RH415 - ch07s03

This course is now legacy content

This course is using an outdated version of the technology and is now considered to be Legacy content. It will be removed from our catalog on June 28, 2024. Please be sure to complete your course and finish any remaining labs before that date. We recommend moving to version 9.2, which is the latest version currently available.

Preface A: Introduction

Section A.1: Red Hat Security: Linux in Physical, Virtual, and Cloud

Section A.2: Orientation to the Classroom Environment

Section A.3: Internationalization

Chapter 1: Managing Security and Risk

Section 1.1: Managing Security and Risk

Section 1.2: Quiz: Managing Security and Risk

Section 1.3: Reviewing Recommended Security Practices

Section 1.4: Guided Exercise: Reviewing Recommended Security Practices

Section 1.5: Lab: Managing Security and Risk

Section 1.6: Summary

Chapter 2: Automating Configuration and Remediation with Ansible

Section 2.1: Configuring Ansible for Security Automation

Section 2.2: Guided Exercise: Configuring Ansible for Security Automation

Section 2.3: Remediating Issues with Ansible Playbooks

Section 2.4: Guided Exercise: Remediating Issues with Ansible Playbooks

Section 2.5: Managing Playbooks with Red Hat Ansible Tower

Section 2.6: Guided Exercise: Managing Playbooks with Red Hat Ansible Tower

Section 2.7: Lab: Automating Configuration and Remediation with Ansible

Section 2.8: Summary

Chapter 3: Protecting Data with LUKS and NBDE

Section 3.1: Managing File System Encryption with LUKS

Section 3.2: Guided Exercise: Managing File System Encryption with LUKS

Section 3.3: Controlling File System Decryption with NBDE

Section 3.4: Guided Exercise: Controlling File System Decryption with NBDE

Section 3.5: Lab: Protecting Data with LUKS and NBDE

Section 3.6: Summary

Chapter 4: Restricting USB Device Access

Section 4.1: Controlling USB Access with USBGuard

Section 4.2: Guided Exercise: Controlling USB access with USBGuard

Section 4.3: Lab: Restricting USB Device Access

Section 4.4: Summary

Chapter 5: Controlling Authentication with PAM

Section 5.1: Auditing the PAM Configuration

Section 5.2: Guided Exercise: Auditing the PAM Configuration

Section 5.3: Modifying the PAM Configuration

Section 5.4: Guided Exercise: Modifying the PAM Configuration

Section 5.5: Configuring Password Quality Requirements

Section 5.6: Guided Exercise: Configuring Password Quality Requirements

Section 5.7: Limiting Access After Failed Logins

Section 5.8: Guided Exercise: Limiting Access After Failed Logins

Section 5.9: Lab: Controlling Authentication with PAM

Section 5.10: Summary

Chapter 6: Recording System Events with Audit

Section 6.1: Configuring Audit to Record System Events

Section 6.2: Guided Exercise: Configuring Audit to Record System Events

Section 6.3: Inspecting Audit Logs

Section 6.4: Guided Exercise: Inspecting Audit Logs

Section 6.5: Writing Custom Audit Rules

Section 6.6: Guided Exercise: Writing Custom Audit Rules

Section 6.7: Enabling Prepackaged Audit Rule Sets

Section 6.8: Guided Exercise: Enabling Prepackaged Audit Rule Sets

Section 6.9: Lab: Recording System Events with Audit

Section 6.10: Summary

Chapter 7: Monitoring File System Changes

Section 7.1: Detecting File System Changes with AIDE

Section 7.2: Guided Exercise: Detecting File System Changes with AIDE

SectionSection 7.3: Investigating File System Changes with AIDE

Section 7.4: Guided Exercise: Investigating File System Changes with AIDE

Section 7.5: Lab: Monitoring File System Changes

Section 7.6: Summary

Chapter 8: Mitigating Risk with SELinux

Section 8.1: Enabling SELinux from the Disabled State

Section 8.2: Guided Exercise: Enabling SELinux from the Disabled State

Section 8.3: Controlling Access with Confined Users

Section 8.4: Guided Exercise: Controlling Access with Confined Users

Section 8.5: Auditing the SELinux Policy

