On Friday, March 18, 2016 01:14:31 PM Warron S French wrote:
> I have an issue, I believe, and I am asking for help on how to properly
> address/assess it.
>
> I have been given guidance in support of auditing on CentOS-6.x systems:
>
> 1. To place various watch (-w) and action (-a) rules into place.
>
> 2. Make certain the configurations are immutable.
>
> Sometimes I have to add more rules, so I do that. However, I am not
> certain if the rules are working properly, and I do know that I have broken
> the auditd init-scripts on my systems a few times, and just commented out
> the offending audit controls to work around/fix this very type of problem.

While you are experimenting, do not put in the -e 2 configuration option.

> What I need to know is, since the configurations have to be immutable (with
> the -e 2) how can I properly start the audit service, and without any
> inkling of a doubt be certain that the rules are in place and are
> functioning properly?

There is a rule listing command, -l, that will dump what the kernel has
loaded. There is also a status command, -s, that will tell you if audit is
enabled. If the rules are loaded and audit is enabled, it's working.

> Also, being a total novice, how can I test/trigger audit log actions on
> watch and action rules to see that the rules are configured properly?

If it's a watch, then accessing the file and running ausearch should do it.
If you have a syscall rule, then you have to trigger the syscall either by
using a program or creating one.

> Finally, is there a tool that will do a sanity check on the audit.rules file?

auditctl reports any problems that it sees with the rules.

> Or is the only option to attempt to restart the auditd service, and think
> "It started, it worked!" is acceptable?

List the rules and status the audit subsystem.

-Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
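The two checks Steve describes (is audit enabled per `auditctl -s`, and does `auditctl -l` show every rule you meant to load) can be turned into a pass/fail script rather than eyeballed. The following is an added example, not code from this thread or from the audit package; it assumes only POSIX sh with sed, grep and awk. The `auditctl -s` / `auditctl -l` outputs and the audit.rules contents embedded in it are constructed samples so the script runs offline, and the function names (`audit_enabled`, `missing_rules`, `sanity_check`) are the example's own.

```shell
#!/bin/sh
# Added example (not from the linux-audit thread): check that audit is
# enabled and that every -w/-a rule in audit.rules is present in the
# kernel's rule listing, using the outputs of `auditctl -s` and `auditctl -l`.

# Constructed sample of `auditctl -s` output on a system locked with -e 2.
SAMPLE_STATUS='AUDIT_STATUS: enabled=2 flag=1 pid=1234 rate_limit=0 backlog_limit=320 lost=0 backlog=0'

# Constructed sample of the intended rules (what audit.rules holds).
# Control lines (-D, -b, -e) and comments are not rules and are skipped.
SAMPLE_RULES_FILE='# constructed audit.rules
-D
-b 320
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-e 2'

# Constructed sample of `auditctl -l` on the same box: the time-change
# rule never made it into the kernel.
SAMPLE_LOADED='-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity'

# audit_enabled STATUS_TEXT -> prints the numeric enabled value (0, 1 or 2).
# Accepts both the "enabled=2" and the newer "enabled 2" spellings.
audit_enabled() {
    printf '%s\n' "$1" | sed -n 's/.*enabled[= ]\([0-9]\).*/\1/p' | head -n 1
}

# expected_rules RULES_FILE_TEXT -> prints only the -w / -a lines, with
# runs of spaces squeezed so they can be compared with the kernel listing.
expected_rules() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*\(-[wa][[:space:]].*\)$/\1/p' | tr -s ' '
}

# missing_rules RULES_FILE_TEXT LOADED_TEXT -> prints each expected rule
# that does not appear verbatim in the loaded listing.
missing_rules() {
    loaded=$(printf '%s\n' "$2" | tr -s ' ')
    expected_rules "$1" | while IFS= read -r rule; do
        printf '%s\n' "$loaded" | grep -qxF -- "$rule" || printf '%s\n' "$rule"
    done
}

# missing_count RULES_FILE_TEXT LOADED_TEXT -> number of missing rules.
missing_count() {
    missing_rules "$1" "$2" | awk 'END { print NR }'
}

# sanity_check STATUS_TEXT RULES_FILE_TEXT LOADED_TEXT -> exit 0 only if
# audit is enabled (1 or 2) and no expected rule is missing; prints a report.
sanity_check() {
    enabled=$(audit_enabled "$1")
    n=$(missing_count "$2" "$3")
    printf 'audit enabled=%s, missing rules=%s\n' "${enabled:-0}" "$n"
    missing_rules "$2" "$3" | sed 's/^/  missing: /'
    [ "${enabled:-0}" -ge 1 ] && [ "$n" -eq 0 ]
}

# Offline demonstration against the constructed samples (reports one
# missing rule). On a live host, run as root against the real commands:
#   sanity_check "$(auditctl -s)" "$(cat /etc/audit/audit.rules)" "$(auditctl -l)"
sanity_check "$SAMPLE_STATUS" "$SAMPLE_RULES_FILE" "$SAMPLE_LOADED" \
    || printf 'sanity check FAILED\n'
```

The comparison is verbatim, which is deliberately strict: `auditctl -l` may print a rule in a different form than you wrote it (for example merging repeated `-S` options or printing the key as `-F key=`), so a "missing" report is a prompt to look at the listing, not proof the rule is absent. If that bites on your version, compare on the `-k` keys instead of whole lines. It also only tells you the rule is loaded; to see that it fires, touch the watched file and run `ausearch -k identity` as Steve suggests.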
