Security :: Setting Up Several Keys In Audit.rules File?

Mar 16, 2011

I am trying to lock down a server using audit.rules. I intend to use ausearch to review certain entries from time to time. I noticed that it's possible to assign a "key" to each rule and then use `ausearch -k` to show only the records that have that key.Unfortunately, the key feature seems broken. I started with the following rule in audit.rules:

Code:
-a always,exit -F arch=b64 -S open -S openat -F exit=-EACCES -k deny
I do a `cat /etc/shadow` and a `ausearch -ts today -k deny` and it seems all went well.

[code]....

View 8 Replies


ADVERTISEMENT

Security :: Audit.rules Does Not Retain Certain Settings After Reboot Or Service Restart?

Jan 11, 2011

I'm using RHEL 5 with the Enhanced Security. Using the suggest NISPOM Red Hat documented settings (located on the system; copy - paste) I have managed to audit failed file open accesses however, this setting only retained if I enter it at the command line (/sbin/auditctl -a ). If I reboot the system or restart the service all my -a (not -w) located in the /etc/audit/audit.rules are not retained.

View 6 Replies View Related

Red Hat :: Excluding Unlink To A Particular File In Audit.rules?

Apr 11, 2011

I am running RHEL 5.4 Server (32-bit) and have my audit.rules file set up per a template that I am required to use. There is one particular rule that audit is auditing the unlink of files. With this set, my log files are filling up very fast, as there is a particular app that constantly touches/ deletes a couple of files, which the unlink is catching. Here is the audit rule:-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k deleteI commented out the "-S unlink" and my logging returns to normal (as expected). For right now, I was wondering if there was a way to set this rule up to exclude these couple of files from what auditd is capturing?

View 1 Replies View Related

Red Hat / Fedora :: Excluding Unlink To A Particular File In Audit.rules?

Apr 11, 2011

I am running RHEL 5.4 Server (32-bit) and have my audit.rules file set up per a template that I am required to use. There is one particular rule that audit is auditing the unlink of files. With this set, my log files are filling up very fast, as there is a particular app that constantly touches/ deletes a couple of files, which the unlink is catching. Here is the audit rule:-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k deleteI commented out the "-S unlink" and my logging returns to normal (as expected). For right now, I was wondering if there was a way to set this rule up to exclude these couple of files from what auditd is capturing?

View 1 Replies View Related

Security :: Setting Iptables Rules

Jan 27, 2011

I am setting my firewall rules using the command iptables.My question is i wanna know what command i can use that list rule 2 and 3 for instance in my table?i want to create rule that: The host is administered using SSH, scp and sftp so allow incoming SSH traffic and securing remote file copying and transferring.

View 2 Replies View Related

Ubuntu Security :: Setting IPTable Rules For FTP Server?

Jun 22, 2011

I recently set up a ftp server in my house running a dyndns service so I can get to it from the outside. I called my isp to get some help in setting up the router to forward port 21 from the outside to that box, and in short we had some problems. Long story short, they ended up bypassing the router itself, and now the line running to the box is its own fixed external ip. Naturally I want a pretty darn good iptables setup for this. The box runs proftpd and so far my iptables only accepts local loopback and port-21. (I left port 80 closed as its only purpose is to be a standalone ftp server) But I know there must be a safer rule for port 21, as right now its just wide open. Anyone have any ideas on how to make this a bit safer? Also would that command be fine for any of the linux machines im connecting to it from the outside too?

View 3 Replies View Related

Server :: Audit System Is In Immutable Mode - No Rules Loaded

Nov 23, 2010

I have /var/log/audit and /var/log/audit.log owned by root and 600 permissions. I've also removed and made an empty /var/log/audit directory when that did not we work either. I can start the service after boot up, but it is not coming up automatically even when configured by chkconfig. I also get this after I attempt a restart...

Stopping auditd: [ OK ]
Error deleting rule (Operation not permitted)
Starting auditd: [ OK ]
The audit system is in immutable mode, no rules loaded

A tail of my /var/log/messages shows this...
Nov 23 16:45:18 hostname kernel: type=1302 audit(1290548718.524:73): item=1 name="/var/run/auditd.pid" inode=131143 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=user_u:object_r:var_run_t:s0
Nov 23 16:45:18 hostname kernel: type=1300 audit(1290548718.618:74): arch=c000003e syscall=87 success=no exit=-2 a0=7fff730b2f85 a1=7fff730b2f85 a2=2 a3=0 items=1 ppid=6243 pid=6248 auid=1111 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="rm" exe="/bin/rm" subj=user_u:system_r:unconfined_t:s0 key="delete"
Nov 23 16:45:18 hostname kernel: type=1307 audit(1290548718.618:74): cwd="/"
Nov 23 16:45:18 hostname kernel: type=1302 audit(1290548718.618:74): item=0 name="/var/run/auditd.pid" inode=131073 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_run_t:s0
Nov 23 16:45:18 hostname kernel: type=1300 audit(1290548718.620:75): arch=c000003e syscall=87 success=yes exit=0 a0=7fff9b776f81 a1=7fff9b776f81 a2=2 a3=0 items=2 ppid=6243 pid=6249 auid=1111 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="rm" exe="/bin/rm" subj=user_u:system_r:unconfined_t:s0 key="delete"
Nov 23 16:45:18 hostname kernel: type=1307 audit(1290548718.620:75): cwd="/"
Nov 23 16:45:18 hostname auditd[6260]: Started dispatcher: /sbin/audispd pid: 6262
Nov 23 16:45:18 hostname audispd: af_unix plugin initialized
Nov 23 16:45:18 hostname audispd: audispd initialized with q_depth=80 and 1 active plugins
Nov 23 16:45:18 hostname auditd[6260]: Init complete, auditd 1.7.17 listening for events (startup state enable)

View 4 Replies View Related

Ubuntu Security :: IPTables - Setting Default Rules To All Chains As DROP

Jun 30, 2010

I've read the instruction about setting up the iptables rules to filter all port except HTTP, SSH, FTP. I require first remove all default iptables rules and set default rules to all chains as DROP:
# Set default-deny policies for all three default chains
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP

Then allow only some ports:
#Accept inbound packets that are part of previously-OK'ed sessions
$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
# Accept inbound packets which initiate SSH sessions
$IPTABLES -A INPUT -p tcp -j ACCEPT --dport 22 -m state --state NEW
# Accept inbound packets which initiate FTP sessions
$IPTABLES -A INPUT -p tcp -j ACCEPT --dport 21 -m state --state NEW
# Accept inbound packets which initiate HTTP sessions
$IPTABLES -A INPUT -p tcp -j ACCEPT --dport 80 -m state --state NEW
# Log anything not accepted above $IPTABLES -A INPUT -j LOG --log-prefix "Dropped by default:"

But I hired a VPS from other country so the only mean I can manage it is via SSH. If I setup the default rule to DROP first, I afraid that I can no longer connect via SSH to tell iptables allow SSH
So my question is:
- Does the IP tables take effect immediately after I input a rule?
- Is there any mean to run this as a batch job (create a script and run all these rules one time).
- My VPS has a web control panel which have a terminal via web. Is this a native terminal or just a connection via port 80 or 22?

View 9 Replies View Related

Ubuntu Security :: Setting Up Keys For Ssh For Multiple Users?

Jan 30, 2011

Ubuntu 10.10 Server is loaded. Openssh has been loaded.

I have multiple users which need access to server via ssh.

My impression from reading about ssh is that a key needs generated for each person. Thus, each key will have a passphrase that is unique to them.

In /etc/ssh/sshd_config, the default sshd_config suggest using:

%h/.ssh/authorized_keys

My assumption is %h is a variable that will allow the current user to use the public key stored in his home directory under the .ssh folder in a file called authorized_keys. Is their a command string that automatically populates the authorized_keys file?

I am surprised that even though there are a number of hidden (e.g. .****) files located in the home folder, there is not one automatically generated as .ssh. It appears I have to create that directory myself. I am especially surprised by this since it appears the instructions for generating a key seems to load the key in the home directory instead of proceeding to create a .ssh folder to store the keys in.

It is not clear, but it appears that the public key needs to be copied or appended to the authorized_keys file, but, using the scheme above, the public key needs to be copied or appended to each users authorized_keys file instead of appending all public keys to a single authorized_keys location.

It then appears that each persons authorized_keys file needs permissions set to 600.

