RH415 - ch06s06

This course is now legacy content

This course is using an outdated version of the technology and is now considered to be Legacy content. It will be removed from our catalog on June 28, 2024. Please be sure to complete your course and finish any remaining labs before that date. We recommend moving to version 9.2, which is the latest version currently available.

Preface A: Introduction

Section A.1: Red Hat Security: Linux in Physical, Virtual, and Cloud

Section A.2: Orientation to the Classroom Environment

Section A.3: Internationalization

Chapter 1: Managing Security and Risk

Section 1.1: Managing Security and Risk

Section 1.2: Quiz: Managing Security and Risk

Section 1.3: Reviewing Recommended Security Practices

Section 1.4: Guided Exercise: Reviewing Recommended Security Practices

Section 1.5: Lab: Managing Security and Risk

Section 1.6: Summary

Chapter 2: Automating Configuration and Remediation with Ansible

Section 2.1: Configuring Ansible for Security Automation

Section 2.2: Guided Exercise: Configuring Ansible for Security Automation

Section 2.3: Remediating Issues with Ansible Playbooks

Section 2.4: Guided Exercise: Remediating Issues with Ansible Playbooks

Section 2.5: Managing Playbooks with Red Hat Ansible Tower

Section 2.6: Guided Exercise: Managing Playbooks with Red Hat Ansible Tower

Section 2.7: Lab: Automating Configuration and Remediation with Ansible

Section 2.8: Summary

Chapter 3: Protecting Data with LUKS and NBDE

Section 3.1: Managing File System Encryption with LUKS

Section 3.2: Guided Exercise: Managing File System Encryption with LUKS

Section 3.3: Controlling File System Decryption with NBDE

Section 3.4: Guided Exercise: Controlling File System Decryption with NBDE

Section 3.5: Lab: Protecting Data with LUKS and NBDE

Section 3.6: Summary

Chapter 4: Restricting USB Device Access

Section 4.1: Controlling USB Access with USBGuard

Section 4.2: Guided Exercise: Controlling USB access with USBGuard

Section 4.3: Lab: Restricting USB Device Access

Section 4.4: Summary

Chapter 5: Controlling Authentication with PAM

Section 5.1: Auditing the PAM Configuration

Section 5.2: Guided Exercise: Auditing the PAM Configuration

Section 5.3: Modifying the PAM Configuration

Section 5.4: Guided Exercise: Modifying the PAM Configuration

Section 5.5: Configuring Password Quality Requirements

Section 5.6: Guided Exercise: Configuring Password Quality Requirements

Section 5.7: Limiting Access After Failed Logins

Section 5.8: Guided Exercise: Limiting Access After Failed Logins

Section 5.9: Lab: Controlling Authentication with PAM

Section 5.10: Summary

Chapter 6: Recording System Events with Audit

Section 6.1: Configuring Audit to Record System Events

Section 6.2: Guided Exercise: Configuring Audit to Record System Events

Section 6.3: Inspecting Audit Logs

Section 6.4: Guided Exercise: Inspecting Audit Logs

Section 6.5: Writing Custom Audit Rules

SectionSection 6.6: Guided Exercise: Writing Custom Audit Rules

Section 6.7: Enabling Prepackaged Audit Rule Sets

Section 6.8: Guided Exercise: Enabling Prepackaged Audit Rule Sets

Section 6.9: Lab: Recording System Events with Audit

Section 6.10: Summary

Chapter 7: Monitoring File System Changes

Section 7.1: Detecting File System Changes with AIDE

Section 7.2: Guided Exercise: Detecting File System Changes with AIDE

Section 7.3: Investigating File System Changes with AIDE

Section 7.4: Guided Exercise: Investigating File System Changes with AIDE

Section 7.5: Lab: Monitoring File System Changes

Section 7.6: Summary

Chapter 8: Mitigating Risk with SELinux

Section 8.1: Enabling SELinux from the Disabled State

Section 8.2: Guided Exercise: Enabling SELinux from the Disabled State

Section 8.3: Controlling Access with Confined Users

Section 8.4: Guided Exercise: Controlling Access with Confined Users

Section 8.5: Auditing the SELinux Policy

Section 8.6: Guided Exercise: Auditing the SELinux Policy

Section 8.7: Lab: Mitigating Risk with SELinux

Section 8.8: Summary

Chapter 9: Managing Compliance with OpenSCAP

Section 9.1: Installing OpenSCAP

Section 9.2: Guided Exercise: Installing OpenSCAP

