RH415 - ch06s09

This course is now legacy content

This course is using an outdated version of the technology and is now considered to be Legacy content. It will be removed from our catalog on June 28, 2024. Please be sure to complete your course and finish any remaining labs before that date. We recommend moving to version 9.2, which is the latest version currently available.

Preface A: Introduction

Section A.1: Red Hat Security: Linux in Physical, Virtual, and Cloud

Section A.2: Orientation to the Classroom Environment

Section A.3: Internationalization

Chapter 1: Managing Security and Risk

Section 1.1: Managing Security and Risk

Section 1.2: Quiz: Managing Security and Risk

Section 1.3: Reviewing Recommended Security Practices

Section 1.4: Guided Exercise: Reviewing Recommended Security Practices

Section 1.5: Lab: Managing Security and Risk

Section 1.6: Summary

Chapter 2: Automating Configuration and Remediation with Ansible

Section 2.1: Configuring Ansible for Security Automation

Section 2.2: Guided Exercise: Configuring Ansible for Security Automation

Section 2.3: Remediating Issues with Ansible Playbooks

Section 2.4: Guided Exercise: Remediating Issues with Ansible Playbooks

Section 2.5: Managing Playbooks with Red Hat Ansible Tower

Section 2.6: Guided Exercise: Managing Playbooks with Red Hat Ansible Tower

Section 2.7: Lab: Automating Configuration and Remediation with Ansible

Section 2.8: Summary

Chapter 3: Protecting Data with LUKS and NBDE

Section 3.1: Managing File System Encryption with LUKS

Section 3.2: Guided Exercise: Managing File System Encryption with LUKS

Section 3.3: Controlling File System Decryption with NBDE

Section 3.4: Guided Exercise: Controlling File System Decryption with NBDE

Section 3.5: Lab: Protecting Data with LUKS and NBDE

Section 3.6: Summary

Chapter 4: Restricting USB Device Access

Section 4.1: Controlling USB Access with USBGuard

Section 4.2: Guided Exercise: Controlling USB access with USBGuard

Section 4.3: Lab: Restricting USB Device Access

Section 4.4: Summary

Chapter 5: Controlling Authentication with PAM

Section 5.1: Auditing the PAM Configuration

Section 5.2: Guided Exercise: Auditing the PAM Configuration

Section 5.3: Modifying the PAM Configuration

Section 5.4: Guided Exercise: Modifying the PAM Configuration

Section 5.5: Configuring Password Quality Requirements

Section 5.6: Guided Exercise: Configuring Password Quality Requirements

Section 5.7: Limiting Access After Failed Logins

Section 5.8: Guided Exercise: Limiting Access After Failed Logins

Section 5.9: Lab: Controlling Authentication with PAM

Section 5.10: Summary

Chapter 6: Recording System Events with Audit

Section 6.1: Configuring Audit to Record System Events

Section 6.2: Guided Exercise: Configuring Audit to Record System Events

Section 6.3: Inspecting Audit Logs

Section 6.4: Guided Exercise: Inspecting Audit Logs

Section 6.5: Writing Custom Audit Rules

Section 6.6: Guided Exercise: Writing Custom Audit Rules

Section 6.7: Enabling Prepackaged Audit Rule Sets

Section 6.8: Guided Exercise: Enabling Prepackaged Audit Rule Sets

SectionSection 6.9: Lab: Recording System Events with Audit

Section 6.10: Summary

Chapter 7: Monitoring File System Changes

Section 7.1: Detecting File System Changes with AIDE

Section 7.2: Guided Exercise: Detecting File System Changes with AIDE

Section 7.3: Investigating File System Changes with AIDE

Section 7.4: Guided Exercise: Investigating File System Changes with AIDE

Section 7.5: Lab: Monitoring File System Changes

Section 7.6: Summary

Chapter 8: Mitigating Risk with SELinux

Section 8.1: Enabling SELinux from the Disabled State

Section 8.2: Guided Exercise: Enabling SELinux from the Disabled State

Section 8.3: Controlling Access with Confined Users

Section 8.4: Guided Exercise: Controlling Access with Confined Users

Section 8.5: Auditing the SELinux Policy

Section 8.6: Guided Exercise: Auditing the SELinux Policy

Section 8.7: Lab: Mitigating Risk with SELinux

Section 8.8: Summary

Chapter 9: Managing Compliance with OpenSCAP

Section 9.1: Installing OpenSCAP

Section 9.2: Guided Exercise: Installing OpenSCAP

Section 9.3: Scanning and Analyzing Compliance

Section 9.4: Guided Exercise: Scanning and Analyzing Compliance

Section 9.5: Customizing OpenSCAP Policy

Section 9.6: Guided Exercise: Customizing OpenSCAP Policy

Section 9.7: Remediating OpenSCAP Issues with Ansible

