From mboxrd@z Thu Jan 1 00:00:00 1970 From: Margaret M Sanders Subject: VERY basic question Date: Mon, 10 Feb 2014 19:20:37 +0000 Message-ID: <2AAF61416E46C443A2E009DC0ECCF02C0560DA@swri16exbe1.electro.swri.edu> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="===============3580556801603760618==" Return-path: Received: from mx1.redhat.com (ext-mx14.extmail.prod.ext.phx2.redhat.com [10.5.110.19]) by int-mx10.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id s1AJKgOk004354 for ; Mon, 10 Feb 2014 14:20:42 -0500 Received: from esg260-1.itc.swri.edu (esg260-1.itc.swri.edu [129.162.252.40]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id s1AJKerM030207 for ; Mon, 10 Feb 2014 14:20:40 -0500 Received: from exchmail.swri.org (casht256-1.adm.swri.edu [129.162.243.120]) by esg260-1.itc.swri.edu (8.14.5/8.14.5) with ESMTP id s1AJKdBG007333 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT) for ; Mon, 10 Feb 2014 13:20:39 -0600 Content-Language: en-US List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: "linux-audit@redhat.com" List-Id: linux-audit@redhat.com --===============3580556801603760618== Content-Language: en-US Content-Type: multipart/alternative; boundary="_000_2AAF61416E46C443A2E009DC0ECCF02C0560DAswri16exbe1electr_" --_000_2AAF61416E46C443A2E009DC0ECCF02C0560DAswri16exbe1electr_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Hi all. I 've been lurking around, listening for things I can use...but I'm= not where you guys are at in terms of auditing. I still have a requiremen= t, however. So, help me to understand a very basic functioning of Linux (I imagine its = basic). In a standalone system: How in the world do I capture, create and save human readable reports and t= hen clear audit logs. Which BASIC /var/log should every accidental sysad (like myself) be capturi= ng? I know where to put the audit rules, but at this point, I'm just sort of fo= llowing instructions for that without any real sense of understanding. The= farthest I've gotten is -w means watch. If you guys would take a moment to ask such a rudimentary question, I might= be able to move past go. Thank you for your time. Margaret M. Sanders SwRI ISSO/ATA --_000_2AAF61416E46C443A2E009DC0ECCF02C0560DAswri16exbe1electr_ Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable

Hi all. I ‘ve been lurking around, listening f= or things I can use…but I’m not where you guys are at in terms = of auditing.  I still have a requirement, however. 

 

So, help me to understand a very basic functioning o= f Linux (I imagine its basic). 

 

In a standalone system:

 

How in the world do I capture, create and save human= readable reports and then clear audit logs. 

 

Which BASIC /var/log should every accidental sysad (= like myself) be capturing?

 

I know where to put the audit rules, but at this poi= nt, I’m just sort of following instructions for that without any real= sense of understanding.  The farthest I’ve gotten is –w m= eans watch.

 

If you guys would take a moment to ask such a rudime= ntary question, I might be able to move past go.

 

Thank you for your time.

 

Margaret M. Sanders

SwRI ISSO/ATA

 

--_000_2AAF61416E46C443A2E009DC0ECCF02C0560DAswri16exbe1electr_-- --===============3580556801603760618== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline --===============3580556801603760618==-- From mboxrd@z Thu Jan 1 00:00:00 1970 From: Steve Grubb Subject: Re: VERY basic question Date: Tue, 11 Feb 2014 08:57:07 -0500 Message-ID: <22099555.MmjXLMlauy@x2> References: <2AAF61416E46C443A2E009DC0ECCF02C0560DA@swri16exbe1.electro.swri.edu> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <2AAF61416E46C443A2E009DC0ECCF02C0560DA@swri16exbe1.electro.swri.edu> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: linux-audit@redhat.com Cc: Margaret M Sanders List-Id: linux-audit@redhat.com On Monday, February 10, 2014 07:20:37 PM Margaret M Sanders wrote: > In a standalone system: > > How in the world do I capture, create and save human readable reports and > then clear audit logs. aureport is a good starting point. As for what you want out of it...that would depend on your security policy and threat model. For example, I put key labels on all rules. So, the main thing I want to see is the key summary report so that I have a general idea of what is going on with the system. Based on that, I then look closer at events with certain keys. For others, its different. I have seen in the past perl scripts that run several aureport commands and formats it into a report. But there really isn't a consensus on what a standard report would be. > Which BASIC /var/log should every accidental sysad (like myself) be > capturing? > > I know where to put the audit rules, but at this point, I'm just sort of > following instructions for that without any real sense of understanding. > The farthest I've gotten is -w means watch. > > If you guys would take a moment to ask such a rudimentary question, I might > be able to move past go. The audit.rules man page has some tips and pointers for rules and investigations. There is also some documentation here: https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html and other distributions have documentation you can look at as well. Try "linux audit documentation" as a search to find more. -Steve