From: Steve Grubb
Subject: Re: AUDIT changes - true sense of security
Date: Fri, 18 Mar 2016 09:55:57 -0400
Message-ID: <2847728.hyf82qzeWv@x2>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Friday, March 18, 2016 01:14:31 PM Warron S French wrote:
> I have an issue, I believe, and I am asking for help on how to properly
> address/assess it.
>
> I have been given guidance in support of auditing on CentOS-6.x systems:
>
> 1. To place various watch (-w) and action (-a) rules into place.
>
> 2. Make certain the configurations are immutable.
>
> Sometimes I have to add more rules, so I do that. However, I am not
> certain if the rules are working properly, and I do know that I have broken
> the auditd init-scripts on my systems a few times, and just commented out
> the offending audit controls to work around/fix this very type of problem.

While you are experimenting, do not put in the -e 2 configuration option.

> What I need to know is, since the configurations have to be immutable (with
> the -e 2) how can I properly start the audit service, and without any
> inkling of a doubt be certain that the rules are in place and are
> functioning properly?

There is a rule listing command, -l, that will dump what the kernel has
loaded. There is also a status command, -s, that will tell you if audit is
enabled. If the rules are loaded and audit is enabled, it's working.

> Also, being a total novice, how can I test/trigger audit log actions on
> watch and action rules to see that the rules are configured properly?

If it's a watch, then accessing the file and running ausearch should do it.
If you have a syscall rule, then you have to trigger the syscall either by
using a program or creating one.

> Finally, is there a tool that will do a sanity check on the audit.rules file?

auditctl reports any problems that it sees with the rules.

> Or is the only option to attempt to restart the auditd service, and think
> "It started, it worked!" is acceptable?

List the rules and status the audit subsystem.

-Steve
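The check Steve describes, listing the loaded rules with -l and the enabled flag with -s and comparing against audit.rules, as an added shell example that is not part of the thread or of the audit package. It assumes that `auditctl -l` echoes rules in the same command syntax as audit.rules (older releases print a `LIST_RULES:` form instead, which this does not parse); the sample outputs are constructed stand-ins for the real commands.

```bash
#!/bin/bash
# Added example, not from the thread. Checks audit state and loaded rules from
# the text of 'auditctl -s' and 'auditctl -l'. Sample outputs below are
# constructed; on a real host pass "$(auditctl -s)" and "$(auditctl -l)".

# Print the "enabled" value (0 off, 1 on, 2 immutable) from 'auditctl -s' text.
# Handles both the one-line "AUDIT_STATUS: enabled=1 ..." form and the
# newer "enabled 1" per-line form.
audit_enabled_level() {
    printf '%s\n' "$1" | sed -n 's/.*enabled[= ]\([0-9]\).*/\1/p' | head -n 1
}

# Normalise one rule line so audit.rules text and 'auditctl -l' text compare
# equal: "-F key=x" becomes "-k x" and runs of whitespace collapse to one space.
norm_rule() {
    printf '%s\n' "$1" | sed -e 's/-F key=/-k /' -e 's/[[:space:]]\{1,\}/ /g' \
                             -e 's/^ //' -e 's/ $//'
}

# $1: audit.rules contents, $2: 'auditctl -l' contents.
# Prints each watch/action rule from $1 that the kernel does not report as
# loaded. Control lines (-D, -b, -e, -f, -r, comments) are skipped.
# Returns 0 when every rule is loaded, 1 otherwise.
missing_rules() {
    local rc=0 rule loaded
    loaded=$(printf '%s\n' "$2" | while IFS= read -r l; do norm_rule "$l"; done)
    while IFS= read -r rule; do
        case "$rule" in ''|'#'*|-D*|-b*|-e*|-f*|-r*) continue ;; esac
        rule=$(norm_rule "$rule")
        if ! printf '%s\n' "$loaded" | grep -qxF -- "$rule"; then
            printf 'MISSING: %s\n' "$rule"
            rc=1
        fi
    done <<EOF
$1
EOF
    return $rc
}

# Constructed sample data (stand-ins for real command output).
SAMPLE_RULES='# watches from audit.rules
-D
-b 320
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-a always,exit -F arch=b64 -S settimeofday -k time-change
-e 2'
SAMPLE_STATUS='AUDIT_STATUS: enabled=2 flag=1 pid=1234 rate_limit=0 backlog_limit=320 lost=0 backlog=0'
SAMPLE_LOADED='-w /etc/passwd -p wa -k identity
-a always,exit -F arch=b64 -S settimeofday -F key=time-change'

[ "$(audit_enabled_level "$SAMPLE_STATUS")" = 2 ] && echo "audit enabled and immutable"
missing_rules "$SAMPLE_RULES" "$SAMPLE_LOADED" || echo "some rules are NOT loaded"
```

With the sample data the /etc/shadow watch is reported as missing, which is exactly the case where "it started" would have been mistaken for "it worked".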