Operating System - Linux
1747987 Members
4583 Online
108756 Solutions
New Discussion юеВ

Re: Plz help me to configure auditing

 
SOLVED
Go to solution
Maaz
Valued Contributor

Plz help me to configure auditing

os: rhel 4

I wana audit .. if any new directory created under /etc. for that I configure auditing, and then create a new directory under /etc, but i didnt find that a new directory has been created under /etc.

I want to audit if a new directory is created under /etc.
I create a filter in /etc/filter.conf,(http://maconlinux.net/linux-man-pages/en/audit-filter.conf.5.html) .

#cat /etc/filter
predicate is-etc = prefix(/etc);
syscall mkdir = is-etc(arg0);

#service auditd start
#mkdir /etc/test
#ureport -t

Log Time Range Report
=====================
/var/log/audit/audit.log: 07/09/2006 23:54:16.141 - 07/10/2006 00:46:58.453

#aureport -s

Syscall Report
=======================================
# date time syscall pid comm auid event
=======================================


#aureport -r

Response to Anomaly Report
==============================
# date time type success event
==============================


I also check /var/log/audit/audit.log but it also doesnt show any evidence that someone has created a directory undr /etc

Plz help

Regards
Maaz
12 REPLIES 12
Ivan Ferreira
Honored Contributor

Re: Plz help me to configure auditing

If file creation is your concern, you maybe want to use Tripwire. Tripwire will report any changes to files and directories.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Ivan Ferreira
Honored Contributor
Solution

Re: Plz help me to configure auditing

Searching a little more about Red Hat's auditd, I have found that when you start the audit daemon, the /etc/audit.rules file is read to specify what to audit, and does not look like the filter you specified. Try this, edit the /etc/audit.rules file and add:

-w /etc -p wa -k CFG_etc
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Maaz
Valued Contributor

Re: Plz help me to configure auditing

First of All Millions of Thanks Dear Mr Ivan Ferreira for help.

I add th "-w /etc -p wa -k CFG_etc" in /etc/audit.rules
#service auditd start
Starting auditd: [ OK ]
Error sending watch insert request (Invalid argument)There was an error in line 14 of /etc/audit.rules

-w /etc -p wa -k CFG_etc ... what will this line do ? and where should I check ?

And plz also know me abt any good tutorial to configure the audit deamon.

Regards
Maaz
Ivan Ferreira
Honored Contributor

Re: Plz help me to configure auditing

Bad notice, I have not found any document that could help you in this, I just checkec the documentation that comes with the package located in /usr/shared/doc/audit-, there you will see some samples.

Also you should check the man of auditctl and suscribe to the mailling list.

In the man of auditctl you can read that a whole directory as argument maybe is not supported, so, why don't you try with a file first? for example:

-w /etc/hosts -p wa -k CFG_hosts

Then modify the files and run the aureport.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Maaz
Valued Contributor

Re: Plz help me to configure auditing

Many Thanks Dear Mr Ivan Ferriera.
I add the following into /etc/audit.rules
-w /etc/hosts -p wa -k CFG_hosts
then
#service auditd start
Starting auditd: [ OK ]
Error sending watch insert request (Invalid argument)
then I edit /etc/hosts, nothing shows in /var/log/audit-/audit.log.

SOLUTION:
I simply upgrade the kernel from 2.6.9-5.EL to 2.6.9-22.EL. Its working ;). that is if i now edit /etc/hosts, and then check in audit.log it will show the status... likewise
ausearch -i -p pid, will aslo show the appropriate results

I think this is a bug in 2.6.9-5.EL .. isint ?

Regards
Maaz
Steven E. Protter
Exalted Contributor

Re: Plz help me to configure auditing

Shalom Maaz,

It does indeed seem like a bug in the kernel, if thats the only action you took to fix it.

Not surprising, I've learned never to trust dot zero releases drom anybody.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Steven E. Protter
Exalted Contributor

Re: Plz help me to configure auditing

Shalom Maaz,

It does indeed seem like a bug in the kernel, if thats the only action you took to fix it.

Not surprising, I've learned never to trust dot zero releases from anybody.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Maaz
Valued Contributor

Re: Plz help me to configure auditing

>It does indeed seem like a bug in the >kernel, if thats the only action you took >to fix it.
Yes thats the only thing i did(i.e upgrade the kernel from 2.6.9-5.EL to 2.6.9-22.EL)

>Not surprising, I've learned never to >trust dot zero releases drom anybody.
If u can plz explain.... I just didnt get u ;(

Regards
Maaz
Maaz
Valued Contributor

Re: Plz help me to configure auditing

>If file creation is your concern, you >maybe want to use Tripwire. Tripwire will >report any changes to files and >directories.

Dear Ivan Thanks for giving the precious advise.
I download the "tripwire-2.4.0.1-src.tar.bz2" untar/unzip then
#cd tripwire-2.4.0-1
#./configure ... ok
#make .... ok
#make install ... I got the error ... output file of "make install" is attached