Audit
Resources
Audit homepage: http://people.redhat.com/sgrubb/audit/index.html
Common Criteria: http://www.commoncriteriaportal.org/
Novell manual: http://www.novell.com/documentation/sles10/
How to audit a Fedora/Red Hat system
Tested on Fedora 11 x86_64
ssh/sudo tty auditing
### /etc/pam.d/sshd ###
#%PAM-1.0
auth       required     pam_sepermit.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
# Keyboard logging.
session    include      pam_tty_audit
session    optional     pam_keyinit.so force revoke
session    include      system-auth

### /etc/pam.d/su ###
#%PAM-1.0
auth       sufficient   pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth      sufficient   pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth      required     pam_wheel.so use_uid
auth       include      system-auth
account    sufficient   pam_succeed_if.so uid = 0 use_uid quiet
account    include      system-auth
password   include      system-auth
session    include      system-auth
# Keyboard logging.
session    include      pam_tty_audit
session    optional     pam_xauth.so

### /etc/pam.d/sudo ###
#%PAM-1.0
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so revoke
session    required     pam_limits.so
# Keyboard logging.
session    include      pam_tty_audit

### /etc/pam.d/sudo-i ###
#%PAM-1.0
auth       include      sudo
account    include      sudo
password   include      sudo
session    optional     pam_keyinit.so force revoke
session    required     pam_limits.so
# Keyboard logging.
session    include      pam_tty_audit

### /etc/pam.d/pam_tty_audit ###
# Enable keyboard logging.
session    required     pam_tty_audit.so disable=* enable=superman,root open_only
audit system
audit.rules
## This file contains the auditctl rules that are loaded
## whenever the audit daemon is started via the initscripts.
## The rules are simply the parameters that would be passed
## to auditctl.
##
## First rule - delete all
-D

## Increase the buffers to survive stress events.
## Make this bigger for busy systems
-b 8192

## Set failure mode to log it
-f 1

## Things that affect login
-w /etc/group -p w -k CFG_login
-w /etc/passwd -p w -k CFG_login
-w /etc/gshadow -p w -k CFG_login
-w /etc/shadow -p w -k CFG_login
-w /etc/security/opasswd -p w -k CFG_login
-w /etc/nsswitch.conf -p w -k CFG_login
-w /etc/issue -p w -k CFG_login
-w /etc/issue.net -p w -k CFG_login

## successful writes to audit logfiles.
-w /var/log/audit/ -p w -k LOG_audit

## modifications to audit configuration that occur while the audit
-w /etc/audit/ -p w -k CFG_audit
-w /etc/sysconfig/auditd -p w -k CFG_audit
-w /etc/libaudit.conf -p w -k CFG_libaudit.conf
-w /etc/audisp/ -p w -k CFG_audisp

## cron configuration & scheduled jobs
-w /etc/cron.allow -p w -k CFG_cron.allow
-w /etc/cron.deny -p w -k CFG_cron.deny
-w /etc/cron.d/ -p w -k CFG_cron.d
-w /etc/cron.daily/ -p w -k CFG_cron.daily
-w /etc/cron.hourly/ -p w -k CFG_cron.hourly
-w /etc/cron.monthly/ -p w -k CFG_cron.monthly
-w /etc/cron.weekly/ -p w -k CFG_cron.weekly
-w /etc/crontab -p w -k CFG_crontab
-w /var/spool/cron/ -k CFG_crontab

## network configuration
-w /etc/hosts -p w -k CFG_hosts
-w /etc/sysconfig/network-scripts/ -p w -k CFG_network
-w /etc/sysconfig/network -p w -k CFG_network
-w /etc/resolv.conf -p w -k CFG_hosts

## system startup scripts
-w /etc/inittab -p w -k CFG_inittab
-w /etc/rc.d/init.d/ -p w -k CFG_initscripts

## kernel parameters
-w /etc/sysctl.conf -p w -k CFG_sysctl.conf

## pam configuration
-w /etc/pam.d/ -p w -k CFG_pam
-w /etc/security/limits.conf -p w -k CFG_pam
-w /etc/security/pam_env.conf -p w -k CFG_pam
-w /etc/security/namespace.conf -p w -k CFG_pam
-w /etc/security/namespace.init -p w -k CFG_pam

## ssh configuration
-w /etc/ssh/sshd_config -p w -k CFG_sshd_config

## rpm packages.
-w /var/lib/rpm/Packages -p w -k CFG_rpm
Reading logged data
- Keystroke data is written to the log only after the user's session exits, so tailing /var/log/audit/audit.log will not show it live.
What has happened on the TTY (-i translates numeric ids to names):
aureport -i --tty
List all entries:
ausearch -m ALL
What has happened this week:
aureport --start this-week
What changes have been made this week, summarised per rule key:
aureport --start this-week --key --summary
What happened in a specific event, selected by its serial number:
ausearch -i -a 1295821
What happened in the last 10 minutes:
ausearch -i --start recent
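The reports above need a live audit.log. As an added example that is not from this page, the following POSIX shell functions reproduce three of those lookups offline on a constructed sample of audit.log records: the per-key summary that aureport --key --summary gives, the records of one event serial as ausearch -a lists them, and decoding of the hex data= field of a TTY record, which is what aureport -i --tty does with the keystrokes pam_tty_audit captured. The record contents, serial numbers and ids are constructed, and the function names are assumptions.

```shell
# Constructed sample in audit.log record format (not a real capture);
# keys match the audit.rules above, serials and ids are made up.
SAMPLE_LOG='type=SYSCALL msg=audit(1295821000.101:1295821): arch=c000003e syscall=2 success=yes exit=3 auid=500 uid=0 tty=pts0 comm="vi" exe="/bin/vi" key="CFG_login"
type=PATH msg=audit(1295821000.101:1295821): item=0 name="/etc/passwd" inode=1234 dev=fd:00 mode=0100644 ouid=0 ogid=0
type=SYSCALL msg=audit(1295821005.202:1295822): arch=c000003e syscall=2 success=yes exit=3 auid=500 uid=0 tty=pts0 comm="vi" exe="/bin/vi" key="CFG_sshd_config"
type=SYSCALL msg=audit(1295821007.303:1295823): arch=c000003e syscall=2 success=no exit=-13 auid=501 uid=501 tty=pts1 comm="vi" exe="/bin/vi" key="CFG_login"
type=TTY msg=audit(1295821009.404:1295824): tty pid=1234 uid=0 auid=500 major=136 minor=0 comm="bash" data=6C73202D6C61202F6574630D'

# Records per rule key, most frequent first (what "aureport --key --summary" reports).
audit_key_summary() {
    sed -n 's/.* key="\([^"]*\)".*/\1/p' | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Every record belonging to one event serial (what "ausearch -a <serial>" shows);
# the SYSCALL and PATH records of one event share the serial after the colon.
audit_event_records() {
    grep "msg=audit([0-9.]*:$1):"
}

# Decode the hex "data=" field of TTY records into the keystrokes typed
# (what "aureport -i --tty" shows); a carriage return ends a line.
audit_tty_decode() {
    sed -n 's/.*type=TTY.* data=\([0-9A-Fa-f]*\).*/\1/p' | while read -r hex; do
        while [ -n "$hex" ]; do
            rest=${hex#??}                   # hex string without its first byte
            byte=$((0x${hex%"$rest"}))       # numeric value of that first byte
            hex=$rest
            if [ "$byte" -eq 13 ]; then
                printf '\n'
            else
                printf "\\$(printf '%03o' "$byte")"
            fi
        done
    done
}

# Stand-alone run over the sample.
printf '%s\n' "$SAMPLE_LOG" | audit_key_summary
printf '%s\n' "$SAMPLE_LOG" | audit_event_records 1295821
printf '%s\n' "$SAMPLE_LOG" | audit_tty_decode
```

Pipe a real /var/log/audit/audit.log into the same functions to get the equivalent offline view, keeping in mind that TTY records only appear once the session has ended.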