Auditd – Configure for compliance

Configure auditing for policy compliance

  • Control frameworks usually describe higher-level requirements
  • Frameworks do not provide the intermediate requirements that could be broken down into low-level settings
  • Seen from a high-level security architecture, a simple sentence in a control can turn into a complex configuration file with major implications for the system
  • Every filter affects system performance, so only those intermediate requirements that are necessary, or that genuinely raise the security level, should be audited and configured

During our reviews we need to confirm that system audit logs are generated and processed properly. Since there are no fixed requirements, the number and type of records generated is largely at our discretion, guided by the control framework in use.

An experienced auditor determines whether the generated log classes are sufficient for the situation under analysis. But take the role of an engineer tasked with configuring auditing on Linux: which configuration settings need to be enabled in the end?

In this article we start from a very high-level control, derive intermediate requirements from it, and then implement them as auditd settings.

We often use the CIS CSC v8 as the control framework. Chapter 8, “Audit Log Management”, contains several controls that require system audit configuration:

8.2 – Collect audit logs – Collect audit logs. Ensure logging is enabled, in accordance with the enterprise audit log management process, across enterprise assets.

8.5 – Collect detailed audit logs – Create a detailed audit log for enterprise assets that contain sensitive data. Include the event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that can aid in a forensic investigation.

We have a general idea of what information to collect, but the requirements need further clarification. The CIS Controls Navigator maps the controls to other frameworks, so let us look at what those frameworks require by expanding the mapping for 8.2. Scrolling down to PCI DSS v4.0, we find more granular controls from which we can easily select the ones that apply to our use case.

We can now derive our intermediate requirements:

  • Audit logs record all actions taken by any individual with administrative access, including any interactive use of application or system accounts
  • Audit logs capture all invalid logical access attempts
  • Audit logs record all accesses to audit logs
  • Audit logs record all initializations of new audit logs and any starts, stops, or pauses of existing audit logs
  • Audit logs record all changes to identification and authentication credentials, including but not limited to: creation of new accounts; elevation of privileges; all changes, additions, or deletions to accounts with administrative access
  • Audit logs capture all unauthorized attempts to access files
  • Audit logs record all changes made to MAC policies (SELinux)
  • Audit logs capture all media usage (USB sticks, external hard drives, etc.)
  • Audit logs capture all time changes
  • Audit logs record all creations and deletions of system-level objects
  • Make the auditd configuration immutable (a reboot is required to change it)

This article refers to the CIS CSC v8 to illustrate the relationship between high-level controls and low-level configuration. The very detailed security controls described, for example, in the CIS Benchmark for Linux servers are easy to implement, but we recommend using them only once you understand the effects the configuration has on the system.

Now that we know the requirements, we can complete the low-level configuration. The auditd rules specify which events must be audited. They are defined in the file /etc/audit/rules.d/audit.rules.

Using an editor of your choice, add or modify the rules in that file according to your monitoring needs. The rule syntax is the syntax of the auditctl command. For example, to monitor changes to the file /etc/passwd, you can add the following rule:

## /etc/passwd monitor for write/change
-a always,exit -F path=/etc/passwd -F perm=wa -F key=passwd-changes

This rule records write (w) and attribute (a) changes to the file /etc/passwd and tags them with the key passwd-changes. For the full rule syntax, see auditctl(8) – Linux manual page.

Start with a clean base

A good practice is to start with an empty rule base and set some parameters.

## Clean all rules
-D
## Increase buffer to survive stressful situation
-b 8192
## Set failure mode to panic if the system should stop in case of auditd error
## Enable this if the system must not work without a functional audit log
# -f 2

Requirement: Audit logs capture all actions taken by any individual with administrative access, including any interactive use of application or system accounts

This requires configuring the pam_tty_audit module. Derived from Unix PAM, Linux offers PAM (Pluggable Authentication Modules) as a flexible authentication service for applications and system services. Its account, auth, password, and session components control the authentication functions.

By enabling the module in /etc/pam.d/system-auth and /etc/pam.d/password-auth you can audit user input on the TTY. For the configuration parameters, see pam_tty_audit(8) – Linux manual page.

This also applies to “audit logs capture all invalid logical access attempts” where valid and invalid actions are checked.

Requirement: Audit logs capture all access to audit logs

Monitoring the auditd components provides insight into the audit process, ensures the integrity of the audit logs, validates the configuration, and maintains system integrity.

This also covers “audit logs record all initializations of new audit logs and any starts, stops, or pauses of existing audit logs”.

## Access to all audit trails.
-a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-to-audit-objects
-a always,exit -F path=/usr/sbin/aulast -F perm=x -F key=access-to-audit-objects
-a always,exit -F path=/usr/sbin/aulastlogin -F perm=x -F key=access-to-audit-objects
-a always,exit -F path=/usr/sbin/aureport -F perm=x -F key=access-to-audit-objects
-a always,exit -F path=/usr/sbin/ausearch -F perm=x -F key=access-to-audit-objects
-a always,exit -F path=/usr/sbin/auvirt -F perm=x -F key=access-to-audit-objects

Requirement: Audit logs capture all changes to identification and authentication credentials

Audit logs should record changes to metadata and authentication for security incident investigation, accountability, regulatory compliance, suspicious activity detection, forensic analysis, and incident response.

## Elevation of privileges
-a always,exit -F arch=b64 -S setuid -F a0=0 -F exe=/usr/bin/su -F key=elevation-of-privileges
-a always,exit -F arch=b32 -S setuid -F a0=0 -F exe=/usr/bin/su -F key=elevation-of-privileges
-a always,exit -F arch=b64 -S setresuid -F a0=0 -F exe=/usr/bin/sudo -F key=elevation-of-privileges
-a always,exit -F arch=b32 -S setresuid -F a0=0 -F exe=/usr/bin/sudo -F key=elevation-of-privileges
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=elevation-of-privileges
-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F key=elevation-of-privileges
## All changes, additions, or deletions to accounts
-a always,exit -F path=/etc/group -F perm=wa -F key=account-change
-a always,exit -F path=/etc/passwd -F perm=wa -F key=account-change
-a always,exit -F path=/etc/gshadow -F perm=wa -F key=account-change
-a always,exit -F path=/etc/shadow -F perm=wa -F key=account-change
-a always,exit -F path=/etc/security/opasswd -F perm=wa -F key=account-change

Requirement: Audit logs capture all unauthorized access attempts to files

Audit logs should record unauthorized access to files to detect and mitigate potential security breaches or unauthorized access to sensitive data.

##- Unauthorized access attempts to files (unsuccessful)
-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

Requirement: Audit logs capture all media usage

Audit logs must capture data exports to detect and prevent unauthorized or suspicious exfiltration of sensitive information from the system.

##- Export to media (successful)
## You have to mount media before using it. You must disable all automounting
## so that its done manually in order to get the correct user requesting the
## export
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -F key=export
-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -F key=export

Requirement: Audit logs capture all time changes

Security, fraud detection, data integrity, compliance, forensics, incident response, and system health all require monitoring of time changes.

## Time changes (arch is given explicitly, as in the other syscall rules; without it the rule only matches the native ABI and auditctl warns)
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time_change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -k time_change

Requirement: Audit logs capture all creation and deletion of system-wide objects

Audit logs should capture changes made to system executables and libraries, tampering with packages, and tampering with kernel modules.

## For Fedora/CentOS/Red-Hat package monitor
-a always,exit -F perm=x -F path=/usr/bin/yum -F key=system-objects
## boot objects
-a always,exit -S all -F dir=/boot -F perm=aw -k system-objects
## System binaries
-a always,exit -S all -F dir=/bin -F perm=aw -k system-objects
-a always,exit -S all -F dir=/sbin -F perm=aw -k system-objects
-a always,exit -S all -F dir=/usr/bin -F perm=aw -k system-objects
-a always,exit -S all -F dir=/usr/local/bin -F perm=aw -k system-objects
-a always,exit -S all -F dir=/usr/local/sbin -F perm=aw -k system-objects
-a always,exit -S all -F dir=/usr/sbin -F perm=aw -k system-objects
## system libraries
-a always,exit -S all -F dir=/lib -F perm=aw -k system-objects
-a always,exit -S all -F dir=/lib64 -F perm=aw -k system-objects
-a always,exit -S all -F dir=/usr/lib -F perm=aw -k system-objects
## configuration files (most common)
-a always,exit -S all -F dir=/etc -F perm=aw -k system-objects
## systemd
-a always,exit -S all -F dir=/usr/lib/systemd/ -F perm=aw -k system-objects
## Kernel modules insert/remove
-w /sbin/insmod -p x -k system-objects
-w /sbin/rmmod -p x -k system-objects
-w /sbin/modprobe -p x -k system-objects
-a always,exit -F arch=b32 -S init_module -S delete_module -k system-objects
-a always,exit -F arch=b64 -S init_module -S delete_module -k system-objects

Requirement: Make the auditd configuration immutable

Auditd must have an immutable configuration to prevent unauthorized changes that could compromise the integrity and reliability of the auditing system.

## Make the configuration immutable; a reboot is required to change the configuration settings or rule sets.
-e 2
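As an added check that is not part of the original article, the following Python script parses a rule file in the format used above, reports which requirement keys are missing, flags syscall rules that name specific syscalls without an explicit -F arch, and confirms that -D opens the file and -e 2 closes it (once the immutable flag is processed, no further rule can be loaded). The sample rule text and the list of required keys are constructed for this example.

```python
import re

# Constructed sample: an excerpt of the rule set from this article,
# with the media-usage rules (key "export") deliberately left out.
SAMPLE_RULES = """\
## Clean all rules
-D
-b 8192
-a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-to-audit-objects
-a always,exit -F path=/etc/shadow -F perm=wa -F key=account-change
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=elevation-of-privileges
-a always,exit -F arch=b32 -S open,openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a exit,always -S adjtimex -S settimeofday -k time_change
-w /sbin/insmod -p x -k system-objects
-e 2
"""

# Assumption: one key per intermediate requirement, named as in the article's rules.
REQUIRED_KEYS = {"access-to-audit-objects", "account-change", "elevation-of-privileges",
                 "access", "export", "time_change", "system-objects"}

KEY_RE = re.compile(r"(?:-F\s*key=|-k\s+)(\S+)")      # both key spellings are valid
ARCH_RE = re.compile(r"-F\s*arch=(b32|b64)")
SYSCALL_RE = re.compile(r"-S\s+(\S+)")


def check_rules(text):
    """Parse an audit.rules text and return compliance findings as a dict."""
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith("#")]
    keys, no_arch = set(), []
    for ln in lines:
        m = KEY_RE.search(ln)
        if m:
            keys.add(m.group(1))
        syscalls = {s for grp in SYSCALL_RE.findall(ln) for s in grp.split(",")}
        # Named syscalls without -F arch only match the native ABI and make
        # auditctl warn; "-S all" is exempt because it covers either ABI.
        if syscalls - {"all"} and not ARCH_RE.search(ln):
            no_arch.append(ln)
    return {
        "missing_keys": sorted(REQUIRED_KEYS - keys),
        "rules_without_arch": no_arch,
        "starts_clean": bool(lines) and lines[0] == "-D",
        # -e 2 must be the last line: nothing after it can be loaded.
        "immutable_last": bool(lines) and lines[-1].split() == ["-e", "2"],
    }


if __name__ == "__main__":
    for name, value in check_rules(SAMPLE_RULES).items():
        print(f"{name}: {value}")
```

Run it against the concatenated output of your rules.d directory (augenrules merges the files in lexical order), which is why the immutable flag belongs in the file that sorts last.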

We’ve shown how a simple word inside a control can become a complex configuration file that, given a high-level security framework, can have significant system implications.

In terms of the framework, it is necessary to develop intermediate requirements that can be independently converted into low-level configurations. Since each filter affects system performance, each intermediate requirement should be checked and configured only if it is necessary or if it contributes to increasing the security of the system.

About the author

Rocco Gagliardi has been working in IT since the 1980s. In the 1990s he moved into information security. His work focuses on security frameworks, guidelines, firewalls, and log management.
