Small scripts to help with weekly audit-review requirements on networks with just a few Linux systems, where reviewing by hand is easier than standing up a big, complicated SIEM. Satisfies numerous NIST SP 800-53r4 controls under CNSS or JSIG.
Problem: each logger command creates a new audit event on systems that have an audit rule watching use of that command, so the review itself generates audit records (a feedback loop).
Suggestion: write the summarized logs to a dedicated log file in /var/log/audit, with rotation. Also generate an interpreted output with record separators ('----') so that an AWS CloudWatch agent configured with a multi-line record separator can ship whole records.
CNSS and JSIG require that audit records be kept for any files read from or written to removable media. USB thumb drives and portable hard drives are the biggest culprits, because all optical media uses ISO files, which the script already covers. Only file systems auto-mounted or user-mounted after boot should be reviewed.
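As an added example (not one of the project's scripts), the following Python reads raw audit.log records, joins the SYSCALL and PATH records of each event by their audit serial, and reports every file touched under a removable-media mount point, including failed attempts. The mount-point prefixes (/run/media/, /media/, /mnt/) and the sample log lines are assumptions constructed for the example; a real run would substitute the mount points of file systems mounted after boot and feed it the output of `cat /var/log/audit/audit.log*` or `ausearch --raw`.

```python
import re
from collections import defaultdict

# Assumed mount-point prefixes used by desktop automounters (udisks) and by
# hand mounts of removable media; substitute the mount points recorded after boot.
REMOVABLE_PREFIXES = ("/run/media/", "/media/", "/mnt/")

MSG_RE = re.compile(r"msg=audit\((\d+)\.(\d+):(\d+)\)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one raw audit.log record into (timestamp, serial, fields)."""
    m = MSG_RE.search(line)
    if not m:
        return None
    ts = int(m.group(1)) + int(m.group(2)) / 1000.0
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    return ts, int(m.group(3)), fields


def group_events(lines):
    """Join the SYSCALL, CWD and PATH records that share one audit serial."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_record(line)
        if parsed:
            events[parsed[1]].append((parsed[0], parsed[2]))
    return events


def removable_media_accesses(lines, prefixes=REMOVABLE_PREFIXES):
    """One entry per file under a removable-media mount point that a syscall
    touched, with the responsible login user (auid) and program."""
    hits = []
    for serial, records in sorted(group_events(lines).items()):
        fields = [f for _, f in records]
        syscall = next((f for f in fields if f.get("type") == "SYSCALL"), None)
        if syscall is None:
            continue
        for f in fields:
            name = f.get("name", "")
            # Only PATH items; PARENT items name the directory, not the file.
            if (f.get("type") != "PATH" or f.get("nametype") == "PARENT"
                    or not name.startswith(prefixes)):
                continue
            hits.append({
                "serial": serial,
                "ts": records[0][0],
                "auid": syscall.get("auid"),
                "exe": syscall.get("exe"),
                "success": syscall.get("success"),  # failed attempts are kept
                "name": name,
                # CREATE/DELETE come from the PATH record; anything else is an
                # open of an existing object (read vs. write cannot be told
                # apart without decoding the open flags).
                "action": {"CREATE": "create", "DELETE": "delete"}.get(
                    f.get("nametype"), "access"),
            })
    return hits


# Constructed sample records (abbreviated; real records carry more fields).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.100:101): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=2000 pid=2001 auid=1000 uid=1000 ses=3 comm="cat" exe="/usr/bin/cat" key="removable"
type=CWD msg=audit(1700000000.100:101): cwd="/home/alice"
type=PATH msg=audit(1700000000.100:101): item=0 name="/run/media/alice/USB/plans.docx" inode=12 dev=08:11 mode=0100644 ouid=1000 ogid=1000 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.200:102): arch=c000003e syscall=257 success=yes exit=3 items=2 ppid=2000 pid=2002 auid=1000 uid=1000 ses=3 comm="cp" exe="/usr/bin/cp" key="removable"
type=PATH msg=audit(1700000000.200:102): item=0 name="/run/media/alice/USB/" inode=2 dev=08:11 mode=040755 ouid=1000 ogid=1000 nametype=PARENT
type=PATH msg=audit(1700000000.200:102): item=1 name="/run/media/alice/USB/export.csv" inode=13 dev=08:11 mode=0100644 ouid=1000 ogid=1000 nametype=CREATE
type=SYSCALL msg=audit(1700000000.300:103): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=2000 pid=2003 auid=1000 uid=1000 ses=3 comm="vim" exe="/usr/bin/vim" key="home"
type=PATH msg=audit(1700000000.300:103): item=0 name="/home/alice/notes.txt" inode=99 dev=08:02 mode=0100644 ouid=1000 ogid=1000 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.400:104): arch=c000003e syscall=257 success=no exit=-13 items=1 ppid=2000 pid=2004 auid=1001 uid=1001 ses=4 comm="cat" exe="/usr/bin/cat" key="removable"
type=PATH msg=audit(1700000000.400:104): item=0 name="/run/media/alice/USB/secret.txt" inode=14 dev=08:11 mode=0100600 ouid=1000 ogid=1000 nametype=NORMAL
"""

if __name__ == "__main__":
    for h in removable_media_accesses(SAMPLE_LOG.splitlines()):
        print("%(serial)s auid=%(auid)s %(exe)s %(action)s %(name)s success=%(success)s" % h)
```

Grouping by serial matters because the user, program and result live in the SYSCALL record while the file name lives in the PATH record; a grep for the mount point alone would lose who did it and whether it succeeded.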
Review the history of audit records on this system and, from the current audit volume over time, estimate how many days of records the online storage holds. Warn the user if audit records are likely to roll over or if the disk will fill up.
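An added example (not part of the project) of that estimate in Python: it reads max_log_file, num_logs and max_log_file_action from auditd.conf, measures the write rate from the size and first/last record timestamps of the current and rotated log files, and warns if the rotation set holds fewer days than the review window or if the disk will fill. The sample configuration and file list are constructed; describe_log_file() is a helper assumed for this example for reading real files, not a project function.

```python
import os
import re

MB = 1024 * 1024
DAY = 86400.0
MSG_RE = re.compile(r"msg=audit\((\d+)\.\d+:\d+\)")


def parse_auditd_conf(text):
    """Read 'key = value' lines from auditd.conf, ignoring comments."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def describe_log_file(path):
    """Size and first/last record timestamps of a real audit log file (assumed
    helper; reads the whole file, which is fine at the default 8 MB max_log_file)."""
    with open(path, "rb") as fh:
        stamps = [int(m.group(1)) for m in
                  (MSG_RE.search(ln.decode("utf-8", "replace")) for ln in fh) if m]
    return {"name": os.path.basename(path), "size": os.path.getsize(path),
            "first_ts": min(stamps), "last_ts": max(stamps)}


def estimate_audit_storage(conf_text, files, free_bytes, required_days=7):
    """files: dicts with 'size' (bytes), 'first_ts' and 'last_ts' (epoch seconds)
    for audit.log and each rotated audit.log.N. free_bytes: free space on the
    file system holding them. Returns write rate, retention and warnings."""
    conf = parse_auditd_conf(conf_text)
    max_file_bytes = int(conf.get("max_log_file", "8")) * MB
    num_logs = int(conf.get("num_logs", "5"))
    action = conf.get("max_log_file_action", "rotate").lower()

    total_bytes = sum(f["size"] for f in files)
    span_days = (max(f["last_ts"] for f in files)
                 - min(f["first_ts"] for f in files)) / DAY
    # Floor the span at one hour so a freshly started log does not divide by zero.
    rate = total_bytes / max(span_days, 1.0 / 24)

    result = {"bytes_per_day": rate, "days_retained": None,
              "days_until_disk_full": None, "warnings": []}
    if action == "rotate":
        # ROTATE keeps about num_logs files of max_log_file MB; older records
        # are discarded when the set rolls over.
        capacity = max_file_bytes * num_logs
        result["days_retained"] = capacity / rate
        if result["days_retained"] < required_days:
            result["warnings"].append(
                "records roll over after %.1f days, less than the %d-day review window"
                % (result["days_retained"], required_days))
        if capacity - total_bytes > free_bytes:
            result["warnings"].append(
                "rotation set can grow by %d MB but only %d MB is free"
                % ((capacity - total_bytes) // MB, free_bytes // MB))
    else:
        # KEEP_LOGS never discards records, so the disk is the limit (assumed
        # here for the other actions too; SUSPEND would stop logging instead).
        result["days_until_disk_full"] = free_bytes / rate
        if result["days_until_disk_full"] < required_days:
            result["warnings"].append(
                "disk fills in %.1f days at %.1f MB/day"
                % (result["days_until_disk_full"], rate / MB))
    return result


# Constructed sample: 24 MB of records over 6 days, 8 MB files, 5 kept.
SAMPLE_CONF = """\
log_file = /var/log/audit/audit.log
max_log_file = 8
num_logs = 5
max_log_file_action = ROTATE
"""
T0 = 1700000000
SAMPLE_FILES = [
    {"name": "audit.log",   "size": 4 * MB, "first_ts": T0 + 5 * DAY, "last_ts": T0 + 6 * DAY},
    {"name": "audit.log.1", "size": 8 * MB, "first_ts": T0 + 3 * DAY, "last_ts": T0 + 5 * DAY},
    {"name": "audit.log.2", "size": 8 * MB, "first_ts": T0 + 1 * DAY, "last_ts": T0 + 3 * DAY},
    {"name": "audit.log.3", "size": 4 * MB, "first_ts": T0,           "last_ts": T0 + 1 * DAY},
]

if __name__ == "__main__":
    print(estimate_audit_storage(SAMPLE_CONF, SAMPLE_FILES, free_bytes=10 * MB))
```

On a live system, build the file list with describe_log_file() over /var/log/audit/audit.log* and take free_bytes from shutil.disk_usage("/var/log/audit").free; the retention figure is what a weekly reviewer compares against the review interval.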
pam_tally was used on RHEL 5. RHEL 6 updated to pam_tally2. By RHEL 7 all of them were deprecated because requirements became per user. pam_faillock was created to fulfill the need. I'd suggest removing mention of tallylog around line 403. pam_faillock places its data in /run/faillock. And while you are in this area of the file, you might want to watch btmp.
If audit records are missing for a period of time, that should be highlighted to the auditor. There are three likely scenarios for a gap:
The system was powered off or suspended
Auditing was turned off by the administrator
The audit log was deleted
Where possible, the review should note that no audit records were expected because the system was powered off. Other gaps should be highlighted so that the auditor can investigate further.
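An added example (not from the project) of gap detection over raw audit.log records in Python. It flags any interval longer than a threshold with no records and classifies it using markers auditd and the kernel already write: a SYSTEM_BOOT shortly after the gap means the machine was down (clean if a SYSTEM_SHUTDOWN or DAEMON_END precedes it), a CONFIG_CHANGE with audit_enabled=0 or a DAEMON_END before the gap with no reboot means auditing was turned off, and a jump in the per-boot serial counter with no reboot means events were generated but are not in the log. The 120-second boot window, the one-hour threshold and the log lines are constructed assumptions.

```python
import re

MSG_RE = re.compile(r"msg=audit\((\d+)\.(\d+):(\d+)\)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
BOOT_WINDOW = 120.0  # assumed: a SYSTEM_BOOT this soon after a gap marks a reboot


def parse_record(line):
    """Timestamp, serial, record type and fields of one raw audit.log line."""
    m = MSG_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    return {"ts": int(m.group(1)) + int(m.group(2)) / 1000.0,
            "serial": int(m.group(3)), "type": fields.get("type"),
            "fields": fields}


def classify_gap(prev, cur, following):
    """prev/cur bracket the gap; following is every record from cur onward."""
    rebooted = any(r["type"] == "SYSTEM_BOOT" and r["ts"] - cur["ts"] <= BOOT_WINDOW
                   for r in following)
    if rebooted:
        clean = prev["type"] in ("SYSTEM_SHUTDOWN", "DAEMON_END")
        return {"kind": "powered_off",
                "detail": "clean shutdown, no records expected" if clean
                else "no shutdown record: crash or power loss before reboot"}
    if prev["type"] == "CONFIG_CHANGE" and prev["fields"].get("audit_enabled") == "0":
        return {"kind": "audit_disabled",
                "detail": "audit_enabled=0 set by auid=%s" % prev["fields"].get("auid")}
    if prev["type"] == "DAEMON_END":
        return {"kind": "audit_disabled", "detail": "auditd stopped without a reboot"}
    # The serial is a per-boot counter, so a jump with no reboot means events
    # were generated but are not in the log.
    missing = cur["serial"] - prev["serial"] - 1
    if missing > 0:
        return {"kind": "records_missing", "missing_serials": missing,
                "detail": "%d events unaccounted for: log deleted or truncated?" % missing}
    return {"kind": "unexplained",
            "detail": "auditd ran but wrote nothing: check rules and daemon state"}


def find_gaps(lines, max_gap_seconds=3600):
    """Return every silent interval longer than max_gap_seconds, classified."""
    recs = sorted(filter(None, map(parse_record, lines)),
                  key=lambda r: (r["ts"], r["serial"]))
    gaps = []
    for i in range(1, len(recs)):
        prev, cur = recs[i - 1], recs[i]
        seconds = cur["ts"] - prev["ts"]
        if seconds <= max_gap_seconds:
            continue
        gap = {"start": prev["ts"], "end": cur["ts"], "seconds": seconds}
        gap.update(classify_gap(prev, cur, recs[i:]))
        gaps.append(gap)
    return gaps


# Constructed sample (abbreviated records): a clean reboot, an admin disabling
# auditing for eight hours, 34 deleted events, and an unexplained silence.
SAMPLE_LOG = """\
type=DAEMON_START msg=audit(1700000000.000:1): op=start ver=3.0 auid=4294967295 pid=700 uid=0 res=success
type=SYSTEM_BOOT msg=audit(1700000005.000:2): pid=1 uid=0 auid=4294967295 ses=4294967295 res=success
type=USER_LOGIN msg=audit(1700003600.000:3): pid=1200 uid=0 auid=1000 ses=3 res=success
type=SYSTEM_SHUTDOWN msg=audit(1700007200.000:4): pid=1 uid=0 auid=4294967295 ses=4294967295 res=success
type=DAEMON_END msg=audit(1700007205.000:5): op=terminate auid=4294967295 pid=700 uid=0 res=success
type=DAEMON_START msg=audit(1700043205.000:1): op=start ver=3.0 auid=4294967295 pid=702 uid=0 res=success
type=SYSTEM_BOOT msg=audit(1700043210.000:2): pid=1 uid=0 auid=4294967295 ses=4294967295 res=success
type=CONFIG_CHANGE msg=audit(1700046800.000:3): audit_enabled=0 old=1 auid=1000 ses=3 res=1
type=CONFIG_CHANGE msg=audit(1700075600.000:4): audit_enabled=1 old=0 auid=1000 ses=3 res=1
type=USER_LOGIN msg=audit(1700076000.000:5): pid=1300 uid=0 auid=1000 ses=4 res=success
type=USER_LOGIN msg=audit(1700097600.000:40): pid=1400 uid=0 auid=1001 ses=5 res=success
type=SYSCALL msg=audit(1700097700.000:41): arch=c000003e syscall=257 success=yes exit=3 auid=1001 ses=5 comm="cat" exe="/usr/bin/cat" key="home"
type=USER_LOGIN msg=audit(1700115700.000:42): pid=1500 uid=0 auid=1001 ses=6 res=success
"""

if __name__ == "__main__":
    for g in find_gaps(SAMPLE_LOG.splitlines()):
        print("%.0fs silent from %.0f: %s (%s)" % (g["seconds"], g["start"], g["kind"], g["detail"]))
```

Only the powered_off case should be reported as expected; the other three kinds are what the auditor needs to chase, and the serial-counter check is what separates a deleted log from a merely quiet system.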