RH415 - ch07s04

This course is now legacy content

This course is using an outdated version of the technology and is now considered to be Legacy content. It will be removed from our catalog on June 28, 2024. Please be sure to complete your course and finish any remaining labs before that date. We recommend moving to version 9.2, which is the latest version currently available.

Preface A: Introduction

Section A.1: Red Hat Security: Linux in Physical, Virtual, and Cloud

Section A.2: Orientation to the Classroom Environment

Section A.3: Internationalization

Chapter 1: Managing Security and Risk

Section 1.1: Managing Security and Risk

Section 1.2: Quiz: Managing Security and Risk

Section 1.3: Reviewing Recommended Security Practices

Section 1.4: Guided Exercise: Reviewing Recommended Security Practices

Section 1.5: Lab: Managing Security and Risk

Section 1.6: Summary

Chapter 2: Automating Configuration and Remediation with Ansible

Section 2.1: Configuring Ansible for Security Automation

Section 2.2: Guided Exercise: Configuring Ansible for Security Automation

Section 2.3: Remediating Issues with Ansible Playbooks

Section 2.4: Guided Exercise: Remediating Issues with Ansible Playbooks

Section 2.5: Managing Playbooks with Red Hat Ansible Tower

Section 2.6: Guided Exercise: Managing Playbooks with Red Hat Ansible Tower

Section 2.7: Lab: Automating Configuration and Remediation with Ansible

Section 2.8: Summary

Chapter 3: Protecting Data with LUKS and NBDE

Section 3.1: Managing File System Encryption with LUKS

Section 3.2: Guided Exercise: Managing File System Encryption with LUKS

Section 3.3: Controlling File System Decryption with NBDE

Section 3.4: Guided Exercise: Controlling File System Decryption with NBDE

Section 3.5: Lab: Protecting Data with LUKS and NBDE

Section 3.6: Summary

Chapter 4: Restricting USB Device Access

Section 4.1: Controlling USB Access with USBGuard

Section 4.2: Guided Exercise: Controlling USB access with USBGuard

Section 4.3: Lab: Restricting USB Device Access

Section 4.4: Summary

Chapter 5: Controlling Authentication with PAM

Section 5.1: Auditing the PAM Configuration

Section 5.2: Guided Exercise: Auditing the PAM Configuration

Section 5.3: Modifying the PAM Configuration

Section 5.4: Guided Exercise: Modifying the PAM Configuration

Section 5.5: Configuring Password Quality Requirements

Section 5.6: Guided Exercise: Configuring Password Quality Requirements

Section 5.7: Limiting Access After Failed Logins

Section 5.8: Guided Exercise: Limiting Access After Failed Logins

Section 5.9: Lab: Controlling Authentication with PAM

Section 5.10: Summary

Chapter 6: Recording System Events with Audit

Section 6.1: Configuring Audit to Record System Events

Section 6.2: Guided Exercise: Configuring Audit to Record System Events

Section 6.3: Inspecting Audit Logs

Section 6.4: Guided Exercise: Inspecting Audit Logs

Section 6.5: Writing Custom Audit Rules

Section 6.6: Guided Exercise: Writing Custom Audit Rules

Section 6.7: Enabling Prepackaged Audit Rule Sets

Section 6.8: Guided Exercise: Enabling Prepackaged Audit Rule Sets

Section 6.9: Lab: Recording System Events with Audit

Section 6.10: Summary

Chapter 7: Monitoring File System Changes

Section 7.1: Detecting File System Changes with AIDE

Section 7.2: Guided Exercise: Detecting File System Changes with AIDE

Section 7.3: Investigating File System Changes with AIDE

SectionSection 7.4: Guided Exercise: Investigating File System Changes with AIDE

Section 7.5: Lab: Monitoring File System Changes

Section 7.6: Summary

Chapter 8: Mitigating Risk with SELinux

Section 8.1: Enabling SELinux from the Disabled State

Section 8.2: Guided Exercise: Enabling SELinux from the Disabled State

Section 8.3: Controlling Access with Confined Users

Section 8.4: Guided Exercise: Controlling Access with Confined Users

Section 8.5: Auditing the SELinux Policy

Section 8.6: Guided Exercise: Auditing the SELinux Policy

Section 8.7: Lab: Mitigating Risk with SELinux

Section 8.8: Summary

Chapter 9: Managing Compliance with OpenSCAP

Section 9.1: Installing OpenSCAP

Section 9.2: Guided Exercise: Installing OpenSCAP

Section 9.3: Scanning and Analyzing Compliance

Section 9.4: Guided Exercise: Scanning and Analyzing Compliance

