public inbox for linux-audit@redhat.com
* auditing for RHEL ES4
@ 2007-11-16 15:54 Bill Tangren
  2007-11-16 16:11 ` Kevin Boyce
  2007-11-16 16:24 ` Steve Grubb
  0 siblings, 2 replies; 9+ messages in thread
From: Bill Tangren @ 2007-11-16 15:54 UTC
  To: linux-audit

I'm running RHEL ES 4 servers, and am having difficulty with aureport. I'm
using audit version 1.0.15-3, the one that comes with the OS. The problem
is that I need daily reports, and it is not doing it. The reports always
cover the entire range of available logs (sometimes gigabytes of data).
The reports can take a LONG time to compile, and it doesn't give me the
daily snapshot I need. I'm thinking of installing the latest tarball and
compiling, as I understand more recent versions of aureport have
implemented time limits. [I've emailed this list before about this.]

My question now is, is it possible to uninstall the prepackaged audit and
audit-lib, and install the latest from source, without seriously hosing my
system?

TIA,


-- 
Bill Tangren
U.S. Naval Observatory

* Re: auditing for RHEL ES4
  2007-11-16 15:54 auditing for RHEL ES4 Bill Tangren
@ 2007-11-16 16:11 ` Kevin Boyce
  2007-11-16 16:12   ` Kevin Boyce
  2007-11-16 16:24 ` Steve Grubb
  1 sibling, 1 reply; 9+ messages in thread
From: Kevin Boyce @ 2007-11-16 16:11 UTC
  To: Bill Tangren; +Cc: linux-audit

I would download the source rpms, make your changes, change the version,
and use the "rpm -Uhv" to upgrade existing packages.

Kevin Boyce
Northrop Grumman Corp.


On Fri, 2007-11-16 at 10:54 -0500, Bill Tangren wrote:

> I'm running RHEL ES 4 servers, and am having difficulty with aureport. I'm
> using audit version 1.0.15-3, the one that comes with the OS. The problem
> is that I need daily reports, and it is not doing it. The reports always
> cover the entire range of available logs (sometimes gigabytes of data).
> The reports can take a LONG time to compile, and it doesn't give me the
> daily snapshot I need. I'm thinking of installing the latest tarball and
> compiling, as I understand more recent versions of aureport have
> implemented time limits. [I've emailed this list before about this.]
> 
> My question now is, is it possible to uninstall the prepackaged audit and
> audit-lib, and install the latest from source, without seriously hosing my
> system?
> 
> TIA,
> 
> 

* Re: auditing for RHEL ES4
  2007-11-16 16:11 ` Kevin Boyce
@ 2007-11-16 16:12   ` Kevin Boyce
  2007-11-16 16:15     ` Bill Tangren
  0 siblings, 1 reply; 9+ messages in thread
From: Kevin Boyce @ 2007-11-16 16:12 UTC
  To: Bill Tangren; +Cc: linux-audit

Oops, don't forget to recompile, and then the "rpm -Uhv"

On Fri, 2007-11-16 at 11:11 -0500, Kevin Boyce wrote:

> I would download the source rpms, make your changes, change the
> version, and use the "rpm -Uhv" to upgrade existing packages.
> 
> Kevin Boyce
> Northrop Grumman Corp.
> 
> 
> On Fri, 2007-11-16 at 10:54 -0500, Bill Tangren wrote: 
> 
> > I'm running RHEL ES 4 servers, and am having difficulty with aureport. I'm
> > using audit version 1.0.15-3, the one that comes with the OS. The problem
> > is that I need daily reports, and it is not doing it. The reports always
> > cover the entire range of available logs (sometimes gigabytes of data).
> > The reports can take a LONG time to compile, and it doesn't give me the
> > daily snapshot I need. I'm thinking of installing the latest tarball and
> > compiling, as I understand more recent versions of aureport have
> > implemented time limits. [I've emailed this list before about this.]
> > 
> > My question now is, is it possible to uninstall the prepackaged audit and
> > audit-lib, and install the latest from source, without seriously hosing my
> > system?
> > 
> > TIA,
> > 
> > 
> 
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit

* Re: auditing for RHEL ES4
  2007-11-16 16:12   ` Kevin Boyce
@ 2007-11-16 16:15     ` Bill Tangren
  0 siblings, 0 replies; 9+ messages in thread
From: Bill Tangren @ 2007-11-16 16:15 UTC
  To: linux-audit


On DATE, the author spaketh: Kevin Boyce
> Oops, don't forget to recompile, and then the "rpm -Uhv"
>
> On Fri, 2007-11-16 at 11:11 -0500, Kevin Boyce wrote:
>
>> I would download the source rpms, make your changes, change the
>> version, and use the "rpm -Uhv" to upgrade existing packages.
>>
>> Kevin Boyce
>> Northrop Grumman Corp.

Which sources? The source for the code I'm using now, or the latest
tarball? And which changes? And where do I get the latest tarball? I did
some googling, but didn't find anything that was obviously what I should
use.


>>
>>
>> On Fri, 2007-11-16 at 10:54 -0500, Bill Tangren wrote:
>>
>> > I'm running RHEL ES 4 servers, and am having difficulty with aureport. I'm
>> > using audit version 1.0.15-3, the one that comes with the OS. The problem
>> > is that I need daily reports, and it is not doing it. The reports always
>> > cover the entire range of available logs (sometimes gigabytes of data).
>> > The reports can take a LONG time to compile, and it doesn't give me the
>> > daily snapshot I need. I'm thinking of installing the latest tarball and
>> > compiling, as I understand more recent versions of aureport have
>> > implemented time limits. [I've emailed this list before about this.]
>> >
>> > My question now is, is it possible to uninstall the prepackaged audit and
>> > audit-lib, and install the latest from source, without seriously hosing my
>> > system?
>> >
>> > TIA,
>> >
>> >
>>
>> --
>> Linux-audit mailing list
>> Linux-audit@redhat.com
>> https://www.redhat.com/mailman/listinfo/linux-audit
>


-- 
Bill Tangren
U.S. Naval Observatory

* Re: auditing for RHEL ES4
  2007-11-16 15:54 auditing for RHEL ES4 Bill Tangren
  2007-11-16 16:11 ` Kevin Boyce
@ 2007-11-16 16:24 ` Steve Grubb
  2007-11-16 16:41   ` Bill Tangren
  2007-12-26 21:15   ` Bill Tangren
  1 sibling, 2 replies; 9+ messages in thread
From: Steve Grubb @ 2007-11-16 16:24 UTC
  To: linux-audit

On Friday 16 November 2007 10:54:40 Bill Tangren wrote:
> The reports always cover the entire range of available logs (sometimes
> gigabytes of data). The reports can take a LONG time to compile, and it
> doesn't give me the daily snapshot I need.

Use the -ts and -te commandline options to limit the report range. It requires 
the date format to be correct for your locale - iow   date "+%x %T". The 
older version does not support words like today or yesterday.


> I'm thinking of installing the latest tarball and compiling, as I understand
> more recent versions of aureport have implemented time limits.

The older one does, too.


> My question now is, is it possible to uninstall the prepackaged audit and
> audit-lib, and install the latest from source, without seriously hosing my
> system?

No, it will not work. RHEL4 (and derivatives) has to use the 1.0.X series of 
audit packages.

-Steve

* Re: auditing for RHEL ES4
  2007-11-16 16:24 ` Steve Grubb
@ 2007-11-16 16:41   ` Bill Tangren
  2007-12-26 21:15   ` Bill Tangren
  1 sibling, 0 replies; 9+ messages in thread
From: Bill Tangren @ 2007-11-16 16:41 UTC
  To: linux-audit


On DATE, the author spaketh: Steve Grubb
> On Friday 16 November 2007 10:54:40 Bill Tangren wrote:
>> The reports always cover the entire range of available logs (sometimes
>> gigabytes of data). The reports can take a LONG time to compile, and it
>> doesn't give me the daily snapshot I need.
>
> Use the -ts and -te commandline options to limit the report range. It
> requires the date format to be correct for your locale - iow date "+%x %T".
> The older version does not support words like today or yesterday.
>

I see. So I misunderstood what you said when I asked about this before.

Thanks, Steve!

>
>> I'm thinking of installing the latest tarball and compiling, as I
>> understand more recent versions of aureport have implemented time limits.
>
> The older one does, too.
>
>
>> My question now is, is it possible to uninstall the prepackaged audit
>> and audit-lib, and install the latest from source, without seriously
>> hosing my system?
>
> No, it will not work. RHEL4 (and derivatives) has to use the 1.0.X series
> of audit packages.
>
> -Steve
>


-- 
Bill Tangren
U.S. Naval Observatory

* Re: auditing for RHEL ES4
  2007-11-16 16:24 ` Steve Grubb
  2007-11-16 16:41   ` Bill Tangren
@ 2007-12-26 21:15   ` Bill Tangren
  2007-12-26 21:43     ` Steve Grubb
  1 sibling, 1 reply; 9+ messages in thread
From: Bill Tangren @ 2007-12-26 21:15 UTC
  To: linux-audit


> On Friday 16 November 2007 10:54:40 Bill Tangren wrote:
>> The reports always cover the entire range of available logs (sometimes
>> gigabytes of data). The reports can take a LONG time to compile, and it
>> doesn't give me the daily snapshot I need.
>
> Use the -ts and -te commandline options to limit the report range. It
> requires the date format to be correct for your locale - iow date "+%x %T".
> The older version does not support words like today or yesterday.
>
>

I now have time to work on this. I did this for an example:

[root@www ~]# aureport -ts `date "+%x 16:00:00"`

Summary Report
======================
Range of time: 12/12/2007 00:33:26.629 - 12/26/2007 16:08:11.825
Number of changes in configuration: 0
Number of changes to accounts or groups: 0
Number of logins: 0
Number of failed logins: 0
Number of users: 2
Number of terminals: 1
Number of host names: 1
Number of executables: 8
Number of files: 11
Number of AVC denials: 0
Number of failed syscalls: 10
Number of watched file events: 36
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of process IDs: 14
Number of events: 65

[root@www ~]# aureport -ts `date "+%x 00:00:00"`

Summary Report
======================
Range of time: 12/12/2007 00:33:26.629 - 12/26/2007 16:08:26.817
Number of changes in configuration: 0
Number of changes to accounts or groups: 0
Number of logins: 1
Number of failed logins: 0
Number of users: 2
Number of terminals: 3
Number of host names: 2
Number of executables: 54
Number of files: 225
Number of AVC denials: 0
Number of failed syscalls: 834
Number of watched file events: 1550
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of process IDs: 651
Number of events: 3388

[root@www ~]#

Notice that the range times are the same for both examples, but the other
results are different. Is there a problem with the range times?

-- 

Bill Tangren
U.S. Naval Observatory

* Re: auditing for RHEL ES4
  2007-12-26 21:15   ` Bill Tangren
@ 2007-12-26 21:43     ` Steve Grubb
  2007-12-26 22:03       ` Bill Tangren
  0 siblings, 1 reply; 9+ messages in thread
From: Steve Grubb @ 2007-12-26 21:43 UTC
  To: linux-audit

On Wednesday 26 December 2007 16:15:16 Bill Tangren wrote:
> Notice that the range times are the same for both examples, but the other
> results are different. Is there a problem with the range times?

No, this was amended in later versions of aureport to state that this is the 
range of time held in the logs and also added a line showing the range of 
time selected for the report.

-Steve
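One way to script the daily snapshot Steve describes in his two replies above, as an added example that is not code from the thread or from the audit project: it passes -ts and -te with locale-formatted dates (the 1.0.x aureport has no "today"/"yesterday" keywords) and prints the selected range itself, because the 1.0.x "Range of time:" line shows what the logs hold, not what was selected. It assumes GNU date (as on RHEL) and aureport on PATH; the /var/log/audit-reports directory is a hypothetical choice.

```shell
#!/bin/sh
# Added example, not code from the thread or the audit project: a daily
# aureport wrapper for the audit 1.0.x series shipped with RHEL 4.
# Assumptions: GNU date (as on RHEL) and aureport on PATH; the report
# directory below is a hypothetical choice.

# Locale-formatted date for "yesterday". The 1.0.x aureport has no
# "today"/"yesterday" keywords, so a real date in the locale's %x form
# has to be supplied; %x is the same format aureport expects for -ts/-te.
yesterday_date() {
    date -d yesterday "+%x"
}

# Print the four words that cover one whole calendar day:
# "<date> 00:00:00 <date> 23:59:59". aureport takes the date and the time
# as two separate arguments, which is why they are kept as separate words.
daily_range() {
    printf '%s 00:00:00 %s 23:59:59\n' "$1" "$1"
}

# Produce the daily snapshot for one day (default: yesterday).
# The 1.0.x "Range of time:" line reports the span held in the logs, not
# the span selected, so the selected range is printed first to make the
# report self-describing (later aureport versions add such a line themselves).
daily_report() {
    day="${1:-$(yesterday_date)}"
    # Word-split the range into $1..$4 (assumes the locale's %x has no spaces).
    set -- $(daily_range "$day")
    echo "Selected range: $1 $2 - $3 $4"
    aureport -ts "$1" "$2" -te "$3" "$4"
}

# Typical cron use: keep one dated file per day.
#   mkdir -p /var/log/audit-reports
#   daily_report > /var/log/audit-reports/$(date -d yesterday +%Y%m%d).txt
```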

* Re: auditing for RHEL ES4
  2007-12-26 21:43     ` Steve Grubb
@ 2007-12-26 22:03       ` Bill Tangren
  0 siblings, 0 replies; 9+ messages in thread
From: Bill Tangren @ 2007-12-26 22:03 UTC
  To: linux-audit


> On Wednesday 26 December 2007 16:15:16 Bill Tangren wrote:
>> Notice that the range times are the same for both examples, but the
>> other results are different. Is there a problem with the range times?
>
> No, this was amended in later versions of aureport to state that this is
> the range of time held in the logs and also added a line showing the range
> of time selected for the report.
>
> -Steve
>

Thanks, Steve.


-- 

Bill Tangren
U.S. Naval Observatory
