From: Dan Gruhn
Subject: Remote audit clients on RHEL 5.2
Date: Thu, 12 Feb 2009 12:01:33 -0500
Message-ID: <499455ED.3060208@groupw.com>
To: linux-audit@redhat.com

Greetings,

I have a 64 bit EL 5.2 system that I have built and installed all of the necessary packages for the latest audit (1.7.11-1), prelude and prewikka. (Does anyone need any binary RPM packages?).

This all seems to be working fine on the central cluster server and now I'm trying to set up clients in the cluster nodes to report their audit information to the server.  I've found the RHEL 5.3 release notes where it says:
In addition to the listed enhancements, these updated audit packages also include a new feature to allow a server to aggregate the logs of remote systems. The following instructions can be followed to enable this feature:
  1. The audispd-plugins package should be installed on all clients (but need not be installed on the server), and the parameters for "remote_server" and "port" should be set in the /etc/audisp/audisp-remote.conf configuration file.
  2. On the server, which aggregates the logs, the "tcp_listen_port" parameter in the /etc/audit/auditd.conf file must be set to the same port number as the clients.
  3. Because the auditd daemon is protected by SELinux, semanage (the SELinux policy management tool) must also have the same port listed in its database. If the server and client machines had all been configured to use port 1000, for example, then running this command would accomplish this:
    semanage port -a -t audit_port_t -p tcp 1000

  4. The final step in configuring remote log aggregation is to edit the /etc/hosts.allow configuration file to inform tcp_wrappers which machines or subnets the auditd daemon should allow connections from.
I'm on the step where I'm trying to run the semanage command to let SELinux know that port 60 (in my case) is acceptable for audit to use, but I get the following error message when I run the command:

# semanage port -a -t audit_port_t -p tcp 60
libsepol.context_from_record: type audit_port_t is not defined
libsepol.context_from_record: could not create context structure
libsepol.port_from_record: could not create port structure for range 60:60 (tcp)
libsepol.sepol_port_modify: could not load port range 60 - 60 (tcp)
libsemanage.dbase_policydb_modify: could not modify record value
libsemanage.semanage_base_merge_components: could not merge local modifications into policy
/usr/sbin/semanage: Could not add port tcp/60

I'm not much of a wiz at selinux, but I can tell that the audit_port_t type doesn't exist.  I'm stuck here because:

1) I don't know how to create new types in selinux
2) Even if I figured that out, I don't know how auditd would know to use that.

I've looked at the auditd executable, it has types like this:
-rwxr-x---  root root system_u:object_r:auditd_exec_t  /sbin/auditd

Could someone give me some pointers and/or point me to something I could read to get me going?

Thanks

Dan
--
Dan Gruhn, Group W Inc.
From: Steve Grubb
Subject: Re: Remote audit clients on RHEL 5.2
Date: Thu, 12 Feb 2009 12:43:03 -0500
Message-ID: <200902121243.03741.sgrubb@redhat.com>
In-Reply-To: <499455ED.3060208@groupw.com>

On Thursday 12 February 2009 12:01:33 pm Dan Gruhn wrote:
> I'm not much of a wiz at selinux, but I can tell that the audit_port_t type
> doesn't exist.  I'm stuck here because:
>
> 1) I don't know how to create new types in selinux
> 2) Even if I figured that out, I don't know how auditd would know to use
> that.
>
> I've looked at the auditd executable, it has types like this:
> -rwxr-x---  root root system_u:object_r:auditd_exec_t  /sbin/auditd
>
> Could someone give me some pointers and/or point me to something I could
> read to get me going?

You need to be using the SE Linux policy from the 5.3 update. Before 5.3, auditd never had a listening port and therefore selinux policy prior to it wouldn't have setup that type. I also think SE Linux policy may default to port 60 even though that port may not be guaranteed in the future.

Another thing that you should do on this is to setup the client's localport to bind to a port below 1024 and then set the server's tcp_client_ports to check that the ports are bound to that range as a security precaution.

-Steve


From: Dan Gruhn
Subject: Re: Remote audit clients on RHEL 5.2
Date: Thu, 12 Feb 2009 12:48:47 -0500
Message-ID: <499460FF.3050400@groupw.com>
In-Reply-To: <200902121243.03741.sgrubb@redhat.com>

Steve, thanks.

My system is a stand-alone in a secure environment so I can't just run a piece of software and get an update, and it is currently locked into 5.2 as we're working to get it approved by various powers. Is there any way to get the SE Linux policy from the 5.3 update as a separate piece?

Dan

Steve Grubb wrote:
> On Thursday 12 February 2009 12:01:33 pm Dan Gruhn wrote:
>
>> I'm not much of a wiz at selinux, but I can tell that the audit_port_t type
>> doesn't exist. I'm stuck here because:
>>
>> 1) I don't know how to create new types in selinux
>> 2) Even if I figured that out, I don't know how auditd would know to use
>> that.
>>
>> I've looked at the auditd executable, it has types like this:
>> -rwxr-x--- root root system_u:object_r:auditd_exec_t /sbin/auditd
>>
>> Could someone give me some pointers and/or point me to something I could
>> read to get me going?
>
> You need to be using the SE Linux policy from the 5.3 update. Before 5.3,
> auditd never had a listening port and therefore selinux policy prior to it
> wouldn't have setup that type. I also think SE Linux policy may default to
> port 60 even though that port may not be guaranteed in the future.
>
> Another thing that you should do on this is to setup the client's localport to
> bind to a port below 1024 and then set the server's tcp_client_ports to check
> that the ports are bound to that range as a security precaution.
>
> -Steve

-- 
Dan Gruhn
Group W Inc.
8315 Lee Hwy, Suite 303
Fairfax, VA, 22031
PH: (703) 752-5831
FX: (703) 752-5851


From: Dan Gruhn
Subject: Central Audit Server with Prelude and Prewikka - RHEL5
Date: Fri, 13 Feb 2009 15:11:26 -0500
Message-ID: <4995D3EE.3020005@groupw.com>
In-Reply-To: <499460FF.3050400@groupw.com>

Greetings,

I have a 64 bit EL 5.2 system that I have built and installed all of the necessary packages for the latest audit (1.7.11-1), prelude and prewikka.

This all seems to be working fine on the central cluster server and I have set up a client in a cluster node to report its audit information to the server. This seems to be working in that I see both the master and the node reporting their information in the master's /var/log/messages and /var/log/audit/audit.log. I still have an issue with SELinux and the port connection, but I'm running in permissive mode for now.

I'm using Prelude and Prewikka to view events and I see the master as a sensor/source and its events, but I don't see the node. I thought that once the audit/syslog information was making it to the central files the rest would also work but that doesn't seem to be the case.

Steve's "Audit + Prelude HOWTO" has been quite helpful, but it describes putting the client and server all on one machine (which I have working) and I'm just not getting what to change to add another client. I don't have prelude-manager running on the client, but it seems as though I don't need that.

Could someone give me a pointer on where to look for the problem?

Thanks,

Dan


From: Steve Grubb
Subject: Re: Central Audit Server with Prelude and Prewikka - RHEL5
Date: Fri, 13 Feb 2009 15:27:31 -0500
Message-ID: <200902131527.31766.sgrubb@redhat.com>
In-Reply-To: <4995D3EE.3020005@groupw.com>

On Friday 13 February 2009 03:11:26 pm Dan Gruhn wrote:
> I'm using Prelude and Prewikka to view events and I see the master as a
> sensor/source and its events, but I don't see the node.  I thought that
> once the audit/syslog information was making it to the central files the
> rest would also work but that doesn't seem to be the case.

Prelude has its own messaging protocol. It picks things out of its configuration files to fill in various fields in its data packets. So, if you have the audit-prelude sensor reading aggregated logs, it won't know these are coming from all over the place.

To use prelude the way it wants to be setup, you would have the audisp-prelude sensor on each machine sending to a central prelude-manager. Let audit send its data to its aggregator and prelude send its own data to its aggregator. Yes, there will be duplication...but it will work better.

-Steve


From: Dan Gruhn
Subject: Re: Central Audit Server with Prelude and Prewikka - RHEL5
Date: Fri, 13 Feb 2009 16:45:38 -0500
Message-ID: <4995EA02.8060200@groupw.com>
In-Reply-To: <200902131527.31766.sgrubb@redhat.com>

Steve,

Thanks for the advice. I was wondering about duplicating those information streams and needed the encouragement to go ahead.

One thing that did come up, I changed a lot of "localhost" references in the "Audit + Prelude HOWTO" and in the /etc/prelude/default/client.conf files to my actual server name (master) and I also changed a line in /etc/prelude-manager/prelude-manager.conf from

listen = 127.0.0.1

to

listen = master

All of these changes required me to revoke my old prelude-manager registrations under "localhost" and re-register all of the sensors to "master". Perhaps I didn't need all of this but it is all working now (except for my 5.2 SELinux problem).

I'm running prelude-lml on the master and I'll be figuring out if I should run it on each node or it will pick up everything from the master's /var/log/messages file. I'm thinking it would be better to keep things separate but I'll be testing.

If anyone can tell me if some of those "localhost" changes were not necessary it would be helpful to know for future reference. I could update the "Audit + Prelude HOWTO" with what I've found and send it back to Steve if that would be useful.

Dan

Steve Grubb wrote:
> On Friday 13 February 2009 03:11:26 pm Dan Gruhn wrote:
>
>> I'm using Prelude and Prewikka to view events and I see the master as a
>> sensor/source and its events, but I don't see the node. I thought that
>> once the audit/syslog information was making it to the central files the
>> rest would also work but that doesn't seem to be the case.
>
> Prelude has its own messaging protocol. It picks things out of its
> configuration files to fill in various fields in its data packets. So, if you
> have the audit-prelude sensor reading aggregated logs, it won't know these
> are coming from all over the place.
>
> To use prelude the way it wants to be setup, you would have the audisp-prelude
> sensor on each machine sending to a central prelude-manager. Let audit send
> its data to its aggregator and prelude send its own data to its aggregator.
> Yes, there will be duplication...but it will work better.
>
> -Steve


From: Dan Gruhn
Subject: Re: Remote audit clients on RHEL 5.2
Date: Tue, 17 Feb 2009 13:43:08 -0500
Message-ID: <499B053C.3050209@groupw.com>
In-Reply-To: <200902121338.50329.sgrubb@redhat.com>

I talked with the folks on the fedora-selinux-list and here is the result of that discussion:

The text file (auditd.te) for the proper SELinux policy module is as follows:

-----------
module auditd 0.0.3;

require {
    type auditd_t;
    attribute reserved_port_type;
    class tcp_socket { name_bind accept };
}

# The new port type, marked as a reserved (< 1024) port like other system ports.
type audit_port_t;
typeattribute audit_port_t reserved_port_type;

# Let auditd bind its listening socket to the port and accept connections on it.
allow auditd_t audit_port_t:tcp_socket { name_bind };
allow auditd_t self:tcp_socket accept;
---------------

Once you have the auditd.te file, you can compile it and check it for any errors:

checkmodule -M -m -o auditd.mod auditd.te

If you have no errors, you can then package the .mod file:

semodule_package -o auditd.pp -m auditd.mod

After packaging, insert it into SELinux:

semodule -i auditd.pp

You should now be able to find the policy module using the system-config-selinux GUI. After all of that, the port can be enabled under SELinux as per the RHEL 5.3 release notes:

semanage port -a -t audit_port_t -p tcp 60

My systems are now running clean. Thanks for the help.

Dan

Steve Grubb wrote:
> On Thursday 12 February 2009 12:48:47 pm Dan Gruhn wrote:
>
>> My system is a stand-alone in a secure environment so I can't just run a
>> piece of software and get an update, and it is currently locked into 5.2
>> as we're working to get it approved by various powers. Is there any way
>> to get the SE Linux policy from the 5.3 update as a separate piece?
>
> I was hoping Dan Walsh would answer...it's possible, but I don't know if the
> selinux people pull it with a bunch of other changes into the reference
> policy or not. You might be able to just get the 5.3 policy and look for the
> audit files and transplant them into 5.2 policy and diff against original 52
> policy to make a patch. You might need to ask on the Fedora-selinux mail list
> or the NSA selinux policy mail list if no one answers soon.
>
> -Steve
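The client/server port settings from the release-note steps in Dan's first message, together with Steve's precaution of pinning the client's local port below 1024 and enforcing the range with tcp_client_ports on the server, as an added consistency check (example code, not from the thread or the audit project). It assumes the audisp-remote.conf keys port and local_port (Steve writes "localport") and the auditd.conf keys tcp_listen_port and tcp_client_ports, and works on constructed config files in a temp dir, never on /etc.

```shell
#!/bin/sh
# Added example: cross-check a client's audisp-remote.conf against the
# aggregating server's auditd.conf. Files below are constructed samples;
# the real ones are /etc/audisp/audisp-remote.conf and /etc/audit/auditd.conf.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/audisp-remote.conf" <<'EOF'
# client side, constructed sample
remote_server = master
port = 60
local_port = 601
EOF

cat > "$WORK/auditd.conf" <<'EOF'
# server side, constructed sample
tcp_listen_port = 60
tcp_client_ports = 1-1023
EOF

# conf_get FILE KEY: value of a "KEY = value" line, ignoring comments/whitespace.
conf_get() {
    awk -F= -v k="$2" '
        $1 ~ ("^[ \t]*" k "[ \t]*$") { gsub(/[ \t]/, "", $2); print $2; exit }
    ' "$1"
}

# audit_port_check CLIENT_CONF SERVER_CONF
# Prints a diagnosis; returns 0 only when client and server settings agree.
audit_port_check() {
    port=$(conf_get "$1" port)
    listen=$(conf_get "$2" tcp_listen_port)
    local_port=$(conf_get "$1" local_port)
    range=$(conf_get "$2" tcp_client_ports)

    [ -n "$listen" ] || { echo "server: tcp_listen_port not set"; return 1; }
    [ "$port" = "$listen" ] || { echo "client port $port != server tcp_listen_port $listen"; return 1; }
    # Only root can bind a port below 1024, so a privileged source port is a weak
    # assurance that the sender is a root-owned daemon rather than any local user.
    case "$local_port" in
        ''|any) echo "client: local_port unset; server cannot restrict source ports"; return 1 ;;
    esac
    [ "$local_port" -lt 1024 ] || { echo "client local_port $local_port is not below 1024"; return 1; }
    [ -n "$range" ] || { echo "server: tcp_client_ports not set; any source port accepted"; return 1; }
    low=${range%-*}; high=${range#*-}      # "low-high" or a single port
    if [ "$local_port" -lt "$low" ] || [ "$local_port" -gt "$high" ]; then
        echo "client local_port $local_port outside server tcp_client_ports $range"; return 1
    fi
    echo "OK: client local_port $local_port -> server port $listen, accepted range $range"
}

audit_port_check "$WORK/audisp-remote.conf" "$WORK/auditd.conf"
```

The SELinux port label from the thread (semanage port -a -t audit_port_t ...) and the hosts.allow entry still have to match the same tcp_listen_port value; this check only covers the two auditd-side files.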