Section 8.6: Guided Exercise: Auditing the SELinux Policy

Section 8.7: Lab: Mitigating Risk with SELinux

Section 8.8: Summary

Chapter 9: Managing Compliance with OpenSCAP

Section 9.1: Installing OpenSCAP

Section 9.2: Guided Exercise: Installing OpenSCAP

Section 9.3: Scanning and Analyzing Compliance

Section 9.4: Guided Exercise: Scanning and Analyzing Compliance

Section 9.5: Customizing OpenSCAP Policy

Section 9.6: Guided Exercise: Customizing OpenSCAP Policy

Section 9.7: Remediating OpenSCAP Issues with Ansible

Section 9.8: Guided Exercise: Remediating OpenSCAP Issues with Ansible

Section 9.9: Lab: Managing Compliance with OpenSCAP

Section 9.10: Summary

Chapter 10: Automating Compliance with Red Hat Satellite

Section 10.1: Configuring Red Hat Satellite for OpenSCAP

Section 10.2: Guided Exercise: Configuring Red Hat Satellite for OpenSCAP

Section 10.3: Scan OpenSCAP Compliance with Red Hat Satellite

Section 10.4: Guided Exercise: Scan OpenSCAP Compliance with Red Hat Satellite

Section 10.5: Customize the OpenSCAP Policy in Red Hat Satellite

Section 10.6: Guided Exercise: Customize OpenSCAP Policy in Red Hat Satellite

Section 10.7: Lab: Automating Compliance with Red Hat Satellite

Section 10.8: Summary

Chapter 11: Analyzing and Remediating Issues with Red Hat Insights

Section 11.1: Registering Systems with Red Hat Insights

Section 11.2: Quiz: Registering Systems with Red Hat Insights

Section 11.3: Reviewing Red Hat Insights Reports

Section 11.4: Quiz: Reviewing Red Hat Insights Reports

Section 11.5: Automating Issue Remediation

Section 11.6: Quiz: Automating Issue Remediation

Section 11.7: Summary

Chapter 12: Comprehensive Review

Section 12.1: Comprehensive Review

Section 12.2: Lab: Automating Configuration and Remediation with Ansible

Section 12.3: Lab: Protecting Data with LUKS and NBDE

Section 12.4: Lab: Restricting USB Device Access and Mitigating Risk with SELinux

Section 12.5: Lab: Recording Events, Monitoring File System Changes and Managing Compliance with OpenSCAP

Bookmark this page

P 1 2 3 4 5 6 7 8 9 10 11 12

Investigating File System Changes with AIDE

Objectives

After completing this section, students should be able to investigate causes of file system changes reported by AIDE by using Linux Audit tools.

Combining AIDE and Audit

AIDE is a useful tool that you can use to detect changes on a computer's file systems. It reports to administrators about specific changes. One of its limitations, however, is that it does not tell you what caused the changes.

For example, you can configure AIDE to report changes to /etc/passwd and /etc/shadow, but that does not produce details such as who made the changes, at what time, using which tool. This is where Audit rules can help you to get the details that you need about what happened.

The Linux Audit system can monitor files for activity that might cause a change, and log a lot of useful information about the time of the activity and the process and user involved. The Audit system logs these changes, but it is not as simple to set it up to report on key events by itself.

The combination of AIDE and Audit can be a useful way to solve this problem. By configuring both systems to monitor key files and directories, you can use AIDE to report periodically on unexpected changes that have been made to your systems. Then you can look at the audit log since the last AIDE report before the change to help identify what activity might be responsible.

Note

One limitation of this approach is that AIDE does not notify you in real time that there has been a change. It only detects changes when a check is run. If you are checking for changes to the contents of files, an AIDE check can be expensive in terms of system resources, so setting the frequency of AIDE checks too high can cause a lot of load on the system in CPU time and disk I/O.

