Re: buffer space

[Mike Nixon <mnixxon@gmail.com>]

[-- Attachment #1.1: Type: text/plain, Size: 6037 bytes --]

Attached are is the audit.rules file from SECSCN 4.3.  There is a v4.4 now
available but I don't have it handy.  Also attached are two docs which
explain SECSCN's auditd configuration expectations.

-Mike

On Mon, Aug 17, 2009 at 11:34 AM, Norman Mark St. Laurent <
mstlaurent@conceras.com> wrote:

> Hi David,
>
> I too would like to know what version of SECSCAN you are using for the
> "required watches".  I run the STIGS, SECSCAN, and a myriad of vulnerability
> analysis tools (outside looking in -->  inside looking around) on systems
> that I ISSE and provision.  I do not recall "required watches" that need to
> be set with this tool, but I maybe off a version and I may need to visit
> another sight to pick up the latest and greatest....
>
> I know SECSCAN would like the System to be configured to HALT on audit
> failure using the disk_ful_action_setting in /etc/audit/auditd.conf.  It
> would also like the system to be configured to halt on audit disk error as
> well as the audit data to be synchronously flushed to disk to avoid data
> loss.  To do this (respectfully) I have set in my KickStarts and Satellite:
>
> perl -npe 's/disk_full_action = SUSPEND/disk_full_action = HALT/' -i
> /etc/audit/auditd.conf
> perl -npe 's/disk_error_action = SUSPEND/disk_error_action = HALT/' -i
> /etc/audit/auditd.conf
> perl -npe 's/flush = INCREMENTAL/flush = SYNC/' -i /etc/audit/auditd.conf
>
> Currently I set the /var/log/audit logs to rotate daily for 90 days...  in
> /etc/logrotate.d/audit  and the capp.rules ; nispom.rules in
> /usr/share/doc/audit* all work great and provide nice examples to comply
> with Security Policy.
>
> Because of the logrotation and the way aureport works, I have written a
> wrapper script to be able to search and report all the log files.  Something
> of this type would help the Security Officers look threw the log files.  The
> script also keeps a pristine copy of the log files for investigation with
> digital sigs to watch the tampering  (as well as aide) for investigation if
> need be --> this keeps processing the files (MAC Times) and a pristine copy
> separated.
>
> I am very interested in finding our more about these set watches that are
> required in SECSCAN.
>
> Best regards,
>
>
> Norman Mark St. Laurent
> Conceras | Chief Technology Officer and ISSE
>
>
>
> David Flatley wrote:
>
>>
>> Thanks Steve!
>> If I were to move all the rotated logs to another directory, say
>> /home/logs. So instead of doing "ausearch -i" to capture all the information
>> in the rotated logs in
>> /var/log/audit directory. I would do "ausearch -i -f /home/logs" ,
>> correct?
>>
>> Backlog is set to 12288 right now.
>>
>> The SECSCAN requires many -w (watches) and a fair amount of syscalls. I
>> modified the syscalls to add your recommendation for using "arch=b32" and
>> "arch=b64".
>> Because I was getting errors restarting the auditd on some of their
>> recommendations one of which was mount?
>>
>> Another setting I believe was doing me in was the log size is 20 megs and
>> I allow 8 rotated logs. But I had admin_disk_full set to 160 and the action
>> was suspend.
>> So this could have been tripping me up also.
>>
>> I would like to be able to do the audit log extractions (ausearch and
>> aureport) when I get say 8 - 20 megs logs. I see I can do an exec on a
>> script in max_log_file_action.
>> So if I set the max_log_file to 160, I can then run a script to move the
>> rotated logs and process them, thus not stopping auditd and keeping things
>> working? I would set the
>> max rotated logs to 10 to allow the new rotated log space then move the
>> logs as you suggest.
>>
>> Thanks.
>>
>> David Flatley CISSP
>>
>>
>>
>>
>> Inactive hide details for Steve Grubb ---08/13/2009 02:29:34 PM---On
>> Thursday 13 August 2009 10:56:50 am David Flatley wrote: > Steve Grubb
>> ---08/13/2009 02:29:34 PM---On Thursday 13 August 2009 10:56:50 am David
>> Flatley wrote: > Red Hat 5.3 running audit 1.7.7-6
>>
>>
>> From:
>> Steve Grubb <sgrubb@redhat.com>
>>
>> To:
>> linux-audit@redhat.com
>>
>> Cc:
>> David Flatley/Burlington/IBM@IBMUS
>>
>> Date:
>> 08/13/2009 02:29 PM
>>
>> Subject:
>> Re: buffer space
>>
>>
>>
>>
>> On Thursday 13 August 2009 10:56:50 am David Flatley wrote:
>> >   Red Hat 5.3 running audit 1.7.7-6
>> > Rotating logs at 20 megs and allowing 8 logs
>> > Rules have watches and syscalls from the SECSCAN recommendations, and
>> have
>> > added some of Steve Grubb's recommendations.
>>
>> I would be curious what the SECSCAN recommendations are. Never heard of
>> it...
>>
>>
>> > When we extract and archive the audit logs we get "Error receiving audit
>> > netlink packet (No buffer space available) an "error sending signal info
>> > request"
>> > Our extract is: stop auditd then create a file and run ausearch -i >
>> file
>> > then run an aureport -i > file then once that is done we delete all the
>> > logs and restart auditd.
>>
>> I think this is your problem. If you have audit rules loaded and stop
>> auditd,
>> then audit events are going to pile up in the queue waiting for auditd to
>> download them. At some point the kernel will decide auditd doesn't exist
>> and
>> will dump all events to syslog. This probably is not what you want either.
>>
>> I would recommend calling "service auditd rotate" and then grab logs
>> audit.log.1 -> audit.logs.7 and move them away to another directory for
>> post  processing the contents.
>>
>> You may also want to check you backlog size settings too.
>>
>>
>> > If I run this manually it works fine but if I have it running it in a
>> cron
>> > we get Kernel panics, lockups and log data loss plus the buffer
>> messages.
>>
>> Shouldn't really make a difference.
>>
>> -Steve
>>
>>
>> ------------------------------------------------------------------------
>>
>> --
>> Linux-audit mailing list
>> Linux-audit@redhat.com
>> https://www.redhat.com/mailman/listinfo/linux-audit
>>
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
>

