Audit
Revision as of 19:32, 21 October 2009
Resources
http://people.redhat.com/sgrubb/audit/index.html
http://www.commoncriteriaportal.org/

How to audit a Fedora/Red Hat system
Tested on Fedora 11 x86_64.
ssh/sudo tty auditing
### /etc/pam.d/sshd ###
#%PAM-1.0
auth       required     pam_sepermit.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
# Keyboard logging.
session    include      pam_tty_audit
session    optional     pam_keyinit.so force revoke
session    include      system-auth

### /etc/pam.d/su ###
#%PAM-1.0
auth       sufficient   pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth      sufficient   pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth      required     pam_wheel.so use_uid
auth       include      system-auth
account    sufficient   pam_succeed_if.so uid = 0 use_uid quiet
account    include      system-auth
password   include      system-auth
session    include      system-auth
# Keyboard logging.
session    include      pam_tty_audit
session    optional     pam_xauth.so

### /etc/pam.d/sudo ###
#%PAM-1.0
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so revoke
session    required     pam_limits.so
# Keyboard logging.
session    include      pam_tty_audit

### /etc/pam.d/sudo-i ###
#%PAM-1.0
auth       include      sudo
account    include      sudo
password   include      sudo
session    optional     pam_keyinit.so force revoke
session    required     pam_limits.so
# Keyboard logging.
session    include      pam_tty_audit

### /etc/pam.d/pam_tty_audit ###
# Enable keyboard logging.
session    required     pam_tty_audit.so disable=* enable=superman,root open_only
audit system
audit.rules
## This file contains the auditctl rules that are loaded
## whenever the audit daemon is started via the initscripts.
## The rules are simply the parameters that would be passed
## to auditctl.
##
## First rule - delete all
-D
## Increase the buffers to survive stress events.
## Make this bigger for busy systems
-b 8192
## Set failure mode to printk (1); use -f 2 to panic the kernel on audit failure
-f 1
## Things that affect login
-w /etc/group -p wa -k CFG_login
-w /etc/passwd -p wa -k CFG_login
-w /etc/gshadow -p wa -k CFG_login
-w /etc/shadow -p wa -k CFG_login
-w /etc/security/opasswd -p wa -k CFG_login
-w /etc/nsswitch.conf -p wa -k CFG_login
-w /etc/issue -p wa -k CFG_login
-w /etc/issue.net -p wa -k CFG_login
## successful writes to audit logfiles.
-w /var/log/audit/ -p wa -k LOG_audit
## modifications to audit configuration that occur while the audit
-w /etc/audit/ -p wa -k CFG_audit
-w /etc/sysconfig/auditd -p wa -k CFG_audit
-w /etc/libaudit.conf -p wa -k CFG_libaudit.conf
-w /etc/audisp/ -p wa -k CFG_audisp
## cron configuration & scheduled jobs
-w /etc/cron.allow -p wa -k CFG_cron.allow
-w /etc/cron.deny -p wa -k CFG_cron.deny
-w /etc/cron.d/ -p wa -k CFG_cron.d
-w /etc/cron.daily/ -p wa -k CFG_cron.daily
-w /etc/cron.hourly/ -p wa -k CFG_cron.hourly
-w /etc/cron.monthly/ -p wa -k CFG_cron.monthly
-w /etc/cron.weekly/ -p wa -k CFG_cron.weekly
-w /etc/crontab -p wa -k CFG_crontab
-w /var/spool/cron/ -k CFG_crontab
## network configuration
-w /etc/hosts -p wa -k CFG_hosts
-w /etc/sysconfig/network-scripts/ -p wa -k CFG_network
-w /etc/sysconfig/network -p wa -k CFG_network
-w /etc/resolv.conf -p wa -k CFG_hosts
## system startup scripts
-w /etc/inittab -p wa -k CFG_inittab
-w /etc/rc.d/init.d/ -p wa -k CFG_initscripts
## kernel parameters
-w /etc/sysctl.conf -p wa -k CFG_sysctl.conf
## pam configuration
-w /etc/pam.d/ -p wa -k CFG_pam
-w /etc/security/limits.conf -p wa -k CFG_pam
-w /etc/security/pam_env.conf -p wa -k CFG_pam
-w /etc/security/namespace.conf -p wa -k CFG_pam
-w /etc/security/namespace.init -p wa -k CFG_pam
## ssh configuration
-w /etc/ssh/sshd_config -k CFG_sshd_config
## rpm packages (auditctl takes -w for a file watch; -v only prints the version)
-w /var/lib/rpm/Packages -k CFG_rpm
Reading logged data
- Keystroke data is written to the log only after the audited user's session exits, so tailing /var/log/audit/audit.log will not show it live.
To see what happened on the tty, with uids and other numbers translated to names:
aureport -i --tty
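As an added example (not part of the original wiki page), the following Python script does by hand what aureport -i --tty does: it parses raw audit.log records, decodes the hex-encoded keystrokes that pam_tty_audit emits in TTY records, translates auid numbers to names, and counts the records that matched a -k key from audit.rules. The log lines and the uid-to-name map are constructed sample data.

```python
import re

# Constructed sample records in the shape auditd writes to /var/log/audit/audit.log
# (example data, not captured from a real host). TTY keystrokes arrive hex-encoded
# in data= and are flushed only when the audited session ends.
SAMPLE_LOG = """\
type=TTY msg=audit(1256150000.101:301): tty pid=2345 uid=0 auid=500 ses=3 major=136 minor=1 comm="bash" data=6C73202D6C0D
type=CONFIG_CHANGE msg=audit(1256150001.202:302): auid=500 ses=3 op="add rule" key="CFG_login" list=4 res=1
type=TTY msg=audit(1256150002.303:303): tty pid=2345 uid=0 auid=500 ses=3 major=136 minor=1 comm="bash" data=6578697409
type=SYSCALL msg=audit(1256150003.404:304): arch=c000003e syscall=2 success=yes exit=3 ppid=2345 pid=2400 auid=500 uid=0 tty=pts1 ses=3 comm="vi" exe="/bin/vi" key="CFG_pam"
"""
# Constructed uid -> login name map, standing in for the /etc/passwd lookup aureport -i performs.
PASSWD = {0: "root", 500: "superman"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEADER_RE = re.compile(r'^type=(\w+) msg=audit\((\d+)\.\d+:(\d+)\): ?(.*)$')

def parse_record(line):
    """Split one audit record into type, timestamp, serial and a dict of key=value fields."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    return {"type": rtype, "time": int(ts), "serial": int(serial), **fields}

def decode_tty_data(hexdata):
    """Keystrokes are hex bytes; render control characters as <NN> the way aureport does."""
    raw = bytes.fromhex(hexdata)
    return "".join(chr(b) if 32 <= b < 127 else "<%02X>" % b for b in raw)

def tty_report(log, passwd=PASSWD):
    """Per (login name, session): the typed input in order, with auid translated to a name."""
    sessions = {}
    for line in log.splitlines():
        rec = parse_record(line)
        if rec and rec["type"] == "TTY":
            who = passwd.get(int(rec["auid"]), rec["auid"])
            sessions.setdefault((who, rec["ses"]), []).append(decode_tty_data(rec["data"]))
    return {k: "".join(v) for k, v in sessions.items()}

def events_by_key(log):
    """Count records that carry a key= field, grouped by the -k key from audit.rules."""
    counts = {}
    for line in log.splitlines():
        rec = parse_record(line)
        if rec and "key" in rec:
            counts[rec["key"]] = counts.get(rec["key"], 0) + 1
    return counts
```

On a real host, feed the script the contents of /var/log/audit/audit.log after the audited session has ended, since TTY records are not written until then.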