RH415 - ch06s07

This course is now legacy content

This course is using an outdated version of the technology and is now considered to be Legacy content. It will be removed from our catalog on June 28, 2024. Please be sure to complete your course and finish any remaining labs before that date. We recommend moving to version 9.2, which is the latest version currently available.

Preface A: Introduction

Section A.1: Red Hat Security: Linux in Physical, Virtual, and Cloud

Section A.2: Orientation to the Classroom Environment

Section A.3: Internationalization

Chapter 1: Managing Security and Risk

Section 1.1: Managing Security and Risk

Section 1.2: Quiz: Managing Security and Risk

Section 1.3: Reviewing Recommended Security Practices

Section 1.4: Guided Exercise: Reviewing Recommended Security Practices

Section 1.5: Lab: Managing Security and Risk

Section 1.6: Summary

Chapter 2: Automating Configuration and Remediation with Ansible

Section 2.1: Configuring Ansible for Security Automation

Section 2.2: Guided Exercise: Configuring Ansible for Security Automation

Section 2.3: Remediating Issues with Ansible Playbooks

Section 2.4: Guided Exercise: Remediating Issues with Ansible Playbooks

Section 2.5: Managing Playbooks with Red Hat Ansible Tower

Section 2.6: Guided Exercise: Managing Playbooks with Red Hat Ansible Tower

Section 2.7: Lab: Automating Configuration and Remediation with Ansible

Section 2.8: Summary

Chapter 3: Protecting Data with LUKS and NBDE

Section 3.1: Managing File System Encryption with LUKS

Section 3.2: Guided Exercise: Managing File System Encryption with LUKS

Section 3.3: Controlling File System Decryption with NBDE

Section 3.4: Guided Exercise: Controlling File System Decryption with NBDE

Section 3.5: Lab: Protecting Data with LUKS and NBDE

Section 3.6: Summary

Chapter 4: Restricting USB Device Access

Section 4.1: Controlling USB Access with USBGuard

Section 4.2: Guided Exercise: Controlling USB access with USBGuard

Section 4.3: Lab: Restricting USB Device Access

Section 4.4: Summary

Chapter 5: Controlling Authentication with PAM

Section 5.1: Auditing the PAM Configuration

Section 5.2: Guided Exercise: Auditing the PAM Configuration

Section 5.3: Modifying the PAM Configuration

Section 5.4: Guided Exercise: Modifying the PAM Configuration

Section 5.5: Configuring Password Quality Requirements

Section 5.6: Guided Exercise: Configuring Password Quality Requirements

Section 5.7: Limiting Access After Failed Logins

Section 5.8: Guided Exercise: Limiting Access After Failed Logins

Section 5.9: Lab: Controlling Authentication with PAM

Section 5.10: Summary

Chapter 6: Recording System Events with Audit

Section 6.1: Configuring Audit to Record System Events

Section 6.2: Guided Exercise: Configuring Audit to Record System Events

Section 6.3: Inspecting Audit Logs

Section 6.4: Guided Exercise: Inspecting Audit Logs

Section 6.5: Writing Custom Audit Rules

Section 6.6: Guided Exercise: Writing Custom Audit Rules

SectionSection 6.7: Enabling Prepackaged Audit Rule Sets

Section 6.8: Guided Exercise: Enabling Prepackaged Audit Rule Sets

Section 6.9: Lab: Recording System Events with Audit

Section 6.10: Summary

Chapter 7: Monitoring File System Changes

Section 7.1: Detecting File System Changes with AIDE

Section 7.2: Guided Exercise: Detecting File System Changes with AIDE

Section 7.3: Investigating File System Changes with AIDE

Section 7.4: Guided Exercise: Investigating File System Changes with AIDE

Section 7.5: Lab: Monitoring File System Changes

Section 7.6: Summary

Chapter 8: Mitigating Risk with SELinux

Section 8.1: Enabling SELinux from the Disabled State

Section 8.2: Guided Exercise: Enabling SELinux from the Disabled State

Section 8.3: Controlling Access with Confined Users

Section 8.4: Guided Exercise: Controlling Access with Confined Users

Section 8.5: Auditing the SELinux Policy

Section 8.6: Guided Exercise: Auditing the SELinux Policy

Section 8.7: Lab: Mitigating Risk with SELinux

Section 8.8: Summary

Chapter 9: Managing Compliance with OpenSCAP

Section 9.1: Installing OpenSCAP

Section 9.2: Guided Exercise: Installing OpenSCAP

Section 9.3: Scanning and Analyzing Compliance

Section 9.4: Guided Exercise: Scanning and Analyzing Compliance

Section 9.5: Customizing OpenSCAP Policy

Section 9.6: Guided Exercise: Customizing OpenSCAP Policy

Section 9.7: Remediating OpenSCAP Issues with Ansible

Section 9.8: Guided Exercise: Remediating OpenSCAP Issues with Ansible

Section 9.9: Lab: Managing Compliance with OpenSCAP

Section 9.10: Summary

Chapter 10: Automating Compliance with Red Hat Satellite

Section 10.1: Configuring Red Hat Satellite for OpenSCAP

Section 10.2: Guided Exercise: Configuring Red Hat Satellite for OpenSCAP

Section 10.3: Scan OpenSCAP Compliance with Red Hat Satellite

Section 10.4: Guided Exercise: Scan OpenSCAP Compliance with Red Hat Satellite

Section 10.5: Customize the OpenSCAP Policy in Red Hat Satellite

Section 10.6: Guided Exercise: Customize OpenSCAP Policy in Red Hat Satellite

Section 10.7: Lab: Automating Compliance with Red Hat Satellite

Section 10.8: Summary

Chapter 11: Analyzing and Remediating Issues with Red Hat Insights

Section 11.1: Registering Systems with Red Hat Insights

Section 11.2: Quiz: Registering Systems with Red Hat Insights

Section 11.3: Reviewing Red Hat Insights Reports

Section 11.4: Quiz: Reviewing Red Hat Insights Reports

Section 11.5: Automating Issue Remediation

Section 11.6: Quiz: Automating Issue Remediation

Section 11.7: Summary

Chapter 12: Comprehensive Review

Section 12.1: Comprehensive Review

