RH415 - ch06s04

This course is now legacy content

This course is using an outdated version of the technology and is now considered to be Legacy content. It will be removed from our catalog on June 28, 2024. Please be sure to complete your course and finish any remaining labs before that date. We recommend moving to version 9.2, which is the latest version currently available.

Preface A: Introduction

Section A.1: Red Hat Security: Linux in Physical, Virtual, and Cloud

Section A.2: Orientation to the Classroom Environment

Section A.3: Internationalization

Chapter 1: Managing Security and Risk

Section 1.1: Managing Security and Risk

Section 1.2: Quiz: Managing Security and Risk

Section 1.3: Reviewing Recommended Security Practices

Section 1.4: Guided Exercise: Reviewing Recommended Security Practices

Section 1.5: Lab: Managing Security and Risk

Section 1.6: Summary

Chapter 2: Automating Configuration and Remediation with Ansible

Section 2.1: Configuring Ansible for Security Automation

Section 2.2: Guided Exercise: Configuring Ansible for Security Automation

Section 2.3: Remediating Issues with Ansible Playbooks

Section 2.4: Guided Exercise: Remediating Issues with Ansible Playbooks

Section 2.5: Managing Playbooks with Red Hat Ansible Tower

Section 2.6: Guided Exercise: Managing Playbooks with Red Hat Ansible Tower

Section 2.7: Lab: Automating Configuration and Remediation with Ansible

Section 2.8: Summary

Chapter 3: Protecting Data with LUKS and NBDE

Section 3.1: Managing File System Encryption with LUKS

Section 3.2: Guided Exercise: Managing File System Encryption with LUKS

Section 3.3: Controlling File System Decryption with NBDE

Section 3.4: Guided Exercise: Controlling File System Decryption with NBDE

Section 3.5: Lab: Protecting Data with LUKS and NBDE

Section 3.6: Summary

Chapter 4: Restricting USB Device Access

Section 4.1: Controlling USB Access with USBGuard

Section 4.2: Guided Exercise: Controlling USB access with USBGuard

Section 4.3: Lab: Restricting USB Device Access

Section 4.4: Summary

Chapter 5: Controlling Authentication with PAM

Section 5.1: Auditing the PAM Configuration

Section 5.2: Guided Exercise: Auditing the PAM Configuration

Section 5.3: Modifying the PAM Configuration

Section 5.4: Guided Exercise: Modifying the PAM Configuration

Section 5.5: Configuring Password Quality Requirements

Section 5.6: Guided Exercise: Configuring Password Quality Requirements

Section 5.7: Limiting Access After Failed Logins

Section 5.8: Guided Exercise: Limiting Access After Failed Logins

Section 5.9: Lab: Controlling Authentication with PAM

Section 5.10: Summary

Chapter 6: Recording System Events with Audit

Section 6.1: Configuring Audit to Record System Events

Section 6.2: Guided Exercise: Configuring Audit to Record System Events

Section 6.3: Inspecting Audit Logs

SectionSection 6.4: Guided Exercise: Inspecting Audit Logs

Section 6.5: Writing Custom Audit Rules

Section 6.6: Guided Exercise: Writing Custom Audit Rules

Section 6.7: Enabling Prepackaged Audit Rule Sets

Section 6.8: Guided Exercise: Enabling Prepackaged Audit Rule Sets

Section 6.9: Lab: Recording System Events with Audit

Section 6.10: Summary

Chapter 7: Monitoring File System Changes

Section 7.1: Detecting File System Changes with AIDE

Section 7.2: Guided Exercise: Detecting File System Changes with AIDE

Section 7.3: Investigating File System Changes with AIDE

Section 7.4: Guided Exercise: Investigating File System Changes with AIDE

Section 7.5: Lab: Monitoring File System Changes

Section 7.6: Summary

Chapter 8: Mitigating Risk with SELinux

Section 8.1: Enabling SELinux from the Disabled State

Section 8.2: Guided Exercise: Enabling SELinux from the Disabled State

Section 8.3: Controlling Access with Confined Users

Section 8.4: Guided Exercise: Controlling Access with Confined Users

Section 8.5: Auditing the SELinux Policy

Section 8.6: Guided Exercise: Auditing the SELinux Policy

Section 8.7: Lab: Mitigating Risk with SELinux

Section 8.8: Summary

Chapter 9: Managing Compliance with OpenSCAP

Section 9.1: Installing OpenSCAP

