From mboxrd@z Thu Jan 1 00:00:00 1970 From: Warron S French Subject: AUDIT changes - true sense of security Date: Fri, 18 Mar 2016 13:14:31 +0000 Message-ID: Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="===============3512514321216927527==" Return-path: Received: from mx1.redhat.com (ext-mx02.extmail.prod.ext.phx2.redhat.com [10.5.110.26]) by int-mx10.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id u2IDEb4Z005271 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO) for ; Fri, 18 Mar 2016 09:14:37 -0400 Received: from email5-west.aero.org (email5-west.aero.org [130.221.16.30]) by mx1.redhat.com (Postfix) with ESMTPS id 47CED8E363 for ; Fri, 18 Mar 2016 13:14:36 +0000 (UTC) Content-Language: en-US List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: "Linux-Audit@redhat.com" List-Id: linux-audit@redhat.com --===============3512514321216927527== Content-Language: en-US Content-Type: multipart/alternative; boundary="_000_BY1PR09MB088799C76DC1A164BEF95168C78C0BY1PR09MB0887namp_" --_000_BY1PR09MB088799C76DC1A164BEF95168C78C0BY1PR09MB0887namp_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Hello all, I do work that requires me to configure auditing on my syst= ems. I am a relative novice to the audit configurations in most operating = systems. I have an issue, I believe, and I am asking for help on how to properly add= ress/assess it. I have been given guidance in support of auditing on CentOS-6.x systems: 1. To place various watch (-w) and action (-a) rules into place. 2. Make certain the configurations are immutable. Sometimes I have to add more rules, so I do that. However, I am not certa= in if the rules are working properly, and I do know that I have broken the = auditd init-scripts on my systems a few times, and just commented out the o= ffending audit controls to work around/fix this very type of problem. What I need to know is, since the configurations have to be immutable ( wit= h the -e 2) how can I properly start the audit service, and without any ink= ling of a doubt be certain that the rules are in place and are functioning = properly? Also, being a total novice, how can I test/trigger audit log actions on wat= ch and action rules to see that the rules are configured properly? Finally, is there a tool that will do a sanity check on the audit.rules fil= e? Or is the only option to attempt to restart the auditd service, and thi= nk "It started, it worked!" is acceptable? I just don't want a false sense of security, I also don't want a nagging se= nse of paranoia. Thank you, Warron French, MBA, SCSA The Aerospace Corporation --_000_BY1PR09MB088799C76DC1A164BEF95168C78C0BY1PR09MB0887namp_ Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable

Hello all,

&nbs= p; I do work that requires me to config= ure auditing on my systems. I am a relative novice to the audit confi= gurations in most operating systems.

I have an issue, I believe, and I am asking for help= on how to properly address/assess it.

I have been given guidance in support of auditing on= CentOS-6.x systems:

1. To place various watch (-w) and action (-a) rules i= nto place.

2. Make certain the configurations are immutable.=

Sometimes I have to add more rules, so I do that.&nb= sp; However, I am not certain if the rules are working properly, and = I do know that I have broken the auditd init-scripts on my systems a few ti= mes, and just commented out the offending audit controls to work around/fix this very type of problem.

What I need to know is, since the configurations hav= e to be immutable ( with the –e 2) how can I properly start the audit= service, and without any inkling of a doubt be certain that the rules are = in place and are functioning properly?

Also, being a total novice, how can I test/trigger a= udit log actions on watch and action rules to see that the rules are configured p= roperly?

Finally, is there a tool that will do a sanity check= on the audit.rules file? Or is the only option to attempt to restart= the auditd service, and think “It started, it worked!&= #8221; is acceptable?

I just don’t want a false sense of security, I= also don’t want a nagging sense of paranoia.

