Linux / UNIX Tech Support Forum
Linux Auditing Problems - log file getting large
A discussion in the Networking, Firewalls and Security forum, part of the Mastering Servers category.
I have yet to find a truly comprehensive solution to auditing Linux to meet NISPOM or DCID government requirements. I have a Red Hat Enterprise 4 WS with SELinux enabled. When I tweak the /etc/audit.rules file using auditctl, I get "invalid argument" for "-w" and "-pa" even though the man pages say this should work. I even tried using the /usr/share/doc/audit-1.2.1/capp.rules file, same problems. Not to mention my audit log gets so full so fast on garbage.
I then installed Snare. Not impressed, glorified GUI which just regurgitates the raw audit log.
How can I configure auditing to only look at FAILED executable access/run attempts?
How can I configure auditing to look for FAILED attempts to access specific files?
Am I missing a piece to this puzzle? Any help is appreciated.
You need to use the ausearch and aureport commands to search the log files. For example, to display all failed attempts:
Code:
aureport -f -i --summary --failed
Further reading:
- Article about audit log visualization
- Audit System FAQ
- Linux audit files to see who made changes to a file | nixCraft
Let me know if you need any further help!
Vivek Gite, Linux Evangelist
Thanks. I'll try that. Still can't figure out why the rules I try to add to audit.rules won't take. Still get "invalid argument" to place watches on files.
Can you paste your complete rule here so that I can look at it...
I created a dummy account, tried deleting and modifying the /etc/shadow file (which I couldn't - got permission denied).
I then logged back in as root and did the command you suggested. It found nothing. Is the SELinux module screwing things up? I disabled it and rebooted, no change. I even removed SNARE. No change. Thanks for any advice.
From the # prompt, I did this and got the below messages:
Code:
auditctl -w /etc/auditd.conf -p wa
permission option no longer supported
error sending add rule request (invalid argument)
auditctl -w /etc/auditd.conf
error sending add rule request (invalid argument)
It won't let me add rules. The capp.rules file I found is full of the above commands for various security relevant files. Each line with -w or -p says invalid argument when I restart AUDITD. I restored the original audit.rules file (which I saved) and did the above - no change. audit.rules has these lines by default:
Code:
-D
-b 256
That's it.
FYI - With SNARE off (disabled dispatcher in auditd.conf), the audit log sizes are manageable. When I turn Snare back on, I get 30-40 MB on a reboot alone.
Here are some of the "failures" that Snare reports (on a reboot):
Code:
Failed File Summary Report
===========================
total  file
===========================
699  /root/Templates
351  /dev/sda
10  /usr/share/locale/en_US.UTF-8/LC_TIME/coreutils.mo
10  /usr/share/locale/en_US/LC_TIME/coreutils.mo
10  /usr/share/locale/en.UTF-8/LC_TIME/coreutils.mo
10  /usr/share/locale/en.utf8/LC_TIME/coreutils.mo
10  /usr/share/locale/en/LC_TIME/coreutils.mo
10  /usr/share/locale/en_US.UTF-8/LC_MESSAGES/coreutils.mo
10  /usr/share/locale/en_US.utf8/LC_MESSAGES/coreutils.mo
10  /usr/share/locale/en_US/LC_MESSAGES/coreutils.mo
10  /usr/share/locale/en.UTF-8/LC_MESSAGES/coreutils.mo
10  /usr/share/locale/en.utf8/LC_MESSAGES/coreutils.mo
10  /usr/share/locale/en/LC_MESSAGES/coreutils.mo
9  /usr/share/locale/en_US.utf8/LC_TIME/coreutils.mo
2  /dev/tty
2  /lib/security/$ISA/pam_deny.so
2  /usr/share/locale/en/LC_MESSAGES/util-linux.mo
2  /usr/share/locale/en.utf8/LC_MESSAGES/util-linux.mo
2  /usr/share/locale/en.UTF-8/LC_MESSAGES/util-linux.mo
2  /usr/share/locale/en_US/LC_MESSAGES/util-linux.mo
2  /usr/share/locale/en_US.utf8/LC_MESSAGES/util-linux.mo
2  /usr/share/locale/en_US.UTF-8/LC_MESSAGES/util-linux.mo
1  /usr/share/locale/en_US.UTF-8/LC_MESSAGES/libc.mo
1  /usr/share/locale/en_US.utf8/LC_MESSAGES/libc.mo
1  /usr/share/locale/en_US/LC_MESSAGES/libc.mo
1  /usr/share/locale/en.UTF-8/LC_MESSAGES/libc.mo
1  /usr/share/locale/en.utf8/LC_MESSAGES/libc.mo
1  /usr/share/locale/en/LC_MESSAGES/libc.mo
1  /usr/share/locale/en_US.UTF-8/LC_MESSAGES/initscripts.mo
1  /usr/share/locale/en_US.utf8/LC_MESSAGES/initscripts.mo
1  /usr/share/locale/en_US/LC_MESSAGES/initscripts.mo
1  /usr/share/locale/en.UTF-8/LC_MESSAGES/initscripts.mo
1  /usr/share/locale/en.utf8/LC_MESSAGES/initscripts.mo
1  /usr/share/locale/en/LC_MESSAGES/initscripts.mo
1  /lib/security/$ISA/pam_env.so
1  /lib/security/$ISA/pam_unix.so
1  /lib/security/$ISA/pam_smb_auth.so
1  /lib/security/$ISA/pam_succeed_if.so
1  /lib/security/$ISA/pam_permit.so
1  /lib/security/$ISA/pam_cracklib.so
1  /lib/security/$ISA/pam_limits.so
I can't understand why these are failures. Right now I have to leave Snare (dispatcher) disabled.
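As an added example (not code from this thread, nor from the audit or Snare projects), here is a small Python script that addresses both the original question (report only FAILED executable runs and FAILED accesses to specific files) and the report in the post above. It joins raw audit.log SYSCALL and PATH records by their serial number, keeps only failed open/openat/execve calls, and by default drops ENOENT results, which is what a program probing for catalogues that are not installed (such as the locale .mo files listed above) typically produces, so that only EACCES/EPERM denials remain. The record layout, the i386 and x86_64 syscall numbers in the table, and every line in SAMPLE_LOG are assumptions or constructed data for this example.

```python
"""Summarise failed file opens and failed execs from raw auditd records.

Added example, not code from the thread or the audit/Snare projects. It assumes
the classic audit.log layout (SYSCALL, CWD and PATH records sharing one
msg=audit(time:serial) id) and the syscall numbers below; SAMPLE_LOG is constructed.
"""
import re
from collections import Counter, defaultdict

# Syscall numbers keyed by the arch= value auditd records for each ABI.
SYSCALLS = {
    "40000003": {5: "open", 11: "execve", 295: "openat"},  # i386
    "c000003e": {2: "open", 59: "execve", 257: "openat"},  # x86_64
}
# exit= holds -errno on failure. A permission denial is the interesting case;
# ENOENT is usually a program probing for an optional file.
ERRNO = {-1: "EPERM", -2: "ENOENT", -13: "EACCES"}
PERMISSION_ERRORS = {"EPERM", "EACCES"}

RECORD_RE = re.compile(r"^type=(\w+) msg=audit\(([\d.]+):(\d+)\):\s*(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit.log line into (type, serial, {field: value}) or None."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rtype, _ts, serial, rest = m.groups()
    return rtype, int(serial), {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}


def group_events(lines):
    """Join each SYSCALL record with its PATH records via the serial number."""
    events = defaultdict(lambda: {"syscall": None, "paths": {}})
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        rtype, serial, fields = rec
        if rtype == "SYSCALL":
            events[serial]["syscall"] = fields
        elif rtype == "PATH":
            events[serial]["paths"][int(fields.get("item", 0))] = fields.get("name", "?")
    return events


def failed_access(lines, include_enoent=False):
    """Return (kind, path, errno, exe, auid) for every failed open/openat/execve.

    kind is "exec" for execve and "file" otherwise. ENOENT failures are dropped
    unless include_enoent is set; that is what separates a real denial from the
    locale-catalogue lookups that fill an unfiltered report.
    """
    events = group_events(lines)
    results = []
    for serial in sorted(events):
        sc = events[serial]["syscall"]
        if sc is None or sc.get("success") != "no":
            continue
        name = SYSCALLS.get(sc.get("arch"), {}).get(int(sc.get("syscall", -1)))
        if name is None:
            continue
        code = int(sc.get("exit", "0"))
        err = ERRNO.get(code, "errno%d" % -code)
        if err not in PERMISSION_ERRORS and not include_enoent:
            continue
        paths = events[serial]["paths"]
        # item 0 is the object the call named (the file opened or executed).
        path = paths.get(0) or next(iter(paths.values()), "?")
        kind = "exec" if name == "execve" else "file"
        results.append((kind, path, err, sc.get("exe", "?"), sc.get("auid", "?")))
    return results


def failed_summary(lines, include_enoent=False):
    """Count failures per (kind, path), like aureport -f --failed --summary."""
    return Counter((kind, path) for kind, path, *_ in failed_access(lines, include_enoent))


def render(lines, include_enoent=False):
    """Text report, most frequent path first."""
    out = ["Failed File Summary Report", "=" * 40, "total  kind  file", "=" * 40]
    for (kind, path), n in failed_summary(lines, include_enoent).most_common():
        out.append("%5d  %-4s  %s" % (n, kind, path))
    return "\n".join(out)


# Constructed sample: an unprivileged user (auid=500) reads /etc/shadow and runs
# useradd (both denied), ls probes a missing locale catalogue, cat reads passwd.
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1176051012.164:2154): arch=40000003 syscall=5 success=no exit=-13 a0=bfffe9c4 a1=8000 a2=0 a3=8000 items=1 pid=2240 auid=500 uid=500 gid=500 euid=500 comm="cat" exe="/bin/cat" key="shadow_watch"',
    'type=CWD msg=audit(1176051012.164:2154):  cwd="/home/dummy"',
    'type=PATH msg=audit(1176051012.164:2154): item=0 name="/etc/shadow" inode=1573041 dev=fd:00 mode=0100400 ouid=0 ogid=0 rdev=00:00',
    'type=SYSCALL msg=audit(1176051013.002:2155): arch=40000003 syscall=11 success=no exit=-13 a0=9d5f008 a1=9d5f0a0 a2=9d5d4d0 a3=0 items=1 pid=2241 auid=500 uid=500 gid=500 euid=500 comm="bash" exe="/bin/bash" key="exec_watch"',
    'type=PATH msg=audit(1176051013.002:2155): item=0 name="/usr/sbin/useradd" inode=1048612 dev=fd:00 mode=0100750 ouid=0 ogid=0 rdev=00:00',
    'type=SYSCALL msg=audit(1176051014.417:2156): arch=40000003 syscall=5 success=no exit=-2 a0=bff6f8d4 a1=0 a2=1b6 a3=0 items=1 pid=2242 auid=500 uid=500 gid=500 euid=500 comm="ls" exe="/bin/ls" key=(null)',
    'type=PATH msg=audit(1176051014.417:2156): item=0 name="/usr/share/locale/en_US.UTF-8/LC_TIME/coreutils.mo"',
    'type=SYSCALL msg=audit(1176051015.100:2157): arch=40000003 syscall=5 success=yes exit=3 a0=bff6f8d4 a1=0 a2=0 a3=0 items=1 pid=2243 auid=500 uid=500 gid=500 euid=500 comm="cat" exe="/bin/cat" key="passwd_watch"',
    'type=PATH msg=audit(1176051015.100:2157): item=0 name="/etc/passwd" inode=1573040 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00',
]

if __name__ == "__main__":
    print(render(SAMPLE_LOG))                        # only the two EACCES denials
    print()
    print(render(SAMPLE_LOG, include_enoent=True))   # adds the coreutils.mo probe
```

Run it against a real log with `python3 script.py < /dev/null` replaced by reading `/var/log/audit/audit.log` into `lines` (root needed); the point to take from the two reports is that filtering on the errno in the SYSCALL record, not just on `success=no`, is what reduces the reboot-time noise to the handful of denials worth a NISPOM/DCID review.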
This may be of importance - I did NOT install the SNARE Kernel because Security Alliance has not posted a version yet for my kernel version 2.6.9-42. All they have is 2.6.9-34. Could this be my problem? I am trying to erase Snare completely right now. I may have to rebuild without it and start from there.
Re-installed Red Hat Linux 4 from scratch and re-traced some install steps. Not sure if the issue is between audit-1.0.15 and 1.2 or not. Discovered that you should NOT install the Snare CORE AND the agent. Most likely the culprit. Thanks for the help anyway.
Now to see if I can get some files to pull in the audit log.