Section 9.2: Guided Exercise: Installing OpenSCAP

Section 9.3: Scanning and Analyzing Compliance

Section 9.4: Guided Exercise: Scanning and Analyzing Compliance

Section 9.5: Customizing OpenSCAP Policy

Section 9.6: Guided Exercise: Customizing OpenSCAP Policy

Section 9.7: Remediating OpenSCAP Issues with Ansible

Section 9.8: Guided Exercise: Remediating OpenSCAP Issues with Ansible

Section 9.9: Lab: Managing Compliance with OpenSCAP

Section 9.10: Summary

Chapter 10: Automating Compliance with Red Hat Satellite

Section 10.1: Configuring Red Hat Satellite for OpenSCAP

Section 10.2: Guided Exercise: Configuring Red Hat Satellite for OpenSCAP

Section 10.3: Scan OpenSCAP Compliance with Red Hat Satellite

Section 10.4: Guided Exercise: Scan OpenSCAP Compliance with Red Hat Satellite

Section 10.5: Customize the OpenSCAP Policy in Red Hat Satellite

Section 10.6: Guided Exercise: Customize OpenSCAP Policy in Red Hat Satellite

Section 10.7: Lab: Automating Compliance with Red Hat Satellite

Section 10.8: Summary

Chapter 11: Analyzing and Remediating Issues with Red Hat Insights

Section 11.1: Registering Systems with Red Hat Insights

Section 11.2: Quiz: Registering Systems with Red Hat Insights

Section 11.3: Reviewing Red Hat Insights Reports

Section 11.4: Quiz: Reviewing Red Hat Insights Reports

Section 11.5: Automating Issue Remediation

Section 11.6: Quiz: Automating Issue Remediation

Section 11.7: Summary

Chapter 12: Comprehensive Review

Section 12.1: Comprehensive Review

Section 12.2: Lab: Automating Configuration and Remediation with Ansible

Section 12.3: Lab: Protecting Data with LUKS and NBDE

Section 12.4: Lab: Restricting USB Device Access and Mitigating Risk with SELinux

Section 12.5: Lab: Recording Events, Monitoring File System Changes and Managing Compliance with OpenSCAP

Bookmark this page

P 1 2 3 4 5 6 7 8 9 10 11 12

Guided Exercise: Inspecting Audit Logs

In this exercise, you will search for events in your system, create reports for those events, and trace the execution of a command.

Outcomes

You should be able to search for events and generate reports from the audit log and interpret the results.

Verify that the workstation and servera systems are started.

Log in to workstation as student using student as the password. On workstation, run lab audit-inspect setup to verify that the environment is ready.

[student@workstation ~]$ lab audit-inspect setup

Generate a report of all login events on servera.
1. Log in to servera as student. No password is required.
```
[student@workstation ~]$ ssh student@servera
[student@servera ~]$ 
```
2. Use the sudo -i command to switch identity to the root user. Use student as the password.
```
[student@servera ~]$ sudo -i
[sudo] password for student: student
[root@servera ~]# 
```
3. Generate a report of all login events with the aureport command. Use the time stamps to determine the most recent login event from workstation.lab.example.com and take note of the event ID. In the following example it is event 188, but your output might be different.
```
[root@servera ~]# aureport --login

Login Report
============================================
# date time auid host term exe success event
===========================================
...output omitted...
5. 20/07/18 05:27:47 0 workstation.lab.example.com /dev/pts/0 /usr/sbin/sshd yes 188
```

Retrieve more information about the previous event with the ausearch command. Use the -i option to interpret the results to a more human-readable format.

[root@servera ~]# ausearch -i -a 188
...output omitted...
----
node=servera.lab.example.com type=USER_LOGIN msg=audit(31/07/18 05:58:55.418:188) : pid=1903 uid=root auid=student ses=33 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=student exe=/usr/sbin/sshd hostname=workstation.lab.example.com addr=172.25.250.254 terminal=/dev/pts/0 res=success'
----
...output omitted...

Use the aureport --summary command to generate an Executable Summary Report of command executions. Remember that not all commands are logged by default, but rather only commands that trigger audit events, such as su and sudo. The report may look different on your system.

