From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: audisp-prelude problems
Date: Wed, 3 Dec 2008 08:46:41 -0500 [thread overview]
Message-ID: <200812030846.42362.sgrubb@redhat.com> (raw)
In-Reply-To: <37996.193.230.245.33.1228299808.squirrel@secure.myclar.ro>
On Wednesday 03 December 2008 05:23:28 Loredan Stancu wrote:
> I'm testing version 1.7.9 of audit using audisp-prelude plugin and I have
> some problems:
Might also be helpful to know which distribution and release, IOW Fedora 10?
> 1. audisp-prelude plugin is not generating events when a user is logged in.
Do you find USER_LOGIN events? ausearch --start today -m USER_LOGIN
Without that, you won't see anything.
> 2. audisp-prelude plugin is not sending uid, gid to a prelude-manager
For which event? The loginuid is mostly what I concentrated on since that
tells you how they got into the machine.
> 3. No events are generate for watched files/exec/mk_exe if no tow -k
> options are specified in the rule. One of the -k options should contain
> '-k ids-type-severity' and another -k may contain anything. If you specify
> only one -k options no events are generated.
You need 2 rules to cover this:
auditctl -a exit,always -S fchmodat -F dir=/home -F 'a2&0111' -F filetype=file
-k ids-mkexe-hi
auditctl -a exit,always -S fchmod,chmod -F dir=/home -F 'a1&0111'
-F filetype=file -k ids-mkexe-hi
It works fine on my system. Also note that it depends on having a recent
kernel.
> Another question is how I can use audisp-remote to send events somewhere
> remote?
Assuming you are using Fedora, to set this up on client machines, you will
need to install the audispd-plugins package. Then you need to set the
remote_server and port in the /etc/audisp/audisp-remote.conf file.
The server that aggregates the logs does not need the plugins package
installed. It should have the tcp_listen_port set to the same port as the
clients in the /etc/audit/auditd.conf file. Then semanage needs to have the
same port in its database since the audit daemon is protected by SE Linux.
Assuming that you wanted the audit daemon listening on port 1000, you would
run:
semanage port -a -t audit_port_t -p tcp 1000.
The last step is to edit the /etc/hosts.allow file to configure tcp_wrappers to
allow the machines or subnets that the daemon should allow connections from.
-Steve
next prev parent reply other threads:[~2008-12-03 13:46 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-12-03 10:23 audisp-prelude problems Loredan Stancu
2008-12-03 13:46 ` Steve Grubb [this message]
2008-12-03 15:17 ` LC Bruzenak
-- strict thread matches above, loose matches on Subject: below --
2008-12-03 15:28 Loredan Stancu
2008-12-03 16:33 ` Steve Grubb
2008-12-03 16:38 LC Bruzenak
2008-12-03 16:53 Loredan Stancu
2008-12-03 17:02 ` Steve Grubb
2008-12-03 17:17 ` LC Bruzenak
2008-12-03 17:34 ` Steve Grubb
2008-12-03 17:58 Loredan Stancu
2008-12-03 20:22 ` Steve Grubb
2008-12-04 13:10 Loredan Stancu
2008-12-04 13:41 ` Steve Grubb
2008-12-04 14:57 Loredan Stancu
2008-12-04 15:33 ` Steve Grubb
2008-12-04 15:38 Loredan Stancu
2008-12-04 15:56 ` Steve Grubb
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200812030846.42362.sgrubb@redhat.com \
--to=sgrubb@redhat.com \
--cc=linux-audit@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox