I know that for BIND, there is a tool that enables the administrator to check the configurations and syntax in files for DNS Zone files.
Is there such a tool for validating syntax for auditd.conf or audit.rules files as well on CentOS-6.6?
I need a tool that can sanity check my audit.rules files to make sure that something isn't malformed (poorly written) by me so that I can be assured the auditd daemon will successfully start up and run. This fault has caused me a major issue on a system that is going to "go live" with real users on it soon, since last June. You might logically argue, why not back out the last change; that's a valid point, but now that it has been nearly 10 months I don't know what change broke the AUDIT subsystem.
Thanks for any guidance and direction, in advance,
[SOLVED] auditd.conf or audit.rules sanity checker
- warron.french
- Posts: 616
- Joined: 2014/03/27 20:21:58
Last edited by warron.french on 2016/04/13 23:09:48, edited 2 times in total.
Thanks,
War
Re: auditd.conf or audit.rules sanity checker
Just try to load the rules. The man page for auditctl states :
You're talking about if you have typos for the syscalls and 32 bit and 64 bit rules right? That should help.
CONFIGURATION OPTIONS
-b backlog
Set max number of outstanding audit buffers allowed (Kernel Default=64) If all buffers are full, the failure flag is consulted by the kernel for action.
--backlog_wait_time wait_time
Set the time for the kernel to wait (Kernel Default 60*HZ) when the backlog_limit is reached before queuing more audit events to be transferred to auditd. The number must be greater than or equal to zero and less that 10 times the default value.
READ ME -c Continue loading rules in spite of an error. This summarizes the results of loading the rules. The exit code will not be success if any rule fails to load.
- warron.french
- Posts: 616
- Joined: 2014/03/27 20:21:58
Re: auditd.conf or audit.rules sanity checker
Hello dmunk,
I do not want to seem ungrateful, but I did see those switches. I believe they don't quite answer my question about how to do a proper syntax/sanity check on the audit.rules content (the actual rules); they more or less help with changing the buffer size of audit log data, and whether or not to report errors to the screen. They do not help me to test the rules before the rules are in "full motion" if I use those 2 options.
Perhaps I am missing something, could you please clarify in the case I am not understanding what you are suggesting would be the result?
Thanks,
War
- warron.french
- Posts: 616
- Joined: 2014/03/27 20:21:58
Re: auditd.conf or audit.rules sanity checker
I have an answer directly from Steve Grubb himself who (I think) writes/edits the audit software from Red Hat.
He said to perform:
auditctl -l to confirm what rules have been loaded, and
auditctl -s to confirm the proper running status of the audit service.
To test whether or not watches (those lines of syntax with -w in the front) are functioning properly, and to test:
Access the file in a manner that triggers the particular -w arguments file with the -p settings (rwx) and then perform an ausearch command to see a record has been produced.
Thanks,
War
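The two answers in this thread describe two different checks: dmunk's "just load the rules and see what breaks" (with the -c option from the man page excerpt, where the installed auditctl supports it, so loading continues past a bad line while the exit status still reports failure), and the auditctl -l / auditctl -s / ausearch routine relayed from Steve Grubb. The shell script below is an added example, not code from this thread or from the audit project. It adds a pre-flight lint that runs before anything touches the kernel (function names, the checks, and the two constructed sample rule files are my own; the lint covers only a subset of auditctl(8) syntax and is a heuristic, not a full parser), followed by the live check from the thread as a second function that needs root and a running auditd.

```bash
#!/bin/sh
# Added example, not from the forum thread or the audit project.
# lint_audit_rules: heuristic pre-flight syntax check of an audit.rules file
# (assumption: a subset of auditctl(8) syntax is enough to catch common typos).
# load_and_verify: the live check described in the thread (root + running auditd).

err() { echo "line $1: $2" >&2; errors=$((errors + 1)); }

# Returns 0 if no rule line fails the checks; the error count is left in LINT_ERRORS.
lint_audit_rules() {
    file=$1
    errors=0
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case "$line" in ''|'#'*) continue ;; esac   # blanks and comments are ignored
        # shellcheck disable=SC2086
        set -- $line                                # split the rule into auditctl words
        case "$1" in
            -D|-c|-i) ;;                            # flag-only control options
            -e|-f|-b|-r)                            # control options taking a number
                case "$2" in ''|*[!0-9]*) err "$lineno" "$1 needs a numeric value: $line" ;; esac ;;
            -w)                                     # file/directory watch
                case "$2" in /*) ;; *) err "$lineno" "-w needs an absolute path: $line" ;; esac
                shift "$(( $# < 2 ? $# : 2 ))"
                while [ $# -gt 0 ]; do
                    case "$1" in
                        -p) case "$2" in ''|*[!rwxa]*) err "$lineno" "-p accepts only r/w/x/a, got '$2'" ;; esac ;;
                        -k) [ -n "$2" ] || err "$lineno" "-k needs a key name" ;;
                        *)  err "$lineno" "unexpected option '$1' on a -w rule" ;;
                    esac
                    shift "$(( $# < 2 ? $# : 2 ))"
                done ;;
            -a|-A)                                  # syscall rule: -a list,action (either order)
                spec=$2; first=${spec%%,*}; second=${spec#*,}; ok=0
                for pair in "$first:$second" "$second:$first"; do
                    case "$pair" in
                        always:task|always:exit|always:user|always:exclude|never:task|never:exit|never:user|never:exclude) ok=1 ;;
                    esac
                done
                [ "$ok" -eq 1 ] || err "$lineno" "bad list,action spec '$spec'"
                shift "$(( $# < 2 ? $# : 2 ))"
                while [ $# -gt 0 ]; do
                    case "$1" in
                        -S) [ -n "$2" ] || err "$lineno" "-S needs a syscall name or number" ;;
                        -F) case "$2" in *['=<>&']*) ;; *) err "$lineno" "-F needs field<op>value, got '$2'" ;; esac ;;
                        -k) [ -n "$2" ] || err "$lineno" "-k needs a key name" ;;
                        *)  err "$lineno" "unexpected option '$1' on a syscall rule" ;;
                    esac
                    shift "$(( $# < 2 ? $# : 2 ))"
                done ;;
            *)  err "$lineno" "unknown leading option '$1': $line" ;;
        esac
    done < "$file"
    LINT_ERRORS=$errors
    [ "$errors" -eq 0 ]
}

# Live check (run as root on the target box): load the file, then do what the
# thread recommends. Nothing here is reached by the offline sample run below.
load_and_verify() {
    rules_file=$1; watched=$2; key=$3
    auditctl -R "$rules_file" || { echo "auditctl rejected at least one rule in $rules_file" >&2; return 1; }
    auditctl -l                     # rules the kernel actually accepted
    auditctl -s                     # enabled flag, backlog, lost counter, auditd pid
    touch "$watched"                # timestamp update: matches a -p a (attribute) watch
    ausearch -k "$key" -ts recent   # the record should show up under the rule's key
}

# Constructed sample rule files (not from any real system).
GOOD_RULES=$(mktemp); BAD_RULES=$(mktemp)
trap 'rm -f "$GOOD_RULES" "$BAD_RULES"' EXIT
cat > "$GOOD_RULES" <<'EOF'
# well-formed sample
-D
-b 8192
-f 1

-w /etc/passwd -p wa -k identity
-w /var/tmp/audit-test -p rwxa -k scratch
-a always,exit -F arch=b64 -S execve -k exec
EOF
cat > "$BAD_RULES" <<'EOF'
-w etc/shadow -p wa -k identity
-w /etc/hosts -p rwq -k net
-a always,exits -F arch=b64 -S open
-x /foo
EOF
lint_audit_rules "$GOOD_RULES" && echo "good sample: $LINT_ERRORS errors"
lint_audit_rules "$BAD_RULES"  || echo "bad sample: $LINT_ERRORS errors, not safe to load"
```

On the real box, run lint_audit_rules against the file first and only then load it; for the live part, follow dmunk's suggestion of a scratch file under its own -w watch (the /var/tmp/audit-test line in the sample) so the trigger touches nothing that matters, e.g. load_and_verify /etc/audit/audit.rules /var/tmp/audit-test scratch as root.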
Re: [SOLVED] auditd.conf or audit.rules sanity checker
warron.french,
I must have misunderstood. I have in the past attempted a rules load to see if the syntax was correct. Also, I have never messed with the buffer settings or anything. I am guessing that is what you are more interested in with the question? Not sure. In short, if it is just a question of "Are my rules functional?", then loading will show the breaks. As stated above, having a test directory and test file can help on tuning.
To be clear, I use the default rules with cent 7 now. I have had rules that watch for sockets being opened using file / directories that I wanted to know about. However, never worked with the buffer settings or anything that actually controlled the auditd engine outside of the rules themselves. Sorry I could not be of more assistance.
- warron.french
- Posts: 616
- Joined: 2014/03/27 20:21:58
Re: [SOLVED] auditd.conf or audit.rules sanity checker
dmunk, thanks for replying anyway. I did appreciate the reply and extra thoughts. Your method of loading the rules is essentially satisfied by using the auditctl -l command.
dmunk wrote:
warron.french,
I must have misunderstood. I have in the past attempted a rules load to see if the syntax was correct. Also, I have never messed with the buffer settings or anything. I am guessing that is what you are more interested in with the question? Not sure. In short, if it is just a question of "Are my rules functional?", then loading will show the breaks. As stated above, having a test directory and test file can help on tuning.
To be clear, I use the default rules with cent 7 now. I have had rules that watch for sockets being opened using file / directories that I wanted to know about. However, never worked with the buffer settings or anything that actually controlled the auditd engine outside of the rules themselves. Sorry I could not be of more assistance.
Thanks,
War