topic Re: Plz help me to configure auditing in Operating System - Linux

Plz help me to configure auditing

Maaz — Mon, 10 Jul 2006 14:21:47 GMT

os: rhel 4

I wana audit .. if any new directory created under /etc. for that I configure auditing, and then create a new directory under /etc, but i didnt find that a new directory has been created under /etc.

I want to audit if a new directory is created under /etc.
I create a filter in /etc/filter.conf,(http://maconlinux.net/linux-man-pages/en/audit-filter.conf.5.html) .

#cat /etc/filter
predicate is-etc = prefix(/etc);
syscall mkdir = is-etc(arg0);

#service auditd start
#mkdir /etc/test
#ureport -t

Log Time Range Report
=====================
/var/log/audit/audit.log: 07/09/2006 23:54:16.141 - 07/10/2006 00:46:58.453

#aureport -s

Syscall Report
=======================================
# date time syscall pid comm auid event
=======================================

#aureport -r

Response to Anomaly Report
==============================
# date time type success event
==============================

I also check /var/log/audit/audit.log but it also doesnt show any evidence that someone has created a directory undr /etc

Plz help

Regards
Maaz

Re: Plz help me to configure auditing

Ivan Ferreira — Mon, 10 Jul 2006 14:26:10 GMT

If file creation is your concern, you maybe want to use Tripwire. Tripwire will report any changes to files and directories.

Re: Plz help me to configure auditing

Ivan Ferreira — Mon, 10 Jul 2006 18:28:41 GMT

Searching a little more about Red Hat's auditd, I have found that when you start the audit daemon, the /etc/audit.rules file is read to specify what to audit, and does not look like the filter you specified. Try this, edit the /etc/audit.rules file and add:

-w /etc -p wa -k CFG_etc

Re: Plz help me to configure auditing

Maaz — Thu, 13 Jul 2006 13:32:48 GMT

First of All Millions of Thanks Dear Mr Ivan Ferreira for help.

I add th "-w /etc -p wa -k CFG_etc" in /etc/audit.rules
#service auditd start
Starting auditd: [ OK ]
Error sending watch insert request (Invalid argument)There was an error in line 14 of /etc/audit.rules

-w /etc -p wa -k CFG_etc ... what will this line do ? and where should I check ?

And plz also know me abt any good tutorial to configure the audit deamon.

Regards
Maaz

Re: Plz help me to configure auditing

Ivan Ferreira — Thu, 13 Jul 2006 14:56:39 GMT

Bad notice, I have not found any document that could help you in this, I just checkec the documentation that comes with the package located in /usr/shared/doc/audit-, there you will see some samples.

Also you should check the man of auditctl and suscribe to the mailling list.

In the man of auditctl you can read that a whole directory as argument maybe is not supported, so, why don't you try with a file first? for example:

-w /etc/hosts -p wa -k CFG_hosts

Then modify the files and run the aureport.

Re: Plz help me to configure auditing

Maaz — Sun, 16 Jul 2006 07:08:29 GMT

Many Thanks Dear Mr Ivan Ferriera.
I add the following into /etc/audit.rules
-w /etc/hosts -p wa -k CFG_hosts
then
#service auditd start
Starting auditd: [ OK ]
Error sending watch insert request (Invalid argument)
then I edit /etc/hosts, nothing shows in /var/log/audit-/audit.log.

SOLUTION:
I simply upgrade the kernel from 2.6.9-5.EL to 2.6.9-22.EL. Its working ;). that is if i now edit /etc/hosts, and then check in audit.log it will show the status... likewise
ausearch -i -p pid, will aslo show the appropriate results

I think this is a bug in 2.6.9-5.EL .. isint ?

Regards
Maaz

Re: Plz help me to configure auditing

Steven E. Protter — Sun, 16 Jul 2006 09:04:05 GMT

Shalom Maaz,

It does indeed seem like a bug in the kernel, if thats the only action you took to fix it.

Not surprising, I've learned never to trust dot zero releases drom anybody.

SEP

Re: Plz help me to configure auditing

Steven E. Protter — Sun, 16 Jul 2006 09:04:20 GMT

Shalom Maaz,

It does indeed seem like a bug in the kernel, if thats the only action you took to fix it.

Not surprising, I've learned never to trust dot zero releases from anybody.

SEP

Re: Plz help me to configure auditing

Maaz — Mon, 17 Jul 2006 13:51:57 GMT

>It does indeed seem like a bug in the >kernel, if thats the only action you took >to fix it.
Yes thats the only thing i did(i.e upgrade the kernel from 2.6.9-5.EL to 2.6.9-22.EL)

>Not surprising, I've learned never to >trust dot zero releases drom anybody.
If u can plz explain.... I just didnt get u ;(

Regards
Maaz

Re: Plz help me to configure auditing

Maaz — Mon, 17 Jul 2006 14:01:50 GMT

>If file creation is your concern, you >maybe want to use Tripwire. Tripwire will >report any changes to files and >directories.

Dear Ivan Thanks for giving the precious advise.
I download the "tripwire-2.4.0.1-src.tar.bz2" untar/unzip then
#cd tripwire-2.4.0-1
#./configure ... ok
#make .... ok
#make install ... I got the error ... output file of "make install" is attached

Re: Plz help me to configure auditing

Ivan Ferreira — Mon, 17 Jul 2006 14:21:01 GMT

Try this:

ftp.silfreed.net/repo/rhel/4/i386/silfreednet/RPMS/tripwire-2.3.1-22.el4.i386.rpm

Re: Plz help me to configure auditing

Ivan Ferreira — Mon, 17 Jul 2006 14:23:07 GMT

Forgot to methion that tripwire will report added/changed/removed files, but it will not report who made the changes.

Re: Plz help me to configure auditing

CrackerJack1618 — Wed, 16 May 2007 16:05:51 GMT

To fix Tripwire v2.4 to compile right, do this between MAKE and MAKE INSTALL. There is a bug in the install scripts. make sure you are in your directory where you unpacked the installation files.

ln -s contrib install