It also appears that if I decide to use RSA instead of DSA, I would do the same thing above but would use authorized_keys2 file instead.

Why doesn't the home folder which gets automatically set up for each user automatically get a .ssh folder generated? i.e Why does it have to be created by hand? Does it need the same permission on the .ssh folder? ie 600?

My aim is to allow many to log on via ssh simultaneously and then allow many to simultaneously vnc into their respective gnome desktops.

View 6 Replies View Related

OpenSUSE :: Add / Setting -auth -audit In X Server

May 21, 2010

I'm trying to add the -audit option to X Server. I run ps -ef | grep -v grep | grep "bin/X" and get: root 2511 2506 0 10:35 tty7 00:00:09 /usr/bin/X:0 -br -verbose -auth /var/run/dgm/auth-for-gdm-sScn1P/database -nolisten tcp vt7 So I'm thinking that I need to add -audit to the /usr/bin/X file, but I believe that it's binary and created by something else, but I can't find that "something else". How on earth can I add this option? I have opened up 1,000,000,000,000,000,000,000 files (slight exaggeration) and I've come up empty.

View 1 Replies View Related

Ubuntu :: Can't Create File /etc/udev/rules.d/70-android.rules?

Jun 19, 2011

I need to create filename 70-android.rules in the directory /etc/udev/rules.d/I have Adm privileges in my user account properties, but when I use sudo to create this file the Ubuntu OS does not allow me the privilege... I am running Ubuntu 10.04 LTS and here's the Terminal output below:daddy@gatomon-laptop:/etc/udev/rules.d$ sudo cat > 70-android.rulesbash: 70-android.rules: Permission denieddaddy@gatomon-laptop:/etc/udev$ ls -ltotal 8drwxr-xr-x 2 root root 4096 2011-03-16 18:03 rules.d-rw-r--r-- 1 root root 218 2010-04-19 04:30 udev.conf

View 2 Replies View Related

Security :: Audit DAEMON_START DAEMON_STOP?

Aug 24, 2010

When the audit daemon starts and stops, I see DAEMON_START DAEMON_STOP in the audit log. I don't see a rule in audit.rules about logging this event. So, I'm guessing that it's a rule that's built into the audit daemon. Can you confirm this?Also, I've been looking for a explanation of the event types that the audit daemon logs, such as: USER_AUTH, USER_ACCT, CRED_ACQ. If you know of any docs that explain this,

View 2 Replies View Related

Security :: Audit Compilation :audit_tty_status Missing?

Jun 7, 2010

Strange :during the configure. I have checked :checking for struct audit_tty_status... no#uname -aLinux lfslc5 2.6.18.8-xenU-64b #1 SMP Tue May 6 18:09:10 CEST 2008 x86_64 x86_64 x86_64 GNU/Linux

View 2 Replies View Related

Security :: Audit Daemon Is Not Suspending When /var Partition Is Full?

Aug 20, 2010

I ran a test where I filled up the /var partition. The disk_full_action in auditd.conf is SUSPEND. I was expecting to see a message in /var/log/messages to indicate that the audit daemon was suspended because it did not have any space left on the partition.Why didn't I get these messages? Also, how can I tell if the audit daemon is suspended?

View 4 Replies View Related

Security :: Change Location Of Stored Audit Files?

May 5, 2011

We have setup a separate partition to keep our audit files, but I am at a loss to figure out how to redirect the log files to be stored there instead of the default.

I am sure it is a simple matter but I have been unable to locate the information.

View 1 Replies View Related

Security :: Setting File Permissions For File /var/log/Xorg.0.log?

Jul 7, 2009

i am trying to set the file permissions for the log files "/var/log/Xorg.0.log" and "/var/log/gdm/:0.log". These files seem to be created when a user logs into a whokstation (my guess so far). I am trying to comply with a security mandate that all log files in the directory /var/log are set to 0640. The two mentioned files always seem to have the permissions 0644, does anyone know where and when these filea are created and how I might set the permissions when the files are created

View 1 Replies View Related

Ubuntu Security :: Snort Not Starting - ERROR: "/etc/snort/rules/exploit.rules(264) => 'fast_pattern' Does Not Take An Argument"

May 12, 2011

I need assistance with my Snort Installation. I used Bodhi Zazen's Network Intrusion Detection System post and found it easier than the previous time I had done it. I am currently running Ubuntu 10.04 server and Snort 2.8.6.1 with BASE 1.4.5. I followed Bodhi Zazen's instructions and when I tested snort it ended with a Fatal Error due to ERROR: /etc/snort/rules/exploit.rules(264) => 'fast_pattern' does not take an argument
Fatal Error, Quitting.. Here is the entire output once I ran the test command: snort -c /etc/snort/snort.con -T Running in Test mode

[Code]...

