Login or Register to Ask a Question and Join Our Community


Red Hat

Secure & Audit logs

Login to Discuss or Reply to this Discussion in Our Community

 
Thread Tools Search this Thread
Operating Systems Linux Red Hat Secure & Audit logs
# 8  
Old 01-18-2012
MySQL Solved
Please close this case. I realised that on RHEL and SLES systems, setting logrotate for audit isn't secure, chances are that it might not work. So this is what I did

1. Set the logrotate entry for audit.log anyways; my logs is set for 24 weeks before removed, and rotated weekly

Code:
cd /etc/logrotate.d
# vi audit
/var/log/audit/audit.log {
weekly
rotate 24
compress
sharedscripts
postrotate
/etc/init.d/auditd reload
endscript
}

2. Edit the conf file anyways, make a backup copy of existing conf file:

Code:
RHEL
# cp -p /etc/audit/auditd.conf /etc/audit/auditd.conf.YYYYMMDD

SLES
# cp -p /etc/auditd.conf /etc/auditd.conf.YYYYMMDD

# vi auditd.conf
#
# This file controls the configuration of the audit daemon
#
log_file = /var/log/audit/audit.log
log_format = RAW
log_group = root
priority_boost = 4
3
flush = INCREMENTAL
freq = 20
num_logs = 24-----------------increase log number from 4 to 24
disp_qos = lossy
dispatcher = /sbin/audispd
name_format = NONE
##name = mydomain
max_log_file = 5---------------------leave log file size to 5M
max_log_file_action------------------rotate old logs
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
##tcp_listen_port =
tcp_listen_queue = 5
tcp_max_per_addr = 1
##tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
enable_krb5 = no
krb5_principal = auditd
##krb5_key_file = /etc/audit/audit.key

3. Restart audit daemon

Code:
RHEL & SLES
# /etc/init.d/auditd restart
Login or Register to Ask a Question

Previous Thread | Next Thread

10 More Discussions You Might Find Interesting

1. Solaris

Settings audit logs for different tasks. Help me!!!

Hi guys. I have to set audit logs on certain events on a solaris 10 server. While I had no problems on linux, I'm going crazy to do the same thing on solaris 10, since I don't have enough expertise on this OS . I should be able to identify these 4 different events: 1: Tracking all... (2 Replies)
Discussion started by: menofmayhem
2 Replies

2. UNIX for Beginners Questions & Answers

Grep a pattern & Email from latest logs

MyLOG: 2017/11/12 17:01:54.600 : Error: LPID: 3104680848 WRONG CRITERIA FOUND. tRealBuilder::Generate Output Required: If Ke word "WRONG CRITERIA FOUND" in latest log ( logs are regularly generating - real time) mail to us once mailed wait for 2 hours for second mail. mail subject... (3 Replies)
Discussion started by: vivekn
3 Replies

3. Solaris

How can i enable audit logs for global zone and standard zones?

HI Community, how can i configure audit logs for global zones and standard zone. i have enabled and started auditd service and it went to maintenance mode. please help me to configure that Thanks & Regards, BEn (9 Replies)
Discussion started by: bentech4u
9 Replies

4. Red Hat

Comprehensive Disk & Server Logs.

Hello All, I'm using a RHEL6.4 on IBM X3850 X5 server. I want to get a comprehensive report containing disk-wise health status as well as overall server status. I see there's utility "ibm_utl_dsa_dsytd3h-9.51_portable_rhel6_x86-64.bin" which is also used to do diagnostics tasks. I'm not sure of... (1 Reply)
Discussion started by: vaibhavvsk
1 Replies

5. Solaris

Configuring 'auditd' service to not store the audit logs in /var partition

Hello all, I've configured 'audit' service to send the audit logs to a remote log server (by using syslog plugin), which is working fine. However, there is a problem. audit service also tries to write same information (but in binary format) in /var/audit path. So, Is there anyway to stop... (2 Replies)
Discussion started by: Anti_Evil
2 Replies

6. Solaris

How to view audit logs in Solaris?

Does anyone know if there is software written to view the audit logs generated by Solaris? I am referring the the logs created by auditd. It produces an unreadable log. I am familiar with auditreduce and praudit, but I am looking for something that produces a report, much like logwatch looks at the... (4 Replies)
Discussion started by: brownwrap
4 Replies

7. AIX

When AIX audit start, How to set the /audit/stream.out file size ?

Dear All When I start the AIX(6100-06)audit subsystem. the log will save in /audit/stream.out (or /audit/trail), but in default when /audit/stream.out to grow up to 150MB. It will replace the original /audit/stream.out (or /audit/trail). Then the /audit/stream.out become empty and... (2 Replies)
Discussion started by: nnnnnnine
2 Replies

8. Solaris

how to find whether audit log is secure?

How do i find if audit logs is secured inside Solaris 10? · Verify that that audit log files are secured and owned appropriately. this is the question (1 Reply)
Discussion started by: werbotim
1 Replies

9. UNIX and Linux Applications

Secure FTP Client that Logs well

Folks I am on a quest.... I am looking for a lightweight FTP client capable of FTPS and or SFTP that has good audit and logging capabilities without requiring a central server component. My platforms are Linux, Solaris, AIX, and Windows Server. The kicker is I have found things that meet the... (3 Replies)
Discussion started by: ArtF
3 Replies

10. Cybersecurity

Security & audit

I am new to the world of Unix. As part of my understanding to have a big picture of Unix, I need to understand: 1. How to review the existing unix system or audit for the settings? 2. How do I go about fixing the holes? (4 Replies)
Discussion started by: amundra
4 Replies
Login or Register to Ask a Question