[-- Attachment #1.2: Type: text/html, Size: 7364 bytes --]

[-- Attachment #2: AUDIT1.HTML --]
[-- Type: text/html, Size: 6262 bytes --]

[-- Attachment #3: AUDIT.RULES --]
[-- Type: application/octet-stream, Size: 5598 bytes --]

##
## This file contains a sample audit configuration.  The rules can be
## copied and pasted into your audit.rules file usually located in the
## /etc/audit/ directory. 
## Note: All settings should be tested on a non-production system prior
## to implementation on any production system.

## Remove any existing rules
-D

## Increase buffer size to handle the increased number of messages.
## Feel free to increase this if the machine panic's
-b 8192

## Set failure mode to panic
-f 2

## Operations on file system objects - by default, only monitor
## files and directories covered by filesystem watches.

## Changes in ownership and permissions
-a entry,always -S chmod -S fchmod -S chown -S fchown -S lchown
## Enable *32 rules if you are running on i386 or s390
## Do not use for x86_64, ia64, ppc, ppc64, or s390x
#-a entry,always -S fchown32
#-a entry,always -S chown32
#-a entry,always -S lchown32

## File content modification. Permissions are checked at open time,
## monitoring individual read/write calls is not useful.
#-a entry,always -S creat -S open -S truncate -S ftruncate
## Enable *64 rules if you are running on i386, ppc, ppc64, s390
## Do not use for x86_64, ia64, or s390x
#-a entry,always -S truncate64
#-a entry,always -S ftruncate64

##Unauthorized access attempts to files (unsuccessful). Use b64 for 64 bit architecture
-a exit,always arch=b32 -S creat -S open -S truncate -S ftruncate -F exit=-EACCES -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access

#-a exit,always arch=b64 -S creat -S open -S truncate -S ftruncate -F exit=-EACCES -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access


## directory operations
-a entry,always -S mkdir -S rmdir

## moving, removing, and linking
-a entry,always -S unlink -S rename -S link -S symlink

## special files
-a entry,always -S mknod

## Other file system operations
-a entry,always -S mount
## Enable umount rule if you are running on i386,ppc,ppc64,s390,s390x,ia64
## Do not use for x86_64
-a entry,always -S umount
## Enable umount rule if you are running on i386,ppc,ppc64,s390,s390x,ia64
## Do not use for ia64
#-a entry,always -S umount2

## success and failure of binding user security attributes to a subject
##
## Enable if you are interested in these events
##
-a entry,always -S clone
-a entry,always -S fork
-a entry,always -S vfork
## For ia64 architecture, disable fork and vfork rules above, and
## enable the following:
#-a entry,always -S clone2

##
## modifications of the default setting of permissive or restrictive
## rules, all modifications of the initial value of security attributes
##
## Enable if you are interested in these events
##
-a entry,always -S umask

##
## changes to the time
##
-a entry,always -S adjtimex -S settimeofday

##Recommended File System watches. Please add any other sensitive files and 
##directories to this list.

