Bug 446080 - Audit updates for 5.3
Audit updates for 5.3
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: audit (Show other bugs)
5.3
All Linux
low Severity low
: rc
: ---
Assigned To: Steve Grubb
Brian Brock
:
: 443792 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-05-12 12:56 EDT by Steve Grubb
Modified: 2016-06-17 17:11 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
The audit packages contain user-space utilities for storing and searching the audit records generated by the audit subsystem in the Linux 2.6 kernel. These updated packages upgrade the auditd daemon and its utilities to the newer upstream version 1.7.7, which provides the following enhancements over the previous version: * the auditctl program, which is used to control the behavior of the audit subsystem, now supports multiple keys in the audit rules. * a new utility, ausyscall, which is used to cross-reference syscall name and number information, is now provided in these updated packages. * the aureport program has been enhanced to provide reports about keys it sees in audit events. * event log parsing for the ausearch and aureport programs has been improved. * a sample STIG rules file, named "stig.rules", is newly provided in these updated packages. This file contains the auditctl rules which are loaded whenever the audit daemon is started by init scripts. In addition to the listed enhancements, these updated audit packages also include a new feature to allow a server to aggregate the logs of remote systems. The following instructions can be followed to enable this feature: 1. The audispd-plugins package should be installed on all clients (but need not be installed on the server), and the parameters for "remote_server" and "port" should be set in the /etc/audisp/audisp-remote.conf configuration file. 2. On the server, which aggregates the logs, the "tcp_listen_port" parameter in the /etc/audit/auditd.conf file must be set to the same port number as the clients. 3. Because the auditd daemon is protected by SELinux, semanage (the SELinux policy management tool) must also have the same port listed in its database. If the server and client machines had all been configured to use port 1000, for example, then running this command would accomplish this: semanage port -a -t audit_port_t -p tcp 1000 4. The final step in configuring remote log aggregation is to edit the /etc/hosts.allow configuration file to inform tcp_wrappers which machines or subnets the auditd daemon should allow connections from. Users of audit are advised to upgrade to these updated packages, which add these enhancements.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-01-20 16:57:41 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Steve Grubb 2008-05-12 12:56:10 EDT
Description of problem:
The audit package should be updated to the current development version in 5.3.
The major feature that this adds will be remote logging. There are a number of
other bug fixes in auparse and the audit event dispatcher as well as man page
updates.
Comment 1 RHEL Product and Program Management 2008-06-02 16:00:28 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 5 Steve Grubb 2008-08-28 14:06:35 EDT
*** Bug 443792 has been marked as a duplicate of this bug. ***
Comment 6 Steve Grubb 2008-09-18 15:16:24 EDT
Audit 1.7.7 package was built to provide remote logging capabilities as well as many bug fixes.
Comment 8 Steve Grubb 2008-12-02 12:04:15 EST
Release note added. If any revisions are required, please set the 
"requires_release_notes" flag to "?" and edit the "Release Notes" field accordingly.
All revisions will be proofread by the Engineering Content Services team.

New Contents:
This release of the audit package includes a new feature to allow remote log aggregation. Please note that its currently only a clear text protocol and not encrypted. To set this up on client machines, you will need to install the audispd-plugins package. Then you need to set the remote_server and port in the /etc/audisp/audisp-remote.conf file. The server that aggregates the logs does not need the plugins package installed. It should have the tcp_listen_port set to the same port as the clients in the /etc/audit/auditd.conf file. Then semanage needs to have the same port in its database since the audit daemon is protected by SE Linux. Assuming that you wanted the audit daemon listening on port 1000, you would run: semanage port -a -t audit_port_t -p tcp 1000. The last step is to edit the /etc/hosts.allow file to configure tcp_wrappers to allow the machines or subnets that the daemon should allow connections from. Please see the associated errata for the audit package to discover other new features.
Comment 10 Ryan Lerch 2008-12-08 02:05:57 EST
Release note updated. If any revisions are required, please set the 
"requires_release_notes"  flag to "?" and edit the "Release Notes" field accordingly.
All revisions will be proofread by the Engineering Content Services team.

Diffed Contents:
@@ -1 +1,15 @@
-This release of the audit package includes a new feature to allow remote log aggregation. Please note that its currently only a clear text protocol and not encrypted. To set this up on client machines, you will need to install the audispd-plugins package. Then you need to set the remote_server and port in the /etc/audisp/audisp-remote.conf file. The server that aggregates the logs does not need the plugins package installed. It should have the tcp_listen_port set to the same port as the clients in the /etc/audit/auditd.conf file. Then semanage needs to have the same port in its database since the audit daemon is protected by SE Linux. Assuming that you wanted the audit daemon listening on port 1000, you would run: semanage port -a -t audit_port_t -p tcp 1000. The last step is to edit the /etc/hosts.allow file to configure tcp_wrappers to allow the machines or subnets that the daemon should allow connections from. Please see the associated errata for the audit package to discover other new features.+The audit package contains user-space utilities for storing and searching the audit records generated by the audit subsystem in the kernel. The audit packages have been updated to the newer upstream version 1.7.7, which provides both enhancements and bug fixes over the previous audit packages.
+These updated audit packages add the following enhancements:
+
+    *
+      the audit system is now able to perform remote logging.
+    *
+      the auditctl utility now supports multiple keys in the audit rules.
+    *
+      a sample STIG rules file (stig.rules) which contains auditctl rules that are loaded whenever the audit daemon is started by init scripts is now provided as an example in these updated packages.
+    *
+      a new utility, ausyscall, has been added for the purpose of cross-referencing syscall name and number information.
+    *
+      aureport now provides a report about keys it sees in audit events.
+    *
+      the event log parsing for the ausearch and aureport programs has been improved.
Comment 13 Douglas Silas 2008-12-17 23:48:31 EST
Release note updated. If any revisions are required, please set the 
"requires_release_notes"  flag to "?" and edit the "Release Notes" field accordingly.
All revisions will be proofread by the Engineering Content Services team.

Diffed Contents:
@@ -1,15 +1,27 @@
-The audit package contains user-space utilities for storing and searching the audit records generated by the audit subsystem in the kernel. The audit packages have been updated to the newer upstream version 1.7.7, which provides both enhancements and bug fixes over the previous audit packages.
-These updated audit packages add the following enhancements:
+The audit packages contain user-space utilities for storing and searching the audit records generated by the audit subsystem in the Linux 2.6 kernel.
 
-    *
+These updated packages upgrade the auditd daemon and its utilities to the newer upstream version 1.7.7, which provides the following enhancements over the previous version:
-      the audit system is now able to perform remote logging.
+
-    *
+* the auditctl program, which is used to control the behavior of the audit subsystem, now supports multiple keys in the audit rules.
-      the auditctl utility now supports multiple keys in the audit rules.
+
-    *
+* a new utility, ausyscall, which is used to cross-reference syscall name and number information, is now provided in these updated packages.
-      a sample STIG rules file (stig.rules) which contains auditctl rules that are loaded whenever the audit daemon is started by init scripts is now provided as an example in these updated packages.
+
-    *
+* the aureport program has been enhanced to provide reports about keys it sees in audit events.
-      a new utility, ausyscall, has been added for the purpose of cross-referencing syscall name and number information.
+
-    *
+* event log parsing for the ausearch and aureport programs has been improved.
-      aureport now provides a report about keys it sees in audit events.
+
-    *
+* a sample STIG rules file, named "stig.rules", is newly provided in these updated packages. This file contains the auditctl rules which are loaded whenever the audit daemon is started by init scripts.
-      the event log parsing for the ausearch and aureport programs has been improved.+
+In addition to the listed enhancements, these updated audit packages also include a new feature to allow a server to aggregate the logs of remote systems. The following instructions can be followed to enable this feature:
+
+	1. The audispd-plugins package should be installed on all clients (but need not be installed on the server), and the parameters for "remote_server" and "port" should be set in the /etc/audisp/audisp-remote.conf configuration file.
+
+	2. On the server, which aggregates the logs, the "tcp_listen_port" parameter in the /etc/audit/auditd.conf file must be set to the same port number as the clients.
+
+	3. Because the auditd daemon is protected by SELinux, semanage (the SELinux policy management tool) must also have the same port listed in its database. If the server and client machines had all been configured to use port 1000, for example, then running this command would accomplish this:
+
+	semanage port -a -t audit_port_t -p tcp 1000
+
+	4. The final step in configuring remote log aggregation is to edit the /etc/hosts.allow configuration file to inform tcp_wrappers which machines or subnets the auditd daemon should allow connections from.
+
+Users of audit are advised to upgrade to these updated packages, which add these enhancements.
Comment 14 errata-xmlrpc 2009-01-20 16:57:41 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-0199.html

Note You need to log in before you can comment on or make changes to this bug.