HPE Community
Operating System - Linux
1823269 Members
3146 Online
109648 Solutions
New Discussion юеВ

Plz help me to configure auditing

 
SOLVED
Go to solution
Maaz
Valued Contributor

тАО07-10-2006 07:21 AM

тАО07-10-2006 07:21 AM

Plz help me to configure auditing

os: rhel 4

I wana audit .. if any new directory created under /etc. for that I configure auditing, and then create a new directory under /etc, but i didnt find that a new directory has been created under /etc.

I want to audit if a new directory is created under /etc.
I create a filter in /etc/filter.conf,(http://maconlinux.net/linux-man-pages/en/audit-filter.conf.5.html) .

#cat /etc/filter
predicate is-etc = prefix(/etc);
syscall mkdir = is-etc(arg0);

#service auditd start
#mkdir /etc/test
#ureport -t

Log Time Range Report
=====================
/var/log/audit/audit.log: 07/09/2006 23:54:16.141 - 07/10/2006 00:46:58.453

#aureport -s

Syscall Report
=======================================
# date time syscall pid comm auid event
=======================================


#aureport -r

Response to Anomaly Report
==============================
# date time type success event
==============================


I also check /var/log/audit/audit.log but it also doesnt show any evidence that someone has created a directory undr /etc

Plz help

Regards
Maaz
0 Kudos
Reply
12 REPLIES 12
Ivan Ferreira
Honored Contributor

тАО07-10-2006 07:26 AM

тАО07-10-2006 07:26 AM

Re: Plz help me to configure auditing

If file creation is your concern, you maybe want to use Tripwire. Tripwire will report any changes to files and directories.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
0 Kudos
Reply
Ivan Ferreira
Honored Contributor

тАО07-10-2006 11:28 AM

тАО07-10-2006 11:28 AM

Solution

Re: Plz help me to configure auditing

Searching a little more about Red Hat's auditd, I have found that when you start the audit daemon, the /etc/audit.rules file is read to specify what to audit, and does not look like the filter you specified. Try this, edit the /etc/audit.rules file and add:

-w /etc -p wa -k CFG_etc
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Reply
Maaz
Valued Contributor

тАО07-13-2006 06:32 AM

тАО07-13-2006 06:32 AM

Re: Plz help me to configure auditing

First of All Millions of Thanks Dear Mr Ivan Ferreira for help.

I add th "-w /etc -p wa -k CFG_etc" in /etc/audit.rules
#service auditd start
Starting auditd: [ OK ]
Error sending watch insert request (Invalid argument)There was an error in line 14 of /etc/audit.rules

-w /etc -p wa -k CFG_etc ... what will this line do ? and where should I check ?

And plz also know me abt any good tutorial to configure the audit deamon.

Regards
Maaz
0 Kudos
Reply
Ivan Ferreira
Honored Contributor

тАО07-13-2006 07:56 AM

тАО07-13-2006 07:56 AM

Re: Plz help me to configure auditing

Bad notice, I have not found any document that could help you in this, I just checkec the documentation that comes with the package located in /usr/shared/doc/audit-, there you will see some samples.

Also you should check the man of auditctl and suscribe to the mailling list.

In the man of auditctl you can read that a whole directory as argument maybe is not supported, so, why don't you try with a file first? for example:

-w /etc/hosts -p wa -k CFG_hosts

Then modify the files and run the aureport.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Reply
Maaz
Valued Contributor

тАО07-16-2006 12:08 AM

тАО07-16-2006 12:08 AM

Re: Plz help me to configure auditing

Many Thanks Dear Mr Ivan Ferriera.
I add the following into /etc/audit.rules
-w /etc/hosts -p wa -k CFG_hosts
then
#service auditd start
Starting auditd: [ OK ]
Error sending watch insert request (Invalid argument)
then I edit /etc/hosts, nothing shows in /var/log/audit-/audit.log.

SOLUTION:
I simply upgrade the kernel from 2.6.9-5.EL to 2.6.9-22.EL. Its working ;). that is if i now edit /etc/hosts, and then check in audit.log it will show the status... likewise
ausearch -i -p pid, will aslo show the appropriate results

I think this is a bug in 2.6.9-5.EL .. isint ?

Regards
Maaz
0 Kudos
Reply
Steven E. Protter
Exalted Contributor

тАО07-16-2006 02:04 AM

тАО07-16-2006 02:04 AM

Re: Plz help me to configure auditing

Shalom Maaz,

It does indeed seem like a bug in the kernel, if thats the only action you took to fix it.

Not surprising, I've learned never to trust dot zero releases drom anybody.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
Steven E. Protter
Exalted Contributor

тАО07-16-2006 02:04 AM

тАО07-16-2006 02:04 AM

Re: Plz help me to configure auditing

Shalom Maaz,

It does indeed seem like a bug in the kernel, if thats the only action you took to fix it.

Not surprising, I've learned never to trust dot zero releases from anybody.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
Maaz
Valued Contributor

тАО07-17-2006 06:51 AM

тАО07-17-2006 06:51 AM

Re: Plz help me to configure auditing

>It does indeed seem like a bug in the >kernel, if thats the only action you took >to fix it.
Yes thats the only thing i did(i.e upgrade the kernel from 2.6.9-5.EL to 2.6.9-22.EL)

>Not surprising, I've learned never to >trust dot zero releases drom anybody.
If u can plz explain.... I just didnt get u ;(

Regards
Maaz
0 Kudos
Reply
Maaz
Valued Contributor

тАО07-17-2006 07:01 AM

тАО07-17-2006 07:01 AM

Re: Plz help me to configure auditing

>If file creation is your concern, you >maybe want to use Tripwire. Tripwire will >report any changes to files and >directories.

Dear Ivan Thanks for giving the precious advise.
I download the "tripwire-2.4.0.1-src.tar.bz2" untar/unzip then
#cd tripwire-2.4.0-1
#./configure ... ok
#make .... ok
#make install ... I got the error ... output file of "make install" is attached
0 Kudos
Reply
Ivan Ferreira
Honored Contributor

тАО07-17-2006 07:21 AM

тАО07-17-2006 07:21 AM

Re: Plz help me to configure auditing

Try this:

ftp.silfreed.net/repo/rhel/4/i386/silfreednet/RPMS/tripwire-2.3.1-22.el4.i386.rpm
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
0 Kudos
Reply
Ivan Ferreira
Honored Contributor

тАО07-17-2006 07:23 AM

тАО07-17-2006 07:23 AM

Re: Plz help me to configure auditing

Forgot to methion that tripwire will report added/changed/removed files, but it will not report who made the changes.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
0 Kudos
Reply
CrackerJack1618
New Member

тАО05-16-2007 09:05 AM

тАО05-16-2007 09:05 AM

Re: Plz help me to configure auditing

To fix Tripwire v2.4 to compile right, do this between MAKE and MAKE INSTALL. There is a bug in the install scripts. make sure you are in your directory where you unpacked the installation files.

ln -s contrib install
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.