[root@servera ~]# aureport --executable --summary

Executable Summary Report
=================================
total  file
=================================
498  /usr/sbin/crond
311  /usr/lib/systemd/systemd
243  /usr/sbin/sshd
112  /usr/sbin/xtables-multi
20  /usr/bin/kmod
20  /usr/bin/sudo
18  /usr/sbin/ebtables-restore
14  /usr/sbin/groupadd
8  /usr/sbin/useradd
6  /usr/lib/systemd/systemd-update-utmp
2  /usr/bin/passwd

Search for all audit events of the LOGIN type, and export them in CSV format. Store the results in a results.csv file for future use.

[root@servera ~]# ausearch -m LOGIN --format csv > results.csv
[root@servera ~]# cat results.csv
NODE,EVENT,DATE,TIME,SERIAL_NUM,EVENT_KIND,SESSION,SUBJ_PRIME,SUBJ_SEC,
SUBJ_KIND,ACTION,RESULT,OBJ_PRIME,OBJ_SEC,OBJ_KIND,HOW
,LOGIN,06/07/18,01:50:01,131,user-login,1,system,root,priviliged-acct,changed-login-id-to,success,root,,user-session,
,LOGIN,06/07/18,02:00:01,138,user-login,2,system,root,priviliged-acct,changed-login-id-to,success,root,,user-session,
,LOGIN,06/07/18,02:01:01,145,user-login,3,system,root,priviliged-acct,changed-login-id-to,success,root,,user-session,
...output omitted...

Use the audit system to trace the execution of the /bin/ls /tmp command. When done, create a file report for all files opened by the previous command.

[root@servera ~]# autrace /bin/ls /tmp
Waiting to execute: /bin/ls
rht-wks
systemd-private-08f64ec5ec4844079ef98aa1dbf95a3f-chronyd.service-xaEv5k
Cleaning up...
Trace complete. You can locate the records with 'ausearch -i -p 1355'

Use the ausearch -i -p 1355 command to review the records.

[root@servera ~]# ausearch -i -p 1355
...output omitted...
node=servera.lab.example.com type=PROCTITLE msg=audit(08/16/2018 04:18:15.506:485) : proctitle=autrace /bin/ls /tmp 
node=servera.lab.example.com type=SYSCALL msg=audit(08/16/2018 04:18:15.506:485) : arch=x86_64 syscall=close success=yes exit=0 a0=0x1 a1=0x7fa8cdcfe000 a2=0x7fa8cd49f858 a3=0x7fffdcefdf50 items=0 ppid=1925 pid=1927 auid=student uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=16 comm=ls exe=/usr/bin/ls subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
----
node=servera.lab.example.com type=PROCTITLE msg=audit(08/16/2018 04:18:15.506:486) : proctitle=autrace /bin/ls /tmp 
node=servera.lab.example.com type=SYSCALL msg=audit(08/16/2018 04:18:15.506:486) : arch=x86_64 syscall=munmap success=yes exit=0 a0=0x7fa8cdcfe000 a1=0x1000 a2=0x0 a3=0x7fffdcefdf50 items=0 ppid=1925 pid=1927 auid=student uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=16 comm=ls exe=/usr/bin/ls subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
----
node=servera.lab.example.com type=PROCTITLE msg=audit(08/16/2018 04:18:15.506:487) : proctitle=autrace /bin/ls /tmp 
node=servera.lab.example.com type=SYSCALL msg=audit(08/16/2018 04:18:15.506:487) : arch=x86_64 syscall=close success=yes exit=0 a0=0x2 a1=0x1 a2=0x7fa8cd49f858 a3=0x7fffdcefdf50 items=0 ppid=1925 pid=1927 auid=student uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=16 comm=ls exe=/usr/bin/ls subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
----
node=servera.lab.example.com type=PROCTITLE msg=audit(08/16/2018 04:18:15.506:488) : proctitle=autrace /bin/ls /tmp 
node=servera.lab.example.com type=SYSCALL msg=audit(08/16/2018 04:18:15.506:488) : arch=x86_64 syscall=exit_group a0=EXIT_SUCCESS a1=0x0 a2=0x0 a3=0xfffffffffffffe80 items=0 ppid=1925 pid=1927 auid=student uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=16 comm=ls exe=/usr/bin/ls subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

Use the ausearch -p 1355 --raw to review the records in the raw format.