Section 9.8: Guided Exercise: Remediating OpenSCAP Issues with Ansible

Section 9.9: Lab: Managing Compliance with OpenSCAP

Section 9.10: Summary

Chapter 10: Automating Compliance with Red Hat Satellite

Section 10.1: Configuring Red Hat Satellite for OpenSCAP

Section 10.2: Guided Exercise: Configuring Red Hat Satellite for OpenSCAP

Section 10.3: Scan OpenSCAP Compliance with Red Hat Satellite

Section 10.4: Guided Exercise: Scan OpenSCAP Compliance with Red Hat Satellite

Section 10.5: Customize the OpenSCAP Policy in Red Hat Satellite

Section 10.6: Guided Exercise: Customize OpenSCAP Policy in Red Hat Satellite

Section 10.7: Lab: Automating Compliance with Red Hat Satellite

Section 10.8: Summary

Chapter 11: Analyzing and Remediating Issues with Red Hat Insights

Section 11.1: Registering Systems with Red Hat Insights

Section 11.2: Quiz: Registering Systems with Red Hat Insights

Section 11.3: Reviewing Red Hat Insights Reports

Section 11.4: Quiz: Reviewing Red Hat Insights Reports

Section 11.5: Automating Issue Remediation

Section 11.6: Quiz: Automating Issue Remediation

Section 11.7: Summary

Chapter 12: Comprehensive Review

Section 12.1: Comprehensive Review

Section 12.2: Lab: Automating Configuration and Remediation with Ansible

Section 12.3: Lab: Protecting Data with LUKS and NBDE

Section 12.4: Lab: Restricting USB Device Access and Mitigating Risk with SELinux

Section 12.5: Lab: Recording Events, Monitoring File System Changes and Managing Compliance with OpenSCAP

Bookmark this page

P 1 2 3 4 5 6 7 8 9 10 11 12

Lab: Recording System Events with Audit

Performance Checklist

In this lab, you will configure remote Audit logs, enable prepackaged STIG Audit rules, and audit TTY.

Outcomes

You should be able to:

Configure remote Audit logs.
Enable prepackaged Audit rules.
Enable auditing of TTY.

Verify that the workstation, servera, and serverb systems are started.

Log in to workstation as student using student as the password. On workstation, run lab audit-review setup to verify that the environment is ready.

[student@workstation ~]$ lab audit-review setup

Configure the Audit service on servera to send audit messages to the Audit service on serverb.
Log in to servera as student. No password is required.
[student@workstation ~]$ ssh student@servera [student@servera ~]$
Use the sudo -i command to switch identity to the root user. Use student as the password.
[student@servera ~]$ sudo -i [sudo] password for student: student [root@servera ~]#
Install the audispd-plugins package.
[root@servera ~]# yum -y install audispd-plugins
In the /etc/audisp/plugins.d/au-remote.conf file, set the value for the active variable to yes to enable remote logging.
[root@servera ~]# vi /etc/audisp/plugins.d/au-remote.conf ...output omitted... active = yes ...output omitted...
In the /etc/audisp/audisp-remote.conf file, set the remote_server variable to the IP address of the remote logging server in our environment, serverb.lab.example.com. Also, set the port to be used in the remote logging server, 60 by default.
[root@servera ~]# vi /etc/audisp/audisp-remote.conf ...output omitted... remote_server = 172.25.250.11 port = 60 ...output omitted...
Restart the auditd service to update its configuration. When done, log off from servera.
[root@servera ~]# service auditd restart [root@servera ~]# logout [student@servera ~]$ logout [student@workstation ~]$
Configure the Audit service on serverb to accept the audit messages from the Audit service on servera.
Log in to serverb as student. No password is required.
[student@workstation ~]$ ssh student@serverb [student@serverb ~]$
Use the sudo -i command to switch identity to the root user. Use student as the password.
[student@serverb ~]$ sudo -i [sudo] password for student: student [root@serverb ~]#
In the /etc/audit/auditd.conf file, uncomment the tcp_listen_port variable, and set its value to 60 so that the Audit service listens on TCP port 60.
[root@serverb ~]# vi /etc/audit/auditd.conf ...output omitted... tcp_listen_port = 60 ...output omitted...
Open TCP port 60 to enable access to the Audit server.
[root@serverb ~]# firewall-cmd --zone=public --add-port=60/tcp \ > --permanent success [root@serverb ~]# firewall-cmd --reload success
Restart the auditd service to update its configuration. When done, log off from serverb.
[root@serverb ~]# service auditd restart [root@serverb ~]# logout [student@serverb ~]$ logout [student@workstation ~]$

