Hi, I'm primarily an applications developer, though I wear a sys-admin/security-admin hat when necessary. I've done kernel hacking on V-7 and System-3 in the bad old days, but mostly stick in userland now.
My current goal is to get some OpenSuse 10.1 systems DSS certified. I've been a RedHat user since about RH4 or 5, but this project decided to standardize on SuSE. My focus for using auditd isn't so much to make a truly secure and well audited system, but to answer the specific DSS/NISPOM Chapter 8 requirements. SuSE supports AppArmor and the auditd security products, but has very little SELinux support. As I read things, AppArmor doesn't support the file audit requirements, but Auditd can meet the DSS requirements.

I've updated the standard SuSE 10.1 kernel to 2.6.17.6 and brought in the 3.0 glibc kernel headers. With these hacks, I can get the 1.2.5 auditd package to compile and install. It appears to be working.

Auditd 1.2.5 doesn't quite do what I need, but I'm getting close. It has the framework, but it seems to take a little work to get the answers I really want, and to handle the requirements for record maintenance.

1) Auditing and reporting

I've copied the SYSCALL rules from the capp.rules sample, and I think that covers what DSS will need audited. (Still checking and confirming that I haven't missed anything obvious.) To get the answers I wanted a bit more easily, I've made a GUI based search tool that lets me specify reports with a bit more precision and build customized reports. It's functional code, but is not pretty, and gets pretty ugly when the data is way outside what I expected.

2) Maintaining records

The traditional log-rotate with N logs makes it difficult to keep X days of logs. When the system is busy, I can rotate the logs every 10 minutes. I've put together a small cron job that looks for audit.log.1, filters out some data I know I won't want, and zips it into a file with a name based on the timestamp. My current report generator builds an SQLite database on the fly from the flat ASCII logs. I'm thinking that the next rev of the file rotation code will move the data to an SQLite database instead of gzipped flat files and save that step.

I'm using SQLite instead of MySQL or Postgres because it's fast, mature and robust and doesn't require any database server (or dbadmin) to run it.

I put together a small audisp test application to read from stdin and save data in a timestamped file. When I run this, I get nothing but empty reads, and finally an EOF from auditd. I'm expecting to see plain ASCII input. Is this not what is sent to the audisp target?

I just tried the sample.c application, compiled it to a.out and put that into the auditd.conf file. When I restart audispd, I see no output in /var/log/messages, and a.out does not show in the process stack. If I just run /tmp/a.out and type something, output appears in /var/log/messages.

If any of this is of interest or use, let me know, and I'll make it available to the community.

Thanks, Clif

-- 
Clif Flynt ... http://www.cflynt.com
Tcl/Tk: A Developer's Guide (2nd edition) - Morgan Kaufmann
13th Annual Tcl/Tk Conference: Oct 9-13, 2006, Chicago, IL
http://www.tcl.tk/community/tcl2006/
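The on-the-fly SQLite import described in the post above, as an added example that is not the poster's code: it parses flat audit.log records of the form `type=... msg=audit(sec.msec:serial): key=value ...` into two tables and joins the SYSCALL and PATH records of one event on their shared serial number, which is what a per-file access report needs. The sample records and the `files_by_key` report are constructed for illustration.

```python
import re
import sqlite3

# Constructed sample records in auditd's flat-file format (not taken from the post).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1161109392.045:1234): arch=40000003 syscall=5 success=yes exit=3 items=1 ppid=1 pid=2345 auid=500 uid=0 gid=0 euid=0 tty=pts0 comm="cat" exe="/bin/cat" key="shadow"
type=PATH msg=audit(1161109392.045:1234): item=0 name="/etc/shadow" inode=12345 dev=08:01 mode=0100400 ouid=0 ogid=0
type=USER_LOGIN msg=audit(1161109400.000:1235): user pid=2400 uid=0 auid=500 msg='acct="clif": exe="/usr/sbin/sshd" res=success'
"""

# Header: type=<T> msg=audit(<sec>.<msec>:<serial>): <body>. Every record of one event shares
# the serial, so SYSCALL and PATH lines are joined on it. Values may be bare, "quoted" or 'quoted'.
HEADER_RE = re.compile(r'^type=(\S+) msg=audit\((\d+)\.(\d+):(\d+)\):\s*(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\'[^\']*\'|\S+)')

def parse_record(line):
    """Return {'type', 'ts', 'serial', 'fields'}, or None if the line is not an audit record."""
    m = HEADER_RE.match(line.rstrip('\n'))
    if not m:
        return None
    rtype, sec, msec, serial, body = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
    return {'type': rtype, 'ts': int(sec) + int(msec) / 1000.0,
            'serial': int(serial), 'fields': fields}

def load_log(lines, db_path=':memory:'):
    """Parse the lines into an SQLite database and return the open connection."""
    conn = sqlite3.connect(db_path)
    conn.execute('CREATE TABLE IF NOT EXISTS records (serial INTEGER, ts REAL, type TEXT)')
    conn.execute('CREATE TABLE IF NOT EXISTS fields (serial INTEGER, type TEXT, name TEXT, value TEXT)')
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue  # blank or non-audit line: skip it instead of aborting the import
        conn.execute('INSERT INTO records VALUES (?, ?, ?)', (rec['serial'], rec['ts'], rec['type']))
        conn.executemany('INSERT INTO fields VALUES (?, ?, ?, ?)',
                         [(rec['serial'], rec['type'], k, v) for k, v in rec['fields'].items()])
    conn.commit()
    return conn

def files_by_key(conn, key):
    """(path, auid, exe) for each event whose SYSCALL record carries the given rule key (-k)."""
    return conn.execute(
        "SELECT p.value, a.value, e.value FROM fields k "
        "JOIN fields p ON p.serial = k.serial AND p.type = 'PATH' AND p.name = 'name' "
        "JOIN fields a ON a.serial = k.serial AND a.type = 'SYSCALL' AND a.name = 'auid' "
        "JOIN fields e ON e.serial = k.serial AND e.type = 'SYSCALL' AND e.name = 'exe' "
        "WHERE k.type = 'SYSCALL' AND k.name = 'key' AND k.value = ? ORDER BY k.serial", (key,)
    ).fetchall()
```

Pointing `db_path` at a file instead of `:memory:` gives the persistent per-rotation database the post proposes; records rotated at different times can then be appended to the same tables.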