Section 12.2: Lab: Automating Configuration and Remediation with Ansible

Section 12.3: Lab: Protecting Data with LUKS and NBDE

Section 12.4: Lab: Restricting USB Device Access and Mitigating Risk with SELinux

Section 12.5: Lab: Recording Events, Monitoring File System Changes and Managing Compliance with OpenSCAP

Bookmark this page

P 1 2 3 4 5 6 7 8 9 10 11 12

Enabling Prepackaged Audit Rule Sets

Objectives

After completing this section, students should be able to enable standard Audit rule sets provided with Red Hat Enterprise Linux and identify potentially useful rule sets.

Prepackaged Audit Rule Sets

When you need to implement a practical security policy, you should look at the prepackaged rule sets that ship with the audit package. These rules are available in the /usr/share/doc/audit-*/rules directory as files with the suffix .rules. The /usr/share/doc/audit-*/rules/README-rules file provides some basic background, and the individual rule files contain comments on how they should be used and whether additional rule files should also be loaded.

The names of the rule files each start with a number to help ensure that they are loaded in the correct order. Remember that order is important when loading rules.

Some of the provided rule files include:

30-nispom.rules, which is intended to meet the requirements of the Information System Security chapter of the National Industrial Security Program Operating Manual.
30-pci-dss-v31.rules, which is intended to meet the requirements set by Payment Card Industry Data Security Standard (PCI DSS) v3.1.
30-stig.rules, which is intended to meet the requirements set by US Department of Defense Security Technical Implementation Guides (STIG).

Additional example rule files are also provided. Each rule file contains several individual rules. Only the uncommented rules are enabled for loading and you should not enable all of the rules in the file at the same time. If you do, some of the rules may not match in the way you expected.

Enabling Prepackaged Rule Sets

To use one of these prepackaged rule sets, copy the .rules file or files to the /etc/audit/rules.d directory, and run the augenrules --load command to reload the Audit rules. These example files do not guarantee full compliance as written, but give you a starting point to configure your environment.

After copying one of these default rule sets you need to review the file and follow any instructions to enable or disable certain rules for your environment. For example, the 99-finalize.rules file contains a commented-out control rule to make the rule configuration immutable. You need to enable that for production.

Full Terminal Keystroke Logging

Some auditing policies require that every keystroke a user makes is logged. Audit provides this functionality in conjunction with the pam_tty_audit PAM module. Every keystroke is then recorded in the audit log (/var/log/audit/audit.log).

To enable keystroke logging, you have to add the pam_tty_audit module to the /etc/pam.d/system-auth and the /etc/pam.d/password-auth files, so all daemons started by the system that implement some form of terminal functionality have their keystrokes logged as well, unless explicitly disabled in their PAM configuration.

Note

The pam_tty_audit.so module only implements session functionality. Adding the module to any other section in PAM prevents any user from logging in at all.

The pam_tty_audit module takes either the enable or the disable options. Both options take as arguments a comma-separated list of patterns for user names to enable and disable, respectively. The following example enables keystroke logging for the demo user, and disables it for all other users.

[root@demo ~]# vi /etc/pam.d/system-auth
...output omitted...
session required pam_tty_audit.so disable=* enable=demo
...output omitted...
[root@demo ~]# vi /etc/pam.d/password-auth
...output omitted...
session required pam_tty_audit.so disable=* enable=demo
...output omitted...

If both an enable= pattern and a disable= pattern match a user, the last one on the command line applies.

To convert the data logged in the Audit system to a more readable format, you can use the aureport --tty command.

Important

Keystroke logging may require a large amount of storage on the system. You should consider this before enabling this functionality.

In addition, there may be certain legal restrictions or requirements on the use of keystroke logging in your location or the location of your data centers and users. You should discuss these questions with your legal counsel before implementing keystroke logging.

References

pam_tty_audit(8) man page

For more information, refer to the System Auditing chapter in the Red Hat Enterprise Linux 7 Security Guide at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/security_guide/#chap-system_auditing

Discuss Red Hat Security: Linux in Physical, Virtual, and Cloud

Go to community

Welcome to the Red Hat Security: Linux in Physical, Virtual, and Cloud (RH415) group!

Deanna

26 wrz 2023

We are excited to launch a space dedicated to the Red Hat Training course Red Hat Security: Linux in Physical, Virtual, and Cloud! To gain the most value from this group - click the "Join Group" button in the upper right hand corner of the group home page.We encourage group members to collaborate in this group to discuss topics, ask questions, share best practices and tips, provide course feedback, and share their accomplishments as it relates to RH415.Read more about Red Hat Security: Linux in Physical, Virtual, and Cloud here.

415

Revision: rh415-7.5-b847083