Likewise, large amounts of audit logging, especially using system call rules, can have an impact on system performance.

Configuring AIDE and Audit

For this approach to be effective, you need to configure both AIDE and Audit to monitor the same files. Audit records activity affecting a file; AIDE detects and reports that there has been a change to a file. This means that you have to set up the AIDE database and watch rules on files in advance to collect the relevant information for detection and investigation.

Start by making sure that AIDE is properly configured. Edit the /etc/aide.conf file to configure AIDE to monitor the correct files, initialize the AIDE database, and set up the cron job to periodically run AIDE checks and send the report to the system administrators.

For example, what if you want to monitor all the files in /usr and its subdirectories for changes? You could use the default settings in /etc/aide.conf that set a regular selection line to monitor all the files in /usr for changes to content, permissions, and ownerships:

CONTENT_EX = sha256+ftype+p+u+g+n+acl+selinux+xattrs
...output omitted...
/usr/    CONTENT_EX

You also need to set an audit rule to monitor the /usr directory recursively for attempts to write files or change permissions. The easiest way to do this is to set a file system rule in a .rules file in /etc/audit/rules.d.

The following example shows a minimal rule to set a watch for changes to the /usr directory:

-w /usr -p wa -k usr-modification

Important

If you do not need to collect information for auditing purposes, you probably should avoid doing so. This reduces "noise" in the logs, the size of the logs, and may improve performance, depending on the structure of your rules.

Notice that we are not setting -p rwxa in the example watch above. This would create a log entry every time something opened a file in /usr to read or execute it. That would occur very often and the information is less relevant for this analysis. It is possible that additional information would make your analysis simpler, and you might care about that information for other reasons. It could also make it harder for you to find the relevant event. You should carefully consider the trade-offs of what and how much information you log.

Investigating File System Changes

Now you can search for audit events that are relevant to AIDE reports. For example, if AIDE is reporting that the /etc/group file has unexpectedly changed, you can use the following ausearch command to look for relevant audit logs:

[root@demo]# ausearch -i -f /etc/group

Use the -f option to select events relevant to the file that you are investigating. Use the -i option to help interpret the audit event, converting numbers to more human-readable names.

Note

In some cases you might want to omit -i to see the uninterpreted audit log. For example, if there is a misconfiguration where multiple UID numbers map to the same user name, the raw log may be useful.

To further narrow down the output of the audit search to events of interest, you can use the -ts option to search for events since the date and time of the last AIDE report that did not report a change.

[root@demo]# ausearch -i -f /etc/group -ts "08/07/2018" "09:00:00"

Depending on the audit rules you have set, you may have quite a few audit events to look through. Next, you need to determine which of those events are actually involved in the change.

Interpreting Audit Events

You need to review the audit events that ausearch finds to determine what happened. There may be multiple audit events involved in sequence. If you are logging other activity on the files involved, there may be irrelevant events in the log that are not involved in whatever changed that file. Alternatively, there may be events prior to the actual change that were triggered by the same command that actually made the change.

For this reason, you need to carefully look at the audit events in order to understand what happened. Frequently, the event logged was a system call to the kernel. It helps if you understand what arguments the system call takes so that you can better interpret the SYSCALL audit record in the event to determine if it is relevant. This is often documented in man pages in section 2 of the system manual. Pay attention to the other records for the event, because they usually include useful information.

To illustrate this, look at two different audit events involving /etc/group. Assume that an AIDE report states that the modification time and contents of the /etc/group file have changed.

