From: Steve Grubb <sgrubb@redhat.com>
To: Warron S French <warron.s.french@aero.org>
Cc: "linux-audit@redhat.com" <linux-audit@redhat.com>
Subject: Re: audit-tools and SUDO
Date: Tue, 10 May 2016 11:45:06 -0400
Message-ID: <3294586.6i81xjxGkV@x2>
In-Reply-To: <BY1PR09MB088709DF1304A0853C895960C7710@BY1PR09MB0887.namprd09.prod.outlook.com>
On Tuesday, May 10, 2016 03:25:36 PM Warron S French wrote:
> > The lab works as expected, but my production environment does not. %-/
>
> I would start by checking that events are coming out of the remote systems.
> You can use tcpdump port 60 on the clients. After confirming that, do the
> same on the server to see if events are getting there. Then look in syslog
> for anything that might give a clue. And then you can also tail -f
> /var/log/audit/audit.log to see if things are getting written to disk.
>
> \\ Steve, I know that I am receiving inputs to the server; because I can see
> events that I am purposely triggering based on 2 rules that I added and
> know how to cause an event; it is just that the node=client1 (for example)
> aren't being sent along with the line being recorded. Does this
> troubleshooting step still make sense anyway?
No. If you are getting events at the server and audispd.conf has
name_format=hostname, it should be working.

If this was set after the audit daemon on the clients started, then you need
to restart the audit daemon for the name to take effect. As written, it
collects the name one time at start up and uses it in all future events. This
could be changed, but that is how it's done today.

If you restart auditd on a non-systemd OS, this will cause the admin's auid to
get stuck into the audit daemon's task structure and will cause problems. So,
the cleanest thing to do is reboot the workstation so that audispd has the
hostname and your auid is not in daemons.
-Steve
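The reply above turns on three things that are easy to check on a client: what name_format audispd is actually configured with, whether the records on disk carry a node= prefix, and whether the running auditd has an admin auid stuck in it. The script below is an added example, not code from this thread or from audit-userspace; the config layout and the audit.log lines are constructed samples, and the live-host check it mentions (reading /proc/PID/loginuid, where 4294967295 is the kernel's "unset" value) is the practitioner's assumption about how to verify Steve's third point.

```shell
#!/bin/sh
# Added example (not part of the original thread or of audit-userspace).
# Offline checks for the three points in the reply above: the audispd
# name_format setting, whether records on disk carry a node= prefix, and
# whether auditd's loginuid is unset. All sample data below is constructed.

# Effective name_format from an audispd.conf-style file. Lines are
# "key = value"; the shipped default is "none", which we return when the
# key is absent or commented out.
audisp_name_format() {
    val=$(sed -n 's/^[[:space:]]*name_format[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | tail -n 1)
    if [ -n "$val" ]; then
        printf '%s\n' "$val"
    else
        printf 'none\n'
    fi
}

# Number of records in an audit.log that do not start with "node=".
# Non-zero after enabling name_format=hostname means the daemon that wrote
# them was not restarted (the name is read once at startup).
events_missing_node() {
    grep -c -v '^node=' "$1" || true
}

# True if a loginuid value is the kernel's "unset" marker 4294967295
# ((unsigned)-1). On a live host feed it:
#   auditd_auid_unset "$(cat /proc/$(pidof auditd)/loginuid)"
# A real uid here is the stuck-auid condition described in the reply.
auditd_auid_unset() {
    [ "$1" = "4294967295" ]
}

# --- constructed sample inputs (assumed layout, not real captures) ---
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat > "$SAMPLE_DIR/audispd.conf.before" <<'EOF'
q_depth = 80
overflow_action = SYSLOG
priority_boost = 4
max_restarts = 10
name_format = none
EOF

cat > "$SAMPLE_DIR/audispd.conf.after" <<'EOF'
q_depth = 80
overflow_action = SYSLOG
priority_boost = 4
max_restarts = 10
name_format = hostname
EOF

# Two records from a restarted client, one from a client still running
# with the old setting (constructed lines).
cat > "$SAMPLE_DIR/audit.log" <<'EOF'
node=client1 type=USER_LOGIN msg=audit(1462886136.101:201): pid=2201 uid=0 auid=1000 ses=3 msg='op=login id=1000 exe="/usr/sbin/sshd" res=success'
node=client1 type=SYSCALL msg=audit(1462886140.222:202): arch=c000003e syscall=2 success=yes exit=3 auid=1000 uid=0 comm="cat" exe="/usr/bin/cat" key="watch-shadow"
type=SYSCALL msg=audit(1462886145.333:203): arch=c000003e syscall=2 success=yes exit=3 auid=1000 uid=0 comm="cat" exe="/usr/bin/cat" key="watch-shadow"
EOF

printf 'before: name_format=%s\n' "$(audisp_name_format "$SAMPLE_DIR/audispd.conf.before")"
printf 'after:  name_format=%s\n' "$(audisp_name_format "$SAMPLE_DIR/audispd.conf.after")"
printf 'records without node=: %s\n' "$(events_missing_node "$SAMPLE_DIR/audit.log")"
```

On a real client, point audisp_name_format at /etc/audisp/audispd.conf and events_missing_node at /var/log/audit/audit.log; a config that already says hostname while the log still lacks node= is exactly the "set after the daemon started" case, and a non-4294967295 loginuid on auditd is the reason Steve recommends a reboot over a restart on non-systemd hosts.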
Thread overview: 9+ messages
2016-05-10 12:31 audit-tools and SUDO Warron S French
2016-05-10 12:52 ` Burn Alting
2016-05-10 13:07 ` Warron S French
2016-05-10 13:25 ` Steve Grubb
2016-05-10 13:44 ` Warron S French
2016-05-10 14:31 ` Steve Grubb
2016-05-10 15:25 ` Warron S French
2016-05-10 15:45 ` Steve Grubb [this message]
2016-05-10 17:46 ` Warron S French