Replies are in-line with responses. Warron French, MBA, SCSA
-----Original Message----- From: Steve Grubb [mailto:[email protected]] Sent: Tuesday, May 10, 2016 9:25 AM To: [email protected]; [email protected] Cc: Warron S French <[email protected]> Subject: Re: audit-tools and SUDO On Tuesday, May 10, 2016 10:52:21 PM Burn Alting wrote: > On Tue, 2016-05-10 at 12:31 +0000, Warron S French wrote: > > Good morning everyone, > > > > > > > > I am working on an environment where I have managed to get > > centralized audit logging to work – roughly 95% properly on six (6) > > CentOS-6.7 workstations and a single (1) CentOS-6.7 server. > > > > > > > > I have two problems though; and they seem somewhat minor: > > > > > > > > 1. The audit events being captured don’t seem to be tied to any > > given node (so that I can perform ausearch --node hostName, or > > aureport), that’s the first issue. > > What have you set the configuration parameter 'name_format' > in /etc/audit/auditd.conf to? > > One assumes you may want to set > name_format = fqd > or > name_format = hostname > > After the change on each host, don't forget to reload the > configuration with either a sighup on the auditd process or just restart the > service. On the lab-clients ends: In, and ONLY IN, my /etc/audisp/audispd.conf file have I set name_format=hostname, where hostname is a literal string of 'hostname' not THE hostname; there is no name_format reference in any other file on my lab-client machines under the directory /etc/audisp/ anywhere. Also on my lab-client machines in the /etc/audit/auditd.conf file the name_format variable is set to NONE. On the lab-server end: In the only file that I modified, /etc/audit/auditd.conf, the only variables that I altered were: tcp_listen_port = 60 tcp_client_ports = 60 use_libwrap = no (because I am using iptables) The lab works as expected, but my production environment does not. %-/ This would set it for the local logs. And you would need to do this on the server that is aggregating the logs. (I think I forgot to mention that last week.) But for the workstations, you have to set name_format in audispd.conf. > > 2. The second issue is that I need to configure sudo to enable my > > Special Security Team with the ability to perform their duties using > > the aureport and the ausearch commands, but I get an error that > > appears to be based on permissions. > > I recommend you show the command and resultant error in situations > like this. That way we can provide a more informed response. One approach some people take is to use the log_group setting in auditd.conf. If there is a group that the security people belong to that others don't, then using that group name for log_group this is the easiest way and exactly why this option exists. -Steve Thanks for this Steve, I am going to engage the Special Security Team, because I have thought of another approach - making the auditors group become a local (/etc/group) file entry instead of using 389-ds to manage this association; that way it will always be reliable. > > I am hoping that you guys can steer me in the correct direction; and > > I can update my documentation to be even a little more thorough. > > > > Scenario2, might be more of a membership issue now that I think > > about it; so please disregard as I think this is some weird 389-ds issue. > > > > I am hoping though that someone can suggest a reason why, when I > > look directly at the content of the /var/log/audit/audit.log I am > > not see any references to node=hostname1, hostname2 .. hostnameN? > > Maybe I did misconfigure something, but I followed my own instructions to > > the “T” > > and they didn’t produce this issue. > > > > > > > > > > > > > > > > Thank you in advance for your precious time sincerely, > > > > > > > > Warron French, MBA, SCSA > > > > > > -- > > Linux-audit mailing list > > [email protected] > > https://www.redhat.com/mailman/listinfo/linux-audit > > -- > Linux-audit mailing list > [email protected] > https://www.redhat.com/mailman/listinfo/linux-audit -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