Section 9.5: Customizing OpenSCAP Policy

Section 9.6: Guided Exercise: Customizing OpenSCAP Policy

Section 9.7: Remediating OpenSCAP Issues with Ansible

Section 9.8: Guided Exercise: Remediating OpenSCAP Issues with Ansible

Section 9.9: Lab: Managing Compliance with OpenSCAP

Section 9.10: Summary

Chapter 10: Automating Compliance with Red Hat Satellite

Section 10.1: Configuring Red Hat Satellite for OpenSCAP

Section 10.2: Guided Exercise: Configuring Red Hat Satellite for OpenSCAP

Section 10.3: Scan OpenSCAP Compliance with Red Hat Satellite

Section 10.4: Guided Exercise: Scan OpenSCAP Compliance with Red Hat Satellite

Section 10.5: Customize the OpenSCAP Policy in Red Hat Satellite

Section 10.6: Guided Exercise: Customize OpenSCAP Policy in Red Hat Satellite

Section 10.7: Lab: Automating Compliance with Red Hat Satellite

Section 10.8: Summary

Chapter 11: Analyzing and Remediating Issues with Red Hat Insights

Section 11.1: Registering Systems with Red Hat Insights

Section 11.2: Quiz: Registering Systems with Red Hat Insights

Section 11.3: Reviewing Red Hat Insights Reports

Section 11.4: Quiz: Reviewing Red Hat Insights Reports

Section 11.5: Automating Issue Remediation

Section 11.6: Quiz: Automating Issue Remediation

Section 11.7: Summary

Chapter 12: Comprehensive Review

Section 12.1: Comprehensive Review

Section 12.2: Lab: Automating Configuration and Remediation with Ansible

Section 12.3: Lab: Protecting Data with LUKS and NBDE

Section 12.4: Lab: Restricting USB Device Access and Mitigating Risk with SELinux

Section 12.5: Lab: Recording Events, Monitoring File System Changes and Managing Compliance with OpenSCAP

Bookmark this page

P 1 2 3 4 5 6 7 8 9 10 11 12

Guided Exercise: Investigating File System Changes with AIDE

In this exercise, you will use AIDE and Audit to detect changes on a file system and use Audit tools to identify the cause of those changes.

Outcomes

You should be able to:

Monitor /etc/passwd and /etc/shadow files with AIDE.
Set Linux Audit rules to monitor the same files.
Make changes to the files and use Audit tools to show that you have a record of what user and process made the changes.

Verify that the workstation and servera systems are started.

Log in to workstation as student using student as the password. On workstation, run the lab aide-investigate setup command to prepare the classroom environment for the guided exercise. This command:

Ensures that aide is installed and has a clean database directory.
Ensures that the auditd service is installed, enabled, and running.
Backs up the original Audit rules file and ensures that there are no Audit rules in effect.

[student@workstation ~]$ lab aide-investigate setup

From workstation, log in to servera as student. No password is required.

[student@workstation ~]$ ssh student@servera
Last login: Thu Jul 19 23:45:42 2018 from workstation.lab.example.com
[student@servera ~]$

Use sudo -i to change to the root user. Use student as the password.

[student@servera ~]$ sudo -i
[sudo] password for student: student
[root@servera ~]#

Use a text editor to modify /etc/aide.conf. Add selection lines to make AIDE use the CONTENT_EX group definition to monitor for any change to the /etc/shadow and /etc/passwd files. Delete the other selection lines in the configuration file.

Note

Normally, you would have other selection lines in your /etc/aide.conf file. We remove the other lines in order to speed up AIDE scans for the purpose of this exercise.

[root@servera ~]# vim /etc/aide.conf

The last few lines of modified /etc/aide.conf file looks similar to the following:

...output omitted...
# Extended content + file type + access.
CONTENT_EX = sha256+ftype+p+u+g+n+acl+selinux+xattrs

# Some files get updated automatically, so the inode/ctime/mtime
# change
# but we want to know when the data inside them changes.
DATAONLY =  p+n+u+g+s+acl+selinux+xattrs+sha256

# Next decide what directories/files you want in the database. Aide
# uses a first match system. Put file specific instructions before
# generic
# matches. e.g. Put file matches before directories.

/etc/passwd     CONTENT_EX
/etc/shadow     CONTENT_EX

Use the aide --init command to initialize the AIDE database with the results of a baseline scan.

