Reviewing auditd logs with Spacewalk

One feature of Spacewalk is the ability to review auditd logs. If you don't know what auditd is, here is a good introduction: http://security.blogoverflow.com/2013/01/a-brief-introduction-to-auditd/
To sum it up, you can monitor and log nearly every change on your system with it, such as file access, file attribute changes, logins, service starts and user interaction, based on rules.
As you can imagine, this produces a tremendous amount of logs. To read them effectively, we need some assistance, for instance from Spacewalk.

Getting auditd logs into Spacewalk involves just a few steps:

Server side

echo 'web.audit.logdir = /var/satellite/systemlogs' >> /etc/rhn/rhn.conf
mkdir -p /var/satellite/systemlogs/CLIENT_HOSTNAME/audit/
chown -R tomcat /var/satellite/systemlogs
spacewalk-service restart

Client side

# This is only required once; the resulting "aup" binary can be copied to other clients.
apt-get install libaudit-dev auditd
wget https://raw.githubusercontent.com/spacewalkproject/spacewalk/master/contrib/aup.c
gcc -O2 -s -o ./aup aup.c -lauparse

After installing auditd, you need to define rules which define what changes and actions on your system are being logged. There exist general rulesets developed by different institutions.

These four rulesets come as examples with auditd. You can copy one from /usr/share/doc/auditd/examples/ to /etc/audit/audit.rules
Most often you want a combination of subsets of these rules depending on your requirements.

Create this script and run it from cron if you like. It takes yesterday's logs and parses them into a format that Spacewalk understands.

export START=`date +"%m/%d/%Y %T" -d "$(date -d yesterday +"%m/%d/%Y")"`
export END=`date +"%m/%d/%Y %T" -d "$(date -d now +"%m/%d/%Y") - 1 seconds"`
export T1=`date -d "$START" +%s`
export T2=`date -d "$END" +%s`
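# $START and $END stay unquoted on purpose: ausearch expects date and time as two separate words
ausearch -r -ts $START -te $END | ./aup > /var/log/audit/audit-$T1-$T2.parsed
# produces something like audit-1444168800-1444255199.parsed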
# scp/rsync the .parsed file to spacewalk-server:/var/satellite/systemlogs/CLIENT_HOSTNAME/audit/
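
The export and transfer steps above combined into one cron-ready script, as an added example that is not part of the original post. The aup path, the server name `spacewalk-server` and the `CLIENT_HOSTNAME` directory name are placeholders to adapt, and the ausearch date format assumes the same locale as the script above.

```shell
#!/bin/sh
# Added example, not from the original post. Placeholders (assumptions):
# AUP path, SERVER name, NODE directory name on the Spacewalk server.
AUP=${AUP:-/usr/local/sbin/aup}
SERVER=${SERVER:-spacewalk-server}
NODE=${NODE:-CLIENT_HOSTNAME}
OUTDIR=${OUTDIR:-/var/log/audit}

# Print "T1 T2": first and last epoch second of the day before DAY
# (YYYY-MM-DD, default: today). Both midnights are looked up by calendar
# date, so 23- and 25-hour DST days leave no gap or overlap between runs.
audit_window() {
    day=${1:-$(date +%Y-%m-%d)}
    t0=$(date -d "$day" +%s) || return 1
    prev=$(date -d "@$((t0 - 43200))" +%Y-%m-%d)
    echo "$(date -d "$prev" +%s) $((t0 - 1))"
}

# File name in the audit-T1-T2.parsed form shown in the post.
parsed_name() { echo "audit-$1-$2.parsed"; }

# Export one day of audit records, then copy the file to the server.
export_day() {
    w=$(audit_window "$1") || return 1
    set -- $w
    out="$OUTDIR/$(parsed_name "$1" "$2")"
    # ausearch takes date and time as two words: expansions stay unquoted.
    ausearch -r -ts $(date -d "@$1" +'%m/%d/%Y %T') \
                -te $(date -d "@$2" +'%m/%d/%Y %T') \
        | "$AUP" > "$out.tmp" || { rm -f "$out.tmp"; return 1; }
    # Do not ship an empty file when no records matched the window.
    [ -s "$out.tmp" ] || { rm -f "$out.tmp"; return 0; }
    mv "$out.tmp" "$out"
    rsync -t "$out" "$SERVER:/var/satellite/systemlogs/$NODE/audit/"
}

# Only act when called as: script --run [YYYY-MM-DD]
if [ "${1:-}" = "--run" ]; then
    export_day "${2:-}"
fi
```

The file written on the server has to stay readable by the tomcat user that owns /var/satellite/systemlogs.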

Now you should see the auditd logs in Spacewalk under “Audit->Log Review”. Simply select the node you are interested in, define the search filters and review your logs.

For further reading, here are two links explaining the different record types and event fields of auditd logs:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/app-Audit_Reference.html#sec-Audit_Events_Fields
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sec-Audit_Record_Types.html
