Re: AUDIT changes - true sense of security

[Steve Grubb <sgrubb@redhat.com>]

On Friday, March 18, 2016 03:45:20 PM Warron S French wrote:
> Hello sir,
> The command with the '-l' argument, is that auditctl?
> The command with the '-s' argument... what is that one called, auditd?

These are both auditctl commands. The other command that you will need to read 
up on is ausearch which is used to examine the resulting logs.

-Steve


> Thanks for replying so quickly, sorry for being a nag.
> 
> Warron French, MBA, SCSA
> The Aerospace Corporation
> 
> -----Original Message-----
> From: Steve Grubb [mailto:sgrubb@redhat.com]
> Sent: Friday, March 18, 2016 9:56 AM
> To: linux-audit@redhat.com
> Cc: Warron S French <warron.s.french@aero.org>
> Subject: Re: AUDIT changes - true sense of security
> 
> On Friday, March 18, 2016 01:14:31 PM Warron S French wrote:
> > I have an issue, I believe, and I am asking for help on how to
> > properly address/assess it.
> > 
> > I have been given guidance in support of auditing on CentOS-6.x systems:
> > 
> > 1.       To place various watch (-w) and action (-a) rules into place.
> > 
> > 2.       Make certain the configurations are immutable.
> > 
> > Sometimes I have to add more rules, so I do that.   However, I am not
> > certain if the rules are working properly, and I do know that I have
> > broken the auditd init-scripts on my systems a few times, and just
> > commented out the offending audit controls to work around/fix this very
> > type of problem.
> While you are experimenting, do not put in the -e 2 configuration option.
> 
> > What I need to know is, since the configurations have to be immutable
> > ( with the -e 2) how can I properly start the audit service, and
> > without any inkling of a doubt be certain that the rules are in place
> > and are functioning properly?
> 
> There is a rule listing command, -l, that will dump what the kernel has
> loaded. There is also a status command, -s, that will tell you if audit is
> enabled. If the rules are loaded and audit is enabled, its working.
> > Also, being a total novice, how can I test/trigger audit log actions
> > on watch and action rules to see that the rules are configured properly?
> 
> If its a watch, then accessing the file and running ausearch should do it.
> If you have a syscall rule, then you have to trigger the syscall either by
> using a program or creating one.
> > Finally, is there a tool that will do a sanity check on the audit.rules
> > file?
> auditctl reports any problems that it sees with the rules.
> 
> > Or is the only option to attempt to restart the auditd service, and
> > think "It started, it worked!" is acceptable?
> 
> List the rules and status the audit subsystem.
> 
> -Steve