public inbox for linux-audit@redhat.com
* Offline configuration
@ 2007-05-25 16:23 Robert Evans
From: Robert Evans @ 2007-05-25 16:23 UTC (permalink / raw)
  To: linux-audit

Hi,

Now that I've got auditing to work on Fedora Core, I have a few more questions.

First, the boxes I've got it working on are connected to the internet and have 
the latest updates.  Now I need to make stuff work on boxes that are *not* 
connected to the internet and are built off of the base CD/DVD.

I know I need the latest versions of the following packages on a system:
   audit
   audit-lib
   glibc-kernheaders
   openssh
   openssh-server
   openssh-client
   openssh-askpass
   openssh-askpass-gnome

Do I need the latest of
   audit-libs-devel
   kernel
as well?

Also, what other packages are critical to get NISPOM compliance?  Even when I 
updated the above packages, it didn't look like failed logins on the gnome 
desktop were generating events.  I realize this may be particular to RHEL_64, 
but I also figured I could just have an outdated package.

I'm asking this because when I set up my audit rules on RHEL4_64 with the base 
auditing installed (none of the above updates), I wasn't getting any 
login/logout events at all. Based on my initial experience with the initial 
Fedora configurations, I assume that I need to install updated packages.

I'm not using watches right now, only syscalls, which seem to catch everything I 
need.  It seems like Steve has put enough information in the event logs that it 
is possible to build a GUI that parses, combines, and then displays the event 
logs to the user.  Each displayed event is on a single line and contains the 
pertinent information about the event.

The only gotcha I had with FC5 was that I needed the updated openssh packages to 
generate the events that indicated a logout event for ssh.

Bob Evans
JHU/APL


* RE: Offline configuration - nice summary of Bob's config
From: Wieprecht, Karen M. @ 2007-05-25 17:57 UTC (permalink / raw)
  To: linux-audit

Bob,

>> it didn't look like failed logins on the gnome desktop were
>> generating events.  I realize this may be particular to RHEL_64, 
>> but I also figured I could just have an outdated package.

Based on my limited exposure to RHEL4 x86_64 and bz 196233, I was
getting login/logout information with the standard RHEL4U4 kernel, but I
wasn't getting any of the syscall stuff before installing the test
kernel Jason was providing ( http://people.redhat.com/~jbaron/rhel4/ ).
Steve Grubb said that Jason's fix will be committed in stream U5 build
42.20.

It sounds like you are having the opposite problem though (getting
syscall stuff but not the login/logout stuff).  This seems odd because
the login/logout stuff is supposed to be built in ...  you aren't
filtering out the login/logout message types by chance are you?  Steve
sent out a sample the other day for someone who asked how to do this
(-a exclude,always -F msgtype>=1100 -F msgtype<=1299 -a exclude,always
-F msgtype>=1400 -F msgtype<=2999).

It could be that you are seeing a different variant of bug bz196233
since you are on FC rather than RHEL, but I would think that if the
syscall stuff is showing up, that you've probably already got a fix in
place for bz196233 ...

The other thing you might do is to compare the sample capp.rules to your
audit.rules.  When we set up our initial test audit.rules file, we
tried a few things from the sample capp.rules file, and I recall that
there were a few things you had to uncomment based on whether you were
on 32-bit or 64-bit.  If you have something similar in your
audit.rules, you may need the 64-bit flavor of the rule.

Good luck,

Karen Wieprecht


* Re: Offline configuration
From: Steve Grubb @ 2007-05-25 18:10 UTC (permalink / raw)
  To: linux-audit; +Cc: Robert Evans

On Friday 25 May 2007 12:23, Robert Evans wrote:
> Do I need the latest of
>    audit-libs-devel

No.

>    kernel as well?

Wouldn't hurt due to security fixes.

> Also, what other packages are critical to get NISPOM compliance?

NISPOM seems preoccupied with login/logout, account locking, blacklisting of 
terminals, audit trail generation, and audit reports.

The login/logout stuff is covered by pam, login, sshd, and gdm. Account 
locking is done by pam_tally2. I don't believe we do blacklisting of 
terminals like pam_tally does. And the audit trail is done by the kernel and 
audit package. I'd also update password and shadow-utils so that changes to 
accounts are audited.

> Even when I updated the above packages, it didn't look like failed logins on
> the gnome desktop were generating events.  I realize this may be particular
> to RHEL_64, but I also figured I could just have an outdated package.

Also, put audit=1 in boot parameters. The latest version of gdm is supposed to 
work with audit. There was an issue where the gdm pam configuration was not 
right. But it was corrected in the last release.

> I'm asking this because when I set up my audit rules on RHEL4_64 with the
> base auditing installed (none of the above updates).  I wasn't getting any
> login/logout events at all, based on my initial experience with the initial
> Fedora configurations, I assume that I need to install updated packages.

Yes, I would.

> It seems like Steve has put enough information in the event logs that it is
> possible to build a GUI that parses, combines, and then displays the event
> logs to the user.

Yes. I believe someone even sent one to this mail list about a year ago. We 
are planning to write one later this summer after the audit parsing library 
work is settled.

> The only gotcha I had with FC5 was that I needed the updated openssh
> packages to generate the events that indicated a logout event for ssh.

Yep.

-Steve