[root@servera ~]# aide --init

AIDE, version 0.15.1

### AIDE database at /var/lib/aide/aide.db.new.gz initialized.

Rename the new AIDE database file, /var/lib/aide/aide.db.new.gz, to /var/lib/aide/aide.db.gz so that AIDE uses the newly generated file as the current database.
```
[root@servera ~]# mv /var/lib/aide/aide.db.new.gz \
> /var/lib/aide/aide.db.gz
```
Run the aide --check command to determine the current status of the machine's file systems.
```
[root@servera ~]# aide --check

AIDE, version 0.15.1

### All files match AIDE database. Looks okay!
```
AIDE reports that there have been no changes to the files and directories it monitors. This makes sense, because you have not changed any files or directories since initializing the AIDE database.
AIDE will report that a file has changed, but not what or who changed it. You can add Audit rules to monitor your files so that when AIDE reports a change, you can look in the audit log to determine what or who might have caused that change.
Use the auditctl command to add a persistent Linux Audit watch rule to generate audit log entries whenever there is an attempt to read, write, execute, or change an attribute of the /etc/shadow file. Use shadow_watch as the filter key on the audit rule.
```
[root@servera ~]# echo "-w /etc/shadow \
> -p rwxa -k shadow_watch" >> /etc/audit/rules.d/audit.rules
[root@servera ~]# augenrules --load
...output omitted...
```
The augenrules --load command brings the newly added Audit rules into effect.
Use the auditctl -l command to list the Linux Audit rules and verify that the newly added audit rule is currently in effect.
```
[root@servera ~]# auditctl -l
-w /etc/shadow -p rwxa -k shadow_watch
```

Change the student password to redhat. This causes a change to the /etc/shadow file.

[root@servera ~]# passwd student
Changing password for user student.
New password: redhat
BAD PASSWORD: The password is shorter than 8 characters
Retype new password: redhat
passwd: all authentication tokens updated successfully.

Run the aide --check command to check the status of the machine's file systems.

[root@servera ~]# aide --check
AIDE 0.15.1 found differences between database and filesystem!!
Start timestamp: 2018-07-20 14:46:53

Summary:
  Total number of files:  6
  Added files:            0
  Removed files:          0
  Changed files:          1


---------------------------------------------------
Changed files:
---------------------------------------------------

changed: /etc/shadow

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------


File: /etc/shadow
SHA256   : Lvq+jrfjZzFg77krDaTUwcB85LB9LZJX , FxQh5cRZeFuFKvzbvA2iXWwWoesaVCji

The output of the command should report that the SHA256 checksum (and therefore the content) of the /etc/shadow file has changed.

Note

The values of the SHA256 checksums that you see in the output of the preceding aide command may differ from what you see in your system.

To further investigate the change to /etc/shadow that AIDE reported, use ausearch to search the audit log. You can use the shadow_watch key used by your watch rule to filter for the events relevant to /etc/shadow. You can also use the -i option to convert numbers for UIDs and time stamps into names and more human-readable text.
The following output includes an example of one audit event that could be displayed.
```
[root@servera ~]# ausearch -i -f /etc/shadow -k shadow_watch
...output omitted...
----
type=PROCTITLE msg=audit(07/20/2018 14:30:08.319:631) : proctitle=passwd student
type=PATH msg=audit(07/20/2018 14:30:08.319:631) : item=0 name=/etc/shadow inode=288181 dev=fc:01 mode=file,000 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:shadow_t:s0 objtype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(07/20/2018 14:30:08.319:631) :  cwd=/root
type=SYSCALL msg=audit(07/20/2018 14:30:08.319:631) : arch=x86_64 syscall=open success=yes exit=5 a0=0x7f7659b2323c a1=O_RDONLY a2=0x1 a3=0x7f7661aeec8c items=1 ppid=1710 pid=30271 auid=student uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=15 comm=passwd exe=/usr/bin/passwd subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=shadow_watch
----
...output omitted...
```
The output of ausearch should find a number of audit events, such as the one in the preceding output. Each event is separated by four dashes in the output, and the event number should appear in the output after the final colon in the time stamp (the msg field in each audit record). This is audit event 631.
This event consists of four records: PROCTITLE, PATH, CWD, and SYSCALL.
- PROCTITLE gives the full command line that triggered the audit event, in this case passwd student.
- PATH shows the file (/etc/shadow) the event affects and provides information about the file such as its inode number, the major/minor number of the device its file system is on, its ownership and permissions, it is a regular file, and so on.
- CWD gives the current working directory the command was run from (/root).
- SYSCALL gives the actual syscall for this record. This is the most interesting output.
  The syscall=open and a1=O_RDONLY fields indicate that this event is logging an attempt to open /etc/shadow in read-only mode. The access was successful (success=yes). The user was on the pseudoterminal on pts/0 (possibly a graphical terminal window or ssh login) at the time. The uid and euid fields indicate that the process was running as root. However, the auid field indicates that the user that ran this command originally logged in as student.
  Other information can be extracted from this event record as well, such as the PID of the process and absolute path to the executable used.
This is not the audit event that caused the change to /etc/shadow, because it opens the file read-only. However, it may be part of the sequence of audit events that led to the change. You need to look further at the output to find the correct event.
Note
The documentation in the Audit System Reference appendix of the Red Hat Enterprise Linux 7 Security Guide provides a list of audit fields and records that can be very useful when interpreting audit events.

Further down in the output of ausearch, there should be an event that occurred at almost the same time, which looks similar to the following output:

...output omitted...
----
type=PROCTITLE msg=audit(07/20/2018 14:30:08.341:633) : proctitle=passwd student
type=PATH msg=audit(07/20/2018 14:30:08.341:633) : item=4 name=/etc/shadow inode=33578439 dev=fc:01 mode=file,000 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:shadow_t:s0 objtype=CREATE
type=PATH msg=audit(07/20/2018 14:30:08.341:633) : item=3 name=/etc/shadow inode=288181 dev=fc:01 mode=file,000 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:shadow_t:s0 objtype=DELETE
type=PATH msg=audit(07/20/2018 14:30:08.341:633) : item=2 name=/etc/nshadow inode=33578439 dev=fc:01 mode=file,000 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:shadow_t:s0 objtype=DELETE
type=PATH msg=audit(07/20/2018 14:30:08.341:633) : item=1 name=/etc/ inode=33554497 dev=fc:01 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:etc_t:s0 objtype=PARENT
type=PATH msg=audit(07/20/2018 14:30:08.341:633) : item=0 name=/etc/ inode=33554497 dev=fc:01 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:etc_t:s0 objtype=PARENT
type=CWD msg=audit(07/20/2018 14:30:08.341:633) :  cwd=/root
type=SYSCALL msg=audit(07/20/2018 14:30:08.341:633) : arch=x86_64 syscall=rename success=yes exit=0 a0=0x7f251f5bb332 a1=0x7f251f5bb2bc a2=0x7f25213a57b8 a3=0x0 items=5 ppid=1710 pid=30271 auid=student uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=15 comm=passwd exe=/usr/bin/passwd subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=shadow_watch

This is audit event 633. Its SYSCALL record indicates that a rename(2) syscall was successfully executed at 14:30:08 on July 20, 2018. It was executed by user root, who originally logged in as user student, by running the /usr/bin/passwd executable on the pts/0 terminal. The PID reported for the process by this record matches the PID of the process that caused the audit event in the previous step of this exercise, so both events were probably caused by the same executing program.

The PROCTITLE record indicates that this was done as part of a passwd student command.

The PATH records indicate that the old /etc/shadow file using inode 288181 was deleted (item 3). Likewise, inode 33578439 was renamed from /etc/nshadow to /etc/shadow (items 2 and 4).

That is the normal way passwd operates. It creates a temporary /etc/nshadow file containing the changes and then copies it over the old shadow password file.

This is the event that changed the /etc/shadow file.

Log out from the servera system completely.

[root@servera ~]# logout
[student@servera ~]$ logout
[student@workstation ~]$

Cleanup

On workstation, run the lab aide-investigate cleanup command to clean up this exercise.

[student@workstation ~]$ lab aide-investigate cleanup

This concludes the guided exercise.

Discuss Red Hat Security: Linux in Physical, Virtual, and Cloud

Go to community

Welcome to the Red Hat Security: Linux in Physical, Virtual, and Cloud (RH415) group!

Deanna

26 wrz 2023

We are excited to launch a space dedicated to the Red Hat Training course Red Hat Security: Linux in Physical, Virtual, and Cloud! To gain the most value from this group - click the "Join Group" button in the upper right hand corner of the group home page.We encourage group members to collaborate in this group to discuss topics, ask questions, share best practices and tips, provide course feedback, and share their accomplishments as it relates to RH415.Read more about Red Hat Security: Linux in Physical, Virtual, and Cloud here.

415

Revision: rh415-7.5-813735c