One audit event looks like this:

type=PROCTITLE msg=audit(08/13/2018 22:45:30.698:2432) : proctitle=touch /etc/group
type=PATH msg=audit(08/13/2018 22:45:30.698:2432) : item=1 name=/etc/group inode=33593020 dev=fd:00 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:passwd_file_t:s0 objtype=NORMAL
type=PATH msg=audit(08/13/2018 22:45:30.698:2432) : item=0 name=/etc/ inode=33554497 dev=fd:00 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:etc_t:s0 objtype=PARENT
type=CWD msg=audit(08/13/2018 22:45:30.698:2432) :  cwd=/home/student
type=SYSCALL msg=audit(08/13/2018 22:45:30.698:2432) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) a0=0x7ffc044cb6c3 a1=O_WRONLY|O_CREAT|O_NOCTTY|O_NONBLOCK a2=0666 a3=0x7ffc044c94e0 items=2 ppid=2328 pid=32015 auid=student uid=student gid=student euid=student suid=student fsuid=student egid=student sgid=student fsgid=student tty=pts1 ses=4 comm=touch exe=/usr/bin/touch subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=group_watch

The SYSCALL record indicates that this is an attempt to open a file in write mode: syscall=open and a1=O_WRONLY. One of the PATH records indicates that /etc/group is involved. The PROCTITLE record suggests that this was a touch /etc/group command, which should update the modification time, but it should not affect file contents. The metadata update would still require write access to the file's inode.

However, look carefully at the SYSCALL record again. This call failed: success=no and exit=EACCES(Permission denied). This is not the right audit event.

Here is a second audit event:

type=PROCTITLE msg=audit(08/13/2018 22:40:54.899:2429) : proctitle=vigr
type=PATH msg=audit(08/13/2018 22:40:54.899:2429) : item=4 name=/etc/group inode=33593020 dev=fd:00 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:passwd_file_t:s0 objtype=CREATE
type=PATH msg=audit(08/13/2018 22:40:54.899:2429) : item=3 name=/etc/group inode=33578559 dev=fd:00 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:passwd_file_t:s0 objtype=DELETE
type=PATH msg=audit(08/13/2018 22:40:54.899:2429) : item=2 name=/etc/group.edit inode=33593020 dev=fd:00 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:passwd_file_t:s0 objtype=DELETE
type=PATH msg=audit(08/13/2018 22:40:54.899:2429) : item=1 name=/etc/ inode=33554497 dev=fd:00 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:etc_t:s0 objtype=PARENT
type=PATH msg=audit(08/13/2018 22:40:54.899:2429) : item=0 name=/etc/ inode=33554497 dev=fd:00 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:etc_t:s0 objtype=PARENT
type=CWD msg=audit(08/13/2018 22:40:54.899:2429) :  cwd=/root
type=SYSCALL msg=audit(08/13/2018 22:40:54.899:2429) : arch=x86_64 syscall=rename success=yes exit=0 a0=0x7ffc89437360 a1=0x55fc040a7100 a2=0x0 a3=0x65726373662f7274 items=5 ppid=2633 pid=32003 auid=student uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=4 comm=vigr exe=/usr/sbin/vipw subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=group_watch

There is a PROCTITLE record, five PATH records, a CWD record, and a SYSCALL record.

The SYSCALL record shows this was a rename(2) operation that was successful (success=yes). That means a file was renamed.

Look at the PATH records, paying close attention to the inode numbers and the objtype fields. It looks like inode 33593020 has two records: item=2 and item=4. It had the name /etc/group.edit in item 2 but that was deleted. It was created with the name /etc/group in item 4. That looks like it was the file that was renamed. In addition, inode 33578559 had the name /etc/group and was deleted. That must be the original /etc/group file being overwritten.

Looking at the SYSCALL record again, this was done by root (uid=root). But, the user originally logged in as student (auid=student) and has since changed their real UID somehow. The command used was vigr, which actually executed /usr/sbin/vipw. (If you look, /usr/sbin/vigr turns out to be a symlink to vipw). The command was run from terminal pts/1 (tty=pts1), which is a pseudoterminal; most likely a remote login session or graphical terminal window. This is all useful data for further investigation.

Important

This event certainly changed the contents, modification time, and inode belonging to /etc/group, so this is an event of interest. Remember, there may be more than one event of interest in the time frame. You should investigate any events that ausearch helps you find.

