Linux-audit Archive on lore.kernel.org
From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com, burn@swtf.dyndns.org
Subject: Re: audit-tools and SUDO
Date: Tue, 10 May 2016 09:25:12 -0400
Message-ID: <4636570.EUPpVmsaCN@x2>
In-Reply-To: <1462884741.3439.16.camel@swtf.swtf.dyndns.org>

On Tuesday, May 10, 2016 10:52:21 PM Burn Alting wrote:
> On Tue, 2016-05-10 at 12:31 +0000, Warron S French wrote:
> > Good morning everyone,
> > 
> > I am working on an environment where I have managed to get centralized
> > audit logging to work – roughly 95% properly on six (6) CentOS-6.7
> > workstations and a single (1) CentOS-6.7 server.
> > 
> > I have two problems though, and they seem somewhat minor:
> > 
> > 1. The audit events being captured don’t seem to be tied to any
> > given node (so that I can perform ausearch --node hostName, or
> > aureport), that’s the first issue.
> 
> What have you set the configuration parameter 'name_format'
> in /etc/audit/auditd.conf to?
> 
> One assumes you may want to set
> name_format = fqd
> or
> name_format = hostname
> 
> After the change on each host, don't forget to reload the configuration
> with either a sighup on the auditd process or just restart the service.

This would set it for the local logs. And you would need to do this on the 
server that is aggregating the logs. (I think I forgot to mention that last 
week.) But for the workstations, you have to set name_format in audispd.conf.


> > 2. The second issue is that I need to configure sudo to enable my
> > Special Security Team with the ability to perform their duties using
> > the aureport and the ausearch commands, but I get an error that
> > appears to be based on permissions.
> 
> I recommend you show the command and resultant error in situations like
> this. That way we can provide a more informed response.

One approach some people take is to use the log_group setting in auditd.conf. 
If there is a group that the security people belong to that others don't, then 
using that group name for log_group is the easiest way and exactly why 
this option exists.

-Steve


> > I am hoping that you guys can steer me in the correct direction; and I
> > can update my documentation to be even a little more thorough.
> > 
> > Scenario 2 might be more of a membership issue now that I think about
> > it; so please disregard, as I think this is some weird 389-ds issue.
> > 
> > I am hoping though that someone can suggest a reason why, when I look
> > directly at the content of the /var/log/audit/audit.log I am not seeing
> > any references to node=hostname1, hostname2 .. hostnameN?  Maybe I did
> > misconfigure something, but I followed my own instructions to the “T”
> > and they didn’t produce this issue.
> > 
> > Thank you in advance for your precious time. Sincerely,
> > 
> > Warron French, MBA, SCSA
> > 
> > --
> > Linux-audit mailing list
> > Linux-audit@redhat.com
> > https://www.redhat.com/mailman/listinfo/linux-audit

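As an added illustration of the two settings discussed in this thread (not code from the list or the audit project), here is a small POSIX sh checker that reads name_format and log_group from auditd-style config files and reports, per role, whether a host is set up so forwarded records carry node= and the security team's group can read the log. The config contents and the group name secteam are constructed for the demo.

```sh
#!/bin/sh
# Constructed sample configs for one host, modelled on the thread: auditd.conf
# has log_group and name_format set, but audispd.conf (which governs what the
# remote plugin forwards) still has the default name_format, so no node= field.
WORK="$(mktemp -d)"
cat > "$WORK/auditd.conf" <<'EOF'
log_file = /var/log/audit/audit.log
log_group = secteam
name_format = hostname
EOF
cat > "$WORK/audispd.conf" <<'EOF'
q_depth = 80
name_format = none
EOF

# conf_get FILE KEY: print the value of a "key = value" line, empty if unset.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$1" | head -n 1
}

# labels_node VALUE: true if this name_format value stamps records with a
# node identity (auditd.conf(5): hostname, fqd, numeric, user; none does not).
labels_node() {
    case "$1" in hostname|fqd|numeric|user) return 0 ;; *) return 1 ;; esac
}

# check_host ROLE DIR: the aggregating server needs name_format in auditd.conf,
# a forwarding workstation needs it in audispd.conf; both need log_group so the
# security team's group, not only root, can read audit.log. Returns 1 on any gap.
check_host() {
    role=$1; dir=$2; rc=0
    case "$role" in
        server)      f="$dir/auditd.conf" ;;
        workstation) f="$dir/audispd.conf" ;;
        *) echo "unknown role $role"; return 2 ;;
    esac
    nf=$(conf_get "$f" name_format)
    if labels_node "$nf"; then echo "OK: $role name_format=$nf in $(basename "$f")"
    else echo "MISSING: $role needs name_format set in $(basename "$f") (have '${nf:-unset}')"; rc=1; fi
    lg=$(conf_get "$dir/auditd.conf" log_group)
    if [ -n "$lg" ]; then echo "OK: log_group=$lg sets the group of audit.log, so that group can read it"
    else echo "MISSING: log_group unset, so audit.log stays readable by root only"; rc=1; fi
    return $rc
}

# Demo: the server side passes, the workstation side flags the audispd.conf gap.
check_host server "$WORK"
check_host workstation "$WORK" || echo "=> set name_format in audispd.conf, then reload or restart auditd"
```

The temp directory is left in place so the output can be inspected; point DIR at /etc/audit on a real host to check it the same way.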