[student@workstation ~]$ ssh student@servera
[student@servera ~]$

Use the sudo -i command to switch identity to the root user. Use student as the password. When done, log off from servera.

[student@servera ~]$ sudo -i
[sudo] password for student: student
[root@servera ~]# logout
[student@servera ~]$ logout
[student@workstation ~]$

[student@workstation ~]$ ssh student@serverb
[student@serverb ~]$

Use the sudo -i command to switch identity to the root user. Use student as the password.
```
[student@serverb ~]$ sudo -i
[sudo] password for student: student
[root@serverb ~]# 
```

Verify that new entry in the Audit log file exists for the message created on servera. When done, log off from serverb.

[root@serverb ~]$ grep servera /var/log/audit/audit.log
...output omitted...
node=servera.lab.example.com type=CRYPTO_KEY_USER msg=audit(1532102732.526:419): pid=2378 uid=0 auid=0 ses=28 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:67:d3:(...):87:9f direction=? spid=2378 suid=0  exe="/usr/sbin/sshd" hostname=servera.lab.example.com addr=? terminal=pts/1 res=success' UID="root" AUID="root" SUID="root"
node=servera.lab.example.com type=CRYPTO_KEY_USER msg=audit(1532102732.526:420): pid=2378 uid=0 auid=0 ses=28 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:04:c7:(...):1d:12 direction=? spid=2378 suid=0  exe="/usr/sbin/sshd" hostname=servera.lab.example.com addr=? terminal=pts/1 res=success' UID="root" AUID="root" SUID="root"
node=servera.lab.example.com type=CRYPTO_KEY_USER msg=audit(1532102732.526:421): pid=2378 uid=0 auid=0 ses=28 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:f6:bd:(...):12:82 direction=? spid=2378 suid=0  exe="/usr/sbin/sshd" hostname=servera.lab.example.com addr=? terminal=pts/1 res=success' UID="root" AUID="root" SUID="root"
...output omitted...
[root@serverb ~]# logout
[student@serverb ~]$ logout
[student@workstation ~]$

Enable the prepackaged STIG Audit rules on servera.
Log in to servera as student. No password is required.
[student@workstation ~]$ ssh student@servera [student@servera ~]$
Use the sudo -i command to switch identity to the root user. Use student as the password.
[student@servera ~]$ sudo -i [sudo] password for student: student [root@servera ~]#
Copy the /usr/share/doc/audit-2.8.1/rules/30-stig.rules file with the STIG Audit rules into the /etc/audit/rules.d/ directory.
[root@servera ~]# cp /usr/share/doc/audit-2.8.1/rules/30-stig.rules \ > /etc/audit/rules.d/
Load the STIG Audit rules with the augenrules --load command.
[root@servera ~]# augenrules --load ...output omitted...

On servera server create a new user called testuser to verify that the STIG Audit rules are working correctly.

Verify the STIG Audit rules that use the identity key.

[root@servera ~]# grep identity /etc/audit/rules.d/30-stig.rules
## Things that affect identity
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity

Create a user called testuser to test the previous STIG Audit rules. The creation of a new user modifies the files associated with the rules that use the identity key, for example /etc/passwd, and triggers those STIG Audit rules.
```
[root@servera ~]# useradd testuser
```

Search the Audit log for the identity key to verify that the previous STIG Audit rules are active.

