Audit: Difference between revisions
Latest revision as of 07:43, 5 November 2009
==Resources==
* Audit homepage: http://people.redhat.com/sgrubb/audit/index.html
* Common Criteria: http://www.commoncriteriaportal.org/
* Novell manual (SLES 10): http://www.novell.com/documentation/sles10/
==How to audit a Fedora/Red Hat system==
Tested on Fedora 11 x86_64.

==ssh/sudo tty auditing==
The PAM stacks below record keystrokes for the listed users by adding pam_tty_audit.so to the session phase of sshd, su, sudo and sudo -i, through a shared /etc/pam.d/pam_tty_audit file that each of them includes.
<pre><nowiki>
### /etc/pam.d/sshd ###
#%PAM-1.0
auth       required     pam_sepermit.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
# Keyboard logging.
session    include      pam_tty_audit
session    optional     pam_keyinit.so force revoke
session    include      system-auth

### /etc/pam.d/su ###
#%PAM-1.0
auth       sufficient   pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth      sufficient   pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth      required     pam_wheel.so use_uid
auth       include      system-auth
account    sufficient   pam_succeed_if.so uid = 0 use_uid quiet
account    include      system-auth
password   include      system-auth
session    include      system-auth
# Keyboard logging.
session    include      pam_tty_audit
session    optional     pam_xauth.so

### /etc/pam.d/sudo ###
#%PAM-1.0
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so revoke
session    required     pam_limits.so
# Keyboard logging.
session    include      pam_tty_audit

### /etc/pam.d/sudo-i ###
#%PAM-1.0
auth       include      sudo
account    include      sudo
password   include      sudo
session    optional     pam_keyinit.so force revoke
session    required     pam_limits.so
# Keyboard logging.
session    include      pam_tty_audit

### /etc/pam.d/pam_tty_audit ###
# Enable keyboard logging.
session    required     pam_tty_audit.so disable=* enable=superman,root open_only
</nowiki></pre>
==Audit system==
audit.rules
<pre><nowiki>
## This file contains the auditctl rules that are loaded
## whenever the audit daemon is started via the initscripts.
## The rules are simply the parameters that would be passed
## to auditctl.
##
## First rule - delete all
-D
## Increase the buffers to survive stress events.
## Make this bigger for busy systems
-b 8192
## Set failure mode to loggit
-f 1
## Things that affect login
-w /etc/group -p w -k CFG_login
-w /etc/passwd -p w -k CFG_login
-w /etc/gshadow -p w -k CFG_login
-w /etc/shadow -p w -k CFG_login
-w /etc/security/opasswd -p w -k CFG_login
-w /etc/nsswitch.conf -p w -k CFG_login
-w /etc/issue -p w -k CFG_login
-w /etc/issue.net -p w -k CFG_login
## successful writes to audit logfiles.
-w /var/log/audit/ -p w -k LOG_audit
## modifications to audit configuration that occur while the audit
-w /etc/audit/ -p w -k CFG_audit
-w /etc/sysconfig/auditd -p w -k CFG_audit
-w /etc/libaudit.conf -p w -k CFG_libaudit.conf
-w /etc/audisp/ -p w -k CFG_audisp
## cron configuration & scheduled jobs
-w /etc/cron.allow -p w -k CFG_cron.allow
-w /etc/cron.deny -p w -k CFG_cron.deny
-w /etc/cron.d/ -p w -k CFG_cron.d
-w /etc/cron.daily/ -p w -k CFG_cron.daily
-w /etc/cron.hourly/ -p w -k CFG_cron.hourly
-w /etc/cron.monthly/ -p w -k CFG_cron.monthly
-w /etc/cron.weekly/ -p w -k CFG_cron.weekly
-w /etc/crontab -p w -k CFG_crontab
-w /var/spool/cron/ -k CFG_crontab
## network configuration
-w /etc/hosts -p w -k CFG_hosts
-w /etc/sysconfig/network-scripts/ -p w -k CFG_network
-w /etc/sysconfig/network -p w -k CFG_network
-w /etc/resolv.conf -p w -k CFG_hosts
## system startup scripts
-w /etc/inittab -p w -k CFG_inittab
-w /etc/rc.d/init.d/ -p w -k CFG_initscripts
## kernel parameters
-w /etc/sysctl.conf -p w -k CFG_sysctl.conf
## pam configuration
-w /etc/pam.d/ -p w -k CFG_pam
-w /etc/security/limits.conf -p w -k CFG_pam
-w /etc/security/pam_env.conf -p w -k CFG_pam
-w /etc/security/namespace.conf -p w -k CFG_pam
-w /etc/security/namespace.init -p w -k CFG_pam
## ssh configuration
-w /etc/ssh/sshd_config -p w -k CFG_sshd_config
## rpm packages.
-w /var/lib/rpm/Packages -p w -k CFG_rpm
</nowiki></pre>
==Reading logged data==
* Data is written after the user exits, so tailing /var/log/audit/audit.log will fail to show it live.

What has happened on the tty. Translate numbers to names.
 aureport -i --tty
List all entries.
 ausearch -m ALL
What is happening.
 aureport --start this-week
What changes have been done.
 aureport --start this-week --key --summary
What happened at a specific event.
 ausearch -i -a 1295821
What happened in the last 10 minutes.
 ausearch -i --start recent
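As an added example that is not part of the wiki page, the script below reads a handful of constructed audit.log records and answers the same questions the aureport/ausearch commands above do (per-key summary, events for a key, all records of one event serial), so the CFG_* keys from audit.rules can be checked offline. The records, serials, pids and uids are made up; the sample_audit_log function stands in for /var/log/audit/audit.log.

```shell
#!/bin/sh
# Added example, not from the wiki page: a pure-shell stand-in for
# "aureport --key --summary", "ausearch -k KEY" and "ausearch -a SERIAL",
# run over constructed audit.log records so the rule keys from audit.rules
# (CFG_login, CFG_sshd_config, ...) can be exercised without a running auditd.
# Serials, pids, uids, inodes and timestamps below are made up.

sample_audit_log() {
cat <<'EOF'
type=SYSCALL msg=audit(1257404583.123:1295821): arch=c000003e syscall=2 success=yes exit=3 ppid=2890 pid=2901 auid=500 uid=0 euid=0 tty=pts0 ses=2 comm="vi" exe="/bin/vi" key="CFG_login"
type=CWD msg=audit(1257404583.123:1295821):  cwd="/root"
type=PATH msg=audit(1257404583.123:1295821): item=0 name="/etc/" inode=2 dev=fd:00 mode=040755 ouid=0 ogid=0
type=PATH msg=audit(1257404583.123:1295821): item=1 name="/etc/shadow" inode=131 dev=fd:00 mode=0100400 ouid=0 ogid=0
type=SYSCALL msg=audit(1257404590.456:1295822): arch=c000003e syscall=2 success=yes exit=4 ppid=2890 pid=2902 auid=500 uid=0 euid=0 tty=pts0 ses=2 comm="useradd" exe="/usr/sbin/useradd" key="CFG_login"
type=PATH msg=audit(1257404590.456:1295822): item=0 name="/etc/passwd" inode=140 dev=fd:00 mode=0100644 ouid=0 ogid=0
type=SYSCALL msg=audit(1257404601.789:1295823): arch=c000003e syscall=2 success=no exit=-13 ppid=3011 pid=3015 auid=501 uid=501 euid=501 tty=pts1 ses=3 comm="vi" exe="/bin/vi" key="CFG_sshd_config"
type=PATH msg=audit(1257404601.789:1295823): item=0 name="/etc/ssh/sshd_config" inode=200 dev=fd:00 mode=0100600 ouid=0 ogid=0
EOF
}

# "<count> <key>" per rule key, busiest key first: the shape of
# "aureport --key --summary". Only SYSCALL records carry the key.
audit_key_summary() {
    sample_audit_log |
    sed -n 's/^type=SYSCALL .*key="\([^"]*\)".*/\1/p' |
    sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Event serials whose SYSCALL record matched the given key ("ausearch -k KEY").
audit_key_events() {
    sample_audit_log |
    sed -n "s/^type=SYSCALL msg=audit([0-9.]*:\([0-9]*\)):.*key=\"$1\".*/\1/p"
}

# All records sharing one event serial ("ausearch -a SERIAL"): the SYSCALL
# line says who (auid is the login uid set by pam_loginuid, and it survives
# su/sudo) and what; the PATH lines say which files were touched.
audit_event() {
    sample_audit_log | grep ":$1):"
}

# File names from the PATH records of one event.
audit_event_files() {
    audit_event "$1" | sed -n 's/^type=PATH .*name="\([^"]*\)".*/\1/p'
}

audit_key_summary
audit_event_files 1295821
```

Pointing sample_audit_log at the real log (cat /var/log/audit/audit.log) gives the same views on a live system, keeping in mind that TTY records only appear once the session has ended.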