Audit: Difference between revisions
Revision as of 18:58, 21 October 2009
==How to audit fedora/redhat system==
Tested on fedora 11 x86_64
==ssh/sudo tty auditing==
<pre><nowiki>
### /etc/pam.d/sshd ###
#%PAM-1.0
auth       required     pam_sepermit.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
# Keyboard logging.
session    include      pam_tty_audit
session    optional     pam_keyinit.so force revoke
session    include      system-auth

### /etc/pam.d/su ###
#%PAM-1.0
auth       sufficient   pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth      sufficient   pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth      required     pam_wheel.so use_uid
auth       include      system-auth
account    sufficient   pam_succeed_if.so uid = 0 use_uid quiet
account    include      system-auth
password   include      system-auth
session    include      system-auth
# Keyboard logging.
session    include      pam_tty_audit
session    optional     pam_xauth.so

### /etc/pam.d/sudo ###
#%PAM-1.0
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so revoke
session    required     pam_limits.so
# Keyboard logging.
session    include      pam_tty_audit

### /etc/pam.d/sudo-i ###
#%PAM-1.0
auth       include      sudo
account    include      sudo
password   include      sudo
session    optional     pam_keyinit.so force revoke
session    required     pam_limits.so
# Keyboard logging.
session    include      pam_tty_audit

### /etc/pam.d/pam_tty_audit ###
# Enable keyboard logging.
session    required     pam_tty_audit.so disable=* enable=superman,root open_only
</nowiki></pre>
==audit system==
audit.rules
<pre><nowiki>
## This file contains the auditctl rules that are loaded
## whenever the audit daemon is started via the initscripts.
## The rules are simply the parameters that would be passed
## to auditctl.
##
## First rule - delete all
-D
## Increase the buffers to survive stress events.
## Make this bigger for busy systems
-b 8192
## Set failure mode to panic
-f 2
## Things that affect login
-w /etc/group -p wa -k CFG_login
-w /etc/passwd -p wa -k CFG_login
-w /etc/gshadow -p wa -k CFG_login
-w /etc/shadow -p wa -k CFG_login
-w /etc/security/opasswd -p wa -k CFG_login
-w /etc/nsswitch.conf -p wa -k CFG_login
-w /etc/issue -p wa -k CFG_login
-w /etc/issue.net -p wa -k CFG_login
## successful writes to audit logfiles.
-w /var/log/audit/ -p wa -k LOG_audit
## modifications to audit configuration that occur while the audit
-w /etc/audit/ -p wa -k CFG_audit
-w /etc/sysconfig/auditd -p wa -k CFG_audit
-w /etc/libaudit.conf -p wa -k CFG_libaudit.conf
-w /etc/audisp/ -p wa -k CFG_audisp
## cron configuration & scheduled jobs
-w /etc/cron.allow -p wa -k CFG_cron.allow
-w /etc/cron.deny -p wa -k CFG_cron.deny
-w /etc/cron.d/ -p wa -k CFG_cron.d
-w /etc/cron.daily/ -p wa -k CFG_cron.daily
-w /etc/cron.hourly/ -p wa -k CFG_cron.hourly
-w /etc/cron.monthly/ -p wa -k CFG_cron.monthly
-w /etc/cron.weekly/ -p wa -k CFG_cron.weekly
-w /etc/crontab -p wa -k CFG_crontab
-w /var/spool/cron/ -k CFG_crontab
## network configuration
-w /etc/hosts -p wa -k CFG_hosts
-w /etc/sysconfig/network-scripts/ -p wa -k CFG_network
-w /etc/sysconfig/network -p wa -k CFG_network
-w /etc/resolv.conf -p wa -k CFG_hosts
## system startup scripts
-w /etc/inittab -p wa -k CFG_inittab
-w /etc/rc.d/init.d/ -p wa -k CFG_initscripts
## kernel parameters
-w /etc/sysctl.conf -p wa -k CFG_sysctl.conf
## pam configuration
-w /etc/pam.d/ -p wa -k CFG_pam
-w /etc/security/limits.conf -p wa -k CFG_pam
-w /etc/security/pam_env.conf -p wa -k CFG_pam
-w /etc/security/namespace.conf -p wa -k CFG_pam
-w /etc/security/namespace.init -p wa -k CFG_pam
## ssh configuration
-w /etc/ssh/sshd_config -k CFG_sshd_config
## rpm database (a watch is -w; -v is auditctl's version flag, not a rule)
-w /var/lib/rpm/Packages -k CFG_rpm
</nowiki></pre>
==Reading logged data==
- TTY audit data is written only after the user exits, so tailing /var/log/audit/audit.log will not show a session's keystrokes while it is still running.

To see what has happened on the tty, with numeric fields (uid, auid and so on) translated to names:
<pre><nowiki>
aureport -i --tty
</nowiki></pre>
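As an added example (not part of the original page or of the audit tools), the following Python reads the two kinds of record these rules produce from the raw log: a watch hit tagged with its -k key, and a pam_tty_audit TTY record whose keystrokes are hex-encoded. The sample log lines and the uid-to-name map are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample records in raw /var/log/audit/audit.log format (not real log data).
# Serial 201: a write-open of /etc/shadow caught by "-w /etc/shadow -p wa -k CFG_login".
# Serial 202: a pam_tty_audit keystroke record, emitted only once the shell has exited.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1256147900.101:201): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=1500 pid=1501 auid=500 uid=0 gid=0 euid=0 tty=pts0 ses=1 comm="vi" exe="/bin/vi" key="CFG_login"
type=CWD msg=audit(1256147900.101:201):  cwd="/root"
type=PATH msg=audit(1256147900.101:201): item=0 name="/etc/shadow" inode=1234 dev=fd:00 mode=0100400 ouid=0 ogid=0
type=TTY msg=audit(1256147950.200:202): tty pid=1501 uid=0 auid=500 ses=1 major=136 minor=0 comm="bash" data=6C73202D6C61202F6574632F736861646F770D
"""
# Assumed uid-to-name map standing in for the passwd lookup that "aureport -i" performs.
UID_NAMES = {0: "root", 500: "superman"}

HEADER = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
def parse_record(line):
    """Split one raw audit line into its type, timestamp, serial and a dict of fields."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD.findall(m.group(4))}
    return {"type": m.group(1), "time": float(m.group(2)), "serial": int(m.group(3)), **fields}

def decode_tty(hexdata):
    """pam_tty_audit stores keystrokes hex-encoded; a carriage return marks where Enter was pressed."""
    return bytes.fromhex(hexdata).decode("latin-1").replace("\r", "\n")

def summarize(log_text, uid_names=UID_NAMES):
    """Join records sharing a serial, then report watch hits and TTY input with names resolved."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["serial"]].append(rec)
    out = []
    for serial, recs in sorted(events.items()):
        by_type = {r["type"]: r for r in recs}
        if "SYSCALL" in by_type and "key" in by_type["SYSCALL"]:
            s = by_type["SYSCALL"]  # the -k key names which rule in audit.rules fired
            who = uid_names.get(int(s["auid"]), s["auid"])  # auid survives su/sudo
            paths = [r["name"] for r in recs if r["type"] == "PATH"]
            out.append((serial, "watch", s["key"], who, s["comm"], paths))
        elif "TTY" in by_type:
            t = by_type["TTY"]
            who = uid_names.get(int(t["auid"]), t["auid"])
            out.append((serial, "tty", t["comm"], who, decode_tty(t["data"])))
    return out
```

Run `summarize(SAMPLE_LOG)` to get one tuple per event; on a real system, feed it the contents of /var/log/audit/audit.log and replace UID_NAMES with a lookup through the pwd module.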