View 2 Replies View Related

Debian :: Setting Up Grub Against The Rules?

Feb 11, 2011

Since I have been using grub-legacy in quite an unorthodox manner, and ironically, getting benefits that an otherwise obedient user wouldn't even dream of getting, this question may, most probably, pose a challenge to all those who don't understand the filthy tricks of grub. So, here I am, trying to install grub, in a manner, that makes it independent of all operating systems on my computer. As I understand it, a bootloader is so important, especially when it is used to boot multiple OSs, that I deem it mandatory for it to be installed in a manner making it independent of all operating systems it is used for.

What I did till now:I have a 24 Mega Byte partition to which I copied /boot/grub/*I run the command: # grub-install --root-directory=/mounted-partition-holding-the-copied-files '(hd0)'Grub boots, but the menus are not displayed presenting me with a cute shell with limited commands. My next strategy in this battle, is to copy the device.map and grub.cfg files from a working installation - a sort of a heart transplant.

View 14 Replies View Related

OpenSUSE Network :: Audit Original User That Changed File After Su?

Jul 22, 2010

Need to track which users are making changes to production files. I have a small number of administrators with access to su, but need to be able to identify which administrator is making changes to which files after they have su.I have read several post and articles regarding auditd tool, but it is not clear to me whether this tool can generate a log that shows the original user and file being altered.

View 3 Replies View Related

Ubuntu Security :: Security, Passwords & Encryption Keys?

Jun 7, 2011

I am not very security minded...I'm aware of it, and always made sure I had up-to-date overall protection in Windows but firewalls, and the blasted passwords are largely a thorn in my side!When I got my iPhone last year I suddenly discovered password managers & "wallets" to keep all that kind of information in and syncable across different devices. My life got so much easier. Of course now I need to figure out encryption keys, and how they work (I'm clueless). I also need to find a program or system that I can move my existing low-tech info (mailnly user name & passwords) that will also accomodate the increased needs of Ubuntu security and still be sync-able. I started a little research weeks ago, but my current "wallet" only exports .csv so I quit since I'm going to have to do a lot of data entry whatever I go with.So here goes:

1) what is the difference (bare bones) between using an encryption key (e.k.) vs. a standard user created password? what situations are better suited for e.k.?

2) I have seahorse (default intall with Ubuntu I guess) but the only thing in it is Login under passwords which leads to a login keyring (?) and a drop-down list of about 6-10 of the gazillon passwords I use daily. The other tabs are for keys which I don't have any concept of.

3) I know FF also "remembers" user id & passwords as you choose to have it do so. Is that information transferable into seahorse or another program?

4)I'm also (today) getting ready to really set up my system for user names & security across my little home network. How can I integrate that into whichever program/app I go with to store my pwds and keys?

5)give me links to fairly current documentation on this stuff?

6) Any program/app recommendations.Pros/cons uses, what they can & can't do or be used for, etc.

View 9 Replies View Related

Security :: Security Of OpenVPN With Premade Keys?

Jan 2, 2010

Im a total beginner when it comes cryptography and networking. Finally managed to create a connection with OpenVPN on Ubuntu to a vpn provider called ivacy. On this page:http://ivacy.com/en/doc/user/setup/winxp_openvpn they give configuration files and keys, which I used. The question is, if someone wanted to see my network traffic, could they do it using the keys provided on that page. Reading the OpenVPN documentation i saw that it is also possible to create your own keys. Would that be more secure?

View 10 Replies View Related

General :: Setting Up Flux Keys?

Jan 15, 2010

finishing ultimate debian fluxbox chromium mini distroand need to configure fluxbox keys like Crunchbang's conkyrc belowHow exactly do i do it without messing something up?

Code:
##############################################
# Output
##############################################

[code]....

