
Guided Exercise: Configuring Change Tracking

In this exercise, you configure and perform system auditing with the Linux audit system.

Outcomes

You should be able to detect changes to the content and attributes of files and directories on a file system.

As the student user on the workstation machine, use the lab command to prepare your system for this exercise.

[student@workstation ~]$ lab start baseline-changetracking

Instructions

  1. Log in to servera and switch to the root user.

    [student@workstation ~]$ ssh student@servera
    ...output omitted...
    [student@servera ~]$ sudo -i
    [sudo] password for student: student
    [root@servera ~]#
  2. Configure AIDE to monitor file integrity.

    1. Initialize the AIDE database.

      [root@servera ~]# aide -i
      Start timestamp: 2021-09-14 22:00:07 -0400 (AIDE 0.16)
      AIDE initialized database at /var/lib/aide/aide.db.new.gz
      
      Number of entries:	5
      
      ---------------------------------------------------
      The attributes of the (uncompressed) database(s):
      ---------------------------------------------------
      
      /var/lib/aide/aide.db.new.gz
        MD5      : LLSaHUKYsWzCDA94nbLurQ==
        SHA1     : mv+HidAoRw+kp1NC2vLgapVKdJg=
        RMD160   : CzX5WCHz8L5UXb4Amzx5CJvtzsw=
        TIGER    : 1T8DFsev/GgTMj/gY8MExRvLJVvGoWXT
        SHA256   : reYx+xOuZyataCNPvgskaLfuOGA1rLOG
                   dKEpxfQybL0=
        SHA512   : xlxRXa1reUuGVhP1QxVUoVvtBULc2skU
                   tpNI5imXj/XeIF8LwJbAop8CF/JTi7SE
                   mAnwzY2919NeaialwaoUTg==
      
      
      End timestamp: 2021-09-14 22:00:07 -0400 (run time: 0m 0s)
    2. Rename the initial database by removing the new substring from its name, so that the aide command can use it.

      [root@servera ~]# mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
  3. View the /etc/aide.conf file to learn the default monitored files and rules.

    [root@servera ~]# cat /etc/aide.conf
    ...output omitted...
    # Custom Rules
    # Extended content + file type + access.
    CONTENT_EX = sha512+ftype+p+u+g+n+acl+selinux+xattrs
    
    # trusted databases
    /etc/hosts$      CONTENT_EX
    /etc/issue$      CONTENT_EX
    /etc/passwd$     CONTENT_EX
    /etc/group$      CONTENT_EX
    /etc/shadow$     CONTENT_EX
  4. Generate a file integrity report for the default monitored files and verify that the report is present in the logs.

    1. Generate the file integrity report.

      [root@servera ~]# aide --check
      Start timestamp: 2021-09-14 22:10:19 -0400 (AIDE 0.16)
      AIDE found NO differences between database and filesystem. Looks okay!!
      
      Number of entries:	5
      
      ---------------------------------------------------
      The attributes of the (uncompressed) database(s):
      ---------------------------------------------------
      
      /var/lib/aide/aide.db.gz
        MD5      : LLSaHUKYsWzCDA94nbLurQ==
        SHA1     : mv+HidAoRw+kp1NC2vLgapVKdJg=
        RMD160   : CzX5WCHz8L5UXb4Amzx5CJvtzsw=
        TIGER    : 1T8DFsev/GgTMj/gY8MExRvLJVvGoWXT
        SHA256   : reYx+xOuZyataCNPvgskaLfuOGA1rLOG
                   dKEpxfQybL0=
        SHA512   : xlxRXa1reUuGVhP1QxVUoVvtBULc2skU
                   tpNI5imXj/XeIF8LwJbAop8CF/JTi7SE
                   mAnwzY2919NeaialwaoUTg==
      
      
      End timestamp: 2021-09-14 22:10:19 -0400 (run time: 0m 0s)
    2. Verify that the file integrity report is recorded in the log file.

      [root@servera ~]# cat /var/log/aide/aide.log
      Start timestamp: 2021-09-14 22:10:19 -0400 (AIDE 0.16)
      AIDE found NO differences between database and filesystem. Looks okay!!
      
      Number of entries:	5
      
      ---------------------------------------------------
      The attributes of the (uncompressed) database(s):
      ---------------------------------------------------
      
      /var/lib/aide/aide.db.gz
        MD5      : LLSaHUKYsWzCDA94nbLurQ==
        SHA1     : mv+HidAoRw+kp1NC2vLgapVKdJg=
        RMD160   : CzX5WCHz8L5UXb4Amzx5CJvtzsw=
        TIGER    : 1T8DFsev/GgTMj/gY8MExRvLJVvGoWXT
        SHA256   : reYx+xOuZyataCNPvgskaLfuOGA1rLOG
                   dKEpxfQybL0=
        SHA512   : xlxRXa1reUuGVhP1QxVUoVvtBULc2skU
                   tpNI5imXj/XeIF8LwJbAop8CF/JTi7SE
                   mAnwzY2919NeaialwaoUTg==
      
      
      End timestamp: 2021-09-14 22:10:19 -0400 (run time: 0m 0s)
  5. Create a script to send an email alert whenever a change in the monitored files is found.

    [root@servera ~]# vim /root/aide_mon.sh
    #!/bin/bash
    # Mail the latest AIDE report unless it reports no differences.
    if ! grep -q "Looks okay" /var/log/aide/aide.log
    then
        /usr/bin/mail -s "AIDE Alert" student@servera.lab.example.com \
            < /var/log/aide/aide.log
    fi

    Make the script executable.

    [root@servera ~]# chmod +x /root/aide_mon.sh
  6. Schedule the AIDE execution for every two minutes. Create the /etc/cron.d/aide file and add the following lines:

    [root@servera ~]# vim /etc/cron.d/aide
    # AIDE Checks and alert
    */2 * * * * root /sbin/aide --check && /root/aide_mon.sh
  7. Verify that the integrity report is recorded in the log file. Check that no differences exist between the database and the file system.

    [root@servera ~]# cat /var/log/aide/aide.log
    Start timestamp: 2021-09-14 22:18:01 -0400 (AIDE 0.16)
    AIDE found NO differences between database and filesystem. Looks okay!!
    
    Number of entries:	5
    
    ---------------------------------------------------
    The attributes of the (uncompressed) database(s):
    ---------------------------------------------------
    
    /var/lib/aide/aide.db.gz
      MD5      : LLSaHUKYsWzCDA94nbLurQ==
      SHA1     : mv+HidAoRw+kp1NC2vLgapVKdJg=
      RMD160   : CzX5WCHz8L5UXb4Amzx5CJvtzsw=
      TIGER    : 1T8DFsev/GgTMj/gY8MExRvLJVvGoWXT
      SHA256   : reYx+xOuZyataCNPvgskaLfuOGA1rLOG
                 dKEpxfQybL0=
      SHA512   : xlxRXa1reUuGVhP1QxVUoVvtBULc2skU
                 tpNI5imXj/XeIF8LwJbAop8CF/JTi7SE
                 mAnwzY2919NeaialwaoUTg==
    
    
    End timestamp: 2021-09-14 22:18:01 -0400 (run time: 0m 0s)
  8. Add a user. This changes the system's account database files, which are monitored files, and so creates a file integrity inconsistency.

    [root@servera ~]# useradd user01
  9. As the student user on the servera machine, verify that an AIDE alert email is received. The first email might take up to five minutes to arrive. The complete log report might not finish processing until the second email is received. Optionally, you could monitor the email activity that is sent to the student user.

    Note

    Log in to the servera machine in a separate terminal. Use the journalctl command to monitor the email that is sent to the student user.

    [root@servera ~]# journalctl -f -u postfix --since today
    1. Switch to the student user on the servera machine to check for AIDE alert emails.

      [root@servera ~]# exit
      [student@servera ~]$
    2. Check the email.

      [student@servera ~]$ mail
      Heirloom Mail version 12.5 7/5/10.  Type ? for help.
      "/var/spool/mail/student": 1 message 1 new
      >N  1 root                  Tue Sep 14 22:54  62/2250  "AIDE Alert"

      Read the most recent email.

      & 1
      Message  1:
      From root@servera.lab.example.com  Tue Sep 14 22:54:22 2021
      Return-Path: <root@servera.lab.example.com>
      From: root <root@servera.lab.example.com>
      Date: Tue, 14 Sep 2021 22:54:01 -0400
      To: student@servera.lab.example.com
      Subject: AIDE Alert
      User-Agent: Heirloom mailx 12.5 7/5/10
      Content-Type: text/plain; charset=us-ascii
      Status: R
      
      Start timestamp: 2021-09-14 22:52:01 -0400 (AIDE 0.16)
      AIDE found differences between database and filesystem!!
      
      Summary:
        Total number of entries:	5
        Added entries:		0
        Removed entries:		0
        Changed entries:		3
      
      ---------------------------------------------------
      Changed entries:
      ---------------------------------------------------
      
      f   ...    .C... : /etc/group
      f   ...    .C... : /etc/passwd
      f   ...    .C... : /etc/shadow
      
      ...output omitted...

      Quit the mail interactive interface.

      & q
      ...output omitted...
      [student@servera ~]$
  10. Switch to the root user on the servera machine. Update the AIDE database to include the recent file changes. Back up the current AIDE database. Rename the updated database by removing the new substring from its name, so that the aide command can use it.

    1. Switch to the root user.

      [student@servera ~]$ sudo -i
      [sudo] password for student: student
      [root@servera ~]#
    2. Update the database.

      [root@servera ~]# aide --update
    3. Back up the current database.

      [root@servera ~]# mv /var/lib/aide/aide.db.gz /var/lib/aide/aide.db.old.gz
    4. Enable the new database for the aide command to use.

      [root@servera ~]# mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
  11. Generate an integrity report of the monitored files.

    [root@servera ~]# aide --check
    Start timestamp: 2021-09-14 23:23:06 -0400 (AIDE 0.16)
    AIDE found NO differences between database and filesystem. Looks okay!!
    
    Number of entries:	5
    
    ---------------------------------------------------
    The attributes of the (uncompressed) database(s):
    ---------------------------------------------------
    
    /var/lib/aide/aide.db.gz
      MD5      : /tJ6rCYNS+gHPpAqP+cdFQ==
      SHA1     : v0sEePAdH6VbXAFPuGrrVG+tQNM=
      RMD160   : UDvr4Gvti4Layc8imAlHhAgZIWo=
      TIGER    : VCSYuYBw98r81861ipOiVVE37mdp03g1
      SHA256   : 9wyBh7irOdLWeacsPHKRHYPLYKbtOzND
                 42xuIn4/I3w=
      SHA512   : nw8mnWzPdlodiPVHtgcPOH1jcrDuVnXg
                 wt9zFVBrAr8nFURYEnm12QFt7snGn03n
                 mx7M8Dj5RBydOMetEyoSaA==
    
    
    End timestamp: 2021-09-14 23:23:06 -0400 (run time: 0m 0s)
  12. Switch to the student user on the servera machine. Verify that an alert email is no longer sent to the student user. Verify that the integrity report is recorded in the log file.

    1. Return to the student user.

      [root@servera ~]# exit
      [student@servera ~]$
    2. Check email to confirm that no new alerts are present.

      The total number of messages varies. If the database is correctly updated, then no new messages are present.

      [student@servera ~]$ mail
      >N 12 root                  Tue Sep 14 23:22  21/970   "AIDE Alert"
    3. Use the sudo cat command to view the log file to verify that no differences are found between the database and file system.

      [student@servera ~]$ sudo cat /var/log/aide/aide.log
      Start timestamp: 2021-09-14 23:26:01 -0400 (AIDE 0.16)
      AIDE found NO differences between database and filesystem. Looks okay!!
      
      Number of entries:	5
      
      ---------------------------------------------------
      The attributes of the (uncompressed) database(s):
      ---------------------------------------------------
      
      /var/lib/aide/aide.db.gz
        MD5      : /tJ6rCYNS+gHPpAqP+cdFQ==
        SHA1     : v0sEePAdH6VbXAFPuGrrVG+tQNM=
        RMD160   : UDvr4Gvti4Layc8imAlHhAgZIWo=
        TIGER    : VCSYuYBw98r81861ipOiVVE37mdp03g1
        SHA256   : 9wyBh7irOdLWeacsPHKRHYPLYKbtOzND
                   42xuIn4/I3w=
        SHA512   : nw8mnWzPdlodiPVHtgcPOH1jcrDuVnXg
                   wt9zFVBrAr8nFURYEnm12QFt7snGn03n
                   mx7M8Dj5RBydOMetEyoSaA==
      
      
      End timestamp: 2021-09-14 23:26:01 -0400 (run time: 0m 0s)
  13. Return to workstation as student.

    [student@servera ~]$ exit
    [student@workstation ~]$
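The alert script in steps 5 and 6 decides to mail purely on the absence of the string "Looks okay" in the log. The following added example (not part of the lab or of AIDE itself) parses a report in the format shown in step 9 and decides on the Summary counts instead, which also lets the alert name the changed files; the report text is constructed to mirror the lab output, and the function names are this example's own.

```shell
#!/bin/bash
# Added example, not part of the lab: parse an AIDE 0.16 style report and
# decide whether to alert from its Summary counts rather than from the
# absence of "Looks okay". The report below is constructed sample input.

AIDE_SAMPLE_REPORT='Start timestamp: 2021-09-14 22:52:01 -0400 (AIDE 0.16)
AIDE found differences between database and filesystem!!

Summary:
  Total number of entries:   5
  Added entries:             0
  Removed entries:           0
  Changed entries:           3

---------------------------------------------------
Changed entries:
---------------------------------------------------

f   ...    .C... : /etc/group
f   ...    .C... : /etc/passwd
f   ...    .C... : /etc/shadow
'

# aide_changed_count REPORT -> prints added+removed+changed from the Summary
# block; a "Looks okay" report has no Summary block, so it prints 0.
aide_changed_count() {
    printf '%s\n' "$1" | awk '
        /^ +(Added|Removed|Changed) entries:[ \t]+[0-9]+$/ { n += $NF }
        END { print n + 0 }'
}

# aide_report_paths REPORT SECTION -> prints one path per line from the named
# section ("Added entries", "Removed entries" or "Changed entries"). The
# section ends at the second dashed separator, so the per-file detail block
# that follows in a full report is not misread as entry lines.
aide_report_paths() {
    printf '%s\n' "$1" | awk -v sec="$2" '
        $0 == (sec ":")     { in_sec = 1; seps = 0; next }
        in_sec && /^-+$/    { if (++seps == 2) in_sec = 0; next }
        in_sec && / : \//   { sub(/^.* : /, ""); print }'
}

# aide_should_alert REPORT -> exit status 0 when any entry was added,
# removed or changed, 1 otherwise.
aide_should_alert() {
    [ "$(aide_changed_count "$1")" -gt 0 ]
}
```

In the lab's script, `report=$(cat /var/log/aide/aide.log)` followed by `if aide_should_alert "$report"` replaces the grep test, and `aide_report_paths "$report" 'Changed entries'` gives the file list to put in the mail subject or body.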

Finish

On the workstation machine, use the lab command to complete this exercise. This is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish baseline-changetracking

Revision: rh342-8.4-6dd89bd