* RHEL6 and RHEL7 audispatch configurations
@ 2017-04-03 18:23 warron.french
  2017-04-03 22:34 ` Steve Grubb
  0 siblings, 1 reply; 2+ messages in thread
From: warron.french @ 2017-04-03 18:23 UTC (permalink / raw)
  To: linux-audit



Hi Steve, sorry for bugging you directly, nearly 1 year ago (May 10th to be
exact) we collaborated, for my benefit on how to configure audispatch on
"RHEL6" machines.

It seems that my instructions that I kept from 1 year ago are no longer
valid; there are new files in existence and some old ones no longer in
existence for both RHEL6 and RHEL7:


[OLD]
/etc/audisp/audisp-remote.conf,
/etc/audisp/plugins.d/au-remote.conf

[NEW]
/etc/audisp/plugins.d/af_unix.conf
/etc/audisp/plugins.d/syslog.conf

Not sure how to find the appropriate man pages to configure this setup
properly.  I am attaching what I wrote 1 year ago; and hope that you can
push me in the direction of a good walk-through for audispatch of the
modern revision (audit-2.4.5-3 on RHEL6, and audit-2.4.1-5.el7).

I have to stick with these revisions for a little while since we are going
through a Project Management Stage gate, impacting update decisions.




--------------------------
Warron French

[-- Attachment #2: DOCS-02-Configure Centralized AUDIT-logging with audispatch.docx --]


* Re: RHEL6 and RHEL7 audispatch configurations
  2017-04-03 18:23 RHEL6 and RHEL7 audispatch configurations warron.french
@ 2017-04-03 22:34 ` Steve Grubb
  0 siblings, 0 replies; 2+ messages in thread
From: Steve Grubb @ 2017-04-03 22:34 UTC (permalink / raw)
  To: linux-audit

On Monday, April 3, 2017 2:23:21 PM EDT warron.french wrote:
> Hi Steve, sorry for bugging you directly, nearly 1 year ago (May 10th to be
> exact) we collaborated, for my benefit on how to configure audispatch on
> "RHEL6" machines.
> 
> It seems that my instructions that I kept from 1 year ago are no longer
> valid; there are new files in existence and some old ones no longer in
> existence for both RHEL6 and RHEL7:

The only change is systemd vs SysVinit initialization, augenrules being 
default rule loader, and updating rules for a change in where the default 
first user account starts (500 vs 1000). There are no changes in the audispd 
area.

> [OLD]
> /etc/audisp/audisp-remote.conf,
> /etc/audisp/plugins.d/au-remote.conf
> 
> [NEW]
> /etc/audisp/plugins.d/af_unix.conf
> /etc/audisp/plugins.d/syslog.conf

These have always been there. Note that all plugins default to off.

> Not sure how to find the appropriate man pages to configure this setup
> properly.  I am attaching what I wrote 1 year ago; and hope that you can
> push me in the direction of a good walk-through for audispatch of the
> modern revision (audit-2.4.5-3 on RHEL6, and audit-2.4.1-5.el7).
> 
> I have to stick with these revisions for a little while since we are going
> through a Project Management Stage gate, impacting update decisions.

I'd highly recommend moving to the 2.6.5 release. This is because the main 
feature of 2.6 was to resolve uid/gid during event processing so that reports 
run on aggregated logs resolve to the right account. 

The area between 0 and 300 is fixed accounts. All systems have the same 
accounts. The area between 300 and 1000 is also for system accounts but is not 
standardized.  They are allocated randomly by the order of package 
installation. (This behavior is controlled by /etc/login.defs.) For example, 
the chrony daemon account on my main system is 990. On my laptop, it's 994. So, 
if my laptop sent logs to my main system, ausearch prior to 2.6 would do the 
lookup on the server and map account 994 to geoclue. After 2.6, auditd puts 
the mapping in the record after a special separator. Ausearch uses this during 
interpretation to display the correct account name.

Besides that, there was a remote logging bug fixed on 2.6.1 that was causing 
remote logging problems in earlier releases.

-Steve
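The uid collision Steve describes above, worked through as an added example that is not part of the thread and not audit's own code. The two passwd tables and both audit records are constructed for the demonstration; the layout of the enriched record (interpreted fields such as UID="..." appended after an ASCII group separator, 0x1d, as in audit's ENRICHED log format) is an assumption stated in the code, since the mail only calls it "a special separator".

```python
"""
Added example: why the sending host's uid -> name mapping has to travel with
the record when audit logs are aggregated on a central server.

Assumptions (not from the thread): the passwd excerpts and the two records
below are constructed; the enriched layout follows audit's ENRICHED format,
which appends interpreted fields after an ASCII group separator (0x1d).
"""
import re

# Constructed /etc/passwd excerpts. System accounts above 300 are allocated in
# package-installation order, so the same number can name different accounts
# on two hosts (the 990/994 chrony vs geoclue swap from the mail).
LAPTOP_PASSWD = {0: "root", 994: "chrony", 990: "geoclue"}
SERVER_PASSWD = {0: "root", 990: "chrony", 994: "geoclue"}

# Constructed raw record as the laptop would emit it before audit 2.6: only
# the numeric uid is present, nothing says which host's passwd it refers to.
RAW_RECORD = ('type=SYSCALL msg=audit(1491250000.123:4711): arch=c000003e '
              'syscall=2 success=yes exit=3 uid=994 auid=4294967295 '
              'comm="chronyd"')

# Constructed enriched record: the same event with the sender's own
# interpretation appended after the 0x1d separator (assumed ENRICHED layout).
ENRICHED_RECORD = RAW_RECORD + '\x1dSYSCALL=open UID="chrony" AUID="unset"'

SEPARATOR = '\x1d'


def has_enrichment(record):
    """True if the record carries sender-side interpreted fields."""
    return SEPARATOR in record


def numeric_uid(record):
    """Return the numeric uid= field of the raw part of a record, or None.
    The \\b keeps 'auid=' from matching."""
    raw = record.split(SEPARATOR, 1)[0]
    m = re.search(r'\buid=(\d+)', raw)
    return int(m.group(1)) if m else None


def resolve_uid_locally(record, passwd):
    """Pre-2.6 behaviour: the numeric uid is mapped through the passwd
    database of whatever host runs the search (here: the aggregation server),
    which is wrong whenever that host allocated the number differently."""
    uid = numeric_uid(record)
    return passwd.get(uid, str(uid))


def resolve_uid(record, passwd):
    """2.6+ behaviour: prefer the sender-supplied UID="..." after the
    separator; fall back to a local lookup only for unenriched records."""
    if has_enrichment(record):
        enrichment = record.split(SEPARATOR, 1)[1]
        m = re.search(r'\bUID="([^"]*)"', enrichment)
        if m:
            return m.group(1)
    return resolve_uid_locally(record, passwd)


if __name__ == "__main__":
    # Server-side lookup of the laptop's raw record names the wrong account.
    print("raw record, server passwd :", resolve_uid_locally(RAW_RECORD, SERVER_PASSWD))
    # The enriched record resolves to the account the laptop actually meant.
    print("enriched record           :", resolve_uid(ENRICHED_RECORD, SERVER_PASSWD))
```

The point for anyone reviewing aggregated logs: a report produced on the collector from pre-2.6 records is only as trustworthy as the collector's passwd for uids above 300, so either run reports with the sending host's passwd in hand or aggregate only enriched records.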