View 1 Replies View Related

Ubuntu Security :: What Is Best General Ufw Rules

Jun 9, 2010

I googled this question, no relevant results. I don't samba, ssh, or any P2P file sharing. Is udp neccesary for general web browsing/file downloading? What would be the best general ufw rules to set for above conditions and varying ip address? I know how to use the full ufw syntax in command line.

View 5 Replies View Related

Security :: Rules Be Quite Fine From The FC-Repo?

Dec 21, 2010

on a fresh Fedora 2.6.35.9-64.fc14.x86_64 installation I have little trouble with chrony. I love that tool for synchronyzing my clock. SELinux complains, that /usr/sbin/chronyd like to read/write to chronyd.pid. Further I find entries in /var/log/messages, that /var/lib/chrony/drift could not be opened. As I'm completely new to SELinux - I'd like to get some help setting the Security Rules. PS: Should the rules be quite fine from the FC-Repo?

View 11 Replies View Related

Security :: Iptable Rules For Dns And Snmp

Jan 27, 2011

I have a caching dns and SNMP ( MRTG ) both on the same server how can I permit dns and snmp traffic in INPUT chain?? I have tried the following:

iptables -A INPUT -p udp --sport 1024:65535 --dport 53 -j ACCEPT
iptables -A INPUT -p udp --sport 53 --dport 1024:65535 -j ACCEPT
iptables -A INPUT -p udp --sport 1024:65535 --dport 161:162 -j ACCEPT
iptables -A INPUT -p udp --sport 161:162 --dport 1024:65535 -j ACCEPT

View 1 Replies View Related

Security :: Programming Iptables Rules For 1:1 NAT?

Sep 16, 2010

I am trying to program iptable rules for implementing a 1:1 NAT which does the following:

1. Forward all traffic from all ports on a public ip to a private ip
2. Forward traffic from a range of ports (x-->y) on a public ip, to a private ip

I did some google searches for the same, and came up with the following.

iptables -A FORWARD -t filter -o eth0 -m state
state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -t filter -i eth0 -m state
state ESTABLISHED,RELATED -j ACCEPT

View 15 Replies View Related

Security :: What Are Strong Iptables Rules?

Mar 31, 2011

Can someone please let me know strong iptables rules? Below entries are in iptables file.Here Y.Y.Y.Y is another branch public IP.This server acts as gateway+squid server.Further it will serve company's intranet page also using httpd.OS is CentOS 5.0.

View 1 Replies View Related

Fedora Security :: How Iptables Knows At What Interfaces To Use Rules

May 3, 2009

When I use system-config-firewall, it asks what interfaces to trust. Where does it store that information for iptables (or whatever uses that info)? How iptables knows at what interfaces to use the rules?There is not that kind of information in /etc/sysconf/iptables and iptables-config.

View 2 Replies View Related

Fedora Security :: FC15 And Iptable Rules ?

Jul 16, 2011

I don't know if FC15 has the iptable rules like the ones shown below by default or not but I wanted a second opinion about the safety they provide. Why is icmp accepted (INPUT rule 1) from/to all ip? and is it better to remove this rule? When the protocol is all (INPUT rule 2), does it mean from ip layer and above?? and is it required/safe to have this rule? The 3rd rule is to allow tcp-port 22 connections (ssh) to/from all ip. I think this is correctly set and required. The 4th rule in INPUT table rejects pings with the icmp-host-prohibited message; which I don't think is the best solution. Instead it can be set to silently drop icmp packets. Then, the FORWARD table uses reject instead of silent drop for forwarding icmp ping packets.

Code:

what do you think about the new rules and their order?

View 5 Replies View Related

Ubuntu Security :: Clarification On Firewall Rules?

May 9, 2010

I have a set of iptables rules generated by Firestarter, and i'm in the process of trying to familiarise myself with iptables itself, but there's one particular rule which is confusing me, perhaps somebody could explain it to me

My INPUT chain reads as follows:

Code:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- cdns01.plus.net anywhere tcp flags:!FIN,SYN,RST,ACK/SYN
ACCEPT udp -- cdns01.plus.net anywhere
ACCEPT tcp -- cdns02.plus.net anywhere tcp flags:!FIN,SYN,RST,ACK/SYN

[Code]...

Given that the firewall is actually blocking packets, it can't be this simple, so what am I missing?

View 1 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved