Sentinel 7.1
Plugin Red-Hat_Enterprise-Linux_2011.1r2
I am setting up RHEL6.5 Linux to Sentinel auditing for the first time.
I have installed both LAF and WTMP on the observer.
I am seeing events coming from RHEL into Sentinel.

All our users ssh to the RHEL servers and authenticate over PAM and then
sudo to either root or other users.
On top of the stuff in the doco I have added the following to
-w /etc/sudoers -p wa
If I ssh to the server as FSMITH then sudo to root and then modify
/etc/sudoers I see a number of LAF events when I search for RHEL events
including "Syscall chmod, open and rename" and some related Unparsed
Events all showing the user as root.

I ran a raw data tap on the Collector which shows one event that
includes the following where FSMITH is the user who sudo'd to root and
changed the file:
op=\"updated rules\" path=\/etc\/sudoers

However this does not appear to make it past the Collector.
I have run the Collector in Debug Mode (this is the first time I'm doing
this) and can see all the data from this event however SEND_EVENT does
not get set to True however I'm not sure if I'm looking at the right

I'm pulling my hair out (oh, I don't have any left).

Any help with this issue would be greatly appreciated.

Thanks in advance.

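An added example, not code from the original post or from the Sentinel RHEL plugin: a small parser for the auditd key=value record format that pulls out `auid`, the login uid that survives sudo, so records showing `uid=0` can still be tied back to the user who logged in. The `op="updated rules" path=/etc/sudoers` fragment quoted above has the shape of an audit CONFIG_CHANGE record, which the kernel writes when the watch on a path is updated (for instance after the watched file is replaced by a rename); the sample records, the uid-to-name mapping and the event ids are constructed here.

```python
import re
from typing import Dict, List

# Constructed sample records in auditd's key=value format. Line 1 has the shape
# of the CONFIG_CHANGE record quoted in the post; lines 2-3 show a rename onto
# the watched file (hypothetical ids: auid 500 = FSMITH, uid 0 = root).
SAMPLE = """\
type=CONFIG_CHANGE msg=audit(1390000000.100:200): auid=500 ses=3 op="updated rules" path="/etc/sudoers" key=(null) list=4 res=1
type=SYSCALL msg=audit(1390000000.101:201): arch=c000003e syscall=82 success=yes exit=0 ppid=4000 pid=4001 auid=500 uid=0 gid=0 euid=0 comm="visudo" exe="/usr/sbin/visudo" key=(null)
type=PATH msg=audit(1390000000.101:201): item=0 name="/etc/sudoers.tmp" inode=1234 mode=0100440 ouid=0 ogid=0
"""

AUID_TO_NAME = {500: "FSMITH"}   # hypothetical; stands in for an /etc/passwd lookup
UNSET_AUID = "4294967295"        # value auditd uses when no login uid was set

TOKEN = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_record(line: str) -> Dict[str, str]:
    """Split one audit record into a dict; quoted values lose their quotes."""
    fields = {}
    for key, value in TOKEN.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1].replace('\\"', '"')
        fields[key] = value
    return fields

def attribute(line: str) -> Dict[str, str]:
    """Who really acted: auid is the login uid and survives sudo/su, while
    uid/euid show the effective (post-sudo) user that Sentinel displayed."""
    rec = parse_record(line)
    auid = rec.get("auid")
    login = "unset" if auid in (None, UNSET_AUID) else AUID_TO_NAME.get(int(auid), auid)
    msg = rec.get("msg", "").rstrip(":").rstrip(")")      # audit(<ts>:<event id>
    return {
        "type": rec.get("type", "?"),
        "event_id": msg.split(":")[-1],
        "login_user": login,
        "effective_uid": rec.get("uid", "n/a"),
        "path": rec.get("path") or rec.get("name", "n/a"),
        "op": rec.get("op", ""),
    }

def sudoers_events(text: str) -> List[Dict[str, str]]:
    """All records of any audit event that touched /etc/sudoers. SYSCALL and
    PATH records share an event id, so the SYSCALL record (which carries auid)
    is pulled in by its PATH sibling even though it names no path itself."""
    recs = [attribute(l) for l in text.splitlines() if l.strip()]
    hit_ids = {r["event_id"] for r in recs
               if r["path"].startswith("/etc/sudoers") or r["op"] == "updated rules"}
    return [r for r in recs if r["event_id"] in hit_ids]
```

Running `sudoers_events(SAMPLE)` yields three records, all attributable to FSMITH via `auid` even where `uid` is 0; a Collector parser that keys on `auid` rather than `uid` reports the sudo'd session under the login user.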