Default Audit

jandvon
Posts: 3
Joined: 2018/04/09 13:21:14

Default Audit

Post by jandvon » 2018/04/09 13:54:58

If you DON'T modify the "audit.rules" does anybody know what gets audited (i.e., what rules get used?)

I'm looking at a system that appears to have the default, out-of-the-box "audit.rules." It clears the old rules and sets the buffer and that's about it. I'm trying to persuade the owners to configure that thing, but THEY ARE GETTING LOGs and they seem content.

I'm trying to assess if their approach is adequate, but try as I might, I can't find anything that tells me what gets audited if you don't configure the audit.rules.

Any help?

thanks

Jandvon

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Default Audit

Post by TrevorH » 2018/04/09 14:09:56

No idea if it's "adequate" but I've never had to change the audit rules at all.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

MartinR
Posts: 714
Joined: 2015/05/11 07:53:27
Location: UK

Re: Default Audit

Post by MartinR » 2018/04/09 15:12:58

Use:

# aureport -ts today
then ausearch on any events of interest. It mostly seems to be things like iptables which are explicitly asking auditd to record the event.

jandvon
Posts: 3
Joined: 2018/04/09 13:21:14

Re: Default Audit

Post by jandvon » 2018/04/09 15:35:48

Martin, Trevor - thanks
I think the "aureport -ts today" will be an interesting test.
I live in the US Government space and I'm used to seeing things like this:

## The purpose of these rules is to meet the stig auditing requirements
## Things that could affect time
-a always,exit -F arch=b32 -S adjtimex,settimeofday,stime -F key=time-change
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=time-change
-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
-w /etc/localtime -p wa -k time-change
## Things that affect identity
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
## Things that could affect system locale
-a always,exit -F arch=b32 -S sethostname,setdomainname -F key=system-locale
-a always,exit -F arch=b64 -S sethostname,setdomainname -F key=system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/hostname -p wa -k system-locale
-a always,exit -F dir=/etc/NetworkManager/ -F perm=wa -F key=system-locale
## Things that could affect MAC policy
-a always,exit -F dir=/etc/selinux/ -F perm=wa -F key=MAC-policy
##- Discretionary access control permission modification (unsuccessful
## and successful use of chown/chmod)
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
##- Unauthorized access attempts to files (unsuccessful)
-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access

##- Use of print command (unsuccessful and successful)

##- Export to media (successful)
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -F key=export
-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -F key=export

##- System startup and shutdown (unsuccessful and successful)

##- Files and programs deleted by the user (successful and unsuccessful)
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -F key=delete
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -F key=delete

##- All system administration actions
##- All security personnel actions
-w /etc/sudoers -p wa -k actions
-w /etc/sudoers.d/ -p wa -k actions
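
To make the comparison in this thread concrete, here is an added example (not from any poster): a small parser for audit.rules syntax that reports what a rule set actually watches, which syscalls it hooks, the keys it tags, and any "##" heading with no rule beneath it (as with the print-command section above). Both sample rule sets are constructed for the example; the buffer size 320 in the default file is an assumption.

```python
import shlex
# Constructed: the stock CentOS 6 audit.rules as described in the thread (flush rules, set buffer; 320 is an assumed size).
DEFAULT_RULES = "-D\n-b 320\n"
# Constructed excerpt of the STIG-style rules quoted above, including a wrapped heading and a heading with no rule.
STIG_RULES = """\
## Things that affect identity
-w /etc/passwd -p wa -k identity
##- Discretionary access control permission modification (unsuccessful
## and successful use of chown/chmod)
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
##- Use of print command (unsuccessful and successful)

##- Export to media (successful)
-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -F key=export
"""

def parse_rule(line):
    """Parse one audit.rules line; return None for blanks and comments."""
    toks = shlex.split(line)
    if not toks or toks[0].startswith("#"):
        return None
    r, i = {"kind": "other", "path": None, "syscalls": [], "key": None}, 0
    while i < len(toks):
        t, arg = toks[i], (toks[i + 1] if i + 1 < len(toks) else "")
        if t == "-D": r["kind"] = "delete-all"; i += 1; continue      # -D takes no argument
        if t == "-w": r["kind"], r["path"] = "watch", arg
        elif t == "-a": r["kind"] = "syscall"
        elif t == "-b": r["kind"] = "buffer"
        elif t == "-S": r["syscalls"] += arg.split(",")
        elif t == "-k" or (t == "-F" and arg.startswith("key=")): r["key"] = arg.split("=", 1)[-1]
        i += 2                                  # every other option consumes exactly one argument
    return r

def summarise(text):
    """Report what a rules file audits and which '##' headings introduce no rule."""
    out = {"watches": [], "syscalls": set(), "keys": set(), "empty_sections": []}
    heading, has_rule, prev_heading = None, True, False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("##"):                  # section heading; a wrapped heading continues on the next line
            if not prev_heading and heading and not has_rule: out["empty_sections"].append(heading)
            heading = (heading + " " if prev_heading else "") + s.lstrip("#- ")
            has_rule, prev_heading = has_rule and prev_heading, True
            continue
        prev_heading, r = False, parse_rule(line)
        if r is None: continue
        has_rule = True
        if r["kind"] == "watch": out["watches"].append(r["path"])
        out["syscalls"].update(r["syscalls"])
        if r["key"]: out["keys"].add(r["key"])
    if heading and not has_rule: out["empty_sections"].append(heading)
    return out
```

Run `summarise(DEFAULT_RULES)` and every list comes back empty, which is the answer to the original question: a rules file that only flushes and sets the buffer asks the kernel to audit nothing explicitly, so whatever reaches the log is from subsystems that emit audit events on their own.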

MartinR
Posts: 714
Joined: 2015/05/11 07:53:27
Location: UK

Re: Default Audit

Post by MartinR » 2018/04/09 16:10:33

In that case you may want to use /usr/share/doc/audit-2.4.5/capp.rules. Assuming you have a /etc/audit/rules.d directory do:

# cd /etc/audit/rules.d
# cp /usr/share/doc/audit-2.4.5/capp.rules .
# augenrules
- check it, and if you are happy # service auditd restart

Since this is the C6 forum, I'm assuming CentOS 6.9 and auditd 2.4.5. C7 is different! :(

jandvon
Posts: 3
Joined: 2018/04/09 13:21:14

Re: Default Audit

Post by jandvon » 2018/04/09 20:21:31

thanks again (yes version 6)
