[ADDRESSED] Configure audit logging to a (central) server

Support for security such as Firewalls and securing linux
User avatar
warron.french
Posts: 536
Joined: 2014/03/27 20:21:58

[ADDRESSED] Configure audit logging to a (central) server

Post by warron.french » 2014/04/04 18:23:29

Has anyone got any idea whether or not logging from several client machines running auditd can send their audit_log results to a central server?

I would prefer to keep all auditing protected from prying eyes and not redirect to rsyslog if possible.

In other words the audit logs of clients-{001-006} sent to auditserver-001.
All logging stored on auditserver-001 in log file= audit_log.

logrotate can control the size or age of the audit_log file, and any entries in the audit_log file are not clear text for anyone on the server to see, not even root.

Thank you in advance,
Last edited by warron.french on 2015/03/04 15:45:32, edited 1 time in total.
Thanks,
War

unspawn
Posts: 172
Joined: 2006/12/11 12:28:52

Re: Configure audit logging to a remote (central) server

Post by unspawn » 2014/04/05 11:33:47

warron.french wrote:Has anyone got any idea whether or not logging from several client machines running auditd can send their audit_log results to a central server?
See the 'audisp-remote' plugin?

warron.french wrote:I would prefer to keep all auditing protected from prying eyes
Check netstat for the protocol it uses to relay data, then tshark / tcpdump the stream and check the payload?

Skatman88
Posts: 3
Joined: 2014/04/07 18:02:07

Re: Configure audit logging to a remote (central) server

Post by Skatman88 » 2014/04/07 18:32:39

Download an AESA tool like Arcsight. You can also set correlated events to check if someone does something like plug in a USB stick that they're not supposed to or logs in out of hours. Really powerful tools.

User avatar
warron.french
Posts: 536
Joined: 2014/03/27 20:21:58

Re: Configure audit logging to a remote (central) server

Post by warron.french » 2014/04/08 16:48:28

Thank you Skatman88 and unspawn. I will look into these options.
Thanks,
War

User avatar
warron.french
Posts: 536
Joined: 2014/03/27 20:21:58

Re: Configure audit logging to a remote (central) server

Post by warron.french » 2014/04/10 20:23:44

unspawn, I couldn't find any packages with that name. Is that correct? Can you provide an actual binary name I can do a "yum whatprovides" against?

I have had no luck with this at all this week.

Have a nice weekend all,
Warron
Thanks,
War

User avatar
avij
Retired Moderator
Posts: 3039
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland
Contact:

Re: Configure audit logging to a remote (central) server

Post by avij » 2014/04/10 21:04:28

yum whatprovides '*/audisp-remote*'

dkoleary
Posts: 51
Joined: 2013/01/07 19:18:14
Contact:

Re: Configure audit logging to a remote (central) server

Post by dkoleary » 2014/04/11 13:42:06

Hey;

This response will probably entail a bit more re-engineering than you're looking for; however, a fair number of clients that I've worked with have had centralized log servers that weren't under the control of the UNIX/Linux administrators. So, setting up your own centralized log server and having audit data piped through syslog to them is still a viable alternative; just make sure the UNIX people don't have root on that system.

Personally, I think that UNIX team should have access to the centralized log server as they provide a significant benefit over and above the security; but, that's a discussion for a different post.

Also, please note: if you're worried about the UNIX admins changing the logs either on the box or on the centralized log server, realize that they can simply change the audit system configuraiton even if you've installed and are using the audispd-plugins.

There are ways to mitigate that concern too. A host based intrusion detection system is always a good idea - more for catching unauthorized changes from bad guys than from the admins, but it'll work for that too. Tripwire's the one everyone knows about; but it costs... alot. OSSEC (www.ossec.net) is also very good one and it's open source.

(paragraph caveat: unsure if the AESA arcsight mentioned above is the same as the arcsight SIEM): I also second the use of Arcsight or some other SIEM; however, even those don't preclude the use of centralized logging. In fact, centralized logging can help their performance as the SIEM appliance is collecting logs from one or a limited number of places instead of receiving streams of UDP/TCP logs from 100s if not 1000s.

Lastly, you have to realize that whoever has root on the box, with sufficient cleverness can hide whatever they want. Root is god on a UNIX system. If you don't or can't trust the people who have root, then they shouldn't have root.

Hope that helps.

Doug O'Leary

Skatman88
Posts: 3
Joined: 2014/04/07 18:02:07

Re: Configure audit logging to a remote (central) server

Post by Skatman88 » 2014/04/15 14:23:38

dkoleary wrote:(paragraph caveat: unsure if the AESA arcsight mentioned above is the same as the arcsight SIEM): I also second the use of Arcsight or some other SIEM; however, even those don't preclude the use of centralized logging. In fact, centralized logging can help their performance as the SIEM appliance is collecting logs from one or a limited number of places instead of receiving streams of UDP/TCP logs from 100s if not 1000s.
You are correct, my apologies. Arcsight is an SIEM. AESA is the Analyst qualification that you receive for passing the course! Silly me! :roll:

You are correct with the other parts too. The less spread out your logs will be, the less work the Arcsight DB will have to do in order to find them, this in turn means less effort required from the server and more system resources will be available else where!

User avatar
warron.french
Posts: 536
Joined: 2014/03/27 20:21:58

Re: Configure audit logging to a remote (central) server

Post by warron.french » 2014/04/17 21:31:11

avij wrote:yum whatprovides '*/audisp-remote*'
Avij, thank you, that helped me find the appropriate package name at least, which is called: audisp-plugins (without versioning).

Thanks that is a better start.

\\War
Thanks,
War

User avatar
warron.french
Posts: 536
Joined: 2014/03/27 20:21:58

Re: Configure audit logging to a remote (central) server

Post by warron.french » 2014/04/17 21:35:24

Doug, thanks for your input as well.

I know about root access. The good news is that it looks like I will be the only root user on the box, so I will create a personal-named account and setup sudo for myself to log into the machine to conform with audit logging needs.

Since that's the case it keeps pesky/prying/wannabe-hackers from making unsanctioned changes.

Thanks again
\\War
Thanks,
War

Post Reply

Return to “CentOS 6 - Security Support”