Comments (25)

jvymazal commented on July 27, 2024

regarding the "no file" error from tps_report, perhaps preceding vi command should instruct to use :wq instead of :q! to exit? (that way everything works)

from securitydemos.

lkerner commented on July 27, 2024

@stevegrubb and @rgbriggs please take a look at this issue

jvymazal commented on July 27, 2024

At section 6.2.1 there is step 3 to edit audit config, however the configuration file present in snapshot is already updated per the commands so the editing (and subsequent reload/restart of daemon) is quite needless.

ggbecker commented on July 27, 2024

> * Lab 6.1 the password for auditlab user is not specified (turns out it is the usual r3dh4t1!) but it is requested to login from the workstation contrary to instructions.

+1 on auditlab user asking for password

ggbecker commented on July 27, 2024

Section 6.2.1:
Fix the_audit.example.com_ string to the _audit.example.com_

ggbecker commented on July 27, 2024

> At section 6.2.1 there is step 3 to edit audit config, however the configuration file present in snapshot is already updated per the commands so the editing (and subsequent reload/restart of daemon) is quite needless.

It looks like this is actually the default configuration for auditd.conf.

ggbecker commented on July 27, 2024

The title says Red Hat Enterprise Linux 7.5 even though the lab is run entirely in RHEL8. Suggest to remove the specific version 7.5.

As I understood Summit is mainly promoting RHEL8 whenever possible.

stevegrubb commented on July 27, 2024

Pull request #121 was opened to fix some of the things pointed out here.

rgbriggs commented on July 27, 2024

> Pull request #121 was opened to fix some of the things pointed out here.

Why did you drop the change from "killall ..." to "service audit reload" in the last of those three patches that went into the PR? (I had most of these fixes queued... I'll diff and see if any remain.)

stevegrubb commented on July 27, 2024

> > Pull request #121 was opened to fix some of the things pointed out here.
>
> Why did you drop the change from "killall ..." to "service audit reload" in the last of those three patches that went into the PR? (I had most of these fixes queued... I'll diff and see if any remain.)

Because using the service command is the way that we tell everyone to use the audit system.

rgbriggs commented on July 27, 2024

@stevegrubb When you say (lines 26-27): "If done correctly, you should not need to enter a password." What is the correct way? Should there be no password on root and auditlab, or should it use the pre-installed ssh key? I'm now assuming you were talking about getting in to the bastion workstation, but still need a password to get into audit.example.com.

stevegrubb commented on July 27, 2024

> @stevegrubb When you say (lines 26-27): "If done correctly, you should not need to enter a password." What is the correct way? Should there be no password on root and auditlab, or should it use the pre-installed ssh key?

Paul wrote that - not me. :-) It also seemed to work for me so I didn't change it. I think it uses the pre-installed key.

stevegrubb commented on July 27, 2024

On 2019-04-15 14:36, Steve Grubb wrote:
> > Why did you drop the change from "killall ..." to "service audit reload" in the last of those three patches that went into the PR? (I had most of these fixes queued... I'll diff and see if any remain.)
>
> Because using the service command is the way that we tell everyone to use the audit system.

Sorry, I don't follow. The last patch that ended up in the pull request does not have the switch to "service audit reload"

I guess that was missed by mistake. Service is preferable.

dahaic commented on July 27, 2024

These are mostly nitpicks I found in latest trial:

  • is there a reason for RHEL7.5 ? If yes, this should be explained. If not, we can say "but it does not matter, audit is the same as on RHEL8.0" or something. Basically acknowledging it's using not up-to-date system
  • shouldn't service command be replaced by systemctl?
  • shouldn't grub2-mkconfig be replaced by grubby?

stevegrubb commented on July 27, 2024

For audit, service is a required command. We cannot move to systemctl. You will find systemctl is blocked for many audit tasks.

As for grub2-mkconfig vs grubby...I've always used grub2-mkconfig since it comes with the bootloader. They ought to work together.

lkerner commented on July 27, 2024

@stevegrubb and @rgbriggs : is this issue now resolved?

stevegrubb commented on July 27, 2024

> @stevegrubb and @rgbriggs : is this issue now resolved?

Looks like it says 8.0 now. I suppose that could be changed to simply 8.

lkerner commented on July 27, 2024

@stevegrubb , not sure what you mean by 8.0 vs 8. Is this still an issue that needs to remain open for fixes or can I close this issue?

stevegrubb commented on July 27, 2024

I think the concern mentioned above is that the content mentions 8.0 which is version specific. When 8.1 ships, will this content still be correct? By deleting the ".0" it makes it generic for all releases of RHEL 8.

stevegrubb commented on July 27, 2024

@lkerner, I submitted a pull request. I think issue can be closed when that is merged.

lkerner commented on July 27, 2024

Thanks @stevegrubb . Closing issue based on pull request #194 by @stevegrubb .