##
## successful and unsuccessful attempts to read information from the
## audit records; all modifications to the audit trail
##
-w /var/log/audit/ -k LOG_audit
-w /var/log/audit/audit_log -k LOG_audit_log
-w /var/log/audit/audit_log.1 -k LOG_audit_log
-w /var/log/audit/audit_log.2 -k LOG_audit_log
-w /var/log/audit/audit_log.3 -k LOG_audit_log
-w /var/log/audit/audit_log.4 -k LOG_audit_log

## 
## modifications to audit configuration that occur while the audit
## collection functions are operating; all modications to the set of
## audited events
##
-w /etc/audit/auditd.conf -k CFG_auditd.conf
-w /etc/audit/audit.rules -k CFG_audit.rules
-w /etc/libaudit.conf -p wa -k CFG_libaudit.conf

-w /etc/ntp.conf
-w /etc
-w /var/spool/at
-w /etc/at.allow
-w /etc/at.deny
-w /etc/cron.allow
-w /etc/cron.deny
-w /etc/cron.d/
-w /etc/cron.daily/
-w /etc/cron.hourly/
-w /etc/cron.monthly/
-w /etc/cron.weekly/
-w /etc/crontab
-w /var/spool/cron/root
-w /etc/anacrontab
-w /etc/group
-w /etc/passwd
-w /etc/gshadow
-w /etc/shadow
-w /etc/shadow.OLD
-w /etc/security/opasswd
-w /etc/sudoers
-w /etc/login.defs
-w /etc/securetty
-w /var/log/faillog
-w /var/log/lastlog
-w /etc/shells
-w /etc/profile
-w /etc/bashrc
-w /etc/csh.cshrc
-w /etc/csh.login
-w /etc/hosts
-w /etc/sysconfig/
-w /etc/dhcpd.conf
-w /etc/dhclient-eth0.conf
-w /etc/inittab
-w /etc/rc.d/init.d/
-w /etc/rc.d/init.d/auditd
-w /etc/rc.local
-w /etc/rc.sysinit
-w /etc/xinetd.conf
-w /etc/xinetd.d/
-w /etc/ld.so.conf
-w /etc/ld.so.conf.d/
-w /etc/localtime
-w /etc/sysctl.conf
-w /etc/modprobe.conf
-w /etc/pam.d
-w /etc/pam_smb.conf
-w /etc/aliases
-w /etc/postfix/
-w /etc/mail/access
-w /etc/mail/access.db
-w /etc/mail/aliases
-w /etc/mail/domaintable
-w /etc/mail/domaintable.db
-w /etc/mail/helpfile
-w /etc/mail/local-host-names
-w /etc/mail/mailertable
-w /etc/mail/mailertable.db
-w /etc/mail/Makefile
-w /etc/mail/sendmail.cf
-w /etc/mail/sendmail.mc
-w /etc/mail/submit.cf
-w /etc/mail/submit.mc
-w /etc/mail/trusted-users
-w /etc/mail/virtusertable
-w /etc/mail/virtusertable.db
-w /etc/ssh/sshd_config
-w /etc/stunnel/stunnel.conf
-w /etc/stunnel/stunnel.pem
-w /etc/vsftpd.ftpusers
-w /etc/vsftpd/vsftpd.conf
-w /etc/httpd/conf/
-w /etc/httpd/conf.d/
-w /etc/issue
-w /etc/issue.net
-w /etc/samba/smb.conf
-w /etc/samba/smbpasswd
-w /etc/samba/secrets.tdb
-w /etc/my.conf
-w /etc/syslog.conf
-w /etc/snmp/snmpd.conf
-w /etc/resolv.conf
-w /etc/nsswitch.conf
-w /etc/host.conf
-w /etc/yp.conf
-w /var/yp/binding
-w /etc/ldap.conf
-w /etc/krb5.conf
-w /etc/krb.conf
-w /etc/krb.realms
-w /etc/initlog.conf
-w /etc/default/
-w /etc/firmware/microcode.dat
-w /etc/fstab
-w /etc/auto.master
-w /etc/auto.misc
-w /etc/hosts.allow
-w /etc/hosts.deny
-w /etc/exports

[-- Attachment #4: AUDITDESCRIP.HTML --]
[-- Type: text/html, Size: 5509 bytes --]

[-- Attachment #5: Type: text/plain, Size: 0 bytes --]