb @ 2008-12-04 15:56 UTC (permalink / raw)
To: Loredan Stancu; +Cc: linux-audit
On Thursday 04 December 2008 10:38:53 Loredan Stancu wrote:
> On the same topic, I saw that the audisp-remote plugin can send events remotely
> using a secure connection (transport = ssl in the audisp-remote.conf file).
That is a mistake and I'll fix it in svn right now.
> How can I use a secure connection to transmit events?
Kerberos is the encrypted and authenticated way to send events.
-Steve
* Re: audisp-prelude problems
From: Loredan Stancu @ 2008-12-04 14:57 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit
Thanks a lot Steve, now it works. It was because PAM was not compiled with
audit support. Now events are generated when a user logs in from a
console, a terminal or via ssh.
Now I'll have to use the audisp-remote plugin to centralize events.
> On Thursday 04 December 2008 08:10:21 Loredan Stancu wrote:
>> I recompiled sshd with support for PAM on the Gentoo machine and the
>> following event is logged when using "UsePAM yes" in the sshd_config file:
>>
>> node=127.0.0.1 type=LOGIN msg=audit(1228395162.690:12): login pid=5308
>> uid=0 old auid=4294967295 new auid=1000 old ses=4294967295 new ses=5
>
> This is from the kernel when pam_loginuid sets the loginuid. It's very
> important for all entry point daemons to set this (login, remote, gdm, sshd,
> kdm, xdm, vsftpd, ...). You also need pam itself enabled to send audit events.
> I believe that recent pam versions (0.9 or higher) automatically use libaudit
> if it's present when compiling. You might double check what ./configure --help
> shows on your distro.
>
>> And also on the Fedora machine events are generated when a user logs in
>> locally or using a terminal or a console. On the Gentoo machine no events are
>> generated when a user logs in from a terminal or console.
>
> There is a fair amount of enabling audit all over the place. I guess this is a
> disadvantage for a do it yourself distribution. There's things in pam, and
> probably 10-15 packages that are audit aware.
>
>> What happens on Fedora is OK and I also want this to happen on Gentoo. Have
>> you any idea why the same events are not generated on Gentoo as they are
>> on Fedora?
>
> I suspect that you needed libaudit built and installed early in the process of
> building Gentoo if you compiled it yourself. If you didn't build it, then they
> must not place a high priority on this security feature. I don't follow the
> Gentoo distribution, so what I just said could be all wrong. But I think if
> libaudit is missing early in the build process, lots of things won't find it
> and disable audit support.
>
>> Does Fedora have something that Gentoo may not have or may not include?
>
> We send everything upstream so that everyone can benefit. Even that patch for
> sshd I referred you to was sent upstream, but they have not accepted it.
>
> -Steve
>
* Re: audisp-prelude problems
From: Steve Grubb @ 2008-12-04 15:33 UTC (permalink / raw)
To: Loredan Stancu; +Cc: linux-audit
On Thursday 04 December 2008 09:57:54 Loredan Stancu wrote:
> Now I'll have to use the audisp-remote plugin to centralize events.
One further refinement to what I said yesterday about remote logging. You
probably want to set the local_port value to something < 1024 in the remote
configuration files. Then in the aggregating auditd, set the tcp_client_ports to
the same thing.
This is a security feature to prevent random user space apps from trying audit
log injection attacks. For experimenting or casual use you don't need to set
these up, but for production use you must.
If you use kerberos authentication, then you have even more protection. But
setting up kerberos for this is a little more than I want to explain.
-Steve
* Re: audisp-prelude problems
From: Loredan Stancu @ 2008-12-04 13:10 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit
I just installed Fedora Core 10 on a VMware machine and
auditd/audisp-prelude seem to work fine.
I recompiled sshd with support for PAM on the Gentoo machine and the
following event is logged when using "UsePAM yes" in the sshd_config file:
node=127.0.0.1 type=LOGIN msg=audit(1228395162.690:12): login pid=5308
uid=0 old auid=4294967295 new auid=1000 old ses=4294967295 new ses=5
This is the only event which was generated when a user logs in using
ssh.
On the Fedora machine more events are generated when a user logs in using
ssh:
node=127.0.0.1 type=USER_LOGIN msg=audit(1228402657.814:16): user pid=2735
uid=0 auid=4294967295 ses=4294967295
subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='acct="darkone":
exe="/usr/sbin/sshd" (hostname=?, addr=172.16.53.1, terminal=sshd
res=failed)'
node=127.0.0.1 type=USER_AUTH msg=audit(1228402662.417:17): user pid=2735
uid=0 auid=4294967295 ses=4294967295
subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication
acct="darkone" exe="/usr/sbin/sshd" (hostname=172.16.53.1,
addr=172.16.53.1, terminal=ssh res=success)'
node=127.0.0.1 type=USER_ACCT msg=audit(1228402662.425:18): user pid=2735
uid=0 auid=4294967295 ses=4294967295
subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:accounting
acct="darkone" exe="/usr/sbin/sshd" (hostname=172.16.53.1,
addr=172.16.53.1, terminal=ssh res=success)'
node=127.0.0.1 type=CRED_ACQ msg=audit(1228402662.428:19): user pid=2735
uid=0 auid=4294967295 ses=4294967295
subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred
acct="darkone" exe="/usr/sbin/sshd" (hostname=172.16.53.1,
addr=172.16.53.1, terminal=ssh res=success)'
node=127.0.0.1 type=LOGIN msg=audit(1228402662.430:20): login pid=2735
uid=0 old auid=4294967295 new auid=500 old ses=4294967295 new ses=4
node=127.0.0.1 type=USER_START msg=audit(1228402662.430:21): user pid=2735
uid=0 auid=500 ses=4 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023
msg='op=PAM:session_open acct="darkone" exe="/usr/sbin/sshd"
(hostname=172.16.53.1, addr=172.16.53.1, terminal=ssh res=success)'
node=127.0.0.1 type=CRED_ACQ msg=audit(1228402662.432:22): user pid=2740
uid=0 auid=500 ses=4 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023
msg='op=PAM:setcred acct="darkone" exe="/usr/sbin/sshd"
(hostname=172.16.53.1, addr=172.16.53.1, terminal=ssh res=success)'
node=127.0.0.1 type=USER_LOGIN msg=audit(1228402662.435:23): user pid=2735
uid=0 auid=500 ses=4 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023
msg='uid=500: exe="/usr/sbin/sshd" (hostname=172.16.53.1,
addr=172.16.53.1, terminal=/dev/pts/2 res=success)'
And also on the Fedora machine events are generated when a user logs in
locally or using a terminal or a console. On the Gentoo machine no events are
generated when a user logs in from a terminal or console.
PAM configuration on Gentoo:
# cat /etc/pam.d/sshd
auth required pam_tally.so file=/var/log/faillog onerr=succeed
auth required pam_shells.so
auth required pam_nologin.so
auth include system-auth
account required pam_access.so
account required pam_nologin.so
account include system-auth
account required pam_tally.so file=/var/log/faillog onerr=succeed
password include system-auth
session required pam_loginuid.so
session optional pam_console.so
session required pam_env.so
session optional pam_lastlog.so
session include system-auth
session optional pam_motd.so motd=/etc/motd
session optional pam_mail.so
PAM configuration on Fedora machine:
# cat /etc/pam.d/sshd
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
session include system-auth
session required pam_loginuid.so
session optional pam_keyinit.so force revoke
# cat /etc/pam.d/system-auth
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
What happens on Fedora is OK and I also want this to happen on Gentoo. Have
you any idea why the same events are not generated on Gentoo as they are on
Fedora? Do I have to add something else to PAM on Gentoo? Does Fedora have
something that Gentoo may not have or may not include?
> On Wednesday 03 December 2008 12:58:24 you wrote:
>> Another question: Can auditd generate events when a user logs in
>> using ssh? Does that imply ssh uses PAM?
>
> There are 2 sets of events being sent, auth/acct/session open/close are from
> pam. But cron sends the same events. So, sshd itself sends another event
> USER_LOGIN that is to signify that the pam events are associated with a login
> and what the final result was.
>
>> I ask this because I want to use audit on a production server and I'm not
>> allowed to manually install packages. I am only allowed to use emerge to
>> install packages. At this moment I do not have a USE flag (Gentoo specific)
>> corresponding to --with-linux-audit.
>
> I guess Gentoo is unpatched. Things will not work right without that last
> patch. All analysis software is predicated on seeing that event.
>
>> @Steve :) : Can you help me please with audisp-remote? I'll explain again
>> what I want to do:
>> Let's say I have 3 machines (M1, M2, M3). M1 and M2 are 2 production servers.
>> M3 is a centralized events machine. On M1 and M2 run auditd and
>> audisp-remote. audisp-remote sends events to M3. I know how to configure
>> auditd and audisp-remote on M1 and M3. What I don't know is what I should
>> do on M3 so that it can receive events from M1 and M2 and store these
>> events in a regular file.
>
> You only have to set its tcp_listen_port to the same one that M1 & M2 are
> trying to connect on, update tcp_wrappers hosts.allow file to allow M1 & M2 to
> connect, then if you have selinux, you need to tell it what port you are
> using, and you also need to punch a hole in your firewall for that port.
>
>>> And you are able to load and list the 2 rules I sent above? Can you find
>>> the results with ausearch --start today -k mkexe -m SYSCALL ?
>>
>> Yes, I could load those rules and this is what is loaded when a file gets
>> execution rights:
>
> This looks fine. It should be working for you, then.
>
> -Steve
>
* Re: audisp-prelude problems
From: Steve Grubb @ 2008-12-04 13:41 UTC (permalink / raw)
To: Loredan Stancu; +Cc: linux-audit
On Thursday 04 December 2008 08:10:21 Loredan Stancu wrote:
> I recompiled sshd with support for pam on the gentoo machine and the
> following event is logged when using "UsePAM yes" in sshd_config file:
>
> node=127.0.0.1 type=LOGIN msg=audit(1228395162.690:12): login pid=5308
> uid=0 old auid=4294967295 new auid=1000 old ses=4294967295 new ses=5
This is from the kernel when pam_loginuid sets the loginuid. It's very
important for all entry point daemons to set this (login, remote, gdm, sshd,
kdm, xdm, vsftpd, ...). You also need pam itself enabled to send audit events.
I believe that recent pam versions (0.9 or higher) automatically use libaudit
if it's present when compiling. You might double check what ./configure --help
shows on your distro.
> And also on fedora machine events are generated when a user is logging in
> local or using a terminal or a console. On gentoo machine no events are
> generated when a user is logged in from a terminal or console.
There is a fair amount of enabling audit all over the place. I guess this is a
disadvantage for a do it yourself distribution. There's things in pam, and
probably 10-15 packages that are audit aware.
> What happens on Fedora is OK and I also want this to happen on Gentoo. Have
> you any idea why the same events are not generated on Gentoo as they are on
> Fedora?
I suspect that you needed libaudit built and installed early in the process of
building Gentoo if you compiled it yourself. If you didn't build it, then they
must not place a high priority on this security feature. I don't follow the
Gentoo distribution, so what I just said could be all wrong. But I think if
libaudit is missing early in the build process, lots of things won't find it
and disable audit support.
> Does Fedora have something that Gentoo may not have or may not include?
We send everything upstream so that everyone can benefit. Even that patch for
sshd I referred you to was sent upstream, but they have not accepted it.
-Steve
* Re: audisp-prelude problems
From: Loredan Stancu @ 2008-12-03 17:58 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit
> On Wednesday 03 December 2008 09:57:48 Loredan Stancu wrote:
>>>> 1. audisp-prelude plugin is not generating events when a user is logged in.
>>>
>>> Do you find USER_LOGIN events? ausearch --start today -m USER_LOGIN
>>> Without that, you won't see anything.
>>
>> This is the problem that no USER_LOGIN appears in the log file. No events
>> are generated when a user is logged in.
>
> You likely need to compile openssh with a "--with-linux-audit" option to the
> configure line. If your distribution does not have the openssh audit patch, you
> can find it here:
>
> http://cvs.fedora.redhat.com/viewvc/devel/openssh/openssh-4.7p1-audit.patch?revision=1.1
Another question: Can auditd generate events when a user logs in
using ssh? Does that imply ssh uses PAM? I ask this because I want to use audit
on a production server and I'm not allowed to manually install packages. I
am only allowed to use emerge to install packages. At this moment I do not
have a USE flag (Gentoo specific) corresponding to --with-linux-audit.
@Steve :) : Can you help me please with audisp-remote? I'll explain again
what I want to do:
Let's say I have 3 machines (M1, M2, M3). M1 and M2 are 2 production servers.
M3 is a centralized events machine. On M1 and M2 run auditd and
audisp-remote.
audisp-remote sends events to M3. I know how to configure auditd and
audisp-remote on M1 and M3. What I don't know is what I should do on M3 so
that it can receive events from M1 and M2 and store these events in a regular
file.
After this is clarified I'll see how I should separate events based
on the node machine (M1 and M2).
>
>>>> 2. audisp-prelude plugin is not sending uid, gid to a prelude-manager
>>>
>>> For which event? The loginuid is mostly what I concentrated on since that
>>> tells you how they got into the machine.
>>
>> For any events. I am using prelude-manager and prewikka and I can't see
>> any uid or gid of any events.
>
> I'll check what I'm collecting. But I'm sure that loginuid should be there
> whenever it's relevant.
>
>>>> 3. No events are generated for watched files/exec/mk_exe if no two -k
>>>> options are specified in the rule. One of the -k options should contain
>>>> '-k ids-type-severity' and another -k may contain anything. If you specify
>>>> only one -k option no events are generated.
>>>
>>> You need 2 rules to cover this:
>>>
>>> auditctl -a exit,always -S fchmodat -F dir=/home -F 'a2&0111' -F filetype=file -k ids-mkexe-hi
>>> auditctl -a exit,always -S fchmod,chmod -F dir=/home -F 'a1&0111' -F filetype=file -k ids-mkexe-hi
>>>
>>> It works fine on my system. Also note that it depends on having a recent
>>> kernel.
>>
>> On Gentoo Linux I'm using kernel version 2.6.26-gentoo-r3 and on the Debian
>> system I'm using kernel version 2.6.26-1-686.
>> In both kernels I have support for audit and inotify.
>
> And you are able to load and list the 2 rules I sent above? Can you find the
> results with ausearch --start today -k mkexe -m SYSCALL ? You might also
> strace the app that's making executables that you are trying to catch to make
> sure you have a rule that will catch it.
Yes, I could load those rules and this is what is loaded when a file gets
execution rights:
type=SYSCALL msg=audit(1228324240.067:14): arch=40000003 syscall=306
success=yes exit=0 a0=ffffff9c a1=80550b8 a2=1ed a3=80550b8 items=1
ppid=7828 pid=16847 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm="chmod"
exe="/bin/chmod" key="ids-mkexe-hi"
type=CWD msg=audit(1228324240.067:14): cwd="/usr/local/audit"
type=PATH msg=audit(1228324240.067:14): item=0
name="/home/darkone/testfile" inode=65247 dev=08:03 mode=0100644 ouid=1000
ogid=1000 rdev=00:00
>>>> Another question is how I can use audisp-remote to send events
>>>> somewhere remote?
>
> I think I answered this in the other email, but to be clear, the audisp-remote
> plugin wants to talk to a remote audit daemon. So the chain of custody for an
> event looks like:
>
> kernel->auditd->audispd->audisp-remote->auditd->file
>
> -Steve
>
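Which of Steve's two rules the SYSCALL/PATH records above satisfy, replayed offline as an added Python example (not code from the thread or from the audit package): it applies the same predicate the kernel filter does, the mode argument (a2 for fchmodat, a1 for chmod/fchmod) masked with 0111, filetype=file from the PATH mode, and dir=/home. It goes beyond the i386 record on the page by also carrying x86_64 syscall numbers, which are an assumption not stated in the thread.

```python
"""Replay the two mkexe audit rules against logged SYSCALL/PATH records.

Added example; not code from the linux-audit thread or the audit package.
Useful for checking, on an existing log, which rule a record satisfies and
why a rule that only lists fchmod,chmod would miss an fchmodat call (or the
other way round). Syscall numbers for i386 (arch=40000003) are what the
thread's record uses; the x86_64 (arch=c000003e) entries are an assumption
added here for completeness.
"""
import re
import stat
from typing import Dict, Optional

# Syscall numbers per audit arch value and the argument that carries the mode.
# Mirrors the rules: fchmodat checks 'a2&0111', chmod/fchmod check 'a1&0111'.
MODE_ARG = {
    "40000003": {306: ("fchmodat", "a2"), 15: ("chmod", "a1"), 94: ("fchmod", "a1")},  # i386
    "c000003e": {268: ("fchmodat", "a2"), 90: ("chmod", "a1"), 91: ("fchmod", "a1")},  # x86_64
}
EXEC_BITS = 0o111      # the mask in -F 'a2&0111' / -F 'a1&0111'
WATCHED_DIR = "/home"  # -F dir=/home

# The thread's records (each audit record on one line, non-essential fields trimmed).
SYSCALL_REC = ('type=SYSCALL msg=audit(1228324240.067:14): arch=40000003 syscall=306 '
               'success=yes exit=0 a0=ffffff9c a1=80550b8 a2=1ed a3=80550b8 items=1 '
               'ppid=7828 pid=16847 auid=4294967295 uid=0 comm="chmod" exe="/bin/chmod" '
               'key="ids-mkexe-hi"')
PATH_REC = ('type=PATH msg=audit(1228324240.067:14): item=0 name="/home/darkone/testfile" '
            'inode=65247 dev=08:03 mode=0100644 ouid=1000 ogid=1000 rdev=00:00')

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def fields(record: str) -> Dict[str, str]:
    """Split an audit record into its key=value fields, quotes stripped."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(record)}


def mkexe_match(syscall_rec: str, path_rec: str) -> Optional[str]:
    """Name the syscall whose rule fires for this event, or None if neither would."""
    sc, path = fields(syscall_rec), fields(path_rec)
    if sc.get("msg") != path.get("msg"):      # records must belong to the same event id
        return None
    table = MODE_ARG.get(sc.get("arch", ""))
    if not table or int(sc.get("syscall", -1)) not in table:
        return None                           # not one of the -S syscalls for this arch
    name, arg = table[int(sc["syscall"])]
    mode_arg = int(sc[arg], 16)               # syscall arguments are logged in hex
    if mode_arg & EXEC_BITS == 0:             # no execute bit requested
        return None
    obj_mode = int(path.get("mode", "0"), 8)  # PATH mode is octal incl. the type bits
    if not stat.S_ISREG(obj_mode):            # -F filetype=file
        return None
    target = path.get("name", "")
    if not (target == WATCHED_DIR or target.startswith(WATCHED_DIR + "/")):
        return None                           # outside -F dir=/home
    return name


if __name__ == "__main__":
    # For the thread's record: a2=1ed is mode 0755, the object is a regular file under /home.
    print(mkexe_match(SYSCALL_REC, PATH_REC))
```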
* Re: audisp-prelude problems
From: Steve Grubb @ 2008-12-03 20:22 UTC (permalink / raw)
To: Loredan Stancu; +Cc: linux-audit
On Wednesday 03 December 2008 12:58:24 you wrote:
> Another question: Can auditd generate events when a user logs in
> using ssh? Does that imply ssh uses PAM?
There are 2 sets of events being sent, auth/acct/session open/close are from
pam. But cron sends the same events. So, sshd itself sends another event
USER_LOGIN that is to signify that the pam events are associated with a login
and what the final result was.
> I ask this because I want to use audit on a production server and I'm not
> allowed to manually install packages. I am only allowed to use emerge to
> install packages. At this moment I do not have a USE flag (Gentoo specific)
> corresponding to --with-linux-audit.
I guess Gentoo is unpatched. Things will not work right without that last
patch. All analysis software is predicated on seeing that event.
> @Steve :) : Can you help me please with audisp-remote? I'll explain again
> what I want to do:
> Let's say I have 3 machines (M1, M2, M3). M1 and M2 are 2 production servers.
> M3 is a centralized events machine. On M1 and M2 run auditd and
> audisp-remote.
> audisp-remote sends events to M3. I know how to configure auditd and
> audisp-remote on M1 and M3. What I don't know is what I should do on M3 so
> that it can receive events from M1 and M2 and store these events in a regular
> file.
You only have to set its tcp_listen_port to the same one that M1 & M2 are
trying to connect on, update tcp_wrappers hosts.allow file to allow M1 & M2 to
connect, then if you have selinux, you need to tell it what port you are
using, and you also need to punch a hole in your firewall for that port.
> > And you are able to load and list the 2 rules I sent above? Can you find
> > the results with ausearch --start today -k mkexe -m SYSCALL ?
>
> Yes, I could load those rules and this is what is loaded when a file gets
> execution rights:
This looks fine. It should be working for you, then.
-Steve
* Re: audisp-prelude problems
From: Loredan Stancu @ 2008-12-03 16:53 UTC (permalink / raw)
To: linux-audit
> On Wed, 2008-12-03 at 17:28 +0200, Loredan Stancu wrote:
>
>>
>> I know how to activate the audisp-plugin, what I asked is how can I use it.
>>
>> What I need is an example of an application which can stay on the remote
>> host, listen for incoming events sent by the audisp-remote plugin and store
>> these events in a regular file.
>
> OK.
> That's what the auditd does if the remote host is also SElinux.
>
> So - next questions:
>
> * Is the remote host not a SElinux machine? You'd need to emulate the
> protocol on the receive side.
>
> * If it is a SElinux machine (F9/F10/other?), do you want the
> originating events in a different place than the default? Like separated
> by sending host instead of lumped together with the other audit?
>
> If the latter is the case, there are ways of doing this now depending on
> your intent.
Supposing the remote system is an SELinux machine (a machine which stores
all the user activity sent by audisp-remote plugins; there is more than
one machine for which I want to store events), what should I do on this
machine to keep a separate event file for each machine?
> Also this is an area Steve has discussed may be open for modification.
> The auditd on the aggregating side may be able to separate data based on
> other criteria per user feedback.
* Re: audisp-prelude problems
From: Steve Grubb @ 2008-12-03 17:02 UTC (permalink / raw)
To: linux-audit
On Wednesday 03 December 2008 11:53:19 Loredan Stancu wrote:
> Supposing the remote system is an SELinux machine (a machine which stores
> all the user activity sent by audisp-remote plugins; there is more than
> one machine for which I want to store events), what should I do on this
> machine to keep a separate event file for each machine?
The current design of the audit system is to aggregate all logs in a unified
format. Ausearch and aureport are node aware and can separate records based on
the originating node.
ausearch --start today --node 192.168.1.1
This of course assumes that you took the step of selecting a node name in
/etc/audisp/audispd.conf. :)
-Steve
* Re: audisp-prelude problems
From: LC Bruzenak @ 2008-12-03 17:17 UTC (permalink / raw)
To: Loredan Stancu; +Cc: linux-audit
On Wed, 2008-12-03 at 18:53 +0200, Loredan Stancu wrote:
> > On Wed, 2008-12-03 at 17:28 +0200, Loredan Stancu wrote:
> >
...
> Supposing the remote system is an SELinux machine (a machine which stores
> all the user activity sent by audisp-remote plugins; there is more than
> one machine for which I want to store events), what should I do on this
> machine to keep a separate event file for each machine?
A couple of different ways to do this:
1: Leave the events in the original log but create new duplicates
- periodically parse using ausearch and filter the output on "node" to
different file (now)
- use the auparse library on logfiles - see audit-1.7.9/auparse/test/
for examples (custom)
- also possibly use the af_unix plugin as per setroubleshoot for event
access (custom)
- write a patch for a new audisp plugin (custom)
2: MY favorite: ask Steve how to make the aggregating side flexible in
this regard. We may need a BZ filed or a consensus about what is
important on this list. I also would like a separation based on time to
allow for an easier archive/restore capability...and maybe that built in
if possible!
:)
Separation based on node is also a potential "good thing".
Anyway, the point is if there was an official audit modification to
enable this, the data would not be duplicated as it would be above.
LCB.
--
LC (Lenny) Bruzenak
lenny@magitekltd.com
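The first option above, parse the aggregated log and filter on node into per-node files while leaving the original log intact, as an added Python example that is not code from the thread or from the audit package. The log lines are a constructed sample in the raw record format shown elsewhere in the thread, using the node names M1 and M2 from Loredan's description; records are grouped by the audit(<time>:<serial>) event id so a multi-record event (SYSCALL + CWD + PATH) never gets split across files.

```python
"""Split an aggregated audit log into per-node copies, keeping events whole.

Added example, not code from the linux-audit thread or the audit package.
The aggregated log is read, never modified; each node gets its own file
(the "duplicate" approach the thread describes). `node=` is whatever name
the sending host configured in /etc/audisp/audispd.conf, so it identifies
the configured sender, not a verified source address: treat it as untrusted
text, which is why it is sanitised before it becomes part of a file name.
"""
import os
import re
from typing import Dict, List

# Constructed sample: three events from two nodes, one of them multi-record,
# with the M2 records interleaved with an M1 event as they would be on disk.
SAMPLE_LOG = """\
node=M1 type=USER_LOGIN msg=audit(1228402662.435:23): user pid=2735 uid=0 auid=500 ses=4 msg='uid=500: exe="/usr/sbin/sshd" (hostname=172.16.53.1, addr=172.16.53.1, terminal=/dev/pts/2 res=success)'
node=M2 type=SYSCALL msg=audit(1228324240.067:14): arch=40000003 syscall=306 success=yes exit=0 a0=ffffff9c a1=80550b8 a2=1ed a3=80550b8 items=1 ppid=7828 pid=16847 auid=4294967295 uid=0 comm="chmod" exe="/bin/chmod" key="ids-mkexe-hi"
node=M2 type=CWD msg=audit(1228324240.067:14): cwd="/usr/local/audit"
node=M1 type=LOGIN msg=audit(1228395162.690:12): login pid=5308 uid=0 old auid=4294967295 new auid=1000 old ses=4294967295 new ses=5
node=M2 type=PATH msg=audit(1228324240.067:14): item=0 name="/home/darkone/testfile" inode=65247 dev=08:03 mode=0100644 ouid=1000 ogid=1000 rdev=00:00
"""

# A raw record starts with node=<name> type=<TYPE> msg=audit(<secs>.<ms>:<serial>):
RECORD_RE = re.compile(
    r"^node=(?P<node>\S+)\s+type=(?P<type>\S+)\s+msg=audit\((?P<event>[\d.]+:\d+)\):")


def parse_record(line: str):
    """Return (node, event_id, record_type); raise if the record carries no node."""
    m = RECORD_RE.match(line)
    if not m:
        raise ValueError("record without node= prefix (is a node name set in audispd.conf?): %r"
                         % line[:60])
    return m.group("node"), m.group("event"), m.group("type")


def split_by_node(log_text: str) -> Dict[str, Dict[str, List[str]]]:
    """Map node -> {event_id -> that event's records, in original order}."""
    per_node: Dict[str, Dict[str, List[str]]] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        node, event_id, _ = parse_record(line)
        per_node.setdefault(node, {}).setdefault(event_id, []).append(line)
    return per_node


def write_node_logs(log_text: str, out_dir: str) -> Dict[str, str]:
    """Write <out_dir>/audit-<node>.log for each node; return node -> path."""
    os.makedirs(out_dir, exist_ok=True)
    paths = {}
    for node, events in split_by_node(log_text).items():
        safe = re.sub(r"[^A-Za-z0-9._-]", "_", node)   # node is sender-supplied: never use raw in a path
        path = os.path.join(out_dir, "audit-%s.log" % safe)
        with open(path, "w") as fh:
            for records in events.values():
                fh.write("\n".join(records) + "\n")
        paths[node] = path
    return paths


if __name__ == "__main__":
    for node, events in split_by_node(SAMPLE_LOG).items():
        print(node, {eid: len(recs) for eid, recs in events.items()})
```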
* Re: audisp-prelude problems
From: Steve Grubb @ 2008-12-03 17:34 UTC (permalink / raw)
To: linux-audit
On Wednesday 03 December 2008 12:17:46 LC Bruzenak wrote:
> MY favorite: ask Steve how to make the aggregating side flexible in
> this regard.
Why did I know this was coming? :)
> We may need a BZ filed or a consensus about what is important on this list. I
> also would like a separation based on time to allow for an easier
> archive/restore capability
There is a cron script shipped but not installed that can do the right thing.
> ...and maybe that built in if possible! Separation based on node is also a
> potential "good thing".
The main problem is that once it's separated, ausearch/report don't know how to
put it back together again. The current algorithm is a simple number index and
ausearch, aureport, and even auparse know how to find the files in the right
order to make sense of it.
-Steve
* Re: audisp-prelude problems
From: Loredan Stancu @ 2008-12-03 15:28 UTC (permalink / raw)
To: LC Bruzenak; +Cc: linux-audit
>
> On Wed, 2008-12-03 at 08:46 -0500, Steve Grubb wrote:
>>
>> > Another question is how I can use audisp-remote to send events somewhere
>> > remote?
>>
>> Assuming you are using Fedora, to set this up on client machines, you
>> will need to install the audispd-plugins package. Then you need to set
>> the remote_server and port in the /etc/audisp/audisp-remote.conf
>> file.
>
> (trivial) also set:
> active = yes
> in /etc/audisp/plugins.d/au-remote.conf
>
> and see "TIPS" in audisp-remote(8) man page
I know how to activate the audisp plugin; what I asked is how I can use it.
What I need is an example of an application which can stay on the remote
host, listen for incoming events sent by the audisp-remote plugin and store
these events in a regular file.
Loredan
* Re: audisp-prelude problems
From: Steve Grubb @ 2008-12-03 16:33 UTC (permalink / raw)
To: linux-audit
On Wednesday 03 December 2008 10:28:38 Loredan Stancu wrote:
> I know how to activate the audisp plugin; what I asked is how I can use it.
>
> What I need is an example of an application which can stay on the remote
> host, listen for incoming events sent by the audisp-remote plugin and store
> these events in a regular file.
The audit daemon does that. The second part of the setup is to configure the
log aggregator to receive events from the client system.
-Steve
* audisp-prelude problems
From: Loredan Stancu @ 2008-12-03 10:23 UTC (permalink / raw)
To: linux-audit
Hi,
I'm testing version 1.7.9 of audit using the audisp-prelude plugin and I have
some problems:
1. audisp-prelude plugin is not generating events when a user is logged in.
2. audisp-prelude plugin is not sending uid, gid to a prelude-manager
3. No events are generated for watched files/exec/mk_exe if no two -k
options are specified in the rule. One of the -k options should contain
'-k ids-type-severity' and another -k may contain anything. If you specify
only one -k option no events are generated.
Another question is how I can use audisp-remote to send events somewhere
remote?
Thx,
Loredan Stancu
* Re: audisp-prelude problems
From: Steve Grubb @ 2008-12-03 13:46 UTC (permalink / raw)
To: linux-audit
On Wednesday 03 December 2008 05:23:28 Loredan Stancu wrote:
> I'm testing version 1.7.9 of audit using the audisp-prelude plugin and I have
> some problems:
Might also be helpful to know which distribution and release, IOW Fedora 10?
> 1. audisp-prelude plugin is not generating events when a user is logged in.
Do you find USER_LOGIN events? ausearch --start today -m USER_LOGIN
Without that, you won't see anything.
> 2. audisp-prelude plugin is not sending uid, gid to a prelude-manager
For which event? The loginuid is mostly what I concentrated on since that
tells you how they got into the machine.
> 3. No events are generated for watched files/exec/mk_exe if no two -k
> options are specified in the rule. One of the -k options should contain
> '-k ids-type-severity' and another -k may contain anything. If you specify
> only one -k option no events are generated.
You need 2 rules to cover this:
auditctl -a exit,always -S fchmodat -F dir=/home -F 'a2&0111' -F filetype=file -k ids-mkexe-hi
auditctl -a exit,always -S fchmod,chmod -F dir=/home -F 'a1&0111' -F filetype=file -k ids-mkexe-hi
It works fine on my system. Also note that it depends on having a recent
kernel.
> Another question is how I can use audisp-remote to send events somewhere
> remote?
Assuming you are using Fedora, to set this up on client machines, you will
need to install the audispd-plugins package. Then you need to set the
remote_server and port in the /etc/audisp/audisp-remote.conf file.
The server that aggregates the logs does not need the plugins package
installed. It should have the tcp_listen_port set to the same port as the
clients in the /etc/audit/auditd.conf file. Then semanage needs to have the
same port in its database since the audit daemon is protected by SE Linux.
Assuming that you wanted the audit daemon listening on port 1000, you would
run:
semanage port -a -t audit_port_t -p tcp 1000.
The last step is to edit the /etc/hosts.allow file to configure tcp_wrappers to
allow the machines or subnets that the daemon should allow connections from.
-Steve
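The aggregator/client pairing Steve lays out here, plus his later refinement about local_port and tcp_client_ports, as an added Python consistency check (not code from the thread or from the audit package). The configuration texts are constructed samples; the file paths and option names are the ones named in the thread, and the hosts.allow check is a simple exact-address match, not a full tcp_wrappers pattern parser.

```python
"""Cross-check a client audisp-remote.conf against the aggregator's auditd.conf.

Added example, not code from the linux-audit thread or the audit package.
Checks the production settings discussed in the thread: client `port` equals
aggregator `tcp_listen_port`; client `local_port` is a fixed privileged port
(< 1024) that lies inside the aggregator's `tcp_client_ports` range (so only a
privileged process on the client can inject events); `transport` is tcp (the
thread says transport = ssl delivers nothing); hosts.allow grants the client.
All config texts below are constructed samples.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed: /etc/audisp/audisp-remote.conf on client M1, production settings
CLIENT_CONF_OK = """
remote_server = 192.168.1.10
port = 1000
local_port = 600
transport = tcp
"""

# Constructed: the same file with the casual settings Steve says not to use in production
CLIENT_CONF_WEAK = """
remote_server = 192.168.1.10
port = 1000
local_port = any
transport = tcp
"""

# Constructed: /etc/audit/auditd.conf on aggregator M3
SERVER_CONF = """
log_file = /var/log/audit/audit.log
tcp_listen_port = 1000
tcp_client_ports = 600-601
"""

# Constructed: /etc/hosts.allow on aggregator M3 (tcp_wrappers)
HOSTS_ALLOW = "auditd: 192.168.1.21 192.168.1.22\n"


def parse_kv(text: str) -> Dict[str, str]:
    """Parse the `key = value` lines used by auditd.conf and audisp-remote.conf."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def parse_port_range(value: str) -> Optional[Tuple[int, int]]:
    """tcp_client_ports is `N` or `N-M`; anything else means unrestricted (None)."""
    m = re.fullmatch(r"(\d+)(?:-(\d+))?", value.strip())
    if not m:
        return None
    lo = int(m.group(1))
    hi = int(m.group(2)) if m.group(2) else lo
    return lo, hi


def hosts_allowed(hosts_allow: str, client_ip: str) -> bool:
    """True if an `auditd:` line names client_ip or ALL (exact tokens only)."""
    for line in hosts_allow.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.lower().startswith("auditd:"):
            clients = line.split(":", 1)[1].replace(",", " ").split()
            if client_ip in clients or "ALL" in clients:
                return True
    return False


def check_remote_logging(client_conf: str, server_conf: str,
                         hosts_allow: str, client_ip: str) -> List[str]:
    """Return findings for one client/aggregator pair; an empty list means consistent."""
    client, server = parse_kv(client_conf), parse_kv(server_conf)
    findings = []
    if client.get("transport", "tcp") != "tcp":
        findings.append("transport is %r; only tcp delivers events" % client["transport"])
    if client.get("port") != server.get("tcp_listen_port"):
        findings.append("client port %s != aggregator tcp_listen_port %s"
                        % (client.get("port"), server.get("tcp_listen_port")))
    local_port = client.get("local_port", "any")
    if not local_port.isdigit() or int(local_port) >= 1024:
        findings.append("local_port is %r; production needs a fixed port < 1024" % local_port)
    rng = parse_port_range(server.get("tcp_client_ports", "any"))
    if rng is None:
        findings.append("aggregator tcp_client_ports is unrestricted")
    elif not (local_port.isdigit() and rng[0] <= int(local_port) <= rng[1]):
        findings.append("local_port %s outside tcp_client_ports %d-%d" % (local_port, *rng))
    if not hosts_allowed(hosts_allow, client_ip):
        findings.append("hosts.allow has no auditd entry for %s" % client_ip)
    return findings


if __name__ == "__main__":
    for label, conf in (("ok", CLIENT_CONF_OK), ("weak", CLIENT_CONF_WEAK)):
        print(label, check_remote_logging(conf, SERVER_CONF, HOSTS_ALLOW, "192.168.1.21"))
```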
* Re: audisp-prelude problems
From: LC Bruzenak @ 2008-12-03 15:17 UTC (permalink / raw)
To: Linux Audit
On Wed, 2008-12-03 at 08:46 -0500, Steve Grubb wrote:
>
> > Another question is how I can use audisp-remote to send events somewhere
> > remote?
>
> Assuming you are using Fedora, to set this up on client machines, you
> will need to install the audispd-plugins package. Then you need to set
> the remote_server and port in the /etc/audisp/audisp-remote.conf
> file.
(trivial) also set:
active = yes
in /etc/audisp/plugins.d/au-remote.conf
and see "TIPS" in audisp-remote(8) man page
LCB.
--
LC (Lenny) Bruzenak
lenny@magitekltd.com