Re: [CentOS] Auditing all Linux clients with centralised server
Ever heard of ossec? See: www.ossec.net

--
Adri P. van Bloois
"The greatest threat to our planet is the belief that someone else will save it." Robert Swan.

___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Auditing all Linux clients with centralised server
On Fri, Jul 09, 2021 at 08:14:06AM -0400, mario juliano grande-balletta wrote:
> WAKE UP!

Whew, I needed a wake up call! I was falling asleep at my keyboard!

In all seriousness, I think forwarding the audit logs works, and if you just want to track when users execute a program, you'll need to add an audit rule. I believe we had something like this in /etc/audit/rules.d/:

    -a exit,always -F arch=b64 -F euid>1000 -S execve
    -a exit,always -F arch=b32 -F euid>1000 -S execve

This captured all execve() syscalls for users with an effective User ID greater than 1000 (so as not to audit system processes).

We didn't actually send it to a remote auditd server, though, because it was so chatty and we had a lot of users and workstations. We had an Elasticsearch cluster and sent the audit logs directly with logstash and then Beaver (https://python-beaver.readthedocs.io/en/latest/). This was done because we had redundant ingesters and a cluster of ES servers, so logs were less likely to be dropped.

Then we had some simple frontends for the ES cluster to make it so we could quickly bring up what processes a user ran on what system. (The kibana interface is nice but too complex for a super simple query like that.) Along with collecting OS statistics like load, memory use, etc., we could track what users ran and how much resources they used.

Of course, at this job, we dropped all that and switched to Crowdstrike Falcon, a commercial security tool that does largely the same thing but with a proprietary LSM.

--
Jonathan Billings
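The two rules above make auditd write a SYSCALL, an EXECVE and a CWD record for every execution, all carrying the same msg=audit(timestamp:serial) header, so the "what did John run on Linuxnode1" view Jonathan describes is a join on that serial. The following is an added example, not code from the post or from the audit project: a Python parser over constructed raw records that performs that join, decodes the hex-encoded arguments auditd emits for values containing spaces, applies the same euid>1000 selection as the rule, and attributes each command to the login uid (auid) rather than the current uid, so commands run after su or sudo still map back to the person who logged in. It assumes auditd is emitting the node= prefix (name_format = hostname in auditd.conf); the sample lines, host names and uid-to-name map are constructed.

```python
"""Correlate raw auditd execve records into "user ran command on host".

Added example, not code from the post or the audit project.  Assumes
auditd emits a node= prefix (name_format = hostname in auditd.conf);
without it every event is reported under node "?".
"""
import re
from collections import defaultdict

# Constructed sample records (three execve events), not a real capture.
SAMPLE_LOG = """\
node=linuxnode1 type=SYSCALL msg=audit(1625820000.123:4711): arch=c000003e syscall=59 success=yes exit=0 a0=55d1c0 a1=55d2e0 a2=55d300 a3=7ffd items=2 ppid=3001 pid=3002 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts0 ses=4 comm="ls" exe="/usr/bin/ls" key=(null)
node=linuxnode1 type=EXECVE msg=audit(1625820000.123:4711): argc=3 a0="ls" a1="-la" a2=2F746D702F6D7920646972
node=linuxnode1 type=CWD msg=audit(1625820000.123:4711): cwd="/home/john"
node=linuxnode15 type=SYSCALL msg=audit(1625820042.500:9120): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=4100 pid=4101 auid=1002 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=7 comm="cat" exe="/usr/bin/cat" key=(null)
node=linuxnode15 type=EXECVE msg=audit(1625820042.500:9120): argc=2 a0="cat" a1="/etc/hosts"
node=linuxnode15 type=CWD msg=audit(1625820042.500:9120): cwd="/root"
node=linuxnode15 type=SYSCALL msg=audit(1625820050.001:9125): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=4100 pid=4130 auid=1002 uid=1002 gid=1002 euid=1002 suid=1002 fsuid=1002 egid=1002 sgid=1002 fsgid=1002 tty=pts1 ses=7 comm="vi" exe="/usr/bin/vi" key=(null)
node=linuxnode15 type=EXECVE msg=audit(1625820050.001:9125): argc=2 a0="vi" a1="notes.txt"
node=linuxnode15 type=CWD msg=audit(1625820050.001:9125): cwd="/home/steve"
"""

MSG_RE = re.compile(r"msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):")
KV_RE = re.compile(r'(\w+(?:\[\d+\])?)=("(?:[^"\\]|\\.)*"|\S+)')
ARG_RE = re.compile(r"^a(\d+)(?:\[(\d+)\])?$")  # a0, a1, or chunked a1[0], a1[1]
HEX_RE = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")


def parse_record(line):
    """Return {field: raw value} plus ts/serial, or None for a line with no audit header."""
    m = MSG_RE.search(line)
    if m is None:
        return None
    rec = {"ts": float(m.group("ts")), "serial": int(m.group("serial"))}
    for key, raw in KV_RE.findall(line):
        if key != "msg":
            rec[key] = raw
    return rec


def decode_string(raw):
    """auditd quotes plain strings and hex-encodes values with spaces or control bytes."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    if HEX_RE.match(raw):
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw


def argv_from_execve(ex):
    """Rebuild argv in order; long arguments arrive split into aN[0], aN[1], ... chunks."""
    chunks = defaultdict(list)
    for key, raw in ex.items():
        m = ARG_RE.match(key)
        if m:
            chunks[int(m.group(1))].append((int(m.group(2) or 0), decode_string(raw)))
    return ["".join(part for _, part in sorted(chunks[i])) for i in sorted(chunks)]


def execve_events(lines, euid_above=1000):
    """Join SYSCALL/EXECVE/CWD records on (node, serial) and apply the rule's euid>N filter."""
    grouped = defaultdict(dict)
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            grouped[(rec.get("node", "?"), rec["serial"])][rec.get("type")] = rec
    events = []
    for (node, serial), recs in sorted(grouped.items(), key=lambda kv: kv[0]):
        sc, ex = recs.get("SYSCALL"), recs.get("EXECVE")
        if sc is None or ex is None:
            continue
        if int(sc["euid"]) <= euid_above:  # same comparison as -F euid>1000
            continue
        events.append({
            "node": node,
            "ts": sc["ts"],
            "auid": int(sc["auid"]),  # login uid: survives su/sudo, so attribute on it
            "euid": int(sc["euid"]),
            "cwd": decode_string(recs.get("CWD", {}).get("cwd", "")),
            "argv": argv_from_execve(ex),
        })
    return events


def commands_by_user(events, names):
    """Group (node, command line) pairs per login name; names maps auid -> user name."""
    out = defaultdict(list)
    for ev in events:
        out[names.get(ev["auid"], str(ev["auid"]))].append((ev["node"], " ".join(ev["argv"])))
    return dict(out)


if __name__ == "__main__":
    # Constructed uid-to-name map; a real frontend would resolve these from passwd/LDAP.
    by_user = commands_by_user(execve_events(SAMPLE_LOG.splitlines()), {1001: "john", 1002: "steve"})
    for user, cmds in by_user.items():
        for node, cmd in cmds:
            print(f"{user}@{node}: {cmd}")
```

Two caveats the sample makes visible: the rule's euid>1000 comparison excludes uid 1000 itself, which on CentOS is the first regular account created, and it excludes anything running with euid 0, so steve's `cat /etc/hosts` under sudo only appears when the threshold is lowered (euid_above=-1). Whether to widen the rule or add a second one keyed on auid is a policy decision; the parser at least shows the gap.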
Re: [CentOS] Auditing all Linux clients with centralised server
Apologies for being off topic. Hopefully I don't get censored. Not another word. I usually never post comments anyway. Back to my cave.

On Fri, 2021-07-09 at 09:18 -0400, Stephen John Smoogen wrote:
> On Fri, 9 Jul 2021 at 08:14, mario juliano grande-balletta <mario.balle...@gmail.com> wrote:
> > This is what I remember about evil Microsoft... In 1992, Microsoft released Windows NT, and advertised it as the greatest operating system and began giving away free licenses to
>
> This is drifting off of being anywhere on-topic for this list.
Re: [CentOS] Auditing all Linux clients with centralised server
On Fri, 9 Jul 2021 at 08:14, mario juliano grande-balletta wrote:
>
> This is what I remember about evil Microsoft...
> In 1992, Microsoft released Windows NT, and advertised it as the greatest operating system and began giving away free licenses to

This is drifting off of being anywhere on-topic for this list.

--
Stephen J Smoogen.
I've seen things you people wouldn't believe. Flame wars in sci.astro.orion. I have seen SPAM filters overload because of Godwin's Law. All those moments will be lost in time... like posts on BBS... time to reboot.
Re: [CentOS] Auditing all Linux clients with centralised server
I don't think it is a problem limited to America. Greed exists worldwide.

On Fri, Jul 9, 2021 at 8:48 AM mario juliano grande-balletta <mario.balle...@gmail.com> wrote:
> Before anyone mentions "charity" and Bill Gates foundation just remember how many good technology companies and software that Microsoft destroyed with FUD tactics in the 80's, 90's, and 2000's.
> Charity begins at home they say in America...
> What about those few million employees who lost jobs, homes, cars, savings because Microsoft destroyed their companies? What about them? Where was their charity?
> In America it's all too common to use treachery, dishonesty in business and politics to climb to the top, and destroy competition, and then pretend to give to charitable causes...
> Pure hypocrisy... blatant hypocrisy.
> I for one cannot be bought, never..
> As a veteran and so many other things, I will never surrender to corporate bullying from anyone, including Amazon, I left AWS for similar reasons..
> I am proud to say I have not used a Windows OS since 1995... and still refuse to this day to allow any Microsoft devices attach to my SOHO networks...
> Same for Apple and IBM and Oracle.
> Freedom is more than an idea, more than a principle, it is a lifestyle too!
>
> On Fri, 2021-07-09 at 08:14 -0400, mario juliano grande-balletta wrote:
> > This is what I remember about evil Microsoft...
> > In 1992, Microsoft released Windows NT, and advertised it as the greatest operating system and began giving away free licenses to colleges and universities and hiring public relations firms to publish phony surveys and results to prove Windows NT was better than Novell NetWare or any other OS. Meanwhile, it took 4 years for Microsoft to finally install Windows NT at their HQ in Redmond, Washington. Why so long? Because they were successfully running Novell NetWare, the same NetWare that Microsoft was slowly destroying with FUD in the tech journals and media with phony surveys.
> > Someone here said a leopard never changes his spots, KUDOS Sir!
> > Microsoft is a cancer, a cancer to freedom, a cancer to innovation and always was, who didn't they destroy back in the 90's and early 2000's? They stole Word from WordPerfect, they stole Office from Borland, and Excel was plagiarized from Lotus 1-2-3.
> > Microsoft deserves to be hacked and destroyed and is the epitome of the most evil and treacherous an American corporation can become.
> > I HATE MICROSOFT and so do many others who survived their FUD tactics from the 90's. Some of you weren't even born yet...
> > I know Gates and Ballmer and company all too well... long before the documentaries "Pirates Of Silicon Valley" and "Triumph Of The Nerds".
> > Any efforts they make toward linux are for control and never for freedom or innovation. Control, power, greed are their only goals, always.
> > WAKE UP!
> >
> > On Fri, 2021-07-09 at 09:25 +0200, Ralf Prengel wrote:
> > > Quote from Kaushal Shriyan:
> > > Hi,
> > > I have 20 Linux servers in the network. Is there a way to audit all Linux clients using a centralized server? For example, what commands are run by John on Linuxnode1? Steve on Linuxnode15? and so on and so forth to track user activity. Which files have been modified or edited or commands etc.. by the users.
> > > I have installed auditd, but it is local to the Linux server. Thanks in advance.
> > >
> > > Hello, what about ansible for example. Ralf
Re: [CentOS] Auditing all Linux clients with centralised server
https://youtu.be/Kwma71yl8mU

On Fri, 2021-07-09 at 08:47 -0400, mario juliano grande-balletta wrote:
> Before anyone mentions "charity" and Bill Gates foundation just remember how many good technology companies and software that Microsoft destroyed with FUD tactics in the 80's, 90's, and 2000's.
> Charity begins at home they say in America...
> What about those few million employees who lost jobs, homes, cars, savings because Microsoft destroyed their companies? What about them? Where was their charity?
> In America it's all too common to use treachery, dishonesty in business and politics to climb to the top, and destroy competition, and then pretend to give to charitable causes...
> Pure hypocrisy... blatant hypocrisy.
> I for one cannot be bought, never..
> As a veteran and so many other things, I will never surrender to corporate bullying from anyone, including Amazon, I left AWS for similar reasons..
> I am proud to say I have not used a Windows OS since 1995... and still refuse to this day to allow any Microsoft devices attach to my SOHO networks...
> Same for Apple and IBM and Oracle.
> Freedom is more than an idea, more than a principle, it is a lifestyle too!
>
> On Fri, 2021-07-09 at 08:14 -0400, mario juliano grande-balletta wrote:
> > This is what I remember about evil Microsoft...
> > In 1992, Microsoft released Windows NT, and advertised it as the greatest operating system and began giving away free licenses to colleges and universities and hiring public relations firms to publish phony surveys and results to prove Windows NT was better than Novell NetWare or any other OS. Meanwhile, it took 4 years for Microsoft to finally install Windows NT at their HQ in Redmond, Washington. Why so long? Because they were successfully running Novell NetWare, the same NetWare that Microsoft was slowly destroying with FUD in the tech journals and media with phony surveys.
> > Someone here said a leopard never changes his spots, KUDOS Sir!
> > Microsoft is a cancer, a cancer to freedom, a cancer to innovation and always was, who didn't they destroy back in the 90's and early 2000's? They stole Word from WordPerfect, they stole Office from Borland, and Excel was plagiarized from Lotus 1-2-3.
> > Microsoft deserves to be hacked and destroyed and is the epitome of the most evil and treacherous an American corporation can become.
> > I HATE MICROSOFT and so do many others who survived their FUD tactics from the 90's. Some of you weren't even born yet...
> > I know Gates and Ballmer and company all too well... long before the documentaries "Pirates Of Silicon Valley" and "Triumph Of The Nerds".
> > Any efforts they make toward linux are for control and never for freedom or innovation. Control, power, greed are their only goals, always.
> > WAKE UP!
> >
> > On Fri, 2021-07-09 at 09:25 +0200, Ralf Prengel wrote:
> > > Quote from Kaushal Shriyan:
> > > Hi,
> > > I have 20 Linux servers in the network. Is there a way to audit all Linux clients using a centralized server? For example, what commands are run by John on Linuxnode1? Steve on Linuxnode15? and so on and so forth to track user activity. Which files have been modified or edited or commands etc.. by the users.
> > > I have installed auditd, but it is local to the Linux server. Thanks in advance.
> > >
> > > Hello, what about ansible for example. Ralf
Re: [CentOS] Auditing all Linux clients with centralised server
Before anyone mentions "charity" and Bill Gates foundation just remember how many good technology companies and software that Microsoft destroyed with FUD tactics in the 80's, 90's, and 2000's.

Charity begins at home they say in America...

What about those few million employees who lost jobs, homes, cars, savings because Microsoft destroyed their companies? What about them? Where was their charity?

In America it's all too common to use treachery, dishonesty in business and politics to climb to the top, and destroy competition, and then pretend to give to charitable causes...

Pure hypocrisy... blatant hypocrisy.

I for one cannot be bought, never..

As a veteran and so many other things, I will never surrender to corporate bullying from anyone, including Amazon, I left AWS for similar reasons..

I am proud to say I have not used a Windows OS since 1995... and still refuse to this day to allow any Microsoft devices attach to my SOHO networks...

Same for Apple and IBM and Oracle.

Freedom is more than an idea, more than a principle, it is a lifestyle too!

On Fri, 2021-07-09 at 08:14 -0400, mario juliano grande-balletta wrote:
> This is what I remember about evil Microsoft...
> In 1992, Microsoft released Windows NT, and advertised it as the greatest operating system and began giving away free licenses to colleges and universities and hiring public relations firms to publish phony surveys and results to prove Windows NT was better than Novell NetWare or any other OS. Meanwhile, it took 4 years for Microsoft to finally install Windows NT at their HQ in Redmond, Washington. Why so long? Because they were successfully running Novell NetWare, the same NetWare that Microsoft was slowly destroying with FUD in the tech journals and media with phony surveys.
> Someone here said a leopard never changes his spots, KUDOS Sir!
> Microsoft is a cancer, a cancer to freedom, a cancer to innovation and always was, who didn't they destroy back in the 90's and early 2000's? They stole Word from WordPerfect, they stole Office from Borland, and Excel was plagiarized from Lotus 1-2-3.
> Microsoft deserves to be hacked and destroyed and is the epitome of the most evil and treacherous an American corporation can become.
> I HATE MICROSOFT and so do many others who survived their FUD tactics from the 90's. Some of you weren't even born yet...
> I know Gates and Ballmer and company all too well... long before the documentaries "Pirates Of Silicon Valley" and "Triumph Of The Nerds".
> Any efforts they make toward linux are for control and never for freedom or innovation. Control, power, greed are their only goals, always.
> WAKE UP!
>
> On Fri, 2021-07-09 at 09:25 +0200, Ralf Prengel wrote:
> > Quote from Kaushal Shriyan:
> > Hi,
> > I have 20 Linux servers in the network. Is there a way to audit all Linux clients using a centralized server? For example, what commands are run by John on Linuxnode1? Steve on Linuxnode15? and so on and so forth to track user activity. Which files have been modified or edited or commands etc.. by the users.
> > I have installed auditd, but it is local to the Linux server. Thanks in advance.
> >
> > Hello, what about ansible for example. Ralf
Re: [CentOS] Auditing all Linux clients with centralised server
This is what I remember about evil Microsoft...

In 1992, Microsoft released Windows NT, and advertised it as the greatest operating system and began giving away free licenses to colleges and universities and hiring public relations firms to publish phony surveys and results to prove Windows NT was better than Novell NetWare or any other OS. Meanwhile, it took 4 years for Microsoft to finally install Windows NT at their HQ in Redmond, Washington. Why so long? Because they were successfully running Novell NetWare, the same NetWare that Microsoft was slowly destroying with FUD in the tech journals and media with phony surveys.

Someone here said a leopard never changes his spots, KUDOS Sir!

Microsoft is a cancer, a cancer to freedom, a cancer to innovation and always was, who didn't they destroy back in the 90's and early 2000's? They stole Word from WordPerfect, they stole Office from Borland, and Excel was plagiarized from Lotus 1-2-3.

Microsoft deserves to be hacked and destroyed and is the epitome of the most evil and treacherous an American corporation can become.

I HATE MICROSOFT and so do many others who survived their FUD tactics from the 90's. Some of you weren't even born yet...

I know Gates and Ballmer and company all too well... long before the documentaries "Pirates Of Silicon Valley" and "Triumph Of The Nerds".

Any efforts they make toward linux are for control and never for freedom or innovation. Control, power, greed are their only goals, always.

WAKE UP!

On Fri, 2021-07-09 at 09:25 +0200, Ralf Prengel wrote:
> Quote from Kaushal Shriyan:
> Hi,
> I have 20 Linux servers in the network. Is there a way to audit all Linux clients using a centralized server? For example, what commands are run by John on Linuxnode1? Steve on Linuxnode15? and so on and so forth to track user activity. Which files have been modified or edited or commands etc.. by the users.
> I have installed auditd, but it is local to the Linux server. Thanks in advance.
>
> Hello, what about ansible for example. Ralf
Re: [CentOS] Auditing all Linux clients with centralised server
Quote from Kaushal Shriyan:
> Hi,
> I have 20 Linux servers in the network. Is there a way to audit all Linux clients using a centralized server? For example, what commands are run by John on Linuxnode1? Steve on Linuxnode15? and so on and so forth to track user activity. Which files have been modified or edited or commands etc.. by the users.
> I have installed auditd, but it is local to the Linux server. Thanks in advance.

Hello,
what about ansible for example.
Ralf
Re: [CentOS] Auditing all Linux clients with centralised server
A cut-and-paste from my Wiki:

---%<

Remote logging

Auditing, particularly from compute nodes, may be centralised to reduce the number of files needed to get a view of the cluster.

Server

The server machine must be configured to accept messages and must have a large enough logging area to store the records.

The server listens on port 60. Configure this as tcp_listen_port in /etc/audit/auditd.conf.

The server must only accept messages from a privileged port. If this is not done any userland process could inject nefarious messages. It is safe to configure the server to accept messages from any privileged port: tcp_client_ports=1-1023 in /etc/audit/auditd.conf.

On the server increase tcp_listen_queue to 16 to ensure enough requests for connections can be handled during a power-on bootup.

You will need to restart the daemon for these changes to come into effect.

Clients

The client machines may either forward messages at once or else batch them up in a queue. Generally machines with local storage should use the queue which preserves the log in the event of a crash.

You will need to restart the daemon for all these changes to come into effect: systemctl restart auditd.

Ensure the appropriate software and configuration is loaded: # yum install audisp-remote.

/etc/audisp/audisp-remote.conf

The client needs to know where, and to which port to send messages. As mentioned above, the client must send from a privileged port.

    remote_server=
    port=60
    local_port=61

On diskless clients set mode=immediate, on other clients set mode=forward. Accept the defaults for queue_file and queue_depth.

/etc/audisp/plugins.d/au-remote.conf

By default the dispatcher is configured off, therefore remember to set active=yes to turn on the remote logging.

/etc/audit/auditd.conf

Once you are happy with the logging, turn off the local copy. For CentOS C7.3 and later machines use:

    local_events = no
    log_format = RAW

--%<

I have not tested this recently, it was last running (IIRC) on C6/7, so proceed with caution.

Regards,
Martin

On 09/07/2021 08:08, Kaushal Shriyan wrote:
> Hi,
>
> I have 20 Linux servers in the network. Is there a way to audit all Linux clients using a centralized server? For example, what commands are run by John on Linuxnode1? Steve on Linuxnode15? and so on and so forth to track user activity. Which files have been modified or edited or commands etc.. by the users.
>
> I have installed auditd, but it is local to the Linux server. Thanks in advance.
>
> Best Regards,
> Kaushal

--
J Martin Rushton MBCS
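The wiki text above makes two points that are easy to get half right: the server must accept only privileged source ports (tcp_client_ports=1-1023), and the client must therefore send from a fixed privileged local_port with the au-remote plugin switched on, or nothing arrives and, with the local copy turned off, nothing is kept anywhere. The following is an added example, not part of Martin's wiki or of the audit project: a Python checker that parses the key = value files the post names and reports the weak settings beside the corrected ones. The file contents, the host name auditsrv.example.internal and the assumption that an unset local_port behaves like "any" (kernel-chosen ephemeral port) are constructed or assumed here, not taken from the post.

```python
"""Check the auditd remote-logging settings named in the wiki text for common mistakes.

Added example, not from the post or the audit project.  Parses
/etc/audit/auditd.conf (server and client), /etc/audisp/audisp-remote.conf
and /etc/audisp/plugins.d/au-remote.conf style 'key = value' text.
"""

PRIV_MAX = 1023  # highest port only root may bind; the server-side filter relies on this

# Constructed sample files: a weak set beside a corrected set.
SERVER_WEAK = """\
tcp_listen_port = 60
tcp_client_ports = 1024-65535
tcp_listen_queue = 5
"""
SERVER_OK = """\
tcp_listen_port = 60
tcp_client_ports = 1-1023
tcp_listen_queue = 16
"""
REMOTE_WEAK = """\
remote_server = auditsrv.example.internal
port = 60
local_port = any
mode = immediate
"""
REMOTE_OK = """\
remote_server = auditsrv.example.internal
port = 60
local_port = 61
mode = forward
"""
PLUGIN_WEAK = "active = no\n"
PLUGIN_OK = "active = yes\n"
CLIENT_AUDITD = "local_events = no\nlog_format = RAW\n"


def parse_kv(text):
    """Parse auditd-style 'key = value' lines; '#' starts a comment."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, val = line.split("=", 1)
            conf[key.strip()] = val.strip()
    return conf


def port_range(spec):
    """'1-1023' -> (1, 1023); a lone port number -> (p, p)."""
    lo, _, hi = spec.partition("-")
    return int(lo), (int(hi) if hi else int(lo))


def check_server(auditd):
    """Findings for the aggregating server's auditd.conf."""
    findings = []
    if "tcp_listen_port" not in auditd:
        findings.append("server: tcp_listen_port unset, auditd will not accept remote clients")
    ports = auditd.get("tcp_client_ports")
    if ports is None:
        findings.append("server: tcp_client_ports unset, any source port is accepted")
    elif port_range(ports)[1] > PRIV_MAX:
        findings.append(f"server: tcp_client_ports={ports} admits unprivileged source ports, "
                        "so any local user on a client could inject records")
    queue = auditd.get("tcp_listen_queue")
    if queue is None or int(queue) < 16:
        findings.append("server: tcp_listen_queue below 16, connections may be refused during a mass power-on")
    return findings


def check_client(remote, plugin, auditd, diskless=False):
    """Findings for a client's audisp-remote.conf, au-remote.conf and auditd.conf."""
    findings = []
    if plugin.get("active", "no").lower() != "yes":
        findings.append("client: au-remote.conf active != yes, the dispatcher never forwards anything")
    if not remote.get("remote_server"):
        findings.append("client: remote_server unset")
    local_port = remote.get("local_port", "any")  # assumed default: kernel-chosen port
    if not local_port.isdigit() or not 1 <= int(local_port) <= PRIV_MAX:
        findings.append(f"client: local_port={local_port} is not a fixed privileged port; "
                        "a server with tcp_client_ports=1-1023 will refuse it")
    expected = "immediate" if diskless else "forward"
    if remote.get("mode") != expected:
        findings.append(f"client: mode={remote.get('mode')}, expected {expected} for this host type")
    if findings and auditd.get("local_events", "yes").lower() == "no":
        findings.append("client: local_events=no while forwarding is broken above; events have nowhere to go")
    return findings


def audit_findings(server_text, remote_text, plugin_text, client_auditd_text, diskless=False):
    """Run both checks over raw file contents and return the combined list of findings."""
    return (check_server(parse_kv(server_text))
            + check_client(parse_kv(remote_text), parse_kv(plugin_text),
                           parse_kv(client_auditd_text), diskless))


if __name__ == "__main__":
    for name, args in (("weak", (SERVER_WEAK, REMOTE_WEAK, PLUGIN_WEAK, CLIENT_AUDITD)),
                       ("corrected", (SERVER_OK, REMOTE_OK, PLUGIN_OK, CLIENT_AUDITD))):
        print(name, audit_findings(*args) or ["no findings"])
```

One practical note on the restart step: on CentOS 7 and 8 the auditd unit file carries RefuseManualStop=yes, so `systemctl restart auditd` is rejected; `service auditd restart` goes through the legacy action script that the audit package ships for exactly this case.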
[CentOS] Auditing all Linux clients with centralised server
Hi,

I have 20 Linux servers in the network. Is there a way to audit all Linux clients using a centralized server? For example, what commands are run by John on Linuxnode1? Steve on Linuxnode15? and so on and so forth to track user activity. Which files have been modified or edited or commands etc.. by the users.

I have installed auditd, but it is local to the Linux server. Thanks in advance.

Best Regards,
Kaushal