Submit
Adding different methods to submit the audit results. This is work in progress.
rsyslog
The basic idea: run the audit script from crontab once a week (YMMV), send the result to syslog, have syslog forward it to a central location, collect it there and submit it via URL (YMMV). Side note: the CentOS default CLI tool is curl, not wget. You could gpg the XML instead of gzipping it:
zip
This needs to be inserted below the if block with the url submit, and you have to add the definition of the submit_syslog_zip variable at the beginning of the script.
# submit the audit to the syslog in zip format
submit_syslog_zip="y"
if [ "$submit_syslog_zip" = "y" ]; then
    # url-encode '+' exactly as the url submit does; a no-op if that block
    # already ran, otherwise the xml you retrieve carries %2B instead of +
    sed -i -e 's/+/%2B/g' "$xml_file"
    if [ "$debugging" -gt 1 ]; then
        echo "Submitting results to syslog compressed."
    fi
    # zip the xml file (smaller size)
    gzip -c "$xml_file" > "$xml_file.gz"
    # add header to the output
    echo "-----BEGIN OPENAUDIT BASE64 MESSAGE-----" > "$xml_file.gz.txt"
    # base64 encode the file (only ascii data to transmit, no binary;
    # base64 wraps at 76 chars, so every line fits into one syslog message)
    base64 "$xml_file.gz" >> "$xml_file.gz.txt"
    # add tail to the output
    echo "-----END OPENAUDIT BASE64 MESSAGE-----" >> "$xml_file.gz.txt"
    # check sum of the original file as id into logger (cksum's CRC in hex,
    # at most 8 chars, keeps the tag well inside the 32 chars RFC 3164 allows)
    syslog_tag=$( cksum "$xml_file" | awk -F' ' '{ printf "%x",$1 }' )
    # write the file to syslog, one message per line
    logger -t "openaudit[$syslog_tag]" -f "$xml_file.gz.txt"
    # remove the leftovers
    rm -f "$xml_file.gz.txt" "$xml_file.gz"
fi
gpg
For the gpg version you need to generate a public/private keypair (if you don't have one) and distribute the public key to the clients which will submit the audits; the private key stays on the host that will decrypt them. This is what I went through and you might read it to get the full experience:
- can't connect to /root/.gnupg/S.gpg-agent
- Good read, lots to learn, notice the unreasonable idiot for bonus points.
To generate the keypair on CentOS running in a VM with no previous setup do the following (eval the agent's output instead of piping it into sh, so the GPG_AGENT_INFO setting it prints lands in your current shell rather than in a throwaway subshell):
eval "$(gpg-agent --daemon --use-standard-socket)"
gpg --gen-key
In a VM, getting enough entropy might be a pain. Generate some traffic: open another ssh session to the server which runs the gen key; in my case running tcpdump with a redirect to a file has helped. Be prepared, this might be a pain; for me, it was. The gpg_recipient email you'll see down the page, open.audit@openaudit.org, is entered as the email for the key. It's for demo purposes! You MUST change it to something else!
Afterwards you need to distribute the public key to the clients. Look into the other section on this site with the setup scripts.
# submit the audit to the syslog in gpg encrypted format
submit_syslog_gpg="y"
gpg_recipient="open.audit@openaudit.org"
if [ "$submit_syslog_gpg" = "y" ]; then
    # url-encode '+' exactly as the url submit does (no-op if that block already ran)
    sed -i -e 's/+/%2B/g' "$xml_file"
    if [ "$debugging" -gt 1 ]; then
        echo "Submitting results to syslog encrypted."
    fi
    # gpg the xml file (gpg compresses before encrypting: smaller size and encrypted)
    # --batch/--yes: this runs from cron without a terminal, never prompt
    # --trust-model always: you distributed the recipient's public key yourself,
    #   so skip the web-of-trust check that otherwise refuses an unsigned key
    #   (alternatively lsign the key once on every client and drop this option)
    if ! gpg --batch --yes --trust-model always --armor --output "$xml_file.gpg" \
             --encrypt --recipient "$gpg_recipient" "$xml_file"; then
        echo "gpg encryption for $gpg_recipient failed, nothing submitted." >&2
    else
        # add header to the output
        echo "-----BEGIN OPENAUDIT GPG $gpg_recipient MESSAGE-----" > "$xml_file.gpg.txt"
        cat "$xml_file.gpg" >> "$xml_file.gpg.txt"
        # add tail to the output
        echo "-----END OPENAUDIT GPG $gpg_recipient MESSAGE-----" >> "$xml_file.gpg.txt"
        # check sum of the original file as id into logger
        syslog_tag=$( cksum "$xml_file" | awk -F' ' '{ printf "%x",$1 }' )
        # write the file to syslog, one message per line
        logger -t "openaudit[$syslog_tag]" -f "$xml_file.gpg.txt"
    fi
    # remove the leftovers
    rm -f "$xml_file.gpg" "$xml_file.gpg.txt"
fi
curl
Retrieve
syslog
There are some things to mention. The ID in the openaudit[…] is the cksum converted to hex. I did want to use the uuid from the xml/system but there was
- no assurance that the uuid will be populated
- the length of the tag in syslog is 32 characters (in the local syslog of rsyslog it's ok to have it longer, but rsyslog without further config will abide by the RFC and send max 32 chars). To simplify things I have decided to use the short sum produced by cksum and converted to hex. (No idea why cksum can't produce hex output on CentOS, and thank God for awk.)
To retrieve the data from the central syslog use grep. To get you started, the audits submitted through syslog can be listed:
Command
grep "openaudit\[[a-f0-9]*\]:" /var/log/messages | awk -F' ' '{print $4,$5}' | sort | uniq
Output
openaudit openaudit[62d1058f]:
openaudit openaudit[d7e78788]:
You might get several entries for the same machine, so further code is required to get the list for the particular machine (openaudit here) and then sort it based on date and pick the most recent one, or pick the appropriate order if you want to preserve the timeline of changes. The day is zero-padded in the sort key, because syslog writes "Jan  8" and a plain text sort would put the 18th before the 8th. Note that the traditional syslog timestamp carries no year, so the order only holds within one year of logs.
Command
grep "openaudit openaudit\[[a-f0-9]*\]:" /var/log/messages | sed -f month_name2num.sed | awk -F' ' '{ printf "%s%02d%s %s\n", $1, $2, $3, $5 }' | sort | uniq
month_name2num.sed
s/^Jan/01/
s/^Feb/02/
s/^Mar/03/
s/^Apr/04/
s/^May/05/
s/^Jun/06/
s/^Jul/07/
s/^Aug/08/
s/^Sep/09/
s/^Oct/10/
s/^Nov/11/
s/^Dec/12/
Output
011810:08:27 openaudit[d7e78788]:
011810:19:51 openaudit[62d1058f]:
zip
Example output from /var/log/messages
Jan 18 10:08:27 openaudit openaudit[d7e78788]: -----BEGIN OPENAUDIT BASE64 MESSAGE-----
Jan 18 10:08:27 openaudit openaudit[d7e78788]: H4sICAt4T1QAA29wZW5hdWRpdC0yMDE1MDExODMwMDgyMi54bWwA7F1bk9u2kn5OfWXWT8mpBXjX
Jan 18 10:08:27 openaudit openaudit[d7e78788]: xTVR1rHjJLXx2pm1k5ytVEo...
...
Jan 18 10:08:27 openaudit openaudit[d7e78788]: EfrurBosxsnB9kv/yUjnGGwkUDzUGQZb5QtHrREnvfKWq9XVKvfjq2ixWOrRX/rQUKPBCpliC77O
Jan 18 10:08:27 openaudit openaudit[d7e78788]: MNizY2EG+/VXo7f3ylrdS3ZqwZYfv/ofNtWvJ56MAQA=
Jan 18 10:08:27 openaudit openaudit[d7e78788]: -----END OPENAUDIT BASE64 MESSAGE-----
gpg
Example output from /var/log/messages
Jan 18 10:08:27 openaudit openaudit[d7e78788]: -----BEGIN OPENAUDIT GPG open.audit@openaudit.org MESSAGE-----
Jan 18 10:08:27 openaudit openaudit[d7e78788]: -----BEGIN PGP MESSAGE-----
Jan 18 10:08:27 openaudit openaudit[d7e78788]: Version: GnuPG v2.0.14 (GNU/Linux)
Jan 18 10:08:27 openaudit openaudit[d7e78788]:
Jan 18 10:08:27 openaudit openaudit[d7e78788]: hQEMAzYAhJ8HnLQEAQgAkId3OnYJ8rRjZLXWZzU1vbbKuFNcD5SrcBPL/cccq35T
Jan 18 10:08:27 openaudit openaudit[d7e78788]: w6II/Brf8DpnsHwbwzLtw+/J5ovlF1ILsQdUNIdUj4tNrYcRTmgpqQ5P19Jw38Zm
...
Jan 18 10:08:27 openaudit openaudit[d7e78788]: ToRlcSXoG46J5Yt3N5IVbfWIJ2HEWEb3AWZpiz9vNFRWj/5WcdzMimnVRXHNatlQ
Jan 18 10:08:27 openaudit openaudit[d7e78788]: uhRWKLHZd32MtZ4UeUv8ilzNjc4=
Jan 18 10:08:27 openaudit openaudit[d7e78788]: =14J4
Jan 18 10:08:27 openaudit openaudit[d7e78788]: -----END PGP MESSAGE-----
Jan 18 10:08:27 openaudit openaudit[d7e78788]: -----END OPENAUDIT GPG open.audit@openaudit.org MESSAGE-----
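The grep listing above finds the tags and the example outputs show what rsyslog actually stores. What is still missing is the rest of the retrieve side: picking the most recent submission per host and turning the stored lines back into the XML. The script below is an added example, not code from this page or from Open-AudIT. It assumes only coreutils (sed, awk, sort, base64, gzip, cksum), the BEGIN/END marker lines, the openaudit[<hex cksum>] tag and the traditional "Mon DD HH:MM:SS host" prefix shown on this page. The host names, timestamps and XML it uses are constructed sample data, and it generates the log lines itself in the shape the zip submit block produces, so it runs offline.

```sh
#!/bin/sh
# Retrieve side for the syslog submissions above: list the latest audit per
# host and reassemble one audit by its openaudit[<tag>] id. Added example,
# not code from the page or from Open-AudIT. Assumes only coreutils and the
# marker lines, "openaudit[<hex cksum>]" tag and traditional syslog prefix
# shown on this page.

# append_submission LOGFILE STAMP HOST XMLFILE
# Appends to LOGFILE the lines the zip submit block would produce for XMLFILE
# (gzip, base64, BEGIN/END markers, one syslog line per payload line) behind a
# constructed "STAMP HOST" prefix, and prints the tag. Sample data for the
# demo only; on a real server these lines come from rsyslog.
append_submission() {
    tag=$(cksum "$4" | awk '{ printf "%x", $1 }')
    {
        echo "-----BEGIN OPENAUDIT BASE64 MESSAGE-----"
        gzip -c "$4" | base64
        echo "-----END OPENAUDIT BASE64 MESSAGE-----"
    } | sed "s/^/$2 $3 openaudit[$tag]: /" >> "$1"
    echo "$tag"
}

# latest_tag LOGFILE HOST
# Prints the tag of the most recent submission from HOST. Only the
# "-----BEGIN OPENAUDIT" lines are counted, so each submission appears once.
# The day is zero-padded before sorting: syslog writes "Jan  8", and a plain
# text sort would put the 18th before the 8th. The traditional stamp has no
# year, so a log spanning New Year still sorts wrongly (rotate the log, or
# have rsyslog write RFC 5424 timestamps).
latest_tag() {
    awk -v host="$2" '
        BEGIN {
            split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i in m) mon[m[i]] = sprintf("%02d", i)
        }
        $4 == host && $5 ~ /^openaudit\[[0-9a-f]+]:$/ \
            && $6 == "-----BEGIN" && $7 == "OPENAUDIT" {
            tag = $5
            sub(/^openaudit\[/, "", tag)
            sub(/]:$/, "", tag)
            printf "%s%02d%s %s\n", mon[$1], $2, $3, tag
        }' "$1" | sort | tail -n 1 | awk '{ print $2 }'
}

# extract_block LOGFILE TAG
# Prints the payload lines for TAG with the syslog prefix removed, from the
# first "-----BEGIN OPENAUDIT ... MESSAGE-----" line through its END line,
# then stops, so a second identical submission (same cksum, same tag) is not
# glued on. Works for the BASE64 and the GPG wrapper alike and keeps the empty
# line that PGP armor needs (logger writes it as "openaudit[tag]:" with
# nothing, or only a space, after the colon).
extract_block() {
    sed -n "s/^.*openaudit\[$2\]: \{0,1\}//p" "$1" \
      | sed -n '/^-----BEGIN OPENAUDIT .* MESSAGE-----$/,/^-----END OPENAUDIT .* MESSAGE-----$/{p;/^-----END OPENAUDIT/q;}'
}

# restore_xml LOGFILE TAG OUTFILE
# Decodes a BASE64-wrapped submission back into OUTFILE and checks that the
# cksum of the result equals TAG, so a dropped, truncated or reordered syslog
# line is detected instead of silently yielding a damaged audit.
restore_xml() {
    extract_block "$1" "$2" | sed '1d;$d' | base64 -d 2>/dev/null \
      | gzip -dc > "$3" 2>/dev/null || return 1
    [ "$(cksum "$3" | awk '{ printf "%x", $1 }')" = "$2" ]
}
```

Usage on the central server: `latest_tag /var/log/messages openaudit` gives the tag, `restore_xml /var/log/messages <tag> audit.xml` recovers the XML and fails if the cksum in the tag does not match. For the gpg format run `extract_block /var/log/messages <tag> | sed '1d;$d' | gpg --decrypt > audit.xml` on the host that holds the private key; the cksum check then applies to the decrypted file.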