JacquesW
Mission Specialist

Comprehensive Lab: Recording Events and Monitoring File-system Changes with PAM, Audit, and AIDE

In ch12s04:

When you get to point 11 in the solution you see the following:

Add a persistent Audit watch rule to generate Audit log entries whenever there is an attempt to read, write, execute, or change an attribute of the /etc/ssh directory. Use sshd_config_monitor as the filter key on the Audit rule.

[root@servera ~]# cat /etc/audit/rules.d/audit.rules
...output omitted...
-w /etc/ssh -p wa -k sshd_config_monitor

But this is wrong, because it is missing the r and x for read and execute in the permissions, as stated in the question.

The correct line in that case should be:

-w /etc/ssh -p rwxa -k sshd_config_monitor
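
A check for the mismatch described in the post above, as an added example that is not part of the original thread or the course material: it parses the watch rules in audit rules text and reports which required permission letters (r, w, x, a) no rule for the given path and key covers. The function names and the sample rule text are constructed for illustration.

```python
import shlex

PERM_NAMES = {"r": "read", "w": "write", "x": "execute", "a": "attribute change"}


def _norm(path):
    # Treat /etc/ssh and /etc/ssh/ as the same watch target.
    return path.rstrip("/") or "/"


def parse_watch_rules(text):
    """Yield (path, perms, key) for each '-w' watch rule in rules-file text."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        opts = {}
        for flag, value in zip(tokens, tokens[1:]):
            if flag in ("-w", "-p", "-k"):
                opts[flag] = value
        if "-w" in opts:
            # A rule with no explicit -p is recorded with empty perms; this
            # example does not model what auditctl does in that case.
            yield (_norm(opts["-w"]), set(opts.get("-p", "")), opts.get("-k"))


def missing_permissions(text, path, key, required="rwxa"):
    """Return the required permission letters that no matching rule covers."""
    covered = set()
    for rule_path, perms, rule_key in parse_watch_rules(text):
        if rule_path == _norm(path) and rule_key == key:
            covered |= perms  # several rules on one path add up
    return [p for p in required if p not in covered]


# Constructed samples: the rule as printed in the lab solution, and the
# corrected rule proposed in the post.
LAB_SOLUTION = """\
# rules file excerpt (constructed)
-w /etc/ssh -p wa -k sshd_config_monitor
"""
CORRECTED = "-w /etc/ssh -p rwxa -k sshd_config_monitor\n"

if __name__ == "__main__":
    for name, text in (("solution", LAB_SOLUTION), ("corrected", CORRECTED)):
        gaps = missing_permissions(text, "/etc/ssh", "sshd_config_monitor")
        print(name, "missing:", [PERM_NAMES[p] for p in gaps] or "nothing")
```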

5 Replies
JacquesW
Mission Specialist

It might be me, but also when I follow exactly what the solution states, the grade script seems to fail on the 'check PAM configuration' in this chapter. I have a feeling it might be happening on the ucredit check, because when I run this manually, this is the only check from the check script that just fails.

JacquesW
Mission Specialist

Yes, it is the ucredit = -1 check that lets it fail. I removed it from the /home/student/.venv/labs/libs/python3.9/site-packages/rh415/compreview-aide.py and then it goes through without issues.

Chetan_Tiwary_
Community Manager

@JacquesW You are right about the error regarding the audit rules, I will check and report it for rectification. But it is surprising that ucredit -1 is not working.

JacquesW
Mission Specialist

To test my own sanity I followed the solution from beginning to end and it kept failing on the same spot. Also, when I test the grep command for the ucredit on the machine I get a null result, until I remove the $ sign at the end of the grep line; then it seems to work fine on the server. I have not tested it in combination with ssh servera grep -e etc., but I suspect that it will work then. Anyway, it was something I also noticed.

Chetan_Tiwary_
Community Manager

OK, thanks, I will check that too!
