Central audit logging

mntbighker
Posts: 38
Joined: 2014/11/05 02:00:11

Central audit logging

Post by mntbighker » 2015/04/30 00:57:54

I have central audit logging set up using audisp-remote. I'm also piping the log file into graylog (port 15514).

rsyslog.conf:
# Load the file-input module and tail auditd's log into rsyslog.
$ModLoad imfile
$InputFileName /var/log/audit/audit.log
$InputFileTag Auditd
$InputFileStateFile /var/spool/rsyslog
$InputFileFacility local4
$InputRunFileMonitor
# Forward everything on facility local4 to the local Graylog input over TCP (@@ = TCP).
local4.* @@127.0.0.1:15514

Two things remain an issue for me. I need to figure out the SELinux context needed to allow rsyslog into /var/log/audit:

OSSEC HIDS Notification.
2015 Apr 29 17:10:15

Received From: graylog->/var/log/messages
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

Apr 29 17:10:13 graylog Auditd node=xxx.xxx.xxx.gov type=AVC msg=audit(1430352603.306:2871): avc:  denied  { read } for  pid=1128 comm="rsyslogd" path="/var/log/audit/audit.log" dev=dm-3 ino=20971532 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:auditd_log_t:s0 tclass=file

--END OF NOTIFICATION

OSSEC HIDS Notification.
2015 Apr 29 17:10:15

Received From: graylog->/var/log/messages
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

Apr 29 17:10:13 graylog Auditd node=xxx.xxx.xxx.gov type=AVC msg=audit(1430352603.306:2872): avc:  denied  { getattr } for  pid=1128 comm="rsyslogd" path="/var/log/audit/audit.log" dev=dm-3 ino=20971532 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:auditd_log_t:s0 tclass=file

And I wonder about altering the setup to have audit file names written based on hostname. However, this will complicate the graylog setup, and I do have graylog extractors that pick out the client hostname. The issue may be if the audit files are needed for forensics and we have 10 clients' audit records lumped into single files. Presumably the IG will want to use the audit tools and not graylog.

I would like to switch the log collector back to SELinux enforcing, as per the federal security guidelines. But this must be resolved first.

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: Central audit logging

Post by aks » 2015/04/30 16:42:30

A quick way is to use audit2allow (see https://access.redhat.com/documentation ... allow.html).
The constraint here is that you may allow more than is necessary, but if you just want to get up and running fairly quickly just use that.

mntbighker
Posts: 38
Joined: 2014/11/05 02:00:11

Re: Central audit logging

Post by mntbighker » 2015/04/30 21:25:01

aks wrote:A quick way is to use audit2allow (see https://access.redhat.com/documentation ... allow.html).
The constraint here is that you may allow more than is necessary, but if you just want to get up and running fairly quickly just use that.
Yeah, audit2allow can be more of a broad sword than a scalpel. But I guess the question is: do you want to add the audit permission context to rsyslog, or add the rsyslog context to /var/log/audit/*? You might think that installing audispd-plugins might do that for you. But maybe that is a stretch. The general wisdom around the googleverse seems to be to disable SELinux.

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: Central audit logging

Post by aks » 2015/05/01 16:01:04

Yeah, I won't disable SELinux - see http://stopdisablingselinux.com/
Personally I'd look at the output from audit2allow and adjust what I think is required and use that (assuming I know how the application(s) work).
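As an added example (not code from any poster in this thread), the Python below does by hand the narrowing aks describes: it parses the two AVC records quoted in the first post (embedded here as constructed input) and renders a type-enforcement source that grants syslogd_t only the permissions actually denied on auditd_log_t, so nothing broader than the logged denials gets allowed. The module name rsyslog_audit is an assumption.

```python
import re
from collections import defaultdict
# Constructed input: the two AVC records quoted in the first post (hostname elided as in the post).
AVC_LINES = [
    'Apr 29 17:10:13 graylog Auditd node=xxx.xxx.xxx.gov type=AVC msg=audit(1430352603.306:2871): '
    'avc:  denied  { read } for  pid=1128 comm="rsyslogd" path="/var/log/audit/audit.log" dev=dm-3 '
    'ino=20971532 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:auditd_log_t:s0 tclass=file',
    'Apr 29 17:10:13 graylog Auditd node=xxx.xxx.xxx.gov type=AVC msg=audit(1430352603.306:2872): '
    'avc:  denied  { getattr } for  pid=1128 comm="rsyslogd" path="/var/log/audit/audit.log" dev=dm-3 '
    'ino=20971532 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:auditd_log_t:s0 tclass=file',
]

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) for an AVC denial, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type:level; only the type matters for an allow rule.
    stype = m.group('scontext').split(':')[2]
    ttype = m.group('tcontext').split(':')[2]
    return stype, ttype, m.group('tclass'), set(m.group('perms').split())

def collect_rules(lines):
    """Merge all denials into one permission set per (source, target, class)."""
    rules = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            rules[(stype, ttype, tclass)] |= perms
    return dict(rules)

def render_te(rules, module='rsyslog_audit', version='1.0'):
    """Emit a .te source granting exactly the denied permissions and nothing more."""
    types = sorted({t for (s, tt, _) in rules for t in (s, tt)})
    class_perms = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        class_perms[tclass] |= perms
    out = [f'module {module} {version};', '', 'require {']
    out += [f'    type {t};' for t in types]
    out += [f'    class {c} {{ {" ".join(sorted(p))} }};' for c, p in sorted(class_perms.items())]
    out += ['}', '']
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        out.append(f'allow {stype} {ttype}:{tclass} {{ {" ".join(sorted(perms))} }};')
    return '\n'.join(out) + '\n'
```

The rendered source still has to be compiled and loaded with the usual checkmodule / semodule_package / semodule steps, and any denial that shows up afterwards should be reviewed the same way rather than waved through.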
