Lab: Monitoring File System Changes

In this lab, you will configure AIDE to check for changes to file systems, and use audit watches to identify the causes of those changes.

Outcomes

You should be able to:

  • Detect changes made to the /etc directory and its contents using AIDE.

  • Configure Audit to log writes and changes to access permissions made to files located in the /etc/ssh directory and label the log entries with a key.

  • Make changes to a file in /etc/ssh, detect them with AIDE, and use Audit tools to show that you have a record of which user and process made the changes.

Verify that the workstation and servera machines are started.

Log in to workstation as student using student as the password. On workstation, run the lab aide-review setup command to prepare the classroom environment for this lab. This command:

  • Ensures that the aide package is not installed.

  • Ensures that the auditd service is installed, enabled, and running.

  • Backs up the original Linux Audit rules file, SSH service configuration file, and prelogin message file.

  • Ensures that there are no audit rules in effect on servera.

[student@workstation ~]$ lab aide-review setup

  1. From workstation, log in to servera as the student user.

    [student@workstation ~]$ ssh student@servera
    Last login: Thu Jul 19 23:45:42 2018 from workstation.lab.example.com
    [student@servera ~]$
  2. Use sudo -i to change to the root user. Use student as the password.

    [student@servera ~]$ sudo -i
    [sudo] password for student: student
    [root@servera ~]#
  3. Install the aide package.

    [root@servera ~]# yum install aide
    Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-manager
    ...output omitted...
    Dependencies Resolved
    
    ===============================================================================
     Package                   Arch                        Version                              Repository                             Size
    ===============================================================================
    Installing:
     aide                      x86_64                      0.15.1-13.el7                        rhel--server-dvd                      133 k
    
    Transaction Summary
    ===============================================================================
    
    Install  1 Package
    Total download size: 133 k
    Installed size: 311 k
    Is this ok [y/d/N]: y
    ...output omitted...
    Installed:
      aide.x86_64 0:0.15.1-13.el7
    
    Complete!
  4. Modify /etc/aide.conf file using a text editor following this specification:

    • Configure AIDE to use /var/lib/aide/aide.db.input.gz as its database, and to use /var/lib/aide/aide.db.output.gz as the file in which AIDE puts any updated database it generates.

    • Set a selection line to monitor changes to the /etc directory, as well as all of its contents, using the CONTENT_EX group definition.

    • Delete all other selection lines.

    [root@servera ~]# vi /etc/aide.conf
    [root@servera ~]# grep -e database -e ^/etc /etc/aide.conf | grep -v ^#
    database=file:@@{DBDIR}/aide.db.input.gz
    database_out=file:@@{DBDIR}/aide.db.output.gz
    /etc CONTENT_EX
  5. Initialize the baseline AIDE database. It may take up to a minute for AIDE to initialize.

    [root@servera ~]# aide --init
    
    AIDE, version 0.15.1
    
    ### AIDE database at /var/lib/aide/aide.db.output.gz initialized.
    
    
  6. Rename the newly generated AIDE database file so that it can be used as the current AIDE database. (Remember that you changed the name of both files from the defaults in an earlier step.)

    [root@servera ~]# mv /var/lib/aide/aide.db.output.gz \
    > /var/lib/aide/aide.db.input.gz
  7. Manually run AIDE to check the machine's file systems. It may take up to a minute for AIDE to produce a report. It should report that no changes have been found.

    [root@servera ~]# aide --check
    
    AIDE, version 0.15.1
    
    ### All files match AIDE database. Looks okay!
    
    
  8. Add a persistent Audit rule to watch files in /etc/ssh for writes and permission changes. Set the filter key on the rule to sshd_config_monitor. The augenrules --load command merges the files in /etc/audit/rules.d/ into /etc/audit/audit.rules and loads the result into the kernel, so the rule takes effect now as well as at the next boot.

    [root@servera ~]# vi /etc/audit/rules.d/audit.rules
    [root@servera ~]# cat /etc/audit/rules.d/audit.rules
    -w /etc/ssh -p wa -k sshd_config_monitor
    [root@servera ~]# augenrules --load
    ...output omitted...
  9. Verify that the new audit rule is active.

    [root@servera ~]# auditctl -l
    -w /etc/ssh -p wa -k sshd_config_monitor
  10. Make a change in the /etc/ssh directory by modifying /etc/ssh/sshd_config to change the directive PasswordAuthentication yes to PasswordAuthentication no.

    Important

    If you make a mistake here, you could create issues with SSH authentication on servera, preventing future logins using ssh. If this happens, remember that you can still use the web console to log in to the virtualized local console of servera.

    To do so, navigate to the same web page you used to access the console of your workstation machine. Click OPEN CONSOLE for the servera machine, which opens the system console in a new tab of the same browser window.

    [root@servera ~]# vi /etc/ssh/sshd_config
    [root@servera ~]# grep -e PasswordAuthentication \
    > /etc/ssh/sshd_config | grep -v ^#
    PasswordAuthentication no

    The PasswordAuthentication directive in the SSH service configuration file enables or disables password-based authentication. With it set to no, only key-based (or other non-password) authentication is accepted, so make sure the account you will log in with has a working key before you rely on this setting outside the lab.

  11. Restart the sshd daemon so that the change to the SSH service configuration file takes effect. Existing sessions, including the one you are working in, are not dropped by the restart.

    [root@servera ~]# systemctl restart sshd.service
  12. Verify the current status of the machine's file systems with AIDE to ensure that AIDE detects the change in the /etc/ssh/sshd_config file. It may take up to a minute for AIDE to verify the current status of the file system.

    [root@servera ~]# aide --check
    AIDE 0.15.1 found differences between database and filesystem!!
    Start timestamp: 2018-08-08 12:07:16
    
    Summary:
      Total number of files:        2606
      Added files:                  1
      Removed files:                0
      Changed files:                3
    
    
    ---------------------------------------------------
    Added files:
    ---------------------------------------------------
    
    added: /etc/audit/audit.rules.prev
    
    ---------------------------------------------------
    Changed files:
    ---------------------------------------------------
    
    changed: /etc/audit/audit.rules
    changed: /etc/audit/rules.d/audit.rules
    changed: /etc/ssh/sshd_config
    
    ---------------------------------------------------
    Detailed information about changes:
    ---------------------------------------------------
    
    
    File: /etc/audit/audit.rules
     SHA256   : 1lkvlZvfS4zgXvxmS/TJrYM/ahmPin22 , xc9agKbbIPrH3LJizE6D97D/yuBfgZG9
    
    File: /etc/audit/rules.d/audit.rules
     SHA256   : +YSYvMyRF20XxGguD+MtNubOmGyU/vNC , k6HtwLf/x1p9xhOBTycAoav8Xb5ZoC8O
    
    File: /etc/ssh/sshd_config
     SHA256   : gyKEuCSYy7jrEJu3Ykb47A6yPb0vWh5y , PpatkEVTfhKpfK9rvu3cRd0NFfl1WDKt

    Notice that AIDE detected the change to /etc/ssh/sshd_config. It also reports /etc/audit/rules.d/audit.rules and /etc/audit/audit.rules as changed and /etc/audit/audit.rules.prev as added, because you added the audit rule (and augenrules --load regenerated /etc/audit/audit.rules, keeping the previous copy as audit.rules.prev) after the last time the AIDE database was built. In practice, expected changes like these should be folded into a fresh baseline, for example with aide --update, which writes the new database to the database_out file for you to move into place as in step 6; otherwise every later report carries the same noise and a real change is easier to miss.

  13. Investigate the audit log to determine what changed the /etc/ssh/sshd_config file. Use the sshd_config_monitor key to limit the output to events that matched the rule you added in step 8.

    [root@servera ~]# ausearch -i -f /etc/ssh/sshd_config -k sshd_config_monitor
    ...output omitted...
    ----
    type=PROCTITLE msg=audit(08/06/2018 21:37:26.588:1919) : proctitle=vi /etc/ssh/sshd_config
    type=PATH msg=audit(08/06/2018 21:37:26.588:1919) : item=1 name=/etc/ssh/sshd_config inode=7201 dev=fc:01 mode=file,600 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:etc_t:s0 objtype=CREATE
    type=PATH msg=audit(08/06/2018 21:37:26.588:1919) : item=0 name=/etc/ssh/ inode=156604 dev=fc:01 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:etc_t:s0 objtype=PARENT
    type=CWD msg=audit(08/06/2018 21:37:26.588:1919) :  cwd=/root
    type=SYSCALL msg=audit(08/06/2018 21:37:26.588:1919) : arch=x86_64 syscall=open success=yes exit=3 a0=0x1c576f0 a1=O_WRONLY|O_CREAT|O_TRUNC a2=0600 a3=0x0 items=2 ppid=9268 pid=9986 auid=student uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=84 comm=vi exe=/usr/bin/vi subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=sshd_config_monitor
    ----
    ...output omitted...

    If you used vi as shown in the preceding steps, you will see the following audit log events from a single process (they all share the same pid):

    • A rename(2) syscall that moves the existing /etc/ssh/sshd_config to /etc/ssh/sshd_config~ as a temporary backup.

    • An open(2) syscall in write-only/create mode (O_WRONLY|O_CREAT|O_TRUNC) that creates a new /etc/ssh/sshd_config to hold the edited content. This is the event shown in the preceding example output.

    • Some chmod(2) and setxattr(2) syscalls that set the permissions and the SELinux context on the new /etc/ssh/sshd_config file.

    • An unlink(2) syscall that removes the /etc/ssh/sshd_config~ backup of the original file.

    All of these events carry the PROCTITLE vi /etc/ssh/sshd_config, and their SYSCALL records show auid=student but uid=root: the user logged in as student and then became root with sudo. The audit user ID (auid) is set at login and does not change on sudo or su, which is what lets you attribute the change to the person rather than to the root account. The tty field (pts0 in the example; yours may differ) identifies the terminal session.

  14. Log out from the servera system completely.

    [root@servera ~]# logout
    [student@servera ~]$ logout
    [student@workstation ~]$ 
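The steps above are the manual version of a workflow worth scripting: take each path AIDE reports, pull the matching SYSCALL records under the watch key, and reduce each one to who did it (auid versus uid), with which program, and whether it succeeded. The script below is an added example, not part of the Red Hat lab or its grading scripts. It assumes the aide and audit packages are installed and the sshd_config_monitor rule from step 8 is loaded; the two sample inputs are constructed from the shape of the step 12 and step 13 output so the parsing functions can be exercised on a host without AIDE.

```shell
#!/bin/sh
# Added example, not part of the Red Hat lab: tie each file AIDE reports as
# changed to the audit records that say who changed it, using the watch rule
# from step 8 (key sshd_config_monitor). The two sample inputs below are
# constructed from the shape of the lab output so the parsing runs offline;
# correlate() is the only function that needs aide and ausearch installed.

# Extract "<status> <path>" lines (added/changed/removed) from an AIDE report on stdin.
aide_changed_paths() {
    awk '/^(added|changed|removed): / { sub(":", "", $1); print $1, $2 }'
}

# Print the value of one name=value field from an audit record on stdin.
# The leading space anchors the name, so "uid" does not match "auid" or "fsuid".
audit_field() {
    sed -n "s/.*[[:space:]]$1=\([^[:space:]]*\).*/\1/p"
}

# Reduce one interpreted SYSCALL record to the fields an analyst needs: the
# syscall, its result, the login user (auid), the effective user (uid), the
# program, and the rule key. auid is fixed at login and survives sudo, which
# is why it names student while uid names root.
summarize_syscall() {
    rec=$1
    printf '%s success=%s auid=%s uid=%s comm=%s exe=%s key=%s\n' \
        "$(printf '%s' "$rec" | audit_field syscall)" \
        "$(printf '%s' "$rec" | audit_field success)" \
        "$(printf '%s' "$rec" | audit_field auid)" \
        "$(printf '%s' "$rec" | audit_field uid)" \
        "$(printf '%s' "$rec" | audit_field comm)" \
        "$(printf '%s' "$rec" | audit_field exe)" \
        "$(printf '%s' "$rec" | audit_field key)"
}

# Live workflow: run the AIDE check, then look up the SYSCALL records for each
# reported path under the watch key. Requires aide and the audit package.
correlate() {
    aide --check | aide_changed_paths | while read -r status path; do
        printf '== %s %s\n' "$status" "$path"
        ausearch -i -f "$path" -k sshd_config_monitor 2>/dev/null |
            grep '^type=SYSCALL' |
            while read -r rec; do summarize_syscall "$rec"; done
    done
}

# Constructed sample AIDE report (shape of the step 12 output), for offline use.
SAMPLE_AIDE_REPORT=$(cat <<'EOF'
AIDE 0.15.1 found differences between database and filesystem!!

Added files:
added: /etc/audit/audit.rules.prev

Changed files:
changed: /etc/audit/audit.rules
changed: /etc/ssh/sshd_config
EOF
)

# Constructed sample SYSCALL record (shape of the step 13 output), for offline use.
SAMPLE_SYSCALL='type=SYSCALL msg=audit(08/06/2018 21:37:26.588:1919) : arch=x86_64 syscall=open success=yes exit=3 a0=0x1c576f0 a1=O_WRONLY|O_CREAT|O_TRUNC a2=0600 a3=0x0 items=2 ppid=9268 pid=9986 auid=student uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=84 comm=vi exe=/usr/bin/vi subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=sshd_config_monitor'

# Run the live correlation only when asked, so the script loads cleanly on a
# host without aide:  sh correlate.sh run
if [ "${1:-}" = run ]; then
    correlate
fi
```

Run it as root on servera with the run argument after step 12 and it prints one summary line per SYSCALL record for each changed path; for /etc/ssh/sshd_config the rename, open, chmod, setxattr and unlink events from step 13 all collapse to lines showing auid=student uid=root comm=vi. Note that ausearch -f matches the name field of PATH records, so a path that was only renamed away (the sshd_config~ backup) is found under its old name; if you widen the rule to more directories, change the -k key in correlate() to match.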

Evaluation

As the student user on workstation, run lab aide-review grade to confirm that you completed the lab successfully. Correct any reported errors and rerun the command.

[student@workstation ~]$ lab aide-review grade

Cleanup

On workstation, run the lab aide-review cleanup command to clean up this exercise.

[student@workstation ~]$ lab aide-review cleanup

This concludes the lab.

Revision: rh415-7.5-813735c