Reviewing auditd logs with Spacewalk
One feature of Spacewalk is the ability to review auditd logs. If you don't know what auditd is, here is a good introduction: http://security.blogoverflow.com/2013/01/a-brief-introduction-to-auditd/
To sum it up: based on rules, auditd can monitor and log nearly every change on your system, such as file access, file attribute changes, logins, service starts, user interaction, etc.
As you can imagine, this produces a tremendous amount of log data. To read it effectively we need some assistance, for instance Spacewalk.
Getting auditd logs into Spacewalk involves just a few steps:
# on the Spacewalk server: let tomcat read the logs that will be uploaded
chown -R tomcat /var/satellite/systemlogs
# on the client: install auditd and the libauparse headers needed to build the parser
apt-get install libaudit-dev auditd
# on the client: build the aup parser from aup.c, linked against libauparse
gcc -O2 -s -o ./aup aup.c -lauparse
After installing auditd, you need to define rules that determine which changes and actions on your system are logged. General rulesets developed by different institutions already exist:
- CAPP – “Controlled Access Protection Profile”, provided by the NSA; read more here https://www.niap-ccevs.org/pp/pp_os_ca_v1.d.pdf
- LSPP – “Labeled Security Protection Profile”, provided by the NSA; read more here http://www.commoncriteriaportal.org/files/ppfiles/lspp.pdf
- NISPOM – “National Industrial Security Program Operating Manual”, provided by the National Security Council of the USA; read more here http://www.dss.mil/documents/odaa/nispom2006-5220.pdf
- STIG – “Security Technical Implementation Guide”, provided by the Department of Defense, USA.
These four rulesets ship as examples with auditd. You can copy one from /usr/share/doc/auditd/examples/ to /etc/audit/audit.rules.
Most often you will want a combination of subsets of these rules, depending on your requirements.
Create this script and run it from cron if you like. It takes yesterday's logs and parses them into a format which Spacewalk understands.
#!/bin/bash
# START was not defined in the original post; yesterday 00:00:00 is assumed here, since the script is meant to cover yesterday's logs
export START=`date +"%m/%d/%Y %T" -d "$(date -d now +"%m/%d/%Y") - 1 day"`
# END is today 00:00:00 minus one second, i.e. yesterday 23:59:59
export END=`date +"%m/%d/%Y %T" -d "$(date -d now +"%m/%d/%Y") - 1 seconds"`
# the same two instants as epoch seconds, used to name the output file
export T1=`date -d "$START" +%s`
export T2=`date -d "$END" +%s`
# $START and $END stay unquoted on purpose: ausearch takes the date and the time as two separate arguments
ausearch -r -ts $START -te $END | ./aup > /var/log/audit/audit-$T1-$T2.parsed
# produces sth like audit-1444168800-1444255199.parsed
# scp/rsync the .parsed file to spacewalk-server:/var/satellite/systemlogs/CLIENT_HOSTNAME/audit/
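To show what the parsing step has to deal with, here is an added example (not code from the original post, and not Spacewalk's aup parser) that reads raw auditd records as produced by `ausearch -r`, groups the records that share one event id into a single event, decodes the hex-encoded fields auditd uses for values containing spaces or NUL bytes (proctitle, cmd, and similar), and selects the events that fall inside the same epoch-seconds window the script names its output file after. The sample records are constructed for this example; the set of hex-encoded field names is an assumption of this parser, not an auditd specification.

```python
"""Minimal auditd raw-record parser (added example; not from the post or from Spacewalk)."""
import re

# Every record starts with: [node=<host>] type=<RECORD TYPE> msg=audit(<secs>.<ms>:<serial>): <fields>
HEADER_RE = re.compile(
    r'^(?:node=\S+ )?type=(?P<type>\S+) msg=audit\((?P<ts>\d+)\.(?P<ms>\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
# key=value pairs; values are either double-quoted or a bare token (possibly hex-encoded)
FIELD_RE = re.compile(r'(?P<key>[\w-]+)=(?:"(?P<quoted>[^"]*)"|(?P<raw>\S+))')
# Fields whose bare (unquoted) value auditd hex-encodes when it contains special characters.
# Assumed list for this example; numeric fields such as pid= or a0= must NOT be decoded.
HEX_FIELDS = frozenset({'proctitle', 'cmd', 'comm', 'exe', 'name', 'key', 'path', 'cwd', 'dir', 'data'})

# Constructed sample: one execve event (three records sharing serial 101), one ssh login,
# and one event outside the window used below.
SAMPLE = """\
type=SYSCALL msg=audit(1444200000.123:101): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=2101 pid=2102 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="cat" exe="/bin/cat" key="passwd-read"
type=EXECVE msg=audit(1444200000.123:101): argc=2 a0="cat" a1="/etc/passwd"
type=PROCTITLE msg=audit(1444200000.123:101): proctitle=636174002F6574632F706173737764
type=USER_LOGIN msg=audit(1444200400.456:102): pid=2201 uid=0 auid=1000 ses=4 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=198.51.100.7 addr=198.51.100.7 terminal=/dev/pts/1 res=success'
type=SYSCALL msg=audit(1444300000.000:103): arch=c000003e syscall=2 success=no exit=-13 pid=2301 auid=1000 uid=1000 comm="vi" exe="/usr/bin/vi" key="shadow-write"
"""


def decode_hex(raw):
    """Decode an auditd hex-encoded value; NUL separators (argv boundaries) become spaces.
    Anything that is not an even-length run of hex digits is returned unchanged."""
    if len(raw) >= 2 and len(raw) % 2 == 0 and re.fullmatch(r'[0-9A-Fa-f]+', raw):
        return bytes.fromhex(raw).decode('utf-8', 'replace').replace('\x00', ' ').rstrip()
    return raw


def parse_fields(body):
    """Yield (key, value) pairs of one record body. USER_* records nest a second set of
    fields inside msg='...'; those are flattened into the same sequence."""
    nested = re.search(r"msg='(.*)'\s*$", body)
    if nested:
        body = body[:nested.start()] + nested.group(1)
    for f in FIELD_RE.finditer(body):
        key = f.group('key')
        if f.group('quoted') is not None:
            yield key, f.group('quoted')
        else:
            raw = f.group('raw')
            yield key, decode_hex(raw) if key in HEX_FIELDS else raw


def parse_records(lines):
    """Group raw records into events keyed by (timestamp, serial), in order of first
    appearance. Non-record lines (ausearch separators, blanks) are skipped. The first
    record to set a field wins, so SYSCALL fields are not clobbered by later records."""
    events = {}
    for line in lines:
        m = HEADER_RE.match(line.strip())
        if not m:
            continue
        key = (int(m.group('ts')), int(m.group('serial')))
        ev = events.setdefault(key, {'time': key[0], 'serial': key[1], 'types': [], 'fields': {}})
        ev['types'].append(m.group('type'))
        for name, value in parse_fields(m.group('body')):
            ev['fields'].setdefault(name, value)
    return list(events.values())


def events_in_window(events, start, end):
    """Select events whose timestamp lies in [start, end] epoch seconds,
    the same T1/T2 window the cron script above puts into the file name."""
    return [e for e in events if start <= e['time'] <= end]


def summarize(event):
    """One review line per event: who (auid is the original login user) did what, under which rule key."""
    f = event['fields']
    return '{}:{} {} auid={} uid={} what={} key={}'.format(
        event['time'], event['serial'], '+'.join(event['types']),
        f.get('auid', '?'), f.get('uid', '?'),
        f.get('proctitle') or f.get('exe', '?'), f.get('key') or f.get('res', '-'))


if __name__ == '__main__':
    events = parse_records(SAMPLE.splitlines())
    # the window from the post's example file name: audit-1444168800-1444255199.parsed
    for ev in events_in_window(events, 1444168800, 1444255199):
        print(summarize(ev))
```

Run against the embedded sample it prints the execve of `cat /etc/passwd` (matched by the constructed rule key `passwd-read`) and the ssh login, and drops the third event, whose timestamp lies after the window. Feeding it `ausearch -r` output from a real host works the same way, since `ausearch -r` emits exactly these record lines; the `node=` prefix is handled for hosts whose auditd.conf sets a name_format.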
Now you should see the auditd logs in Spacewalk under “Audit -> Log Review”. Select the node you are interested in, define the search filters and review your logs.
For further reading, here are two links explaining the different record types and event fields of auditd logs: