Reviewing auditd logs with Spacewalk

One feature of Spacewalk is the ability to review auditd logs. If you don't know what auditd is, here is a good introduction: http://security.blogoverflow.com/2013/01/a-brief-introduction-to-auditd/
To sum it up, based on rules you can monitor and log nearly every change on your system: file access, file attribute changes, logins, service starts, user interaction and so on.
As you can imagine, this produces a tremendous amount of logs. To read them effectively we need some assistance, for instance Spacewalk.

Getting auditd logs into Spacewalk involves just a few steps:

Server side

echo 'web.audit.logdir = /var/satellite/systemlogs' >> /etc/rhn/rhn.conf
mkdir /var/satellite/systemlogs/CLIENT_HOSTNAME/audit/
chown -R tomcat /var/satellite/systemlogs
spacewalk-service restart

Client side

# this is only required once and the resulting "aup" binary can be copied to other clients.
apt-get install libaudit-dev auditd libauparse-dev
wget https://raw.githubusercontent.com/spacewalkproject/spacewalk/master/contrib/aup.c
gcc -O2 -s -o ./aup aup.c -lauparse

After installing auditd, you need to define rules that determine which changes and actions on your system get logged. General rulesets developed by different institutions already exist.

These four rulesets come as examples with auditd. You can copy one from /usr/share/doc/auditd/examples/ to /etc/audit/audit.rules.
Most often you will want a combination of subsets of these rules, depending on your requirements.

Create this script and run it from cron if you like. It takes yesterday's logs and parses them into a format that Spacewalk understands.

# Yesterday, 00:00:00 to 23:59:59, in the mm/dd/yyyy format ausearch expects.
export START=`date +"%m/%d/%Y %T" -d "$(date -d yesterday +"%m/%d/%Y")"`
export END=`date +"%m/%d/%Y %T" -d "$(date -d now +"%m/%d/%Y") - 1 seconds"`
# The same bounds as epoch seconds, used only for the output file name.
export T1=`date -d "$START" +%s`
export T2=`date -d "$END" +%s`
# Raw records (-r) for that window, piped through aup. $START and $END stay
# unquoted on purpose: ausearch takes the date and the time as two arguments.
ausearch -r -ts $START -te $END | ./aup > /var/log/audit/audit-$T1-$T2.parsed
# produces sth like audit-1444168800-1444255199.parsed
# scp/rsync the .parsed file to spacewalk-server:/var/satellite/systemlogs/CLIENT_HOSTNAME/audit/
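
Once the daily exports are in place, the one check I would add on the server side is whether every day actually arrived. This is an added example, not code from the post or from Spacewalk; it relies only on the audit-T1-T2.parsed naming convention of the script above and on the per-client directory under /var/satellite/systemlogs, and the epoch values in the sample directory are constructed (the first file is the post's own example name).

```shell
#!/bin/sh
# Added example, not from the original post or from Spacewalk: look for gaps
# between the audit-<T1>-<T2>.parsed files a client has shipped, using the
# epoch bounds the export script writes into each file name. A gap means a
# day's export never arrived (cron or scp failed), and the Log Review page
# would show that period as silently empty.

# Usage: audit_coverage_gaps /var/satellite/systemlogs/CLIENT_HOSTNAME/audit
# Prints "gap <from_epoch> <to_epoch>" per hole; exit 1 if any hole exists.
audit_coverage_gaps() {
    dir="$1"
    for f in "$dir"/audit-*-*.parsed; do
        [ -e "$f" ] || continue          # unmatched glob: no files at all
        base=${f##*/}                    # audit-T1-T2.parsed
        base=${base#audit-}
        base=${base%.parsed}
        printf '%s %s\n' "${base%-*}" "${base#*-}"
    done | sort -n | awk '
        # a window that starts later than one second after the furthest
        # end seen so far leaves uncovered time in between
        NR > 1 && $1 > prev_end + 1 { print "gap", prev_end + 1, $1 - 1; gaps++ }
        { if ($2 > prev_end) prev_end = $2 }
        END { exit (gaps > 0) }'
}

# Constructed sample directory: the file from the post's own example plus the
# export from two days later, with the day in between missing.
make_sample_dir() {
    d=$(mktemp -d)
    : > "$d/audit-1444168800-1444255199.parsed"
    : > "$d/audit-1444341600-1444427999.parsed"
    printf '%s\n' "$d"
}

sample=$(make_sample_dir)
if audit_coverage_gaps "$sample"; then
    echo "coverage complete"
else
    echo "coverage incomplete, see gaps above"
fi
rm -rf "$sample"
```

Run it from cron on the Spacewalk server, one invocation per client directory, and alert on a non-zero exit.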

Now you should see the auditd logs in Spacewalk under "Audit -> Log Review". Simply select the node you are interested in, define the search filters and review your logs.

For further reading, here are two links explaining the different record types and event fields of auditd logs:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/app-Audit_Reference.html#sec-Audit_Events_Fields
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sec-Audit_Record_Types.html

    • MgKing
    • May 15th, 2017 10:28am

    Should each client have its own directory here?
    And it's just a hostname, not a FQDN?

    mkdir /var/satellite/systemlogs/CLIENT_HOSTNAME/audit/

      • phil
      • May 15th, 2017 11:32am

      Yes, every client has its own directory. I'm not sure if it was the FQDN or hostname, but it should be the same as the system is displayed in Spacewalk.

    • MgKing
    • May 15th, 2017 10:35am

    Another issue:

    gcc -O2 -s -o ./aup aup.c -lauparse
    aup.c:1:21: fatal error: auparse.h: No such file or directory
    #include <auparse.h>
                        ^
    compilation terminated.

      • phil
      • May 15th, 2017 11:35am

      are you sure you installed apt-get install libaudit-dev auditd? should be coming with libaudit-dev

        • MgKing
        • May 16th, 2017 7:20am

        I needed to install ‘libauparse-dev’ as well

          • phil
          • May 16th, 2017 11:33am

          ok. maybe it changed thru Ubuntu versions. I’ll update the post 🙂
