Audit

Submit

Adding different methods to submit the audit results. This is work in progress.

rsyslog

The basic idea: run the audit script from crontab once a week (YMMV), write the result to syslog, let syslog forward it to
a central location, collect it there and submit it to the Open-AudIT server via URL (YMMV). Side note: the CentOS default
CLI HTTP tool is curl, not wget. You can also gpg the XML instead of gzipping it (see the gpg variant below):

zip

Insert this below the if block that does the URL submit, and add the definition of the variable at the beginning of the
script together with the other switches.

# submit the audit to the syslog in zip format
submit_syslog_zip="y"
if [ "$submit_syslog_zip" = "y" ]; then
        # same rewrite the URL submit does ("+" survives form submission only as %2B);
        # note it edits the XML in place, so the checksum below covers the rewritten file
        sed -i -e 's/+/%2B/g' "$xml_file"
        if [ "$debugging" -gt 1 ]; then
                echo "Submitting results to syslog compressed."
        fi
        # gzip the xml file (smaller size); -c keeps the original file untouched
        gzip -c "$xml_file" > "$xml_file.gz"
        # add header to the output
        echo "-----BEGIN OPENAUDIT BASE64 MESSAGE-----" > "$xml_file.gz.txt"
        # base64 encode the file (only ascii data to transmit, no binary);
        # base64 wraps at 76 columns, so each line stays well below the syslog line limit
        base64 "$xml_file.gz" >> "$xml_file.gz.txt"
        # add tail to the output
        echo "-----END OPENAUDIT BASE64 MESSAGE-----" >> "$xml_file.gz.txt"
        # cksum (a CRC, not a cryptographic hash) of the xml file, in hex, as id in the logger tag
        syslog_tag=$( cksum "$xml_file" | awk '{ printf "%x", $1 }' )
        # write the file to syslog: one message per line, all carrying the same tag
        logger -t "openaudit[$syslog_tag]" -f "$xml_file.gz.txt"
        # remove the leftovers
        rm -f "$xml_file.gz.txt" "$xml_file.gz"
fi

gpg

For the gpg version you need to generate a public/private keypair (if you don't already have one) and distribute the
public key to the clients that will submit the audits. Keep in mind that encrypting to the central key protects the
audit on the wire and in the log files, but does not authenticate the sender: anyone holding the public key can log a
message that looks like an audit, so if you need tamper evidence, sign with a per-client key as well. What follows is
what I went through; read it to get the full experience:

To generate the keypair on centos running in vm with no previous setup do the following:

# start the agent and import its environment into the current shell
eval "$(gpg-agent --daemon --use-standard-socket)"
gpg --gen-key

Getting enough entropy in a VM can be a pain. Generate some traffic: open another ssh session to the server running
the key generation; in my case running tcpdump with a redirect to a file helped. You can watch
/proc/sys/kernel/random/entropy_avail to see whether the pool is filling up. Be prepared, this may be painful; for me
it was. The gpg_recipient address you'll see further down the page, open.audit@openaudit.org, is entered as the email
for the key. It's for demo purposes only! You MUST change it to something else!

Afterwards you need to distribute the public key to the clients. Look into the other section on this site with the setup scripts.

# submit the audit to the syslog in gpg encrypted format
submit_syslog_gpg="y"
gpg_recipient="open.audit@openaudit.org"
if [ "$submit_syslog_gpg" = "y" ]; then
        # same rewrite the URL submit does; edits the XML in place, checksum below covers the result
        sed -i -e 's/+/%2B/g' "$xml_file"
        if [ "$debugging" -gt 1 ]; then
                echo "Submitting results to syslog encrypted."
        fi
        # add header to the output
        echo "-----BEGIN OPENAUDIT GPG $gpg_recipient MESSAGE-----" > "$xml_file.gpg.txt"
        # gpg the xml file (gpg compresses before encrypting, so smaller size and encrypted);
        # --batch --yes because this runs from cron with nobody to answer prompts.
        # the recipient key must already be trusted in this keyring (e.g. lsign it after
        # import), otherwise gpg refuses the "unusable public key" in batch mode
        gpg --batch --yes --armor --output "$xml_file.gpg" --encrypt --recipient "$gpg_recipient" "$xml_file"
        cat "$xml_file.gpg" >> "$xml_file.gpg.txt"
        # add tail to the output
        echo "-----END OPENAUDIT GPG $gpg_recipient MESSAGE-----" >> "$xml_file.gpg.txt"
        # cksum (a CRC, not a cryptographic hash) of the xml file, in hex, as id in the logger tag
        syslog_tag=$( cksum "$xml_file" | awk '{ printf "%x", $1 }' )
        # write the file to syslog: one message per line, all carrying the same tag
        logger -t "openaudit[$syslog_tag]" -f "$xml_file.gpg.txt"
        # remove the leftovers
        rm -f "$xml_file.gpg" "$xml_file.gpg.txt"
fi

curl

mail

Retrieve

syslog

A few things to mention. The ID in openaudit[…] is the cksum of the XML converted to hex. I wanted to use the uuid from
xml/system, but there was

  • no assurance that the uuid will be populated
  • a length limit: the TAG field in syslog is 32 characters. The local rsyslog accepts a longer tag, but rsyslog without further configuration abides by RFC 3164 when forwarding and sends at most 32 characters.

To simplify things I decided to use the short sum produced by cksum, converted to hex (no idea why cksum can't produce
hex output on CentOS, and thank god for awk). Note that cksum is a CRC, not a cryptographic hash: the tag only serves to
group the lines of one submission, it is not an integrity check, and two different audits can produce the same tag.

To retrieve the data from the central syslog, use grep. To get you started, the audits submitted through syslog can be listed like this:

Command

grep "openaudit\[[a-f0-9]*\]:" /var/log/messages | awk -F' ' '{print $4,$5}' | sort | uniq

Output

openaudit openaudit[62d1058f]:
openaudit openaudit[d7e78788]:

You will usually get several entries for the same machine, so further code is required to get the list for a particular
machine (openaudit here), sort it by date and pick the most recent one, or keep the order if you want to preserve the
timeline of changes. Two caveats when sorting on the syslog timestamp: it carries no year, and days below 10 are space
padded ("Jan  8"), so the day field awk prints has no leading zero and a plain text sort puts it in the wrong place.

Command

grep "openaudit openaudit\[[a-f0-9]*\]:" /var/log/messages | sed -f month_name2num.sed | awk -F' ' '{print $1 $2 $3 $5}' | sort | uniq

month_name2num.sed

s/^Jan/01/
s/^Feb/02/
s/^Mar/03/
s/^Apr/04/
s/^May/05/
s/^Jun/06/
s/^Jul/07/
s/^Aug/08/
s/^Sep/09/
s/^Oct/10/
s/^Nov/11/
s/^Dec/12/

Output

011810:08:27openaudit[d7e78788]:
011810:19:51openaudit[62d1058f]:

zip

Example output from /var/log/messages

Jan 18 10:08:27 openaudit openaudit[d7e78788]: -----BEGIN OPENAUDIT BASE64 MESSAGE-----
Jan 18 10:08:27 openaudit openaudit[d7e78788]: H4sICAt4T1QAA29wZW5hdWRpdC0yMDE1MDExODMwMDgyMi54bWwA7F1bk9u2kn5OfWXWT8mpBXjX
Jan 18 10:08:27 openaudit openaudit[d7e78788]: xTVR1rHjJLXx2pm1k5ytVEo...
...
Jan 18 10:08:27 openaudit openaudit[d7e78788]: EfrurBosxsnB9kv/yUjnGGwkUDzUGQZb5QtHrREnvfKWq9XVKvfjq2ixWOrRX/rQUKPBCpliC77O
Jan 18 10:08:27 openaudit openaudit[d7e78788]: MNizY2EG+/VXo7f3ylrdS3ZqwZYfv/ofNtWvJ56MAQA=
Jan 18 10:08:27 openaudit openaudit[d7e78788]: -----END OPENAUDIT BASE64 MESSAGE-----

gpg

Example output from /var/log/messages

Jan 18 10:08:27 openaudit openaudit[d7e78788]: -----BEGIN OPENAUDIT GPG open.audit@openaudit.org MESSAGE-----
Jan 18 10:08:27 openaudit openaudit[d7e78788]: -----BEGIN PGP MESSAGE-----
Jan 18 10:08:27 openaudit openaudit[d7e78788]: Version: GnuPG v2.0.14 (GNU/Linux)
Jan 18 10:08:27 openaudit openaudit[d7e78788]:
Jan 18 10:08:27 openaudit openaudit[d7e78788]: hQEMAzYAhJ8HnLQEAQgAkId3OnYJ8rRjZLXWZzU1vbbKuFNcD5SrcBPL/cccq35T
Jan 18 10:08:27 openaudit openaudit[d7e78788]: w6II/Brf8DpnsHwbwzLtw+/J5ovlF1ILsQdUNIdUj4tNrYcRTmgpqQ5P19Jw38Zm
...
Jan 18 10:08:27 openaudit openaudit[d7e78788]: ToRlcSXoG46J5Yt3N5IVbfWIJ2HEWEb3AWZpiz9vNFRWj/5WcdzMimnVRXHNatlQ
Jan 18 10:08:27 openaudit openaudit[d7e78788]: uhRWKLHZd32MtZ4UeUv8ilzNjc4=
Jan 18 10:08:27 openaudit openaudit[d7e78788]: =14J4
Jan 18 10:08:27 openaudit openaudit[d7e78788]: -----END PGP MESSAGE-----
Jan 18 10:08:27 openaudit openaudit[d7e78788]: -----END OPENAUDIT GPG open.audit@openaudit.org MESSAGE-----
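
The grep pipelines above only list the tags; to actually use an audit on the central host you have to put the lines of one envelope back together, strip the syslog prefix, and reverse the encoding. The following Python script does that for both the zip and the gpg envelopes; it is an added example, not part of this page's scripts or of Open-AudIT. It assumes the /var/log/messages layout shown in the excerpts above, takes the year as a parameter because syslog timestamps carry none, and constructs its sample log lines in place (the XML and the PGP armor in them are placeholders, not a real audit or a real ciphertext).

```python
"""Reassemble Open-AudIT submissions from a syslog file on the central host.

Added example, not part of the page's scripts. Assumes the line layout shown in
the page's /var/log/messages excerpts ("Mon dd HH:MM:SS host openaudit[tag]: payload")
and the BEGIN/END envelopes written by the submit snippets.
"""
import base64
import gzip
import re
from datetime import datetime

# "Jan  8 ..." is space padded, so allow one or more blanks before the day.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) openaudit\[(?P<tag>[0-9a-f]+)\]: ?(?P<msg>.*)$"
)
ENVELOPE_RE = re.compile(
    r"^-----(?P<edge>BEGIN|END) OPENAUDIT (?P<kind>BASE64|GPG \S+) MESSAGE-----$"
)


def parse_timestamp(mon, day, time, year):
    """Syslog lines carry no year, so the caller supplies it (assumption)."""
    return datetime.strptime(f"{year} {mon} {int(day)} {time}", "%Y %b %d %H:%M:%S")


def collect_submissions(lines, year):
    """Group lines by (host, tag): {(host, tag): {"when", "kind", "body"}}."""
    done, pending = {}, {}
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            continue  # messages of other daemons
        key, msg = (m["host"], m["tag"]), m["msg"]
        env = ENVELOPE_RE.match(msg)
        if env and env["edge"] == "BEGIN":
            pending[key] = {"when": parse_timestamp(m["mon"], m["day"], m["time"], year),
                            "kind": env["kind"], "body": []}
        elif key not in pending:
            continue  # payload without an open envelope: truncated or out of order
        elif env:  # END marker; it must match the BEGIN kind, otherwise drop the envelope
            sub = pending.pop(key)
            if env["kind"] == sub["kind"]:
                done[key] = sub
        else:
            pending[key]["body"].append(msg)  # keep empty lines: PGP armor needs its blank line
    return done


def decode_base64_gzip(body):
    """Undo base64 + gzip of a BASE64 envelope and return the XML text."""
    return gzip.decompress(base64.b64decode("".join(body), validate=True)).decode("utf-8")


def armored_message(body):
    """Return the PGP armor of a GPG envelope, ready to feed to `gpg --decrypt`."""
    return "\n".join(body) + "\n"


def latest_per_host(subs):
    """Pick the most recent submission of each host: {host: (tag, when)}."""
    best = {}
    for (host, tag), sub in subs.items():
        if host not in best or sub["when"] > best[host][1]:
            best[host] = (tag, sub["when"])
    return best


# --- constructed sample data (placeholder audit, not a real one) ---
SAMPLE_XML = '<?xml version="1.0"?>\n<system><hostname>openaudit</hostname></system>\n'


def base64_envelope_lines(stamp, host, tag, xml):
    """Build what `logger -f` writes for the page's zip snippet (constructed)."""
    b64 = base64.b64encode(gzip.compress(xml.encode("utf-8"))).decode("ascii")
    prefix = f"{stamp} {host} openaudit[{tag}]: "
    chunks = [b64[i:i + 76] for i in range(0, len(b64), 76)]  # base64(1) wraps at 76
    return ([prefix + "-----BEGIN OPENAUDIT BASE64 MESSAGE-----"]
            + [prefix + c for c in chunks]
            + [prefix + "-----END OPENAUDIT BASE64 MESSAGE-----"])


def sample_log():
    """A few /var/log/messages lines in the page's layout, constructed here."""
    gpg_prefix = "Jan 18 10:19:51 openaudit openaudit[62d1058f]: "
    gpg_body = [  # placeholder armor, not real ciphertext
        "-----BEGIN OPENAUDIT GPG open.audit@openaudit.org MESSAGE-----",
        "-----BEGIN PGP MESSAGE-----", "Version: GnuPG v2.0.14 (GNU/Linux)", "",
        "hQEMAzYAhJ8HnLQEAQgAkId3OnYJ8rRjZLXWZzU1vbbKuFNcD5SrcBPL/cccq35T", "=14J4",
        "-----END PGP MESSAGE-----",
        "-----END OPENAUDIT GPG open.audit@openaudit.org MESSAGE-----",
    ]
    return (base64_envelope_lines("Jan 18 10:08:27", "openaudit", "d7e78788", SAMPLE_XML)
            + ["Jan 18 10:09:00 openaudit sshd[2201]: Accepted publickey for root"]
            + [gpg_prefix + l for l in gpg_body]
            + base64_envelope_lines("Jan  8 09:00:00", "web01", "0a1b2c3d",
                                    SAMPLE_XML.replace("openaudit", "web01")))


if __name__ == "__main__":
    subs = collect_submissions(sample_log(), year=2015)
    for host, (tag, when) in sorted(latest_per_host(subs).items()):
        print(host, tag, when.isoformat())
    print(decode_base64_gzip(subs[("openaudit", "d7e78788")]["body"]))
```

Run it as a script to see the most recent tag per host and the decoded XML. For a GPG envelope, write armored_message(...) to a file and pass it to gpg --decrypt on the host that holds the private key. If the submit snippets' sed rewrite was used, remember that the recovered XML still contains %2B where the original had +.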
Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-Share Alike 2.5 License.