LinuxQuestions.org


abti 09-15-2010 07:11 AM

rhel5 server auditing
 
I've been working on getting my RHEL5 system to perform successful auditing. The workstations work fine, but the servers do not. I get errors when I restart the auditd daemon. It restarts, however it states that there's an error in line 102, specifically "arch=ARCH machine type not found". I'm not familiar with this error, nor can I find anything out there. Even when I comment all of these out I still get "There's an error in /etc/audit/audit.rules". I've only been working with auditing for a short time. Any help would be great!

Code:

# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.
#
#last updated 09SEP10
#

# First rule - delete all
-D

# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 16384

# Feel free to add below this line. See auditctl man page
# Failure of auditd causes a kernel panic and halts system if sets to 2
-f 1

# Enable auditing
-e 1


# Audit1: audit accesses to security relevant files


# watch passwd databases
-w /etc/passwd -p wa
-w /etc/shadow -p wa
-w /etc/group  -p wa

# pam configuration
-w /etc/pam.d

# auditd configuration
-w /etc/auditd.conf
-w /etc/audit.rules
-w /etc/audit/auditd.conf
-w /etc/audit/audit.rules

# watch system log files
-w /var/log/messages
-w /var/log/audit/audit.log
-w /var/log/audit/audit[1-4].log

# watch audit subsystem's configuration files
-w /etc/auditd.conf -p wa
-w /etc/audit.rules -p wa

# SELinux configuration
-w /etc/selinux/config -p wa

# login records
-w /var/log/lastlog
-w /var/log/faillog

# login configuration
-w /etc/login.defs

# init configuration
-w /etc/rc.d/init.d
-w /etc/inittab -p wa

# sshd configuration settings
-w /etc/ssh/sshd_config

# audit creating new directories
-a exit,always -S mkdir -F auid!=0

# audit chmod,chown for non-root users
-a exit,always -S chmod -S fchmod -F auid!=0
-a exit,always -S chown -S fchown -S lchown -F auid!=0

# changes to security labels
-a exit,always -S setxattr -S lsetxattr -S fsetxattr
-a exit,always -S removexattr -S lremovexattr -S fremovexattr

#inserted 09052010
# privileged commands
-a exit,always -S chroot -S mount -S umount -S umount2 -S adjtimex -S kill

-a entry,always -S chmod
-a entry,always -S fchmod
-a entry,always -S chown
#-a entry,always -S chown32
-a entry,always -S fchown
#-a entry,always -S fchown32
-a entry,always -S lchown
-a entry,always -S umask

# system administration actions
# these two lines could be the cause of problems with filling audit logs and preventing system usage after installation
-w /etc/audit/auditd.conf -p wa
-w /etc/audit/audit.rules -p wa
-a exit,always -S acct -S reboot -S sched_setparam -S sched_setscheduler -S setdomainname -S setrlimit -S settimeofday -S stime -S swapon

# security personnel actions
-a exit,always -S init_module -S delete_module -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr
-w /bin/su

#record events that modify the system's date or time
-a always,exit -F arch=ARCH -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=ARCH -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change

#record events that modify accounts on the system
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity

#record events that modify network settings
-a exit,always -F arch=ARCH -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/sysconfig/network -p wa -k system-locale

#record events that modify MAC policy
-w /etc/selinux/ -p wa -k MAC-policy

#record logon and logout events
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins


#record process and session information
#THIS MAY INCREASE LOG SIZE
-w /var/run/utmp -p wa -k session
-w /var/log/btmp -p wa -k session
-w /var/log/wtmp -p wa -k session

#record file permission changes for all users and root
-a always,exit -F arch=ARCH -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=ARCH -S chown -S fchown -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=ARCH -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod

#record unauthorized file accesses
-a always,exit -F arch=ARCH -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=ARCH -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access

#record execution of privileged commands
-a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged

#record media exportation events
-a always,exit -F arch=ARCH -S mount -F auid>=500 -F auid!=4294967295 -k export

#record file deletion events
-a always,exit -F arch=ARCH -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete

#record system administrator actions
-w /etc/sudoers -p wa -k actions

#Critical system files and directories

-w /var/log/audit/
-w /etc/ntp.conf
-w /etc
-w /var/spool/at
-w /etc/at.allow
-w /etc/at.deny
-w /etc/cron.deny
-w /etc/cron.d/
-w /etc/cron.daily/
-w /etc/cron.hourly/
-w /etc/cron.monthly/
-w /etc/cron.weekly/
-w /etc/crontab
-w /etc/anacrontab
-w /etc/group
-w /etc/passwd
-w /etc/gshadow
-w /etc/shadow
-w /etc/security/opasswd
-w /etc/sudoers
-w /etc/securetty
-w /etc/shells
-w /etc/profile
-w /etc/bashrc
-w /etc/csh.cshrc
-w /etc/csh.login
-w /etc/hosts
-w /etc/sysconfig/
-w /etc/inittab
-w /etc/rc.d/init.d/auditd
-w /etc/rc.local
-w /etc/rc.sysinit
-w /etc/xinetd.d/
-w /etc/ld.so.conf
-w /etc/ld.so.conf.d/
-w /etc/localtime
-w /etc/sysctl.conf
-w /etc/modprobe.conf
-w /etc/pam_smb.conf
-w /etc/aliases
-w /etc/mail/access
-w /etc/mail/access.db
-w /etc/mail/domaintable
-w /etc/mail/domaintable.db
-w /etc/mail/helpfile
-w /etc/mail/local-host-names
-w /etc/mail/mailertable
-w /etc/mail/mailertable.db
-w /etc/mail/Makefile
-w /etc/mail/sendmail.cf
-w /etc/mail/sendmail.mc
-w /etc/mail/submit.cf
-w /etc/mail/submit.mc
-w /etc/mail/trusted-users
-w /etc/mail/virtusertable
-w /etc/mail/virtusertable.db
-w /etc/httpd/conf/
-w /etc/httpd/conf.d/
-w /etc/issue
-w /etc/issue.net
-w /etc/samba/smb.conf
-w /etc/syslog.conf
-w /etc/resolv.conf
-w /etc/nsswitch.conf
-w /etc/host.conf
-w /etc/yp.conf
-w /var/yp/binding
-w /etc/ldap.conf
-w /etc/krb5.conf
-w /etc/initlog.conf
-w /etc/default/
-w /etc/firmware/microcode.dat
-w /etc/fstab
-w /etc/auto.master
-w /etc/auto.misc
-w /etc/hosts.allow
-w /etc/hosts.deny
-w /etc/exports


sem007 09-15-2010 09:12 AM

Quote:

"arch=ARCH machine type not found"
arch is the CPU architecture of the syscall. You can find the CPU arch with

Code:

uname -m
Replace arch=ARCH with the output of the uname command.

Quote:

Even when I comment all of these out I still get "There's an error in /etc/audit/audit.rules".
What error do you get if you comment those lines out?

Regards,

abti 09-17-2010 05:52 AM

Thanks! The uname -m worked. The other error I get is an error in line 92 of /etc/audit/audit.rules

Code:

-w /etc/audit/audit.rules -p wa

sem007 09-17-2010 06:04 AM

Quote:

Originally Posted by abti (Post 4100436)
Thanks! The uname -m worked. The other error I get is an error in line 92 of /etc/audit/audit.rules

Code:

-w /etc/audit/audit.rules -p wa

What error does it give?

It watches the audit.rules file for changes (w=write, a=attribute).

Regards,

abti 09-17-2010 06:26 AM

It doesn't give any error other than error in line 92. I don't understand why. My audit.rules and auditd.conf files both reside under /etc/audit

sem007 09-17-2010 07:12 AM

Quote:

Originally Posted by abti (Post 4100470)
It doesn't give any error other than error in line 92. I don't understand why. My audit.rules and auditd.conf files both reside under /etc/audit

I copied and pasted your /etc/audit/audit.rules file onto my test CentOS 5.0 machine for testing purposes and it's working fine.

Did you replace all ARCH with your uname -m output?

Just comment that line out and try to start your auditd daemon.

Let us know what happens.

Regards,

abti 09-20-2010 07:30 AM

The only current issue that seems to be happening is the watching of the audit.rules and auditd.conf in multiple places. There are three areas where they were watching and that was the reason why there was an error.

Thanks for all your help! :D
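A pre-flight check for the two problems this thread ended on, as an added example rather than anything posted in the thread: a small POSIX shell script that scans an audit.rules file for an unreplaced arch=ARCH placeholder and for paths watched by more than one -w rule, reporting file line numbers so they can be matched against the "error in line N" message auditctl prints when the initscript loads the rules. The rules file it lints is constructed here, cut down from the one posted above; the function names lint_audit_rules and make_sample_rules are my own.

```shell
#!/bin/sh
# Added example (not from the thread): a pre-flight lint for an audit.rules file.
# It reports the two problems the thread ran into before auditctl ever sees the file:
#   1. an "arch=ARCH" placeholder that was never replaced
#      (auditctl rejects it with "arch=ARCH machine type not found")
#   2. a path watched by more than one -w rule; the original poster found that
#      watching audit.rules and auditd.conf in several places was what auditctl
#      was objecting to
# Line numbers in the output are file line numbers, so they can be compared with
# the "error in line N" that auditctl prints when the initscript loads the rules.

# lint_audit_rules FILE: print one line per finding, return the number of findings.
lint_audit_rules() {
    awk '
        BEGIN { n = 0 }

        # Drop comments and blank lines, then re-split the remaining rule text.
        { rule = $0; sub(/#.*/, "", rule) }
        rule ~ /^[[:space:]]*$/ { next }
        { $0 = rule }

        # Finding 1: architecture placeholder left in a -F arch= filter.
        /arch=ARCH/ {
            printf "line %d: arch=ARCH placeholder not replaced (use the uname -m output)\n", NR
            n++
        }

        # Remember every watched path (the token following -w) and where it appeared.
        {
            for (i = 1; i < NF; i++)
                if ($i == "-w") {
                    path = $(i + 1)
                    count[path]++
                    if (path in seen) seen[path] = seen[path] "," NR
                    else seen[path] = NR
                }
        }

        # Finding 2: the same path watched more than once.
        END {
            for (path in count)
                if (count[path] > 1) {
                    printf "path %s watched %d times (lines %s)\n", path, count[path], seen[path]
                    n++
                }
            exit n
        }
    ' "$1"
}

# make_sample_rules FILE: write a constructed, cut-down rules file that carries both
# mistakes from the thread (placeholder on line 13; four paths each watched twice).
make_sample_rules() {
    cat >"$1" <<'EOF'
# constructed sample: cut down from the rules file posted in the thread
-D
-b 16384
-f 1
-e 1
# watch passwd databases
-w /etc/passwd -p wa
-w /etc/shadow -p wa
# auditd configuration
-w /etc/audit/auditd.conf
-w /etc/audit/audit.rules
# record events that modify the system's date or time
-a always,exit -F arch=ARCH -S adjtimex -S settimeofday -S stime -k time-change
-w /etc/localtime -p wa -k time-change
# record events that modify accounts on the system
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
# system administration actions (same files watched a second time)
-w /etc/audit/auditd.conf -p wa
-w /etc/audit/audit.rules -p wa
EOF
}

# Demo on the constructed sample; point lint_audit_rules at /etc/audit/audit.rules for real use.
sample=$(mktemp)
make_sample_rules "$sample"
findings=0
lint_audit_rules "$sample" || findings=$?
echo "$findings finding(s)"
rm -f "$sample"
```

Run lint_audit_rules /etc/audit/audit.rules before restarting auditd; the return status is the number of findings, so zero means the file passed both checks. A commented-out rule is ignored, which matches what auditctl does with it. Current auditctl also accepts -F arch=b64 and -F arch=b32 in place of the uname -m machine name, which is convenient when one rules file has to serve both 32-bit and 64-bit hosts.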