Thank you,

Warron French, MBA, SCSA

The Aerospace Corporatio= n

--_000_BY1PR09MB088799C76DC1A164BEF95168C78C0BY1PR09MB0887namp_-- --===============3512514321216927527== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline --===============3512514321216927527==-- From mboxrd@z Thu Jan 1 00:00:00 1970 From: Steve Grubb Subject: Re: AUDIT changes - true sense of security Date: Fri, 18 Mar 2016 09:55:57 -0400 Message-ID: <2847728.hyf82qzeWv@x2> References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: linux-audit@redhat.com List-Id: linux-audit@redhat.com On Friday, March 18, 2016 01:14:31 PM Warron S French wrote: > I have an issue, I believe, and I am asking for help on how to properly > address/assess it. > > I have been given guidance in support of auditing on CentOS-6.x systems: > > 1. To place various watch (-w) and action (-a) rules into place. > > 2. Make certain the configurations are immutable. > > Sometimes I have to add more rules, so I do that. However, I am not > certain if the rules are working properly, and I do know that I have broken > the auditd init-scripts on my systems a few times, and just commented out > the offending audit controls to work around/fix this very type of problem. While you are experimenting, do not put in the -e 2 configuration option. > > > What I need to know is, since the configurations have to be immutable ( with > the -e 2) how can I properly start the audit service, and without any > inkling of a doubt be certain that the rules are in place and are > functioning properly? There is a rule listing command, -l, that will dump what the kernel has loaded. There is also a status command, -s, that will tell you if audit is enabled. If the rules are loaded and audit is enabled, its working. > Also, being a total novice, how can I test/trigger audit log actions on > watch and action rules to see that the rules are configured properly? If its a watch, then accessing the file and running ausearch should do it. If you have a syscall rule, then you have to trigger the syscall either by using a program or creating one. > Finally, is there a tool that will do a sanity check on the audit.rules file? auditctl reports any problems that it sees with the rules. > Or is the only option to attempt to restart the auditd service, and think > "It started, it worked!" is acceptable? List the rules and status the audit subsystem. -Steve From mboxrd@z Thu Jan 1 00:00:00 1970 From: Warron S French Subject: RE: AUDIT changes - true sense of security Date: Fri, 18 Mar 2016 15:45:20 +0000 Message-ID: References: <2847728.hyf82qzeWv@x2> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <2847728.hyf82qzeWv@x2> Content-Language: en-US List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: Steve Grubb , "linux-audit@redhat.com" List-Id: linux-audit@redhat.com Hello sir, The command with the '-l' argument, is that auditctl? The command with the '-s' argument... what is that one called, auditd? Thanks for replying so quickly, sorry for being a nag. Warron French, MBA, SCSA The Aerospace Corporation -----Original Message----- From: Steve Grubb [mailto:sgrubb@redhat.com] Sent: Friday, March 18, 2016 9:56 AM To: linux-audit@redhat.com Cc: Warron S French Subject: Re: AUDIT changes - true sense of security On Friday, March 18, 2016 01:14:31 PM Warron S French wrote: > I have an issue, I believe, and I am asking for help on how to > properly address/assess it. > > I have been given guidance in support of auditing on CentOS-6.x systems: > > 1. To place various watch (-w) and action (-a) rules into place. > > 2. Make certain the configurations are immutable. > > Sometimes I have to add more rules, so I do that. However, I am not > certain if the rules are working properly, and I do know that I have > broken the auditd init-scripts on my systems a few times, and just > commented out the offending audit controls to work around/fix this very type of problem. While you are experimenting, do not put in the -e 2 configuration option. > > > What I need to know is, since the configurations have to be immutable > ( with the -e 2) how can I properly start the audit service, and > without any inkling of a doubt be certain that the rules are in place > and are functioning properly? There is a rule listing command, -l, that will dump what the kernel has loaded. There is also a status command, -s, that will tell you if audit is enabled. If the rules are loaded and audit is enabled, its working. > Also, being a total novice, how can I test/trigger audit log actions > on watch and action rules to see that the rules are configured properly? If its a watch, then accessing the file and running ausearch should do it. If you have a syscall rule, then you have to trigger the syscall either by using a program or creating one. > Finally, is there a tool that will do a sanity check on the audit.rules file? auditctl reports any problems that it sees with the rules. > Or is the only option to attempt to restart the auditd service, and > think "It started, it worked!" is acceptable? List the rules and status the audit subsystem. -Steve From mboxrd@z Thu Jan 1 00:00:00 1970 From: Steve Grubb Subject: Re: AUDIT changes - true sense of security Date: Fri, 18 Mar 2016 11:46:49 -0400 Message-ID: <3237549.65a39n60nT@x2> References: <2847728.hyf82qzeWv@x2> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: Warron S French Cc: "linux-audit@redhat.com" List-Id: linux-audit@redhat.com On Friday, March 18, 2016 03:45:20 PM Warron S French wrote: > Hello sir, > The command with the '-l' argument, is that auditctl? > The command with the '-s' argument... what is that one called, auditd? These are both auditctl commands. The other command that you will need to read up on is ausearch which is used to examine the resulting logs. -Steve > Thanks for replying so quickly, sorry for being a nag. > > Warron French, MBA, SCSA > The Aerospace Corporation > > -----Original Message----- > From: Steve Grubb [mailto:sgrubb@redhat.com] > Sent: Friday, March 18, 2016 9:56 AM > To: linux-audit@redhat.com > Cc: Warron S French > Subject: Re: AUDIT changes - true sense of security > > On Friday, March 18, 2016 01:14:31 PM Warron S French wrote: > > I have an issue, I believe, and I am asking for help on how to > > properly address/assess it. > > > > I have been given guidance in support of auditing on CentOS-6.x systems: > > > > 1. To place various watch (-w) and action (-a) rules into place. > > > > 2. Make certain the configurations are immutable. > > > > Sometimes I have to add more rules, so I do that. However, I am not > > certain if the rules are working properly, and I do know that I have > > broken the auditd init-scripts on my systems a few times, and just > > commented out the offending audit controls to work around/fix this very > > type of problem. > While you are experimenting, do not put in the -e 2 configuration option. > > > What I need to know is, since the configurations have to be immutable > > ( with the -e 2) how can I properly start the audit service, and > > without any inkling of a doubt be certain that the rules are in place > > and are functioning properly? > > There is a rule listing command, -l, that will dump what the kernel has > loaded. There is also a status command, -s, that will tell you if audit is > enabled. If the rules are loaded and audit is enabled, its working. > > Also, being a total novice, how can I test/trigger audit log actions > > on watch and action rules to see that the rules are configured properly? > > If its a watch, then accessing the file and running ausearch should do it. > If you have a syscall rule, then you have to trigger the syscall either by > using a program or creating one. > > Finally, is there a tool that will do a sanity check on the audit.rules > > file? > auditctl reports any problems that it sees with the rules. > > > Or is the only option to attempt to restart the auditd service, and > > think "It started, it worked!" is acceptable? > > List the rules and status the audit subsystem. > > -Steve