Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
I've been working on getting my RHEL5 system to perform successful auditing. The workstations work fine, but the servers do not. I get errors when I restart the auditd daemon. It restarts; however, it states that there's an error in line 102, specifically "arch=ARCH machine type not found". I'm not familiar with this error, nor can I find anything out there. Even when I comment all of these out I still get "There's an error in /etc/audit/audit.rules". I've only been working with auditing for a short time. Any help would be great!
Code:
# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.
#
#last updated 09SEP10
#
# First rule - delete all
-D
# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 16384
# Feel free to add below this line. See auditctl man page
# Failure of auditd causes a kernel panic and halts the system if set to 2
-f 1
# Enable auditing
-e 1
# Audit1: audit accesses to security relevant files
# watch passwd databases
-w /etc/passwd -p wa
-w /etc/shadow -p wa
-w /etc/group -p wa
# pam configuration
-w /etc/pam.d
# auditd configuration
-w /etc/auditd.conf
-w /etc/audit.rules
-w /etc/audit/auditd.conf
-w /etc/audit/audit.rules
# watch system log files
-w /var/log/messages
-w /var/log/audit/audit.log
-w /var/log/audit/audit[1-4].log
# watch audit subsystem's configuration files
-w /etc/auditd.conf -p wa
-w /etc/audit.rules -p wa
# SELinux configuration
-w /etc/selinux/config -p wa
# login records
-w /var/log/lastlog
-w /var/log/faillog
# login configuration
-w /etc/login.defs
# init configuration
-w /etc/rc.d/init.d
-w /etc/inittab -p wa
# sshd configuration settings
-w /etc/ssh/sshd_config
# audit creating new directories
-a exit,always -S mkdir -F auid!=0
# audit chmod,chown for non-root users
-a exit,always -S chmod -S fchmod -F auid!=0
-a exit,always -S chown -S fchown -S lchown -F auid!=0
# changes to security labels
-a exit,always -S setxattr -S lsetxattr -S fsetxattr
-a exit,always -S removexattr -S lremovexattr -S fremovexattr
#inserted 09052010
# privileged commands
-a exit,always -S chroot -S mount -S umount -S umount2 -S adjtimex -S kill
-a entry,always -S chmod
-a entry,always -S fchmod
-a entry,always -S chown
#-a entry,always -S chown32
-a entry,always -S fchown
#-a entry,always -S fchown32
-a entry,always -S lchown
-a entry,always -S umask
# system administration actions
# these two lines could be the cause of problems with filling audit logs and preventing system usage after installation
-w /etc/audit/auditd.conf -p wa
-w /etc/audit/audit.rules -p wa
-a exit,always -S acct -S reboot -S sched_setparam -S sched_setscheduler -S setdomainname -S setrlimit -S settimeofday -S stime -S swapon
# security personnel actions
-a exit,always -S init_module -S delete_module -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr
-w /bin/su
#record events that modify the system's date or time
-a always,exit -F arch=ARCH -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=ARCH -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change
#record events that modify accounts on the system
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
#record events that modify network settings
-a exit,always -F arch=ARCH -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/sysconfig/network -p wa -k system-locale
#record events that modify MAC policy
-w /etc/selinux/ -p wa -k MAC-policy
#record logon and logout events
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
#record process and session information
#THIS MAY INCREASE LOG SIZE
-w /var/run/utmp -p wa -k session
-w /var/log/btmp -p wa -k session
-w /var/log/wtmp -p wa -k session
#record file permission changes for all users and root
-a always,exit -F arch=ARCH -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=ARCH -S chown -S fchown -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=ARCH -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
#record unauthorized file accesses
-a always,exit -F arch=ARCH -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=ARCH -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
#record execution of privileged commands
-a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
#record media exportation events
-a always,exit -F arch=ARCH -S mount -F auid>=500 -F auid!=4294967295 -k export
#record file deletion events
-a always,exit -F arch=ARCH -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
#record system administrator actions
-w /etc/sudoers -p wa -k actions
#Critical system files and directories
-w /var/log/audit/
-w /etc/ntp.conf
-w /etc
-w /var/spool/at
-w /etc/at.allow
-w /etc/at.deny
-w /etc/cron.deny
-w /etc/cron.d/
-w /etc/cron.daily/
-w /etc/cron.hourly/
-w /etc/cron.monthly/
-w /etc/cron.weekly/
-w /etc/crontab
-w /etc/anacrontab
-w /etc/group
-w /etc/passwd
-w /etc/gshadow
-w /etc/shadow
-w /etc/security/opasswd
-w /etc/sudoers
-w /etc/securetty
-w /etc/shells
-w /etc/profile
-w /etc/bashrc
-w /etc/csh.cshrc
-w /etc/csh.login
-w /etc/hosts
-w /etc/sysconfig/
-w /etc/inittab
-w /etc/rc.d/init.d/auditd
-w /etc/rc.local
-w /etc/rc.sysinit
-w /etc/xinetd.d/
-w /etc/ld.so.conf
-w /etc/ld.so.conf.d/
-w /etc/localtime
-w /etc/sysctl.conf
-w /etc/modprobe.conf
-w /etc/pam_smb.conf
-w /etc/aliases
-w /etc/mail/access
-w /etc/mail/access.db
-w /etc/mail/domaintable
-w /etc/mail/domaintable.db
-w /etc/mail/helpfile
-w /etc/mail/local-host-names
-w /etc/mail/mailertable
-w /etc/mail/mailertable.db
-w /etc/mail/Makefile
-w /etc/mail/sendmail.cf
-w /etc/mail/sendmail.mc
-w /etc/mail/submit.cf
-w /etc/mail/submit.mc
-w /etc/mail/trusted-users
-w /etc/mail/virtusertable
-w /etc/mail/virtusertable.db
-w /etc/httpd/conf/
-w /etc/httpd/conf.d/
-w /etc/issue
-w /etc/issue.net
-w /etc/samba/smb.conf
-w /etc/syslog.conf
-w /etc/resolv.conf
-w /etc/nsswitch.conf
-w /etc/host.conf
-w /etc/yp.conf
-w /var/yp/binding
-w /etc/ldap.conf
-w /etc/krb5.conf
-w /etc/initlog.conf
-w /etc/default/
-w /etc/firmware/microcode.dat
-w /etc/fstab
-w /etc/auto.master
-w /etc/auto.misc
-w /etc/hosts.allow
-w /etc/hosts.deny
-w /etc/exports
The only current issue that seems to be happening is the watching of the audit.rules and auditd.conf in multiple places. There are three areas where they were watching and that was the reason why there was an error.
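The two problems the thread runs into (the template placeholder `arch=ARCH`, which auditctl does not understand, and the same path watched with `-w` in several places) can be caught before restarting auditd. The script below is an added example, not from the thread or the audit package; `audit_arch_for`, `duplicate_watches` and the constructed sample file are mine, and the b32/b64 mapping covers only the machine types listed.

```shell
#!/bin/sh
# Hypothetical lint helper for an audit.rules file (not part of auditd).
# It reports -F arch=ARCH placeholders left over from a hardening template
# and paths watched (-w) more than once, then rewrites ARCH to the value
# auditctl accepts (b32 or b64) so the file can be loaded with auditctl -R.

# Map the kernel machine type (uname -m) to auditctl's arch value.
# Assumed mapping; on a b64 host a second b32 rule is normally added too,
# so 32-bit syscalls made on a 64-bit kernel are also audited.
audit_arch_for() {
    case "$1" in
        x86_64|ppc64|s390x|aarch64) echo b64 ;;
        i?86|ppc|s390|armv*)        echo b32 ;;
        *) echo "unknown machine type: $1" >&2; return 1 ;;
    esac
}

# Print line numbers of rules that still carry the ARCH placeholder.
unresolved_arch_lines() {
    grep -n -- '-F arch=ARCH' "$1"
}

# Print every path that has more than one -w rule, regardless of -p/-k flags.
duplicate_watches() {
    awk '$1 == "-w" { seen[$2]++ }
         END { for (p in seen) if (seen[p] > 1) print p }' "$1" | sort
}

# Emit the rules with ARCH replaced; $1 = rules file, $2 = machine type.
resolve_arch() {
    arch=$(audit_arch_for "$2") || return 1
    sed "s/-F arch=ARCH/-F arch=$arch/g" "$1"
}

# Constructed sample in the shape of the posted file (not the real one).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
-w /etc/audit/auditd.conf
-w /etc/passwd -p wa
-w /etc/audit/auditd.conf -p wa
-a always,exit -F arch=ARCH -S adjtimex -S settimeofday -k time-change
-w /etc/passwd -p wa -k identity
-w /etc/sudoers -p wa -k actions
EOF

echo "rules with unresolved ARCH:"; unresolved_arch_lines "$SAMPLE" || echo "(none)"
echo "paths watched more than once:"; duplicate_watches "$SAMPLE"
echo "rewritten for $(uname -m):"; resolve_arch "$SAMPLE" "$(uname -m)" | grep -- '-F arch='
```

Run the rewritten output through `auditctl -R` on the server; `-D` at the top of the file already clears earlier rules, so each path should be watched once.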