Monday, July 23, 2012

Basic Audit (Re-)Viewing in Spacewalk

Introduction

Government regulations require that regular audits are performed on government computer systems, and other government auditors regularly verify that these audits are actually performed.  This is where the Linux auditing system comes in.  It is used to meet these requirements and can provide a wealth of information about a running Linux system.  Syscalls, user logins and logouts, configuration changes in the audit system, SELinux denials, the addition or removal of users/groups, and more can be monitored.



Imagine you are part of a government Information Assurance team.  One of your job duties is to regularly look at the audit logs on some number of systems and somehow mark down that you reviewed them at time X.  This is not very easy to do, for a few reasons.
ausearch -i -ts [time_of_last_review] -m [...messages types...] > file_for_review
is a popular way of generating files full of audit records for review.  However, if you've had any contact with raw or even interpreted audit logs, you know it's no walk in the park.


Easier audit viewing

The first problem is simply picking apart the audit logs in order to figure out if they are of interest or not.  Compare the following:

Raw audit logs:

type=USER_ACCT msg=audit(1237694401.311:6324): user pid=14432 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: accounting acct="nocpulse" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=CRED_ACQ msg=audit(1237694401.311:6325): user pid=14432 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct="nocpulse" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=LOGIN msg=audit(1237694401.311:6326): login pid=14432 uid=0 old auid=4294967295 new auid=105 old ses=4294967295 new ses=1271
type=USER_START msg=audit(1237694401.311:6327): user pid=14432 uid=0 auid=105 ses=1271 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session open acct="nocpulse" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
Interpreted audit logs:

----
type=USER_ACCT msg=audit(03/22/2009 00:00:01.311:6324) : user pid=14432 uid=root auid=unset ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: accounting acct=nocpulse : exe=/usr/sbin/crond (hostname=?, addr=?, terminal=cron res=success)'
----
type=CRED_ACQ msg=audit(03/22/2009 00:00:01.311:6325) : user pid=14432 uid=root auid=unset ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct=nocpulse : exe=/usr/sbin/crond (hostname=?, addr=?, terminal=cron res=success)'
----
type=LOGIN msg=audit(03/22/2009 00:00:01.311:6326) : login pid=14432 uid=root old auid=unset new auid=nocpulse old ses=4294967295 new ses=1271
----
type=USER_START msg=audit(03/22/2009 00:00:01.311:6327) : user pid=14432 uid=root auid=nocpulse ses=1271 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session open acct=nocpulse : exe=/usr/sbin/crond (hostname=?, addr=?, terminal=cron res=success)'
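To make the raw-versus-interpreted difference concrete, here is a small added example (not part of the original post or of Spacewalk) that parses raw audit records like the ones above, resolves uid/auid the way ausearch -i does, and filters by message type and "time of last review" as the ausearch command earlier in the post does.  The uid-to-name table and the sample records are constructed for the example; timestamps are rendered in UTC rather than local time.

```python
import re
import shlex
from datetime import datetime, timezone

# Constructed sample in the raw auditd format shown above (a cron login sequence).
RAW_RECORDS = """\
type=USER_ACCT msg=audit(1237694401.311:6324): user pid=14432 uid=0 auid=4294967295 ses=4294967295 msg='PAM: accounting acct="nocpulse" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=LOGIN msg=audit(1237694401.311:6326): login pid=14432 uid=0 old auid=4294967295 new auid=105 old ses=4294967295 new ses=1271
type=USER_START msg=audit(1237694401.311:6327): user pid=14432 uid=0 auid=105 ses=1271 msg='PAM: session open acct="nocpulse" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
"""

HEADER = re.compile(r"^type=(\w+) msg=audit\((\d+)\.(\d+):(\d+)\):\s*(.*)$")
UNSET = 4294967295                        # (unsigned)-1: auid/ses not set yet
UID_NAMES = {0: "root", 105: "nocpulse"}  # constructed; real code would use pwd.getpwuid

def parse_record(line):
    """Split one raw record into type, timestamp, serial and a key/value dict."""
    m = HEADER.match(line)
    if not m:
        return None
    rtype, secs, msecs, serial, body = m.groups()
    fields, prefix = {}, ""
    for tok in shlex.split(body):         # keeps the quoted msg='...' as one token
        if tok in ("old", "new"):         # LOGIN records use "old auid=.. new auid=.."
            prefix = tok + "_"
            continue
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields[prefix + k] = v
        prefix = ""
    stamp = datetime.fromtimestamp(int(secs), timezone.utc).strftime("%m/%d/%Y %H:%M:%S")
    return {"type": rtype, "epoch": int(secs), "time": f"{stamp}.{msecs}",
            "serial": int(serial), "fields": fields}

def interpret(fields):
    """Resolve numeric ids the way ausearch -i does: 0 -> root, 4294967295 -> unset."""
    out = dict(fields)
    for key in ("uid", "auid", "old_auid", "new_auid"):
        if key in out and out[key].isdigit():
            n = int(out[key])
            out[key] = "unset" if n == UNSET else UID_NAMES.get(n, str(n))
    return out

def review(raw, since_epoch, types):
    """Like `ausearch -i -ts <since> -m <types>`: matching records, oldest first."""
    hits = []
    for line in raw.splitlines():
        rec = parse_record(line)
        if rec and rec["type"] in types and rec["epoch"] >= since_epoch:
            hits.append((rec["serial"], rec["type"], rec["time"], interpret(rec["fields"])))
    return sorted(hits)
```

Running review(RAW_RECORDS, 1237680000, {"LOGIN", "USER_START"}) returns the two login records with auid resolved to "unset" and "nocpulse", which is the form a reviewer actually wants to read.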
A new Spacewalk page for viewing audit logs:

Reviewing audits

The second problem is showing a government auditor that these logs were reviewed in a timely manner by a person certified to do so.  This patch to Spacewalk provides that second capability, as shown below:

Easy-to-use search


(This post is a copy of what was at http://www.stl.gtri.gatech.edu/jroys/ more or less.)
