[SOLVED] auditd.conf or audit.rules sanity checker

Support for security such as Firewalls and securing linux
warron.french
Posts: 616
Joined: 2014/03/27 20:21:58

[SOLVED] auditd.conf or audit.rules sanity checker

Post by warron.french » 2016/03/10 14:19:03

I know that for BIND, there is a tool that enables the administrator to check the configurations and syntax in files for DNS Zone files.

Is there such a tool for validating syntax for auditd.conf or audit.rules files as well on CentOS-6.6?

I need a tool that can sanity check my audit.rules files to make sure that something isn't malformed (poorly written) by me so that I can be assured the auditd daemon will successfully start up and run. This fault has caused me a major issue on a system that is going to "go live" with real users on it soon, since last June. You might logically argue, why not back out the last change; that's a valid point, but now that it has been nearly 10 months I don't know what change broke the AUDIT subsystem.

Thanks for any guidance and direction, in advance,
Last edited by warron.french on 2016/04/13 23:09:48, edited 2 times in total.
Thanks,
War

dmunk
Posts: 37
Joined: 2016/03/16 03:33:49

Re: auditd.conf or audit.rules sanity checker

Post by dmunk » 2016/03/17 04:40:40

Just try to load the rules. The man page for auditctl states :

CONFIGURATION OPTIONS
       -b backlog
              Set max number of outstanding audit buffers allowed (Kernel Default=64) If all buffers are full, the failure flag is consulted by the kernel for action.

       --backlog_wait_time wait_time
              Set  the  time for the kernel to wait (Kernel Default 60*HZ) when the backlog_limit is reached before queuing more audit events to be transferred to auditd. The number must be greater than or equal to zero and less that
              10 times the default value.

READ ME    -c     Continue loading rules in spite of an error. This summarizes the results of loading the rules. The exit code will not be success if any rule fails to load.


You're talking about if you have typos for the syscalls and 32-bit and 64-bit rules, right? That should help.
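As an added example, not code from dmunk or from the audit project: a small POSIX sh lint that catches the common line-level mistakes (bad option, relative watch path, stray -p letters, mistyped action,list, syscall rule without a -S/-F filter) before `auditctl -R` hands the file to the kernel. It assumes the rule grammar described in auditctl(8) and runs against constructed sample files.

```shell
# Structural lint for an audit.rules file, run before `auditctl -R` loads it: checks option
# names, watch paths, -p letters, action,list pairs and that -a rules carry -S/-F. Assumed
# grammar follows auditctl(8); syscall names and field values are not validated.
lint_audit_rules() {
    file="$1"; bad=0; n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in ''|'#'*) continue ;; esac   # skip blanks and comments
        set -- $line                                 # split the rule into tokens
        case "$1" in
        -D|-c|-i) ;;                                 # delete-all, continue, ignore-errors
        -b|-f|-e|--backlog_wait_time)
            printf '%s' "$2" | grep -Eq '^[0-9]+$' || { echo "$file:$n: $1 needs a number: $line"; bad=1; } ;;
        -w)                                          # watch: absolute path, optional -p and -k
            case "$2" in /*) ;; *) echo "$file:$n: -w needs an absolute path: $line"; bad=1 ;; esac
            [ $# -ge 2 ] && shift 2 || set --
            while [ $# -gt 0 ]; do
                case "$1" in
                -p) printf '%s' "$2" | grep -Eq '^[rwxa]{1,4}$' || { echo "$file:$n: -p takes only r,w,x,a: $line"; bad=1; } ;;
                -k) ;;
                *)  echo "$file:$n: unexpected '$1' in watch rule: $line"; bad=1 ;;
                esac
                [ $# -ge 2 ] && shift 2 || set --
            done ;;
        -a)                                          # syscall rule: action,list plus a filter
            printf '%s' "$2" | grep -Eq '^(always|never),(task|exit|user|exclude)$|^(task|exit|user|exclude),(always|never)$' \
                || { echo "$file:$n: bad action,list '$2': $line"; bad=1; }
            f=0; for t in "$@"; do case "$t" in -S|-F) f=1 ;; esac; done
            [ "$f" -eq 1 ] || { echo "$file:$n: -a rule has no -S/-F filter: $line"; bad=1; } ;;
        *)  echo "$file:$n: unknown option '$1': $line"; bad=1 ;;
        esac
    done < "$file"
    return "$bad"
}
# Constructed sample files (not from the thread) exercising the checks.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/good.rules" <<'EOF'
-w /etc/shadow -p wa -k shadow
-a always,exit -F arch=b64 -S execve -k exec
-e 2
EOF
cat > "$SAMPLE_DIR/bad.rules" <<'EOF'
-w etc/passwd -p rwxa -k passwd
-w /etc/hosts -p wq -k hosts
-a alway,exit -S open -k oops
-a always,exit -k nofilter
-z 5
EOF
lint_audit_rules "$SAMPLE_DIR/good.rules" && echo "good.rules: OK"
lint_audit_rules "$SAMPLE_DIR/bad.rules" || echo "bad.rules: fix before loading"
```

A clean lint only means the file is well-formed; `auditctl -l` and `auditctl -s` after loading remain the check that the kernel accepted the rules.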

warron.french
Posts: 616
Joined: 2014/03/27 20:21:58

Re: auditd.conf or audit.rules sanity checker

Post by warron.french » 2016/03/18 14:05:48

Hello dmunk,

I do not want to seem ungrateful, but I did see those switches. I believe they don't quite answer my question about how to do a proper syntax/sanity check on the audit.rules content (the actual rules); they more or less help with changing the buffer size of audit log data, and whether or not to report errors to the screen. They do not help me to test the rules before the rules are in "full motion" if I use those 2 options.

Perhaps I am missing something, could you please clarify in the case I am not understanding what you are suggesting would be the result?
Thanks,
War

warron.french
Posts: 616
Joined: 2014/03/27 20:21:58

Re: auditd.conf or audit.rules sanity checker

Post by warron.french » 2016/03/18 15:59:53

I have an answer directly from Steve Grubb himself who (I think) writes/edits the audit software from Red Hat.

He said to perform:

auditctl -l to confirm what rules have been loaded, and
auditctl -s to confirm the proper running status of the audit service.

To test whether or not watches (those lines of syntax with -w in the front) are functioning properly: access the file in a manner that triggers the particular -w argument's file with the -p settings (rwx), and then perform an ausearch command to see that a record has been produced.
Thanks,
War

dmunk
Posts: 37
Joined: 2016/03/16 03:33:49

Re: [SOLVED] auditd.conf or audit.rules sanity checker

Post by dmunk » 2016/03/20 15:15:56

warron.french,

I must have misunderstood. I have in the past attempted a rules load to see if the syntax was correct. Also, I have never messed with the buffer settings or anything. I am guessing that is what you are more interested in with the question? Not sure. In short, if it is just a question of "Are my rules functional?", then loading will show the breaks. As stated above, having a test directory and test file can help on tuning.

To be clear, I use the default rules with cent 7 now. I have had rules that watch for sockets being opened using file / directories that I wanted to know about. However, never worked with the buffer settings or anything that actually controlled the auditd engine outside of the rules themselves. Sorry I could not be of more assistance.

warron.french
Posts: 616
Joined: 2014/03/27 20:21:58

Re: [SOLVED] auditd.conf or audit.rules sanity checker

Post by warron.french » 2016/04/13 23:11:37

dmunk wrote: warron.french,

I must have misunderstood. I have in the past attempted a rules load to see if the syntax was correct. Also, I have never messed with the buffer settings or anything. I am guessing that is what you are more interested in with the question? Not sure. In short, if it is just a question of "Are my rules functional?", then loading will show the breaks. As stated above, having a test directory and test file can help on tuning.

To be clear, I use the default rules with cent 7 now. I have had rules that watch for sockets being opened using file / directories that I wanted to know about. However, never worked with the buffer settings or anything that actually controlled the auditd engine outside of the rules themselves. Sorry I could not be of more assistance.
dmunk, thanks for replying anyway. I did appreciate the reply and extra thoughts. Your method of loading the rules is essentially satisfied by using the auditctl -l command.
Thanks,
War