Section 9.3: Scanning and Analyzing Compliance

Section 9.4: Guided Exercise: Scanning and Analyzing Compliance

Section 9.5: Customizing OpenSCAP Policy

Section 9.6: Guided Exercise: Customizing OpenSCAP Policy

Section 9.7: Remediating OpenSCAP Issues with Ansible

Section 9.8: Guided Exercise: Remediating OpenSCAP Issues with Ansible

Section 9.9: Lab: Managing Compliance with OpenSCAP

Section 9.10: Summary

Chapter 10: Automating Compliance with Red Hat Satellite

Section 10.1: Configuring Red Hat Satellite for OpenSCAP

Section 10.2: Guided Exercise: Configuring Red Hat Satellite for OpenSCAP

Section 10.3: Scan OpenSCAP Compliance with Red Hat Satellite

Section 10.4: Guided Exercise: Scan OpenSCAP Compliance with Red Hat Satellite

Section 10.5: Customize the OpenSCAP Policy in Red Hat Satellite

Section 10.6: Guided Exercise: Customize OpenSCAP Policy in Red Hat Satellite

Section 10.7: Lab: Automating Compliance with Red Hat Satellite

Section 10.8: Summary

Chapter 11: Analyzing and Remediating Issues with Red Hat Insights

Section 11.1: Registering Systems with Red Hat Insights

Section 11.2: Quiz: Registering Systems with Red Hat Insights

Section 11.3: Reviewing Red Hat Insights Reports

Section 11.4: Quiz: Reviewing Red Hat Insights Reports

Section 11.5: Automating Issue Remediation

Section 11.6: Quiz: Automating Issue Remediation

Section 11.7: Summary

Chapter 12: Comprehensive Review

Section 12.1: Comprehensive Review

Section 12.2: Lab: Automating Configuration and Remediation with Ansible

Section 12.3: Lab: Protecting Data with LUKS and NBDE

Section 12.4: Lab: Restricting USB Device Access and Mitigating Risk with SELinux

Section 12.5: Lab: Recording Events, Monitoring File System Changes and Managing Compliance with OpenSCAP

Bookmark this page

P 1 2 3 4 5 6 7 8 9 10 11 12

Guided Exercise: Writing Custom Audit Rules

In this exercise, you will write your own audit rules to configure the system to collect information about particular events.

Outcomes

You should be able to write custom audit rules.

Verify that the workstation and servera systems are started.

Log in to workstation as student using student as the password. On workstation, run lab audit-custom setup to verify that the environment is ready.

[student@workstation ~]$ lab audit-custom setup

On servera, add a temporary audit rule that logs every write or attribute change to any file in the /etc directory. Add the config-change key to all log messages.

[student@workstation ~]$ ssh student@servera
[student@servera ~]$

Use the sudo -i command to switch identity to the root user. Use student as the password.
```
[student@servera ~]$ sudo -i
[sudo] password for student: student
[root@servera ~]# 
```
Use the auditctl command to add a temporary audit rule that logs every write or attribute change to any file in the /etc directory. Add the config-change key to all log messages.
```
[root@servera ~]# auditctl -w /etc/ -p wa -k config-change
```

Create an empty file called /etc/sysconfig/testfile. When done, check your audit logs for all of today's entries with the config-change key.

[root@servera ~]# touch /etc/sysconfig/testfile
[root@servera ~]# ausearch --start today -k config-change
...output omitted...
node=servera.lab.example.com type=PATH msg=audit(1533031842.107:970): item=1 name="/etc/sysconfig/testfile" inode=8409786 dev=fc:11 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:etc_t:s0 objtype=CREATE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
node=servera.lab.example.com type=PATH msg=audit(1533031842.107:970): item=0 name="/etc/sysconfig/" inode=8409953 dev=fc:11 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 objtype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
node=servera.lab.example.com type=CWD msg=audit(1533031842.107:970):  cwd="/root"
node=servera.lab.example.com type=SYSCALL msg=audit(1533031842.107:970): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd20632713 a1=941 a2=1b6 a3=7ffd20631a90 items=2 ppid=2153 pid=2187 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=38 comm="touch" exe="/usr/bin/touch" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="config-change"
...output omitted...

