Auditing

Support for security such as Firewalls and securing linux
Jennercramer
Posts: 1
Joined: 2018/02/15 19:55:37

Auditing

Post by Jennercramer » 2018/02/15 20:05:40

Greetings! I work in a security role and recently we had some users start using CentOS 7. They are VMs run through vSphere. I have been tasked with monitoring these workstations along with all of the windows workstations we already have. We have already set up syslog forwarding on the box to our server, and that is working fine. My issue is that we are not getting the types of events we need to be getting. Here is a list of the events they are requesting I audit.

-Use of privileged/Special rights
-Role Escalation
-Audit and Security relevant log data
-Printing to device and to file
-Application Initialization

I started trying to put together some custom rules for the audit.rules file, but it doesn't seem like I entered them correctly. Any advice would be great as I am having issues finding other forums relating to this.
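A starting rule set for the five event classes listed above, as an added example that is not part of the original post or of any reply. It targets auditd 2.x on CentOS 7 and follows the audit.rules syntax documented in the package's README-rules. The key names after -k, the file name /etc/audit/rules.d/workstation.rules, and the CUPS paths for the printing rules are assumptions to adjust for the site; the lint function is a small sanity check added here, not an audit tool.

```shell
#!/bin/sh
# Added example for auditd 2.x on CentOS 7; not from the thread.
# The -k key names are arbitrary labels chosen here so the events can
# later be pulled out with `ausearch -k <key>` or matched on the syslog
# server. The /etc/audit/rules.d file name is an assumption.

# Print the rule set (audit.rules syntax).
workstation_rules() {
cat <<'EOF'
## Kernel audit buffer; raise it if `auditctl -s` reports lost events
-b 8192

## Use of privileged/special rights: any program executed with an
## effective uid of root by a non-root real uid (sudo, setuid binaries)
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k priv_cmd
-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k priv_cmd

## Role escalation: su/sudo use, and changes to who is allowed to escalate
-w /usr/bin/su -p x -k escalation
-w /usr/bin/sudo -p x -k escalation
-w /etc/sudoers -p wa -k escalation
-w /etc/sudoers.d/ -p wa -k escalation

## Audit and security-relevant log data: tampering with the audit
## configuration or with the logs themselves
-w /etc/audit/ -p wa -k audit_config
-w /etc/audisp/ -p wa -k audit_config
-w /var/log/audit/ -p wa -k audit_log
-w /var/log/messages -p wa -k sec_log
-w /var/log/secure -p wa -k sec_log

## Printing to device and to file (CUPS paths are an assumption; change
## them if the site uses another spooler)
-w /usr/bin/lp -p x -k print
-w /usr/bin/lpr -p x -k print
-w /etc/cups/ -p wa -k print
-w /var/spool/cups/ -p wa -k print

## Application initialization: every execve by a logged-in user
## (auid >= 1000 and not the unset value 4294967295)
-a always,exit -F arch=b64 -S execve -F auid>=1000 -F auid!=4294967295 -k app_start
-a always,exit -F arch=b32 -S execve -F auid>=1000 -F auid!=4294967295 -k app_start
EOF
}

# Sanity-check rules read from stdin before loading them: every -a/-w
# rule must carry a -k key, and every -a rule must name a syscall (-S)
# and an architecture (-F arch=), otherwise a typo yields a rule that
# loads fine but matches nothing. Prints offenders, returns 1 if any.
lint_rules() {
    awk '
        /^[[:space:]]*(#|$)/ { next }                       # comments, blanks
        /^-a / && !/ -S /     { bad++; print "no -S: " $0; next }
        /^-a / && !/-F arch=/ { bad++; print "no arch: " $0; next }
        /^-[aw] / && !/ -k /  { bad++; print "no -k: " $0; next }
        END { exit (bad ? 1 : 0) }'
}

# Install and load the rules (run as root on the CentOS 7 box). After
# this, `auditctl -l` lists them and `ausearch -k escalation` returns
# events as soon as someone runs sudo.
install_rules() {
    workstation_rules | lint_rules || return 1
    workstation_rules > /etc/audit/rules.d/workstation.rules
    augenrules --load && auditctl -l
}
```

The -C uid!=euid comparison is what singles out "privileged use" without logging every root cron job, and the auid filters on the execve rules keep daemon activity out of the application-start stream. Two execve rules are needed because b32 and b64 binaries hit different syscall tables.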

MartinR
Posts: 714
Joined: 2015/05/11 07:53:27
Location: UK

Re: Auditing

Post by MartinR » 2018/02/16 10:45:06

Go to /usr/share/doc/audit-2.7.6 (the 2.7.6 may be lower depending upon how up to date you are). Have a look at the README and then go to the subdirectory and read the README-rules file there.

--Edit

I forgot to say, read /etc/auditd.conf and see where the log file is. Typically audit events are sent to /var/log/audit/audit.log, so you may be auditing but not forwarding the events. If you redirect the events to the system log, you will need to change the log_format and this imposes a load on the client machine.
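A small check for the point raised in this reply, added here as an example and not part of the thread: read where auditd is writing and whether events are also being copied to syslog. On auditd 2.x for CentOS 7 the daemon's own settings live in /etc/audit/auditd.conf and the syslog copy is done by the audispd syslog plugin in /etc/audisp/plugins.d/syslog.conf (active = no in the stock file); the sample config contents written by the helper below are constructed to mirror the stock files.

```shell
#!/bin/sh
# Added example, not from the thread. Reads auditd 2.x style config files
# (CentOS 7 paths assumed: /etc/audit/auditd.conf and
# /etc/audisp/plugins.d/syslog.conf). Sample contents below are constructed.

# Print the value of one "key = value" setting; auditd.conf keys are
# case-insensitive, so compare lower-cased. Prints nothing if absent.
conf_value() {
    # $1 = file, $2 = key
    awk -v key="$2" -F= '
        /^[[:space:]]*(#|$)/ { next }
        {
            k = $1; sub(/^[[:space:]]+/, "", k); sub(/[[:space:]]+$/, "", k)
            if (tolower(k) == tolower(key)) {
                v = $2; sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# Summarise where events end up:
#   file:<path>         auditd writes only its own log (what the forwarder
#                       must read if it only tails syslog, it sees nothing)
#   file:<path>+syslog  audispd syslog plugin is active, events also reach
#                       syslog and so the existing forwarding
#   nolog               log_format = NOLOG (audit 2.x) turned file logging off
event_destination() {
    # $1 = auditd.conf, $2 = audisp syslog.conf
    fmt=$(conf_value "$1" log_format)
    file=$(conf_value "$1" log_file)
    [ -n "$file" ] || file=/var/log/audit/audit.log   # path from the stock config
    case "$(printf %s "$fmt" | tr 'A-Z' 'a-z')" in
        nolog) dest=nolog ;;
        *)     dest="file:$file" ;;
    esac
    if [ "$(conf_value "$2" active | tr 'A-Z' 'a-z')" = yes ]; then
        dest="$dest+syslog"
    fi
    printf '%s\n' "$dest"
}

# Turn the audispd syslog plugin on (GNU sed -i). Restart auditd afterwards
# with `service auditd restart`; systemctl refuses to restart auditd on
# CentOS 7. Expect extra load on the client, as the reply above notes.
enable_syslog_plugin() {
    sed -i 's/^active *= *no/active = yes/' "$1"
}

# Write constructed sample files mirroring the stock CentOS 7 contents into
# directory $1, so the functions above can be exercised offline.
write_sample_confs() {
    cat >"$1/auditd.conf" <<'EOF'
#
# This file controls the configuration of the audit daemon
#
log_file = /var/log/audit/audit.log
log_format = RAW
flush = INCREMENTAL_ASYNC
max_log_file = 8
EOF
    cat >"$1/syslog.conf" <<'EOF'
# audispd syslog plugin: set active = yes to copy events into syslog
active = no
direction = out
path = builtin_syslog
type = builtin
args = LOG_INFO
format = string
EOF
}

# Usage on a live box (as root):
#   event_destination /etc/audit/auditd.conf /etc/audisp/plugins.d/syslog.conf
```

If the result is file:/var/log/audit/audit.log with no +syslog, the rules may well be firing (check with ausearch -k) while the syslog forwarder never sees them; either enable the plugin or point the forwarding agent at the audit log file directly.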