[root@servera ~]# ausearch -p 1355 --raw
...output omitted...
node=servera.lab.example.com type=PROCTITLE msg=audit(1534407495.506:485): proctitle=61757472616365002F62696E2F6C73002F746D70
node=servera.lab.example.com type=SYSCALL msg=audit(1534407495.506:486): arch=c000003e syscall=11 success=yes exit=0 a0=7fa8cdcfe000 a1=1000 a2=0 a3=7fffdcefdf50 items=0 ppid=1925 pid=1927 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=16 comm="ls" exe="/usr/bin/ls" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)ARCH=x86_64 SYSCALL=munmap AUID="student" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
node=servera.lab.example.com type=PROCTITLE msg=audit(1534407495.506:486): proctitle=61757472616365002F62696E2F6C73002F746D70
node=servera.lab.example.com type=SYSCALL msg=audit(1534407495.506:487): arch=c000003e syscall=3 success=yes exit=0 a0=2 a1=1 a2=7fa8cd49f858 a3=7fffdcefdf50 items=0 ppid=1925 pid=1927 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=16 comm="ls" exe="/usr/bin/ls" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)ARCH=x86_64 SYSCALL=close AUID="student" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
node=servera.lab.example.com type=PROCTITLE msg=audit(1534407495.506:487): proctitle=61757472616365002F62696E2F6C73002F746D70
node=servera.lab.example.com type=SYSCALL msg=audit(1534407495.506:488): arch=c000003e syscall=231 a0=0 a1=0 a2=0 a3=fffffffffffffe80 items=0 ppid=1925 pid=1927 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=16 comm="ls" exe="/usr/bin/ls" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)ARCH=x86_64 SYSCALL=exit_group AUID="student" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
node=servera.lab.example.com type=PROCTITLE msg=audit(1534407495.506:488): proctitle=61757472616365002F62696E2F6C73002F746D70

Use the ausearch -p 1355 --raw|aureport -i file command to create a file report.

[root@servera ~]# ausearch -p 1355 --raw | aureport -i --file

File Report
===============================================
# date time file syscall success exe auid event
===============================================
1. 08/16/2018 04:30:28 /bin/ls execve yes /usr/bin/ls student 513
2. 08/16/2018 04:30:28 /etc/ld.so.preload access no /usr/bin/ls student 516
3. 08/16/2018 04:30:28 /etc/ld.so.cache open yes /usr/bin/ls student 517
4. 08/16/2018 04:30:28 /lib64/libselinux.so.1 open yes /usr/bin/ls student 521
5. 08/16/2018 04:30:28 /lib64/libcap.so.2 open yes /usr/bin/ls student 529
...output omitted...

Repeat the trace above, but now with the /bin/ls -l /tmp command. Note that the -l option triggers a call to the lstat system call that provides additional detailed information, such as permissions or size. When done, log off from servera.

[root@servera ~]# autrace /bin/ls -l /tmp
Waiting to execute: /bin/ls
total 72
-rwxr-xr-x. 1 root root 57361 Aug 13 08:38 bootstrap.py
-rw-r--r--. 1 root root   126 Aug 13 08:37 rht
-rw-r--r--. 1 root root   450 Aug 13 08:37 rht-vm-hosts
-rw-r--r--. 1 root root   182 Aug 16 02:53 rht-wks
drwx------. 3 root root    17 Aug 16 02:53 systemd-private-b4bd7591032b4e559ac599215de5aa02-chronyd.service-d0Vznl
Cleaning up...
Trace complete. You can locate the records with 'ausearch -i -p 1961'
[root@servera ~]# logout
[student@servera ~]$ logout
[student@workstation ~]$

Cleanup

From workstation, run the lab audit-inspect cleanup script to clean up this exercise.

[student@workstation ~]$ lab audit-inspect cleanup

This concludes the guided exercise.

Discuss Red Hat Security: Linux in Physical, Virtual, and Cloud

Go to community

Welcome to the Red Hat Security: Linux in Physical, Virtual, and Cloud (RH415) group!

Deanna

26 wrz 2023

We are excited to launch a space dedicated to the Red Hat Training course Red Hat Security: Linux in Physical, Virtual, and Cloud! To gain the most value from this group - click the "Join Group" button in the upper right hand corner of the group home page.We encourage group members to collaborate in this group to discuss topics, ask questions, share best practices and tips, provide course feedback, and share their accomplishments as it relates to RH415.Read more about Red Hat Security: Linux in Physical, Virtual, and Cloud here.

415

Revision: rh415-7.5-b847083