Audit: Difference between revisions
(5 intermediate revisions by the same user not shown)
Line 71: | Line 71: | ||
audit.rules | audit.rules | ||
<pre><nowiki> | <pre><nowiki> | ||
## This file contains the auditctl rules that are loaded | ## This file contains the auditctl rules that are loaded | ||
## whenever the audit daemon is started via the initscripts. | ## whenever the audit daemon is started via the initscripts. | ||
## The rules are simply the parameters that would be passed | ## The rules are simply the parameters that would be passed | ||
## to auditctl. | ## to auditctl. | ||
## | ## | ||
## First rule - delete all | ## First rule - delete all | ||
-D | -D | ||
## Increase the buffers to survive stress events. | ## Increase the buffers to survive stress events. | ||
Line 83: | Line 83: | ||
-b 8192 | -b 8192 | ||
## Set failure mode to | ## Set failure mode to loggit | ||
-f 1 | -f 1 | ||
## Things that affect login | ## Things that affect login | ||
-w /etc/group -p | -w /etc/group -p w -k CFG_login | ||
-w /etc/passwd -p | -w /etc/passwd -p w -k CFG_login | ||
-w /etc/gshadow -p | -w /etc/gshadow -p w -k CFG_login | ||
-w /etc/shadow -p | -w /etc/shadow -p w -k CFG_login | ||
-w /etc/security/opasswd -p | -w /etc/security/opasswd -p w -k CFG_login | ||
-w /etc/nsswitch.conf -p | -w /etc/nsswitch.conf -p w -k CFG_login | ||
-w /etc/issue -p | -w /etc/issue -p w -k CFG_login | ||
-w /etc/issue.net -p | -w /etc/issue.net -p w -k CFG_login | ||
## successful writes to audit logfiles. | ## successful writes to audit logfiles. | ||
-w /var/log/audit/ -p | -w /var/log/audit/ -p w -k LOG_audit | ||
## modifications to audit configuration that occur while the audit | ## modifications to audit configuration that occur while the audit | ||
-w /etc/audit/ -p | -w /etc/audit/ -p w -k CFG_audit | ||
-w /etc/sysconfig/auditd -p | -w /etc/sysconfig/auditd -p w -k CFG_audit | ||
-w /etc/libaudit.conf -p | -w /etc/libaudit.conf -p w -k CFG_libaudit.conf | ||
-w /etc/audisp/ -p | -w /etc/audisp/ -p w -k CFG_audisp | ||
## cron configuration & scheduled jobs | ## cron configuration & scheduled jobs | ||
-w /etc/cron.allow -p | -w /etc/cron.allow -p w -k CFG_cron.allow | ||
-w /etc/cron.deny -p | -w /etc/cron.deny -p w -k CFG_cron.deny | ||
-w /etc/cron.d/ -p | -w /etc/cron.d/ -p w -k CFG_cron.d | ||
-w /etc/cron.daily/ -p | -w /etc/cron.daily/ -p w -k CFG_cron.daily | ||
-w /etc/cron.hourly/ -p | -w /etc/cron.hourly/ -p w -k CFG_cron.hourly | ||
-w /etc/cron.monthly/ -p | -w /etc/cron.monthly/ -p w -k CFG_cron.monthly | ||
-w /etc/cron.weekly/ -p | -w /etc/cron.weekly/ -p w -k CFG_cron.weekly | ||
-w /etc/crontab -p | -w /etc/crontab -p w -k CFG_crontab | ||
-w /var/spool/cron/ -k CFG_crontab | -w /var/spool/cron/ -k CFG_crontab | ||
## network configuration | ## network configuration | ||
-w /etc/hosts -p | -w /etc/hosts -p w -k CFG_hosts | ||
-w /etc/sysconfig/network-scripts/ -p | -w /etc/sysconfig/network-scripts/ -p w -k CFG_network | ||
-w /etc/sysconfig/network -p | -w /etc/sysconfig/network -p w -k CFG_network | ||
-w /etc/resolv.conf -p | -w /etc/resolv.conf -p w -k CFG_hosts | ||
## system startup scripts | ## system startup scripts | ||
-w /etc/inittab -p | -w /etc/inittab -p w -k CFG_inittab | ||
-w /etc/rc.d/init.d/ -p | -w /etc/rc.d/init.d/ -p w -k CFG_initscripts | ||
## kernel parameters | ## kernel parameters | ||
-w /etc/sysctl.conf -p | -w /etc/sysctl.conf -p w -k CFG_sysctl.conf | ||
## pam configuration | ## pam configuration | ||
-w /etc/pam.d/ -p | -w /etc/pam.d/ -p w -k CFG_pam | ||
-w /etc/security/limits.conf -p | -w /etc/security/limits.conf -p w -k CFG_pam | ||
-w /etc/security/pam_env.conf -p | -w /etc/security/pam_env.conf -p w -k CFG_pam | ||
-w /etc/security/namespace.conf -p | -w /etc/security/namespace.conf -p w -k CFG_pam | ||
-w /etc/security/namespace.init -p | -w /etc/security/namespace.init -p w -k CFG_pam | ||
## ssh configuration | ## ssh configuration | ||
-w /etc/ssh/sshd_config -k CFG_sshd_config | -w /etc/ssh/sshd_config -p w -k CFG_sshd_config | ||
## rpm packages. | ## rpm packages. | ||
- | -w /var/lib/rpm/Packages -p w -k CFG_rpm | ||
</nowiki></pre> | </nowiki></pre> | ||
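Review bot: the left column's `-w ... -p` rules carry no permission letters, so auditctl would take the next token (`-k`) as the permission string and reject the rule; the `-p w` form in the right column fixes that. Two follow-ups on the new column: `-p w` records writes only, so ownership and mode changes on files such as /etc/shadow are not logged unless `a` is added (`-p wa`); and the comment `## modifications to audit configuration that occur while the audit` is cut off mid-sentence, while `## Set failure mode to loggit` should say what `-f 1` does (report failures via printk, i.e. log them).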
Line 156: | Line 157: | ||
What changes has been done. | What changes has been done. | ||
aureport --start this-week -- | aureport --start this-week --key --summary | ||
What happened at a specific event. | |||
ausearch -i -a 1295821 | |||
What happened the last 10 minutes. | |||
ausearch -i --start recent | |||
[[Category:Applications]] |
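Review bot: `ausearch -i -a 1295821` needs a line saying where the serial comes from (the number after the colon in `msg=audit(<time>:<serial>)`, as printed by a previous `ausearch` or `aureport` run); as written the example value reads as a magic number. `--start recent` matches the heading, since ausearch defines recent as the last 10 minutes.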
Latest revision as of 07:43, 5 November 2009
Resources
Homepage
http://people.redhat.com/sgrubb/audit/index.html
Common Criteria
http://www.commoncriteriaportal.org/
Novell manual
http://www.novell.com/documentation/sles10/
How to audit a Fedora/Red Hat system
Tested on Fedora 11 x86_64
SSH/sudo TTY auditing
<pre>
### /etc/pam.d/sshd ###
#%PAM-1.0
auth       required     pam_sepermit.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
# Keyboard logging.
session    include      pam_tty_audit
session    optional     pam_keyinit.so force revoke
session    include      system-auth

### /etc/pam.d/su ###
#%PAM-1.0
auth       sufficient   pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth      sufficient   pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth      required     pam_wheel.so use_uid
auth       include      system-auth
account    sufficient   pam_succeed_if.so uid = 0 use_uid quiet
account    include      system-auth
password   include      system-auth
session    include      system-auth
# Keyboard logging.
session    include      pam_tty_audit
session    optional     pam_xauth.so

### /etc/pam.d/sudo ###
#%PAM-1.0
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so revoke
session    required     pam_limits.so
# Keyboard logging.
session    include      pam_tty_audit

### /etc/pam.d/sudo-i ###
#%PAM-1.0
auth       include      sudo
account    include      sudo
password   include      sudo
session    optional     pam_keyinit.so force revoke
session    required     pam_limits.so
# Keyboard logging.
session    include      pam_tty_audit

### /etc/pam.d/pam_tty_audit ###
# Enable keyboard logging.
session    required     pam_tty_audit.so disable=* enable=superman,root open_only
</pre>
audit system
audit.rules
<pre>
## This file contains the auditctl rules that are loaded
## whenever the audit daemon is started via the initscripts.
## The rules are simply the parameters that would be passed
## to auditctl.
##
## First rule - delete all
-D
## Increase the buffers to survive stress events.
## Make this bigger for busy systems
-b 8192
## Set failure mode to printk (log it; 0=silent, 1=printk, 2=panic)
-f 1
## Things that affect login
-w /etc/group -p w -k CFG_login
-w /etc/passwd -p w -k CFG_login
-w /etc/gshadow -p w -k CFG_login
-w /etc/shadow -p w -k CFG_login
-w /etc/security/opasswd -p w -k CFG_login
-w /etc/nsswitch.conf -p w -k CFG_login
-w /etc/issue -p w -k CFG_login
-w /etc/issue.net -p w -k CFG_login
## successful writes to audit logfiles.
-w /var/log/audit/ -p w -k LOG_audit
## modifications to audit configuration that occur while the audit
-w /etc/audit/ -p w -k CFG_audit
-w /etc/sysconfig/auditd -p w -k CFG_audit
-w /etc/libaudit.conf -p w -k CFG_libaudit.conf
-w /etc/audisp/ -p w -k CFG_audisp
## cron configuration & scheduled jobs
-w /etc/cron.allow -p w -k CFG_cron.allow
-w /etc/cron.deny -p w -k CFG_cron.deny
-w /etc/cron.d/ -p w -k CFG_cron.d
-w /etc/cron.daily/ -p w -k CFG_cron.daily
-w /etc/cron.hourly/ -p w -k CFG_cron.hourly
-w /etc/cron.monthly/ -p w -k CFG_cron.monthly
-w /etc/cron.weekly/ -p w -k CFG_cron.weekly
-w /etc/crontab -p w -k CFG_crontab
-w /var/spool/cron/ -k CFG_crontab
## network configuration
-w /etc/hosts -p w -k CFG_hosts
-w /etc/sysconfig/network-scripts/ -p w -k CFG_network
-w /etc/sysconfig/network -p w -k CFG_network
-w /etc/resolv.conf -p w -k CFG_hosts
## system startup scripts
-w /etc/inittab -p w -k CFG_inittab
-w /etc/rc.d/init.d/ -p w -k CFG_initscripts
## kernel parameters
-w /etc/sysctl.conf -p w -k CFG_sysctl.conf
## pam configuration
-w /etc/pam.d/ -p w -k CFG_pam
-w /etc/security/limits.conf -p w -k CFG_pam
-w /etc/security/pam_env.conf -p w -k CFG_pam
-w /etc/security/namespace.conf -p w -k CFG_pam
-w /etc/security/namespace.init -p w -k CFG_pam
## ssh configuration
-w /etc/ssh/sshd_config -p w -k CFG_sshd_config
## rpm packages.
-w /var/lib/rpm/Packages -p w -k CFG_rpm
</pre>
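The earlier revision of this page had `-w` rules whose `-p` carried no permission letters, which auditctl refuses to load. The linter below is an added example, not a script from the wiki or the audit project; it checks a rules file for that mistake, for permission letters outside `r`, `w`, `x`, `a`, for watches without a `-k` key (which `aureport --key` then cannot group) and for watches without `-p` (which auditctl treats as `rwxa`). The rules text embedded in it is constructed for the example and mixes one correct line with the faulty forms.

```python
"""Lint an auditctl rules file like the one above (added example, not the wiki's script)."""
import shlex

VALID_PERMS = set("rwxa")

# Constructed sample: a good watch, the broken "-p" form from the page's old
# revision, a bad permission letter, a watch with no -p, and a watch with no key.
SAMPLE_RULES = """\
## First rule - delete all
-D
-b 8192
-f 1
-w /etc/passwd -p w -k CFG_login
-w /etc/shadow -p -k CFG_login
-w /etc/hosts -p q -k CFG_hosts
-w /var/spool/cron/ -k CFG_crontab
-w /etc/sysctl.conf -p wa
"""


def parse_watch(tokens):
    """Return (path, perms, key) for a -w rule; a value is None when absent.

    Mirrors how auditctl consumes its arguments: every option takes exactly
    the next token as its value, even if that token starts with '-'."""
    path = perms = key = None
    i = 0
    while i < len(tokens):
        opt = tokens[i]
        val = tokens[i + 1] if i + 1 < len(tokens) else None
        if opt == "-w":
            path = val
        elif opt == "-p":
            perms = val
        elif opt == "-k":
            key = val
        i += 2
    return path, perms, key


def lint_rules(text):
    """Return a list of (line_number, level, message) findings for the -w rules."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        if tokens[0] != "-w":
            continue  # -D, -b, -f and -a rules are not checked by this example
        path, perms, key = parse_watch(tokens)
        if path is None:
            findings.append((lineno, "error", "-w without a path"))
            continue
        if "-p" in tokens and (perms is None or perms.startswith("-")):
            # The old revision's bug: "-p -k CFG_login" makes auditctl read "-k"
            # as the permission string and reject the whole rule.
            findings.append((lineno, "error",
                             f"{path}: -p has no permission letters; auditctl would "
                             f"take {perms!r} as the permission string"))
            continue
        if perms is None:
            findings.append((lineno, "info",
                             f"{path}: no -p, defaults to rwxa (every access is logged)"))
        else:
            bad = "".join(sorted(set(perms) - VALID_PERMS))
            if bad:
                findings.append((lineno, "error",
                                 f"{path}: invalid permission letter(s) {bad} (valid: r w x a)"))
        if key is None:
            findings.append((lineno, "warning",
                             f"{path}: no -k key, aureport --key cannot group these events"))
    return findings


if __name__ == "__main__":
    for lineno, level, msg in lint_rules(SAMPLE_RULES):
        print(f"line {lineno}: {level}: {msg}")
```

Run it against a real file with `lint_rules(open("/etc/audit/audit.rules").read())`; a clean file returns an empty list. The `info` finding for a watch without `-p` is deliberate: logging every read of a directory such as /var/spool/cron/ is valid, but it is the noisiest setting and worth confirming.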
Reading logged data
- TTY data is written only after the user exits, so tailing /var/log/audit/audit.log will not show it live.
What has happened on the tty, with numbers translated to names:
aureport -i --tty
List all entries:
ausearch -m ALL
What is happening:
aureport --start this-week
What changes have been made:
aureport --start this-week --key --summary
What happened at a specific event:
ausearch -i -a 1295821
What happened in the last 10 minutes:
ausearch -i --start recent
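To show what the aureport and ausearch calls above actually compute, and what the pam_tty_audit configuration from the SSH/sudo section writes into the log, here is an added example (not a script from the wiki or the audit project) that reads audit.log records directly: it groups records by event serial, counts events per `-k` key as `aureport --key --summary` does, lists the files an event touched as `ausearch -a <serial>` does, and decodes the hex `data=` field of TTY records the way `ausearch -i` renders keystrokes. The log it parses is constructed for the example; serials, inodes, timestamps and the `<ret>` rendering of a carriage return are the example's own choices.

```python
"""Parse audit.log records (added example; constructed sample log, not real data)."""
import re
from collections import Counter, defaultdict

# Constructed audit.log excerpt: three file writes caught by -w rules with keys,
# then one pam_tty_audit record whose data= field is hex for "vi /etc/passwd" + Enter.
SAMPLE_LOG = "\n".join([
    'type=SYSCALL msg=audit(1257404000.123:1295821): arch=c000003e syscall=2 success=yes exit=3 '
    'items=1 ppid=3010 pid=3011 auid=500 uid=0 gid=0 euid=0 tty=pts0 ses=1 comm="vi" exe="/bin/vi" key="CFG_login"',
    'type=PATH msg=audit(1257404000.123:1295821): item=0 name="/etc/passwd" inode=1234 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00',
    'type=SYSCALL msg=audit(1257404050.500:1295825): arch=c000003e syscall=2 success=yes exit=4 '
    'items=1 ppid=3010 pid=3020 auid=500 uid=0 gid=0 euid=0 tty=pts0 ses=1 comm="vi" exe="/bin/vi" key="CFG_sshd_config"',
    'type=PATH msg=audit(1257404050.500:1295825): item=0 name="/etc/ssh/sshd_config" inode=5678 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00',
    'type=SYSCALL msg=audit(1257404060.000:1295826): arch=c000003e syscall=2 success=yes exit=5 '
    'items=1 ppid=3010 pid=3025 auid=500 uid=0 gid=0 euid=0 tty=pts0 ses=1 comm="vi" exe="/bin/vi" key="CFG_login"',
    'type=PATH msg=audit(1257404060.000:1295826): item=0 name="/etc/shadow" inode=1235 dev=fd:00 mode=0100400 ouid=0 ogid=0 rdev=00:00',
    'type=TTY msg=audit(1257404100.456:1295830): tty pid=3010 uid=0 auid=500 ses=1 major=136 minor=0 comm="bash" '
    'data=7669202F6574632F7061737377640D',
])

# Every record starts with type=<TYPE> msg=audit(<epoch.ms>:<serial>): and then key=value fields.
RECORD_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<time>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Return one record as a dict, or None for a line that is not an audit record."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("body"))}
    rec["type"] = m.group("type")
    rec["time"] = float(m.group("time"))
    rec["serial"] = int(m.group("serial"))
    return rec


def load_events(log_text):
    """Group records by event serial: all records of one event share the serial."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["serial"]].append(rec)
    return dict(events)


def key_summary(events):
    """Events per rule key, like `aureport --key --summary` (the key lives on the SYSCALL record)."""
    counts = Counter()
    for recs in events.values():
        for r in recs:
            if r["type"] == "SYSCALL" and "key" in r:
                counts[r["key"]] += 1
    return counts


def files_for_event(events, serial):
    """Files touched by one event, like the PATH records `ausearch -a <serial>` prints."""
    return [r["name"] for r in events.get(serial, []) if r["type"] == "PATH" and "name" in r]


def decode_tty(records):
    """Turn pam_tty_audit TTY records into (auid, comm, text); `ausearch -i` does the same decoding.

    The data= field is the raw keystroke bytes in hex; a carriage return is shown as <ret>
    (this rendering is the example's own choice)."""
    out = []
    for r in records:
        if r["type"] != "TTY" or "data" not in r:
            continue
        text = bytes.fromhex(r["data"]).decode("ascii", errors="replace").replace("\r", "<ret>")
        out.append((r["auid"], r["comm"], text))
    return out


def tty_report(events):
    """All decoded TTY input in the log, the equivalent of `aureport -i --tty`."""
    return [entry for recs in events.values() for entry in decode_tty(recs)]


if __name__ == "__main__":
    evs = load_events(SAMPLE_LOG)
    for key, n in key_summary(evs).most_common():
        print(f"{n:4d}  {key}")
    print(files_for_event(evs, 1295821))
    print(tty_report(evs))
```

Because a TTY record is only written when the session ends (the note at the top of this section), `tty_report` over a live log shows sessions that have already closed; the per-key summary, by contrast, reflects file writes as soon as they are logged.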