Add a temporary audit rule that logs any execution of a file in the /bin/ directory by a user with an Audit UID of 500 or higher, and an Effective UID of 0. Use the privileged-execution key.
1. Add a temporary audit rule that logs any execution of a file in the /bin/ directory by a user with an Audit UID of 500 or higher, and an Effective UID of 0. Log these audit messages with the privileged-execution key.
```
[root@servera ~]# auditctl -w /bin/ -p x -F "auid>=500" -F "euid=0" \
> -k privileged-execution
```
2. Execute /bin/true. When done, run an audit search on all of this week's entries with the key privileged-execution.
```
[root@servera ~]# /bin/true
[root@servera ~]# ausearch --start this-week -i \
> -k privileged-execution
----
node=servera.lab.example.com type=CONFIG_CHANGE msg=audit(31/07/18 06:12:03.868:971) : auid=student ses=38 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op=add_rule key=privileged-execution list=exit res=yes
```

Persistently add an audit rule to your system that audits all system calls for all users with an Audit UID of 500 or higher. Ensure you specify the rule for both the b32 and b64 system architectures. Give these rules an identifier key of delete. Make sure to exclude auid=4294967295 from these rules.

unlink
unlinkat
rename
renameat

Add the following two lines to /etc/audit/rules.d/audit.rules:

-a exit,always -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
-a exit,always -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete

Restart the auditd service to activate your changes.
```
[root@servera ~]# service auditd restart
```

As student, create and then immediately delete an empty file called /tmp/testfile.

[root@servera ~]# logout
[student@servera ~]$ touch /tmp/testfile; rm /tmp/testfile

As root, search for all audit messages with the key delete and the path name /tmp/testfile for this year. When done, log off from servera

[student@servera ~]$ sudo -i
[root@servera ~]# ausearch --start this-year -i -k delete \
> -f /tmp/testfile
----
node=servera.lab.example.com type=PROCTITLE msg=audit(31/07/18 06:14:54.105:990) : proctitle=rm /tmp/testfile
node=servera.lab.example.com type=PATH msg=audit(31/07/18 06:14:54.105:990) : item=1 name=/tmp/testfile inode=79926 dev=fc:11 mode=file,664 ouid=student ogid=student rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 objtype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
node=servera.lab.example.com type=PATH msg=audit(31/07/18 06:14:54.105:990) : item=0 name=/tmp/ inode=82 dev=fc:11 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0 objtype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
node=servera.lab.example.com type=CWD msg=audit(31/07/18 06:14:54.105:990) :  cwd=/home/student
node=servera.lab.example.com type=SYSCALL msg=audit(31/07/18 06:14:54.105:990) : arch=x86_64 syscall=unlinkat success=yes exit=0 a0=0xffffffffffffff9c a1=0x1fb2ff0 a2=0x0 a3=0x7ffdcc070c30 items=2 ppid=2108 pid=2252 auid=student uid=student gid=student euid=student suid=student fsuid=student egid=student sgid=student fsgid=student tty=pts1 ses=38 comm=rm exe=/usr/bin/rm subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=delete
[root@servera ~]# logout
[student@servera ~]$ logout
[student@workstation ~]$

Cleanup

On workstation, run the lab audit-custom cleanup script to clean up this exercise.

[student@workstation ~]$ lab audit-custom cleanup

This concludes the guided exercise.

Discuss Red Hat Security: Linux in Physical, Virtual, and Cloud

Go to community

Welcome to the Red Hat Security: Linux in Physical, Virtual, and Cloud (RH415) group!

Deanna

26 wrz 2023

We are excited to launch a space dedicated to the Red Hat Training course Red Hat Security: Linux in Physical, Virtual, and Cloud! To gain the most value from this group - click the "Join Group" button in the upper right hand corner of the group home page.We encourage group members to collaborate in this group to discuss topics, ask questions, share best practices and tips, provide course feedback, and share their accomplishments as it relates to RH415.Read more about Red Hat Security: Linux in Physical, Virtual, and Cloud here.

415

Revision: rh415-7.5-813735c