[ADDRESSED] Configure audit logging to a (central) server

warron.french
Posts: 616
Joined: 2014/03/27 20:21:58

[ADDRESSED] Configure audit logging to a (central) server

Post by warron.french » 2014/04/04 18:23:29

Has anyone got any idea whether or not logging from several client machines running auditd can send their audit_log results to a central server?

I would prefer to keep all auditing protected from prying eyes and not redirect to rsyslog if possible.

In other words the audit logs of clients-{001-006} sent to auditserver-001.
All logging stored on auditserver-001 in log file= audit_log.

logrotate can control the size or age of the audit_log file, and any entries in the audit_log file are not clear text for anyone on the server to see, not even root.

Thank you in advance,
Last edited by warron.french on 2015/03/04 15:45:32, edited 1 time in total.
Thanks,
War

unspawn
Posts: 172
Joined: 2006/12/11 12:28:52

Re: Configure audit logging to a remote (central) server

Post by unspawn » 2014/04/05 11:33:47

warron.french wrote:
> Has anyone got any idea whether or not logging from several client machines running auditd can send their audit_log results to a central server?

See the 'audisp-remote' plugin?

warron.french wrote:
> I would prefer to keep all auditing protected from prying eyes

Check netstat for the protocol it uses to relay data, then tshark / tcpdump the stream and check the payload?

Skatman88
Posts: 3
Joined: 2014/04/07 18:02:07

Re: Configure audit logging to a remote (central) server

Post by Skatman88 » 2014/04/07 18:32:39

Download an AESA tool like Arcsight. You can also set correlated events to check if someone does something like plug in a USB stick that they're not supposed to or logs in out of hours. Really powerful tools.

warron.french
Posts: 616
Joined: 2014/03/27 20:21:58

Re: Configure audit logging to a remote (central) server

Post by warron.french » 2014/04/08 16:48:28

Thank you Skatman88 and unspawn. I will look into these options.
Thanks,
War

warron.french
Posts: 616
Joined: 2014/03/27 20:21:58

Re: Configure audit logging to a remote (central) server

Post by warron.french » 2014/04/10 20:23:44

unspawn, I couldn't find any packages with that name. Is that correct? Can you provide an actual binary name I can do a "yum whatprovides" against?

I have had no luck with this at all this week.

Have a nice weekend all,
Warron
Thanks,
War

avij
Retired Moderator
Posts: 3046
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland

Re: Configure audit logging to a remote (central) server

Post by avij » 2014/04/10 21:04:28

yum whatprovides '*/audisp-remote*'
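
An added example, not code posted by anyone in this thread: the two client-side files the audisp-remote plugin reads (shipped in the audispd-plugins package that the yum query above locates), written as constructed samples under a scratch directory rather than /etc, together with a small check that reports whether records bound for auditserver-001 would cross the wire in clear text. The hostname comes from the original post; the key names are the stock ones.

```shell
# Added example, not code from this thread: the audisp-remote client files
# (audispd-plugins package) that send audit records to auditserver-001,
# plus a check for whether those records cross the wire in clear text.
set -eu

# Constructed sample of the two client files with the stock key names;
# on a real host they live under /etc/audisp/. $1 is a scratch directory.
write_sample_client_config() {
    mkdir -p "$1/audisp/plugins.d"
    # Plugin stanza: stock default is 'active = no', so nothing leaves the
    # host until this is set to yes and auditd is restarted.
    cat > "$1/audisp/plugins.d/au-remote.conf" <<'EOF'
active = yes
direction = out
path = /sbin/audisp-remote
type = always
format = string
EOF
    # Transport: the stock file ships enable_krb5 commented out, i.e. plain
    # TCP to port 60, which anyone on the path can read.
    cat > "$1/audisp/audisp-remote.conf" <<'EOF'
remote_server = auditserver-001
port = 60
transport = tcp
##enable_krb5 = no
EOF
}

# Print the value of KEY from an audisp-style "key = value" file, skipping
# commented lines. Usage: conf_get FILE KEY
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*\)$/\1/p" "$1" | head -n 1
}

# Classify how audit records leave a client whose configs sit under $1:
#   local-only     plugin inactive, records stay in the local audit.log
#   misconfigured  plugin active but no remote_server set
#   plaintext      sent over TCP without Kerberos, readable on the wire
#   krb5           Kerberos authentication and encryption enabled
audit_remote_status() {
    [ "$(conf_get "$1/audisp/plugins.d/au-remote.conf" active)" = "yes" ] || { echo local-only; return 0; }
    [ -n "$(conf_get "$1/audisp/audisp-remote.conf" remote_server)" ] || { echo misconfigured; return 0; }
    [ "$(conf_get "$1/audisp/audisp-remote.conf" enable_krb5)" = "yes" ] && echo krb5 || echo plaintext
}

# Demo on a scratch directory, never a live /etc.
demo=$(mktemp -d)
write_sample_client_config "$demo"
echo "audit records leave this client as: $(audit_remote_status "$demo")"
rm -rf "$demo"
```

The receiving auditd on auditserver-001 needs tcp_listen_port set in its own auditd.conf (and enable_krb5 there as well if the client uses it); without Kerberos the check above reports "plaintext", which is the case unspawn suggests confirming on the wire.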

dkoleary
Posts: 51
Joined: 2013/01/07 19:18:14

Re: Configure audit logging to a remote (central) server

Post by dkoleary » 2014/04/11 13:42:06

Hey;

This response will probably entail a bit more re-engineering than you're looking for; however, a fair number of clients that I've worked with have had centralized log servers that weren't under the control of the UNIX/Linux administrators. So, setting up your own centralized log server and having audit data piped through syslog to them is still a viable alternative; just make sure the UNIX people don't have root on that system.

Personally, I think that UNIX team should have access to the centralized log server as they provide a significant benefit over and above the security; but, that's a discussion for a different post.

Also, please note: if you're worried about the UNIX admins changing the logs either on the box or on the centralized log server, realize that they can simply change the audit system configuration even if you've installed and are using the audispd-plugins.

There are ways to mitigate that concern too. A host based intrusion detection system is always a good idea - more for catching unauthorized changes from bad guys than from the admins, but it'll work for that too. Tripwire's the one everyone knows about; but it costs... a lot. OSSEC (www.ossec.net) is also a very good one and it's open source.

(paragraph caveat: unsure if the AESA arcsight mentioned above is the same as the arcsight SIEM): I also second the use of Arcsight or some other SIEM; however, even those don't preclude the use of centralized logging. In fact, centralized logging can help their performance as the SIEM appliance is collecting logs from one or a limited number of places instead of receiving streams of UDP/TCP logs from 100s if not 1000s.

Lastly, you have to realize that whoever has root on the box, with sufficient cleverness can hide whatever they want. Root is god on a UNIX system. If you don't or can't trust the people who have root, then they shouldn't have root.

Hope that helps.

Doug O'Leary

Skatman88
Posts: 3
Joined: 2014/04/07 18:02:07

Re: Configure audit logging to a remote (central) server

Post by Skatman88 » 2014/04/15 14:23:38

dkoleary wrote:
> (paragraph caveat: unsure if the AESA arcsight mentioned above is the same as the arcsight SIEM): I also second the use of Arcsight or some other SIEM; however, even those don't preclude the use of centralized logging. In fact, centralized logging can help their performance as the SIEM appliance is collecting logs from one or a limited number of places instead of receiving streams of UDP/TCP logs from 100s if not 1000s.

You are correct, my apologies. Arcsight is an SIEM. AESA is the Analyst qualification that you receive for passing the course! Silly me! :roll:

You are correct with the other parts too. The less spread out your logs are, the less work the Arcsight DB will have to do in order to find them; this in turn means less effort required from the server and more system resources will be available elsewhere!

warron.french
Posts: 616
Joined: 2014/03/27 20:21:58

Re: Configure audit logging to a remote (central) server

Post by warron.french » 2014/04/17 21:31:11

avij wrote:
> yum whatprovides '*/audisp-remote*'

Avij, thank you, that helped me find the appropriate package name at least, which is called: audisp-plugins (without versioning).

Thanks that is a better start.

\\War
Thanks,
War

warron.french
Posts: 616
Joined: 2014/03/27 20:21:58

Re: Configure audit logging to a remote (central) server

Post by warron.french » 2014/04/17 21:35:24

Doug, thanks for your input as well.

I know about root access. The good news is that it looks like I will be the only root user on the box, so I will create a personal-named account and set up sudo for myself to log into the machine to conform with audit logging needs.

Since that's the case it keeps pesky/prying/wannabe-hackers from making unsanctioned changes.

Thanks again
\\War
Thanks,
War