Some record types that you might see when determining the cause of a file change are listed in the following table.

Table 7.1. Common Audit Record Types

Record Type	Description
CWD	The current working directory relevant to this event.
PATH	Information about the path to a file involved in this event. Watch in particular for its `objtype` field, which records why this record is involved in an event including a `SYSCALL` record. There may be multiple `PATH` records in the same event, for files that are involved for different reasons.
PROCTITLE	The complete command line that triggered this event.
SYSCALL	The system call made to the kernel that triggered this event. Particular system calls are likely to be involved in a file change event, such as `open`(), `fchmod`(), and `setxattr`(). This record is also the one that will most likely have the most information about which user and process is involved in the operation.

Note

See "Audit Record Types" in the Red Hat Enterprise Linux 7 Security Guide for information on other audit record types you might encounter.

The following table lists some useful fields that you might see in an audit record.

Table 7.2. Audit Record Fields

Field	Description
a0	First argument of the system call.
a1	Second argument of the system call. This is particularly relevant with the `open`(2) system call on x86_64 because it records the access mode being used to open the file. `O_WRONLY` or `O_RDWR` mode indicates that the system call is trying to open the file in a writable mode.
a2	Third argument of the system call.
a3	Fourth argument of the system call.
auid	The Audit UID. This is the user ID that was used to log in to the system initially. It stays the same even after the user uses su or some other command to change their real UID.
cwd	The current working directory relevant to this event.
euid	The effective UID. This is the user ID that the process has for permission checks. For example, an executable that is set-UID `root` and run by a regular user has an effective UID of `root` unless it drops privileges.
egid	The effective GID. This is the group ID that the process has for permission checks.
proctitle	The process title. It shows the full command line along with the arguments of the executed command. This is encoded in hexadecimal notation. Use `-i` option of ausearch to decode it.
syscall	The system call sent to the kernel.
success	Shows whether the system call was successful.
tty	The terminal or pseudoterminal controlling the process. If the command was run as part of an interactive session and the user had several in progress, this can be used to help identify which session was used to run the command.
uid	The real UID. The user ID that started the process. This might not be the same as the initial login ID of the user. For example, a user might use su to switch from one user to another, changing their real UID. Likewise, if the process was started by a set-UID or set-GID executable, the effective UID or GID of the process may be different.

Note

See "Audit Event Fields" in the Red Hat Enterprise Linux 7 Security Guide for information on other audit event fields you might encounter.

References

auditctl(8), ausearch(8), audit.rules(7) and auditd.conf(5) man pages

For general information on the Audit system, see the Defining Audit Rules section in the Red Hat Enterprise Linux 7 Security Guide at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/security_guide/sec-defining_audit_rules_and_controls#sec-Defining_Audit_Rules_and_Controls

For more information on the different audit event fields that are available, see the Audit Event Fields section in the Red Hat Enterprise Linux 7 Security Guide at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/security_guide/sec-defining_audit_rules_and_controls#sec-Audit_Events_Fields

For documentation of all audit record types that currently exist, see the Audit Record Types section in the Red Hat Enterprise Linux 7 Security Guide at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/security_guide/sec-defining_audit_rules_and_controls#sec-Audit_Record_Types

Discuss Red Hat Security: Linux in Physical, Virtual, and Cloud

Go to community

Welcome to the Red Hat Security: Linux in Physical, Virtual, and Cloud (RH415) group!

Deanna

26 wrz 2023

We are excited to launch a space dedicated to the Red Hat Training course Red Hat Security: Linux in Physical, Virtual, and Cloud! To gain the most value from this group - click the "Join Group" button in the upper right hand corner of the group home page.We encourage group members to collaborate in this group to discuss topics, ask questions, share best practices and tips, provide course feedback, and share their accomplishments as it relates to RH415.Read more about Red Hat Security: Linux in Physical, Virtual, and Cloud here.

415

Revision: rh415-7.5-813735c