Reviewing auditd logs with Spacewalk
One feature of Spacewalk is the ability to review auditd logs. If you don't know what auditd is, here is a good introduction: http://security.blogoverflow.com/2013/01/a-brief-introduction-to-auditd/
To sum it up, auditd can monitor and log nearly every change on your system, based on rules: file access, file attribute changes, logins, service starts, user interaction and so on.
As you can imagine, this produces a tremendous amount of logs. To read them effectively we need some assistance, for instance from Spacewalk.
Getting auditd logs into Spacewalk involves just a few steps:
Server side
mkdir /var/satellite/systemlogs/CLIENT_HOSTNAME/audit/   # one directory per client, named exactly as the system is displayed in Spacewalk
chown -R tomcat /var/satellite/systemlogs
spacewalk-service restart
Client side
apt-get install libaudit-dev auditd libauparse-dev
wget https://raw.githubusercontent.com/spacewalkproject/spacewalk/master/contrib/aup.c
gcc -O2 -s -o ./aup aup.c -lauparse
After installing auditd you need to define rules that determine which changes and actions on your system get logged. Several institutions have published general rulesets:
- CAPP – “Controlled Access Protection Profile”, provided by the NSA; read more here https://www.niap-ccevs.org/pp/pp_os_ca_v1.d.pdf
- LSPP – “Labeled Security Protection Profile”, provided by the NSA; read more here http://www.commoncriteriaportal.org/files/ppfiles/lspp.pdf
- NISPOM – “National Industrial Security Program Operating Manual”, issued by the US Department of Defense as DoD 5220.22-M; read more here http://www.dss.mil/documents/odaa/nispom2006-5220.pdf
- STIG – “Security Technical Implementation Guide”, provided by the US Department of Defense.
These four rulesets ship as examples with auditd. You can copy one from /usr/share/doc/auditd/examples/ to /etc/audit/audit.rules and then restart auditd so the rules take effect (newer auditd versions build audit.rules from /etc/audit/rules.d/ via augenrules --load, so put your rules there instead).
Most often you will want a combination of subsets of these rules, depending on your requirements.
Create this script and run it from cron if you like. It takes yesterday's logs and parses them into a format that Spacewalk understands:
#!/bin/bash
# yesterday, 00:00:00 to 23:59:59, in the MM/DD/YYYY HH:MM:SS form ausearch expects
START=$(date -d yesterday +"%m/%d/%Y 00:00:00")
END=$(date +"%m/%d/%Y %T" -d "$(date -d now +"%m/%d/%Y") - 1 seconds")
T1=$(date -d "$START" +%s)
T2=$(date -d "$END" +%s)
# $START and $END are intentionally unquoted: ausearch takes the date and the time as two separate arguments
ausearch -r -ts $START -te $END | ./aup > /var/log/audit/audit-$T1-$T2.parsed
# produces something like audit-1444168800-1444255199.parsed
# scp/rsync the .parsed file to spacewalk-server:/var/satellite/systemlogs/CLIENT_HOSTNAME/audit/
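The whole client-side procedure (compute the window, run ausearch through aup, ship the file) as one cron-ready script, added here as an example; it is not code from the original post or from the Spacewalk project. It assumes the aup binary built above was installed to /usr/local/bin/aup, a server named spacewalk.example.com that the client can reach over ssh for rsync, and that the per-client directory on the server is named after hostname -f (the post only says it must match how Spacewalk displays the system); all three are assumptions to adjust, and GNU date is required.

```shell
#!/bin/sh
# audit-push.sh: parse one day of auditd records with ausearch/aup and push the
# result into the client's directory on the Spacewalk server.
# Added example, not code from the original post. Assumptions (adjust to your setup):
#   AUP            - where the aup binary built above was installed (assumed path)
#   SPACEWALK_HOST - the Spacewalk server, reachable over ssh for rsync (assumed name)
#   the per-client directory is named after `hostname -f` (assumed; the post says it
#   must match how Spacewalk displays the system)
#   GNU date (date -d) is required.
set -eu

AUP=${AUP:-/usr/local/bin/aup}
SPACEWALK_HOST=${SPACEWALK_HOST:-spacewalk.example.com}
OUT_DIR=${OUT_DIR:-/var/log/audit}

# epoch_window DAY -> "T1 T2": first and last second of DAY (YYYY-MM-DD, local time).
# For DAY = yesterday this is the 86399-second span behind the post's
# audit-1444168800-1444255199.parsed example.
epoch_window() {
    local t1 t2
    t1=$(date -d "$1 00:00:00" +%s)
    t2=$(date -d "$1 23:59:59" +%s)
    echo "$t1 $t2"
}

# parsed_name DAY -> file name in the audit-T1-T2.parsed form the post uses.
parsed_name() {
    set -- $(epoch_window "$1")
    echo "audit-$1-$2.parsed"
}

# ausearch_time EPOCH -> the MM/DD/YYYY HH:MM:SS form that ausearch -ts/-te expect.
ausearch_time() {
    date -d "@$1" +"%m/%d/%Y %T"
}

# push_day DAY: parse DAY's records and rsync the .parsed file to the server.
push_day() {
    local day name tmp raw start end remote_dir
    day=$1
    set -- $(epoch_window "$day")
    name=$(parsed_name "$day")
    raw="$OUT_DIR/.$name.raw"
    tmp="$OUT_DIR/.$name.tmp"
    remote_dir="/var/satellite/systemlogs/$(hostname -f)/audit"

    # $start/$end are deliberately unquoted below: ausearch takes the date and
    # the time as two separate arguments.
    start=$(ausearch_time "$1")
    end=$(ausearch_time "$2")
    # ausearch exits non-zero when nothing matches the window; don't ship an
    # empty file in that case.
    if ! ausearch -r -ts $start -te $end > "$raw"; then
        echo "audit-push: no audit records for $day, nothing sent" >&2
        rm -f "$raw"
        return 1
    fi
    "$AUP" < "$raw" > "$tmp"
    rm -f "$raw"
    mv "$tmp" "$OUT_DIR/$name"

    # Copy into the per-client directory created on the server (the server-side
    # chown above makes it readable for tomcat). rsync only sends new data if a
    # file of the same name already exists from an earlier run.
    rsync -a "$OUT_DIR/$name" "$SPACEWALK_HOST:$remote_dir/"
}

# usage: audit-push.sh push [YYYY-MM-DD]   (defaults to yesterday; run daily from cron)
if [ "${1:-}" = push ]; then
    push_day "${2:-$(date -d yesterday +%F)}"
fi
```

Run it as `audit-push.sh push` from a daily cron job after midnight, or `audit-push.sh push 2015-10-07` to (re)send a specific day; the rsync step needs key-based ssh access to the server for the user running the job. The window is taken in the client's local time, which is what ausearch -ts/-te use, so the epoch values in the file name match the records inside it.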
Now you should see the auditd logs in Spacewalk under “Audit->Log Review”. Simply select the node you are interested in, define the search filters and review your logs.
For further reading, here are two links explaining the different record types and event fields of auditd logs:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/app-Audit_Reference.html#sec-Audit_Events_Fields
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sec-Audit_Record_Types.html
Should each client have its own directory here?
And it’s just a hostname, not a FQDN?
mkdir /var/satellite/systemlogs/CLIENT_HOSTNAME/audit/
Yes, every client has its own directory. I'm not sure if it was the FQDN or the hostname, but it should be the same as the system is displayed in Spacewalk.
Another issue:
gcc -O2 -s -o ./aup aup.c -lauparse
aup.c:1:21: fatal error: auparse.h: No such file or directory
 #include <auparse.h>
                     ^
compilation terminated.
Are you sure you ran apt-get install libaudit-dev auditd? It should come with libaudit-dev.
I needed to install ‘libauparse-dev’ as well
OK, maybe it changed through Ubuntu versions. I'll update the post 🙂