* AUDIT changes - true sense of security
@ 2016-03-18 13:14 Warron S French
2016-03-18 13:55 ` Steve Grubb
0 siblings, 1 reply; 4+ messages in thread
From: Warron S French @ 2016-03-18 13:14 UTC (permalink / raw)
To: Linux-Audit
[-- Attachment #1.1: Type: text/plain, Size: 1516 bytes --]
Hello all,
I do work that requires me to configure auditing on my systems. I am a relative novice to the audit configurations in most operating systems.
I have an issue, I believe, and I am asking for help on how to properly address/assess it.
I have been given guidance in support of auditing on CentOS-6.x systems:
1. To place various watch (-w) and action (-a) rules into place.
2. Make certain the configurations are immutable.
Sometimes I have to add more rules, so I do that. However, I am not certain if the rules are working properly, and I do know that I have broken the auditd init-scripts on my systems a few times, and just commented out the offending audit controls to work around/fix this very type of problem.
What I need to know is, since the configurations have to be immutable ( with the -e 2) how can I properly start the audit service, and without any inkling of a doubt be certain that the rules are in place and are functioning properly?
Also, being a total novice, how can I test/trigger audit log actions on watch and action rules to see that the rules are configured properly?
Finally, is there a tool that will do a sanity check on the audit.rules file? Or is the only option to attempt to restart the auditd service, and think "It started, it worked!" is acceptable?
I just don't want a false sense of security, I also don't want a nagging sense of paranoia.
Thank you,
Warron French, MBA, SCSA
The Aerospace Corporation
[-- Attachment #1.2: Type: text/html, Size: 6806 bytes --]
[-- Attachment #2: Type: text/plain, Size: 0 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: AUDIT changes - true sense of security
2016-03-18 13:14 AUDIT changes - true sense of security Warron S French
@ 2016-03-18 13:55 ` Steve Grubb
2016-03-18 15:45 ` Warron S French
0 siblings, 1 reply; 4+ messages in thread
From: Steve Grubb @ 2016-03-18 13:55 UTC (permalink / raw)
To: linux-audit
On Friday, March 18, 2016 01:14:31 PM Warron S French wrote:
> I have an issue, I believe, and I am asking for help on how to properly
> address/assess it.
>
> I have been given guidance in support of auditing on CentOS-6.x systems:
>
> 1. To place various watch (-w) and action (-a) rules into place.
>
> 2. Make certain the configurations are immutable.
>
> Sometimes I have to add more rules, so I do that. However, I am not
> certain if the rules are working properly, and I do know that I have broken
> the auditd init-scripts on my systems a few times, and just commented out
> the offending audit controls to work around/fix this very type of problem.
While you are experimenting, do not put in the -e 2 configuration option.
>
>
> What I need to know is, since the configurations have to be immutable ( with
> the -e 2) how can I properly start the audit service, and without any
> inkling of a doubt be certain that the rules are in place and are
> functioning properly?
There is a rule listing command, -l, that will dump what the kernel has
loaded. There is also a status command, -s, that will tell you if audit is
enabled. If the rules are loaded and audit is enabled, its working.
> Also, being a total novice, how can I test/trigger audit log actions on
> watch and action rules to see that the rules are configured properly?
If its a watch, then accessing the file and running ausearch should do it. If
you have a syscall rule, then you have to trigger the syscall either by using
a program or creating one.
> Finally, is there a tool that will do a sanity check on the audit.rules file?
auditctl reports any problems that it sees with the rules.
> Or is the only option to attempt to restart the auditd service, and think
> "It started, it worked!" is acceptable?
List the rules and status the audit subsystem.
-Steve
^ permalink raw reply [flat|nested] 4+ messages in thread
* RE: AUDIT changes - true sense of security
2016-03-18 13:55 ` Steve Grubb
@ 2016-03-18 15:45 ` Warron S French
2016-03-18 15:46 ` Steve Grubb
0 siblings, 1 reply; 4+ messages in thread
From: Warron S French @ 2016-03-18 15:45 UTC (permalink / raw)
To: Steve Grubb, linux-audit
Hello sir,
The command with the '-l' argument, is that auditctl?
The command with the '-s' argument... what is that one called, auditd?
Thanks for replying so quickly, sorry for being a nag.
Warron French, MBA, SCSA
The Aerospace Corporation
-----Original Message-----
From: Steve Grubb [mailto:sgrubb@redhat.com]
Sent: Friday, March 18, 2016 9:56 AM
To: linux-audit@redhat.com
Cc: Warron S French <warron.s.french@aero.org>
Subject: Re: AUDIT changes - true sense of security
On Friday, March 18, 2016 01:14:31 PM Warron S French wrote:
> I have an issue, I believe, and I am asking for help on how to
> properly address/assess it.
>
> I have been given guidance in support of auditing on CentOS-6.x systems:
>
> 1. To place various watch (-w) and action (-a) rules into place.
>
> 2. Make certain the configurations are immutable.
>
> Sometimes I have to add more rules, so I do that. However, I am not
> certain if the rules are working properly, and I do know that I have
> broken the auditd init-scripts on my systems a few times, and just
> commented out the offending audit controls to work around/fix this very type of problem.
While you are experimenting, do not put in the -e 2 configuration option.
>
>
> What I need to know is, since the configurations have to be immutable
> ( with the -e 2) how can I properly start the audit service, and
> without any inkling of a doubt be certain that the rules are in place
> and are functioning properly?
There is a rule listing command, -l, that will dump what the kernel has loaded. There is also a status command, -s, that will tell you if audit is enabled. If the rules are loaded and audit is enabled, its working.
> Also, being a total novice, how can I test/trigger audit log actions
> on watch and action rules to see that the rules are configured properly?
If its a watch, then accessing the file and running ausearch should do it. If you have a syscall rule, then you have to trigger the syscall either by using a program or creating one.
> Finally, is there a tool that will do a sanity check on the audit.rules file?
auditctl reports any problems that it sees with the rules.
> Or is the only option to attempt to restart the auditd service, and
> think "It started, it worked!" is acceptable?
List the rules and status the audit subsystem.
-Steve
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: AUDIT changes - true sense of security
2016-03-18 15:45 ` Warron S French
@ 2016-03-18 15:46 ` Steve Grubb
0 siblings, 0 replies; 4+ messages in thread
From: Steve Grubb @ 2016-03-18 15:46 UTC (permalink / raw)
To: Warron S French; +Cc: linux-audit
On Friday, March 18, 2016 03:45:20 PM Warron S French wrote:
> Hello sir,
> The command with the '-l' argument, is that auditctl?
> The command with the '-s' argument... what is that one called, auditd?
These are both auditctl commands. The other command that you will need to read
up on is ausearch which is used to examine the resulting logs.
-Steve
> Thanks for replying so quickly, sorry for being a nag.
>
> Warron French, MBA, SCSA
> The Aerospace Corporation
>
> -----Original Message-----
> From: Steve Grubb [mailto:sgrubb@redhat.com]
> Sent: Friday, March 18, 2016 9:56 AM
> To: linux-audit@redhat.com
> Cc: Warron S French <warron.s.french@aero.org>
> Subject: Re: AUDIT changes - true sense of security
>
> On Friday, March 18, 2016 01:14:31 PM Warron S French wrote:
> > I have an issue, I believe, and I am asking for help on how to
> > properly address/assess it.
> >
> > I have been given guidance in support of auditing on CentOS-6.x systems:
> >
> > 1. To place various watch (-w) and action (-a) rules into place.
> >
> > 2. Make certain the configurations are immutable.
> >
> > Sometimes I have to add more rules, so I do that. However, I am not
> > certain if the rules are working properly, and I do know that I have
> > broken the auditd init-scripts on my systems a few times, and just
> > commented out the offending audit controls to work around/fix this very
> > type of problem.
> While you are experimenting, do not put in the -e 2 configuration option.
>
> > What I need to know is, since the configurations have to be immutable
> > ( with the -e 2) how can I properly start the audit service, and
> > without any inkling of a doubt be certain that the rules are in place
> > and are functioning properly?
>
> There is a rule listing command, -l, that will dump what the kernel has
> loaded. There is also a status command, -s, that will tell you if audit is
> enabled. If the rules are loaded and audit is enabled, its working.
> > Also, being a total novice, how can I test/trigger audit log actions
> > on watch and action rules to see that the rules are configured properly?
>
> If its a watch, then accessing the file and running ausearch should do it.
> If you have a syscall rule, then you have to trigger the syscall either by
> using a program or creating one.
> > Finally, is there a tool that will do a sanity check on the audit.rules
> > file?
> auditctl reports any problems that it sees with the rules.
>
> > Or is the only option to attempt to restart the auditd service, and
> > think "It started, it worked!" is acceptable?
>
> List the rules and status the audit subsystem.
>
> -Steve
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2016-03-18 15:46 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-03-18 13:14 AUDIT changes - true sense of security Warron S French
2016-03-18 13:55 ` Steve Grubb
2016-03-18 15:45 ` Warron S French
2016-03-18 15:46 ` Steve Grubb
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.