[root@servera ~]# ausearch -k identity
...output omitted...
time->Thu Jul 26 06:13:00 2018
node=servera.lab.example.com type=CONFIG_CHANGE msg=audit(1532599980.002:3490): auid=0 ses=12 op=updated_rules path="/etc/passwd" key="identity" list=4 res=1
----
...output omitted...
node=servera.lab.example.com type=SYSCALL msg=audit(1532599980.002:3491): arch=c000003e syscall=82 success=yes exit=0 a0=7fff50bdda70 a1=5596e239ece0 a2=7fff50bdd9e0 a3=5596e360bde0 items=5 ppid=1663 pid=1791 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=12 comm="useradd" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="identity"
----
time->Thu Jul 26 06:13:00 2018
node=servera.lab.example.com type=CONFIG_CHANGE msg=audit(1532599980.004:3492): auid=0 ses=12 op=updated_rules path="/etc/shadow" key="identity" list=4 res=1
----
...output omitted...
node=servera.lab.example.com type=SYSCALL msg=audit(1532599980.004:3493): arch=c000003e syscall=82 success=yes exit=0 a0=7fff50bdda70 a1=5596e239f620 a2=7fff50bdd9e0 a3=757431612f4d4875 items=5 ppid=1663 pid=1791 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=12 comm="useradd" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="identity"
----
time->Thu Jul 26 06:13:00 2018
node=servera.lab.example.com type=CONFIG_CHANGE msg=audit(1532599980.005:3494): auid=0 ses=12 op=updated_rules path="/etc/group" key="identity" list=4 res=1
----
...output omitted...
node=servera.lab.example.com type=SYSCALL msg=audit(1532599980.005:3495): arch=c000003e syscall=82 success=yes exit=0 a0=7fff50bdda70 a1=5596e239e840 a2=7fff50bdd9e0 a3=22 items=5 ppid=1663 pid=1791 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=12 comm="useradd" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="identity"
----
time->Thu Jul 26 06:13:00 2018
node=servera.lab.example.com type=CONFIG_CHANGE msg=audit(1532599980.007:3496): auid=0 ses=12 op=updated_rules path="/etc/gshadow" key="identity" list=4 res=1
----
...output omitted...
node=servera.lab.example.com type=SYSCALL msg=audit(1532599980.007:3497): arch=c000003e syscall=82 success=yes exit=0 a0=7fff50bdda70 a1=5596e239f180 a2=7fff50bdd9e0 a3=2 items=5 ppid=1663 pid=1791 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=12 comm="useradd" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="identity"
----
...output omitted...

Configure the pam_tty_audit PAM module to enable auditing of TTY for the student user on servera.

Edit the /etc/pam.d/system-auth and the /etc/pam.d/password-auth files to enable the auditing of TTY for the student user with the pam_tty_audit PAM module.

[root@servera ~]# vi /etc/pam.d/system-auth
...output omitted...
session    required     pam_tty_audit.so disable=* enable=student
[root@servera ~]# vi /etc/pam.d/password-auth
...output omitted...
session    required     pam_tty_audit.so disable=* enable=student

Log in to servera as student and run the ls /tmp command to test that auditing of TTY is working. When done, log in to servera as root.
```
[student@workstation ~]$ ssh student@servera
[student@servera ~]$ ls /tmp
...output omitted...
[student@servera ~]$ logout
[student@workstation ~]$ ssh root@servera
```
Note
Type these commands in full; do not use tab completion. This ensures that you correctly log the keystrokes for the ls /tmp and the logout commands.

Verify the Audit logs for the previous commands with the aureport --tty command. When done, log off from servera.

[root@servera ~]# aureport --tty

TTY Report
===============================================
# date time event auid term sess comm data
===============================================
...output omitted...
2. 26/07/18 06:36:58 3750 1000 ? 22 bash "ls /tmp",<ret>,"logout",<ret>
[root@servera ~]# logout
[student@workstation ~]$

Evaluation

On workstation, run the lab audit-review grade command to confirm success of this exercise.

[student@workstation ~]$ lab audit-review grade

Cleanup

On workstation, run the lab audit-review cleanup script to clean up this exercise.

[student@workstation ~]$ lab audit-review cleanup

This concludes the lab.

Discuss Red Hat Security: Linux in Physical, Virtual, and Cloud

Go to community

Welcome to the Red Hat Security: Linux in Physical, Virtual, and Cloud (RH415) group!

Deanna

26 wrz 2023

We are excited to launch a space dedicated to the Red Hat Training course Red Hat Security: Linux in Physical, Virtual, and Cloud! To gain the most value from this group - click the "Join Group" button in the upper right hand corner of the group home page.We encourage group members to collaborate in this group to discuss topics, ask questions, share best practices and tips, provide course feedback, and share their accomplishments as it relates to RH415.Read more about Red Hat Security: Linux in Physical, Virtual, and Cloud here.

415

Revision: rh415-7.5-813735c

Red Hat Security: Linux in Physical, Virtual, and Cloud

This course is now legacy content

Lab: Recording System Events with Audit

Note