Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: Secure & Audit logs
Operating Systems Linux Red Hat Secure & Audit logs Post 302591223 by hedkandi on Wednesday 18th of January 2012 10:02:53 PM
Old 01-18-2012
MySQL Solved
Please close this case. I realised that on RHEL and SLES systems, setting logrotate for audit isn't secure, chances are that it might not work. So this is what I did

1. Set the logrotate entry for audit.log anyways; my logs is set for 24 weeks before removed, and rotated weekly

Code:
cd /etc/logrotate.d
# vi audit
/var/log/audit/audit.log {
weekly
rotate 24
compress
sharedscripts
postrotate
/etc/init.d/auditd reload
endscript
}

2. Edit the conf file anyways, make a backup copy of existing conf file:

Code:
RHEL
# cp -p /etc/audit/auditd.conf /etc/audit/auditd.conf.YYYYMMDD

SLES
# cp -p /etc/auditd.conf /etc/auditd.conf.YYYYMMDD

# vi auditd.conf
#
# This file controls the configuration of the audit daemon
#
log_file = /var/log/audit/audit.log
log_format = RAW
log_group = root
priority_boost = 4
3
flush = INCREMENTAL
freq = 20
num_logs = 24-----------------increase log number from 4 to 24
disp_qos = lossy
dispatcher = /sbin/audispd
name_format = NONE
##name = mydomain
max_log_file = 5---------------------leave log file size to 5M
max_log_file_action------------------rotate old logs
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
##tcp_listen_port =
tcp_listen_queue = 5
tcp_max_per_addr = 1
##tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
enable_krb5 = no
krb5_principal = auditd
##krb5_key_file = /etc/audit/audit.key

3. Restart audit daemon

Code:
RHEL & SLES
# /etc/init.d/auditd restart

 

10 More Discussions You Might Find Interesting

1. Cybersecurity

Security & audit

I am new to the world of Unix. As part of my understanding to have a big picture of Unix, I need to understand: 1. How to review the existing unix system or audit for the settings? 2. How do I go about fixing the holes? (4 Replies)
Discussion started by: amundra
4 Replies

2. UNIX and Linux Applications

Secure FTP Client that Logs well

Folks I am on a quest.... I am looking for a lightweight FTP client capable of FTPS and or SFTP that has good audit and logging capabilities without requiring a central server component. My platforms are Linux, Solaris, AIX, and Windows Server. The kicker is I have found things that meet the... (3 Replies)
Discussion started by: ArtF
3 Replies

3. Solaris

how to find whether audit log is secure?

How do i find if audit logs is secured inside Solaris 10? · Verify that that audit log files are secured and owned appropriately. this is the question (1 Reply)
Discussion started by: werbotim
1 Replies

4. AIX

When AIX audit start, How to set the /audit/stream.out file size ?

Dear All When I start the AIX(6100-06)audit subsystem. the log will save in /audit/stream.out (or /audit/trail), but in default when /audit/stream.out to grow up to 150MB. It will replace the original /audit/stream.out (or /audit/trail). Then the /audit/stream.out become empty and... (2 Replies)
Discussion started by: nnnnnnine
2 Replies

5. Solaris

How to view audit logs in Solaris?

Does anyone know if there is software written to view the audit logs generated by Solaris? I am referring the the logs created by auditd. It produces an unreadable log. I am familiar with auditreduce and praudit, but I am looking for something that produces a report, much like logwatch looks at the... (4 Replies)
Discussion started by: brownwrap
4 Replies

6. Solaris

Configuring 'auditd' service to not store the audit logs in /var partition

Hello all, I've configured 'audit' service to send the audit logs to a remote log server (by using syslog plugin), which is working fine. However, there is a problem. audit service also tries to write same information (but in binary format) in /var/audit path. So, Is there anyway to stop... (2 Replies)
Discussion started by: Anti_Evil
2 Replies

7. Red Hat

Comprehensive Disk & Server Logs.

Hello All, I'm using a RHEL6.4 on IBM X3850 X5 server. I want to get a comprehensive report containing disk-wise health status as well as overall server status. I see there's utility "ibm_utl_dsa_dsytd3h-9.51_portable_rhel6_x86-64.bin" which is also used to do diagnostics tasks. I'm not sure of... (1 Reply)
Discussion started by: vaibhavvsk
1 Replies

8. Solaris

How can i enable audit logs for global zone and standard zones?

HI Community, how can i configure audit logs for global zones and standard zone. i have enabled and started auditd service and it went to maintenance mode. please help me to configure that Thanks & Regards, BEn (9 Replies)
Discussion started by: bentech4u
9 Replies

9. UNIX for Beginners Questions & Answers

Grep a pattern & Email from latest logs

MyLOG: 2017/11/12 17:01:54.600 : Error: LPID: 3104680848 WRONG CRITERIA FOUND. tRealBuilder::Generate Output Required: If Ke word "WRONG CRITERIA FOUND" in latest log ( logs are regularly generating - real time) mail to us once mailed wait for 2 hours for second mail. mail subject... (3 Replies)
Discussion started by: vivekn
3 Replies

10. Solaris

Settings audit logs for different tasks. Help me!!!

Hi guys. I have to set audit logs on certain events on a solaris 10 server. While I had no problems on linux, I'm going crazy to do the same thing on solaris 10, since I don't have enough expertise on this OS . I should be able to identify these 4 different events: 1: Tracking all... (2 Replies)
Discussion started by: menofmayhem
2 Replies

LEARN ABOUT PLAN9

audit_data

audit_data(4)							   File Formats 						     audit_data(4)

NAME

       audit_data - current information on audit daemon

SYNOPSIS

       /etc/security/audit_data

DESCRIPTION

       The  audit_data file contains information about the audit daemon. The file contains the process ID of the audit daemon, and the pathname of
       the current audit log file. The format of the file is:

	      pid>:<pathname>

       Where pid is the process ID for the audit daemon, and pathname is the full pathname for the current audit log file.

EXAMPLES

       Example 1: A sample audit_data file.

       64:/etc/security/audit/server1/19930506081249.19930506230945.bongos

FILES

       /etc/security/audit_data

ATTRIBUTES

       See attributes(5) for descriptions of the following attributes:

       +-----------------------------+-----------------------------+
       |      ATTRIBUTE TYPE	     |	    ATTRIBUTE VALUE	   |
       +-----------------------------+-----------------------------+
       |Interface Stability	     |Obsolete			   |
       +-----------------------------+-----------------------------+

SEE ALSO

       audit(1M), auditd(1M), bsmconv(1M), audit(2), audit_control(4), audit.log(4)

NOTES

       The functionality described on this manual page is internal to audit(1M) and might not be supported in a future release.

       The auditd utility is the only supported mechanism to communicate with auditd(1M). The current audit log can be determined by examining the
       configured audit directories. See audit_control(4).

       The  functionality described on this manual page is available only if the Basic Security Module (BSM) has been enabled. See bsmconv(1M) for
       more information.

SunOS 5.10							    14 Nov 2002 						     audit_data(4)
All times are GMT -4. The time now is 03:05 PM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy