Guided Exercise: Configuring Audit to Record System Events

Verify the availability and configuration of the auditd service, and configure Audit to forward messages to a central server.

Outcomes

  • Install and configure the Audit server to record system events.

  • Forward Audit messages to a central Audit server.

As the student user on the workstation machine, use the lab command to prepare your environment for this exercise, and to ensure that all required resources are available.

[student@workstation ~]$ lab start audit-configuring

Instructions

  1. Verify that Audit is installed and running on the servera machine.

    1. Log in to the servera machine as the student user.

      [student@workstation ~]$ ssh student@servera
      ...output omitted...
      [student@servera ~]$
    2. Change to the root user. Use student as the password.

      [student@servera ~]$ sudo -i
      [sudo] password for student: student
      [root@servera ~]#
    3. Verify that the auditd service is running and enabled.

      [root@servera ~]# systemctl is-active auditd
      active
      [root@servera ~]# systemctl is-enabled auditd
      enabled
    4. Verify that the /var/log/audit/audit.log log file records the start of the previous root session with the sudo command.

      This log file records the successful start of a user session for the root user that uses sudo on the pts/1 terminal. Some of these details might be different for your Audit event.

      [root@servera ~]# tail /var/log/audit/audit.log
      type=CRED_REFR msg=audit(1697168486.971:110): pid=1184 uid=1000 auid=1000 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'UID="student" AUID="student"
      type=USER_START msg=audit(1697168486.976:111): pid=1184 uid=1000 auid=1000 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_keyinit,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'UID="student" AUID="student"
      type=BPF msg=audit(1697168486.991:112): prog-id=32 op=LOAD
      type=BPF msg=audit(1697168486.992:113): prog-id=33 op=LOAD
      ...output omitted...
  2. Verify the values of the flush and freq variables in the Audit configuration file, which control how often Audit writes records to disk and therefore its performance. Modify the value of the name_format variable to include additional information in the Audit log file.

    1. In the /etc/audit/auditd.conf configuration file, verify that the flush option is set to INCREMENTAL_ASYNC, so that Audit events are flushed to disk asynchronously, and that the freq variable is set to 50, so that the Audit log is flushed after every 50 records.

      Set the name_format variable to HOSTNAME to include the hostname in the Audit log file.

      [root@servera ~]# cat /etc/audit/auditd.conf
      ...output omitted...
      log_format = ENRICHED
      flush = INCREMENTAL_ASYNC
      freq = 50
      max_log_file = 8
      num_logs = 5
      priority_boost = 4
      name_format = HOSTNAME
      ...output omitted...
    2. Restart the auditd service to update its configuration.

      [root@servera ~]# service auditd restart
      Stopping logging:
      Redirecting start to /bin/systemctl start auditd.service

      Note

      The service command is deprecated; do not use it in production environments. The systemctl restart command cannot be used with the auditd service due to the interaction between the daemon and the Linux kernel. In production environments, reboot the machine to ensure that the new configuration is loaded.

  3. Configure the Audit service on the servera machine to send Audit messages to the Audit service on the serverb machine.

    1. Install the audispd-plugins package.

      [root@servera ~]# dnf install audispd-plugins
      ...output omitted...
      Dependencies resolved.
      ================================================================================
       Package          Arch    Version        Repository                        Size
      ================================================================================
      Installing:
       audispd-plugins  x86_64  3.0.7-103.el9  rhel-9.2-for-x86_64-baseos-rpms   52 k
      
      Transaction Summary
      ================================================================================
      ...output omitted...
      Is this ok [y/N]: y
      ...output omitted...
      
      Complete!
    2. In the /etc/audit/plugins.d/au-remote.conf file, set the active option to the yes value to enable remote logging.

      [root@servera ~]# cat /etc/audit/plugins.d/au-remote.conf
      ...output omitted...
      active = yes
      ...output omitted...
    3. In the /etc/audit/audisp-remote.conf file, set the remote_server option to the serverb.lab.example.com hostname. Use 60 as the port for the remote logging server.

      [root@servera ~]# cat /etc/audit/audisp-remote.conf
      #
      # This file controls the configuration of the audit remote
      # logging subsystem, audisp-remote.
      #
      
      remote_server = serverb.lab.example.com
      port = 60
      ...output omitted...
    4. Restart the auditd service to update its configuration.

      [root@servera ~]# service auditd restart
      Stopping logging:
      Redirecting start to /bin/systemctl start auditd.service
  4. Return to the workstation machine as the student user.

    [root@servera ~]# logout
    [student@servera ~]$ logout
    Connection to servera closed.
    [student@workstation ~]$
  5. Configure the Audit service on the serverb machine to accept Audit messages.

    1. Log in to the serverb machine as the student user.

      [student@workstation ~]$ ssh student@serverb
      ...output omitted...
      [student@serverb ~]$
    2. Change to the root user. Use student as the password.

      [student@serverb ~]$ sudo -i
      [sudo] password for student: student
      [root@serverb ~]#
    3. In the /etc/audit/auditd.conf file, uncomment the tcp_listen_port variable and set its value to 60 so that the Audit service listens on TCP port 60 for forwarded Audit messages.

      [root@serverb ~]# cat /etc/audit/auditd.conf
      ...output omitted...
      tcp_listen_port = 60
      ...output omitted...
    4. Open TCP port 60 to enable access to the Audit server.

      [root@serverb ~]# firewall-cmd --zone=public --add-port=60/tcp --permanent
      success
      [root@serverb ~]# firewall-cmd --reload
      success
    5. Restart the auditd service to update its configuration.

      [root@serverb ~]# service auditd restart
      Stopping logging:
      Redirecting start to /bin/systemctl start auditd.service
    6. Return to the workstation machine as the student user.

      [root@serverb ~]# logout
      [student@serverb ~]$ logout
      Connection to serverb closed.
      [student@workstation ~]$
  6. Verify that remote logging for Audit is working.

    1. Log in to the servera machine as the student user.

      [student@workstation ~]$ ssh student@servera
      ...output omitted...
      [student@servera ~]$
    2. Change to the root user. Use student as the password.

      [student@servera ~]$ sudo -i
      [sudo] password for student: student
    3. Return to the workstation machine as the student user.

      [root@servera ~]# logout
      [student@servera ~]$ logout
      Connection to servera closed.
      [student@workstation ~]$
    4. Log in to the serverb machine as the student user.

      [student@workstation ~]$ ssh student@serverb
      ...output omitted...
      [student@serverb ~]$
    5. Use the sudo -i command to change to the root user. Use student as the password.

      [student@serverb ~]$ sudo -i
      [sudo] password for student: student
      [root@serverb ~]#
    6. Verify that the Audit log file on the serverb machine contains new entries for the events generated on the servera machine. When done, log out of the serverb machine.

      [root@serverb ~]# grep servera /var/log/audit/audit.log
      ...output omitted...
      node=servera type=SERVICE_STOP msg=audit(1697169930.355:216): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=user@1000 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
      node=servera type=SERVICE_STOP msg=audit(1697169930.362:217): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-hostnamed comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
      node=servera type=BPF msg=audit(1697169930.366:218): prog-id=0 op=UNLOAD
      node=servera type=BPF msg=audit(1697169930.366:219): prog-id=0 op=UNLOAD
      node=servera type=SERVICE_STOP msg=audit(1697169930.379:220): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=user-runtime-dir@1000 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
  7. Return to the workstation machine as the student user.

    [root@serverb ~]# logout
    [student@serverb ~]$ logout
    Connection to serverb closed.
    [student@workstation ~]$
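The final check in step 6 is a bare grep for the hostname. The following parser, added here as an example and not part of the Red Hat exercise, reads the ENRICHED record format shown above (header, nested msg='...' payload, and the UID=/AUID= fields appended after the closing quote), counts records per originating node, and reports the sudo root session opens that step 1.4 inspects. The sample log is constructed from lines copied out of the exercise output.

```python
import re
from collections import Counter

HEADER_RE = re.compile(r"msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):?")  # msg=audit(epoch:serial):
NESTED_RE = re.compile(r"msg='([^']*)'")        # nested PAM / systemd payload
KV_RE = re.compile(r'([\w-]+)=("[^"]*"|\S+)')    # key=value; value may be double-quoted

# Constructed sample: lines copied from the exercise output, mixing local records
# (no node= prefix) with records forwarded from servera through audisp-remote.
SAMPLE_LOG = """\
type=CRED_REFR msg=audit(1697168486.971:110): pid=1184 uid=1000 auid=1000 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'UID="student" AUID="student"
type=USER_START msg=audit(1697168486.976:111): pid=1184 uid=1000 auid=1000 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_keyinit,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'UID="student" AUID="student"
type=BPF msg=audit(1697168486.991:112): prog-id=32 op=LOAD
node=servera type=SERVICE_STOP msg=audit(1697169930.355:216): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=user@1000 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
node=servera type=BPF msg=audit(1697169930.366:218): prog-id=0 op=UNLOAD
"""

def parse_record(line):
    """Turn one audit.log line into a dict; the msg='...' payload goes under 'nested'."""
    m = HEADER_RE.search(line)
    if not m:
        raise ValueError("not an audit record: %r" % line[:40])
    rec = {"timestamp": float(m.group("ts")), "serial": int(m.group("serial"))}
    line = line[:m.start()] + " " + line[m.end():]
    n = NESTED_RE.search(line)
    if n:
        rec["nested"] = {k: v.strip('"') for k, v in KV_RE.findall(n.group(1))}
        # Enriched UID=/AUID= fields follow the closing quote with no space, so the
        # outer record is only safe to tokenise after the nested part is cut out.
        line = line[:n.start()] + " " + line[n.end():]
    rec.update((k, v.strip('"')) for k, v in KV_RE.findall(line))
    return rec

def parse_log(text):
    return [parse_record(l) for l in text.splitlines() if l.strip()]

def records_per_node(records):
    """Count records by originating host; 'local' means no node= prefix."""
    return Counter(r.get("node", "local") for r in records)

def forwarding_verified(records, remote_node):
    """True once at least one record tagged with the remote host name has arrived."""
    return records_per_node(records)[remote_node] > 0

def sudo_root_sessions(records):
    """Sessions opened by sudo for root, as (serial, audit user, terminal) tuples."""
    return [(r["serial"], r.get("AUID", r.get("auid")), r["nested"].get("terminal"))
            for r in records
            if r.get("type") == "USER_START"
            and r.get("nested", {}).get("exe") == "/usr/bin/sudo"
            and r["nested"].get("acct") == "root"]
```

Running parse_log over /var/log/audit/audit.log on serverb and checking forwarding_verified(records, "servera") gives the same answer as the grep in step 6.6, but with the per-node counts needed to notice when forwarding stops.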

Finish

On the workstation machine, use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish audit-configuring

Revision: rh415-9.2-a821299