Beta Branch add tools/auditd.sh for auditd logging setup in 123.09beta01

Discussion in 'Centmin Mod Github Commits' started by eva2000, Oct 9, 2016.

  1. eva2000

    eva2000 Administrator Staff Member

    55,445
    12,257
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,841
    Local Time:
    1:14 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
  2. pamamolf

    pamamolf Well-Known Member

    4,101
    428
    83
    May 31, 2014
    Ratings:
    +838
    Local Time:
    6:14 AM
    Nginx-1.26.x
    MariaDB 10.6.x
    Need some info please :)

    Do we have to run it every x hours/days, or is it a one-time task to enable it?

    After enabling it, where do we have to look for the extra info?

    Any sample data?

    Does it cause any overhead for MariaDB?

    Thank you!!!!
     
  3. eva2000
    It's still a work in progress, hence why I disabled it by default, as I haven't decided on how I want the regular maintenance to be. Auditd has a few niggling issues, like it will stop adding additional auditd rules if it hits a rule it doesn't like, i.e. if the rule is to watch and monitor a directory or file that doesn't exist at the time of adding the rule. So you don't want auditd to be merging in new auditd rules when a directory doesn't exist, and you have to think carefully about which files/directories you want to monitor.

    auditd has the ausearch and auditctl commands, which work on /var/log/audit/audit.log etc. So you need to learn how to use those commands, and I won't provide support for that. I will have a sticky thread for info links, which I'll post below too.

    How to use and interpret the auditd-provided logs is left to the end user, as there's no support provided by me. The official Red Hat documentation applies to CentOS as well, so a starting point would be here.
    Then there are a few guides online.
    auditd doesn't touch MariaDB. But tools/auditd.sh also has a 2nd component to optionally install (disabled by default) MariaDB's own Audit Plugin.

    The linked guides have plenty of examples :)
     
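A check for the rule-loading niggle described in the post above, added here as an example that is not part of tools/auditd.sh: it lists the -w watch paths in an auditctl rules file that do not exist on disk and writes a copy with those rules dropped, so the remaining rules load completely. The rules file contents and the missing path are constructed for the demo.

```shell
# Print the path of a "-w <path>" watch rule; returns 1 for any other rule type.
audit_watch_path() {
    set -- $1                      # split the rule line into words
    while [ $# -gt 1 ]; do
        [ "$1" = "-w" ] && { printf '%s\n' "$2"; return 0; }
        shift
    done
    return 1
}

# List watch paths in a rules file that do not exist on disk.
# Returns 0 when every watch path exists, 1 when at least one is missing.
audit_rules_missing_paths() {
    missing=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac      # skip blanks and comments
        p=$(audit_watch_path "$line") || continue       # e.g. "-a" syscall rules
        if [ ! -e "$p" ]; then
            printf '%s\n' "$p"
            missing=1
        fi
    done < "$1"
    return "$missing"
}

# Copy rules file "$1" to "$2", dropping watch rules whose path is missing,
# so the surviving rules load completely with: auditctl -R "$2"
audit_rules_filter_existing() {
    : > "$2"
    while IFS= read -r line || [ -n "$line" ]; do
        if p=$(audit_watch_path "$line") && [ ! -e "$p" ]; then
            continue
        fi
        printf '%s\n' "$line" >> "$2"
    done < "$1"
}

# Constructed demo rules file: /etc exists, the second watch path does not.
demo_rules=$(mktemp)
cat > "$demo_rules" <<'EOF'
# demo rules (constructed for this example)
-w /etc -p wa -k etc_changes
-w /nonexistent/centmin-watch -p wa -k missing_watch
-a always,exit -F arch=b64 -S execve -k exec_log
EOF
audit_rules_missing_paths "$demo_rules" || echo "fix or drop these watches before auditctl -R"
```

Run the first function against your own rules file before merging it; a non-zero exit means at least one watch would stop the load.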
  4. eva2000
    As to MariaDB Audit Plugin overhead, you'd have to try and see for yourself :)

    I'd updated it to just log connect and query_dml (INSERT/UPDATE), so here's an example from when I used MySQL/MariaDB's native mysqlslap command to generate some SQL workload and an SQL file:

    Code (Text):
    Database Name ? sbtest
    Drop Database If Exists ? y/n: y
    Which Storage Engine ? innodb
    Number of Secondary Indexes ? 4
    Number of Int Col ? 4
    Number of Char Col ? 4
    Number of Queries ? 1000
    mysqlslap.sql created
    -rw-r--r--   1 root root 388K Oct  9 20:45 mysqlslap.sql
    +------------+----------------+----------------+-----------+------------+--------+
    | Table Name | Number of Rows | Storage Engine | Data Size | Index Size | Total  |
    +------------+----------------+----------------+-----------+------------+--------+
    | sbtest.t1  | 644 Rows       | InnoDB         | 0.02MB    | 0.06MB     | 0.08MB |
    +------------+----------------+----------------+-----------+------------+--------+


    Code (Text):
    tail -6 /var/lib/mysql/server_audit.log
    20161009 20:45:59,host.domain.com,root,localhost,6,1758,QUERY,sbtest,'INSERT INTO t1 VALUES (NULL,uuid(),uuid(),uuid(),uuid(),166730292,284589771,1502859928,1209427991,\'BFb8ySFkYGWQmhKxeRC55ORSNWGbLceYsEhiaoIy4gOiMlfs4rxA7GeMnmp0ESZ6a6g8mz7jXNPt85mDwbN4ktIXf8XlcwkAuOAZF9GnZZYZeAmRm1NWuhtPpG3P5n\',\'RrBWOJXYy46WWkhG3JAQhw8QEpaH7f4QN7wfISCGOInuuK3qX5G41GM76wG5SCXrKKMWgan4kQrXmmL9rTDkmbskN8prLCaZYx3CNiH880XumsvTL8Dzbxbz6GiJTH\',\'k16n6TMFdWF8HtsCM6DRxoPZfNhEiAXQ4T5AyRPSyYS7PLJfJO6G5XpkuXycZLuTqsfhBw91Sd8lqSO9sXQx27apWOHweCPKw517t29EgHzMdGYMnyJhxlWS2gOgsp\',\'0gmunYwwmSEdrrtFDg5PE22cM4Gek0Kdg6XSWJGGoWuXEneJKjcQlf20jBeKBypkxK4RXKkBrWax9CGTvlvZOqZz13BC20orCsIcDunwGMtQa1vMmjn2ZKuaFxe9yR\')',0
    20161009 20:45:59,host.domain.com,root,localhost,6,0,DISCONNECT,sbtest,,0
    20161009 20:45:59,host.domain.com,root,localhost,7,0,CONNECT,,,0
    20161009 20:45:59,host.domain.com,root,localhost,7,1760,QUERY,,'select @@version_comment limit 1',0
    20161009 20:45:59,host.domain.com,root,localhost,7,1761,QUERY,,'SELECT CONCAT(table_schema,\'.\',table_name) AS \'Table Name\', CONCAT(ROUND(table_rows,2),\' Rows\') AS \'Number of Rows\',ENGINE AS \'Storage Engine\',CONCAT(ROUND(data_length/(1024*1024),2),\'MB\') AS \'Data Size\',CONCAT(ROUND(index_length/(1024*1024),2),\'MB\') AS \'Index Size\' ,CONCAT(ROUND((data_length+index_length)/(1024*1024),2),\'MB\') AS\'Total\'FROM information_schema.TABLES WHERE table_schema LIKE \'sbtest\'',0
    20161009 20:45:59,host.domain.com,root,localhost,7,0,DISCONNECT,,,0
     
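An added example, not from tools/auditd.sh or MariaDB, that summarises a server_audit.log in the format shown in the post above (per user@host and operation: success and failure counts, plus QUERY events by leading SQL keyword) and lists every event with a non-zero retcode. The sample log lines, the app user and the 203.0.113.7 host are constructed; fields 1 to 8 never contain commas, while the quoted query in field 9 may, so retcode is read from the last field.

```shell
# Per user@host and operation: how many events succeeded and how many failed,
# plus a count of QUERY events by their leading SQL keyword (INSERT, SELECT, ...).
server_audit_summary() {
    awk -F',' -v quote="'" '
        {
            key = $3 "@" $4 " " $7
            count[key]++
            if ($NF != 0) failed[key]++
            if ($7 == "QUERY") {
                q = $9
                if (substr(q, 1, 1) == quote) q = substr(q, 2)   # drop opening quote
                split(q, w, " ")
                verbs[toupper(w[1])]++
            }
        }
        END {
            for (k in count) printf "%s %d ok, %d failed\n", k, count[k] - failed[k], failed[k]
            for (v in verbs) printf "statement %s: %d\n", v, verbs[v]
        }' "$1" | sort
}

# Every event with a non-zero retcode (rejected logins, failed statements):
# the first thing to review in this log.
server_audit_failures() {
    awk -F',' '$NF != 0 { print $1, $3 "@" $4, $7, "retcode=" $NF }' "$1"
}

# Constructed sample log in the same format; the app user and the rejected
# remote login from 203.0.113.7 (retcode 1045, access denied) are made up.
demo_log=$(mktemp)
cat > "$demo_log" <<'EOF'
20161009 20:45:59,host.domain.com,root,localhost,7,0,CONNECT,,,0
20161009 20:45:59,host.domain.com,root,localhost,7,1760,QUERY,,'select @@version_comment limit 1',0
20161009 20:45:59,host.domain.com,root,localhost,7,1761,QUERY,sbtest,'INSERT INTO t1 VALUES (NULL,uuid(),\'a,b\')',0
20161009 20:45:59,host.domain.com,root,localhost,7,0,DISCONNECT,,,0
20161009 20:46:10,host.domain.com,app,203.0.113.7,8,0,CONNECT,,,1045
EOF
server_audit_summary "$demo_log"
server_audit_failures "$demo_log"
```

Point both functions at /var/lib/mysql/server_audit.log to get the same breakdown for a real server.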
  5. eva2000