Guided Exercise: Writing Custom Audit Rules

Write your own Audit rules to configure the system to collect information about particular events.

Outcomes

  • Write custom Audit rules.

As the student user on the workstation machine, use the lab command to prepare your environment for this exercise, and to ensure that all required resources are available.

[student@workstation ~]$ lab start audit-custom

Instructions

  1. On the servera machine, add a temporary Audit rule that logs every write or attribute change to any file in the /etc/ directory. Add the config-change key to all log messages.

    1. Log in to the servera machine as the student user. No password is required.

      [student@workstation ~]$ ssh student@servera
      [student@servera ~]$
    2. Use the sudo -i command to change to the root user. Use student as the password.

      [student@servera ~]$ sudo -i
      [sudo] password for student: student
      [root@servera ~]#
    3. Use the auditctl command to add a temporary Audit rule that logs every write or attribute change to any file in the /etc/ directory. Add the config-change key to all log messages.

      [root@servera ~]# auditctl -w /etc/ -p wa -k config-change
    4. Create an empty /etc/sysconfig/testfile file. When done, check your Audit logs for all of today's entries with the config-change key.

      [root@servera ~]# touch /etc/sysconfig/testfile
      [root@servera ~]# ausearch --start today -k config-change
      ...output omitted...
      time->Thu Oct 12 13:03:50 2023
      type=PROCTITLE msg=audit(1697130230.185:112): proctitle=746F756368002F6574632F737973636F6E6669672F7465737466756C65
      type=PATH msg=audit(1697130230.185:112): item=1 name="/etc/sysconfig/testfile" inode=16802086 dev=fc:04 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:etc_t:s0 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
      type=PATH msg=audit(1697130230.185:112): item=0 name="/etc/sysconfig/" inode=16797929 dev=fc:04 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
      type=CWD msg=audit(1697130230.185:112): cwd="/root"
      type=SYSCALL msg=audit(1697130230.185:112): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffed10196a9 a2=941 a3=1b6 items=2 ppid=1175 pid=1204 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="touch" exe="/usr/bin/touch" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="config-change"
      ...output omitted...
  2. Add a temporary Audit rule that logs any file execution in the /bin/ directory by users with an Audit UID of 1000 or higher, or an effective UID of 0. Use the privileged-execution key.

    1. Use the auditctl command to create the temporary Audit rule. Log these Audit messages with the privileged-execution key.

      [root@servera ~]# auditctl -a exit,always -F dir=/bin/ -F "auid>=1000" \
          -F "auid!=-1" -F "euid=0" -p x -k privileged-execution
    2. Execute the /bin/true command. When done, run an Audit search on all of this week's entries with the privileged-execution key.

      [root@servera ~]# /bin/true
      [root@servera ~]# ausearch --start this-week -i \
          -k privileged-execution
      ...output omitted...
      ----
      type=PROCTITLE msg=audit(10/12/23 14:00:12.826:113) : proctitle=/bin/true
      type=PATH msg=audit(10/12/23 14:00:12.826:113) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=8389810 dev=fc:04 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
      type=PATH msg=audit(10/12/23 14:00:12.826:113) : item=0 name=/bin/true inode=1241 dev=fc:04 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
      type=CWD msg=audit(10/12/23 14:00:12.826:113) : cwd=/root
      type=EXECVE msg=audit(10/12/23 14:00:12.826:113) : argc=1 a0=/bin/true
      type=SYSCALL msg=audit(10/12/23 14:00:12.826:113) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x5595f85a5d20 a1=0x5595f8554e80 a2=0x5595f85a6550 a3=0x8 items=2 ppid=1186 pid=1214 auid=student uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=true exe=/usr/bin/true subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=privileged-execution
  3. Persistently add an Audit rule to your system that audits the following system calls for all users with an Audit UID of 1000 or higher. Give the rule the delete key.

    • unlink

    • unlinkat

    • rename

    • renameat

    • rmdir

    1. Add the following line to the /etc/audit/rules.d/audit.rules file. The rule in the example does not specify the architecture for simplicity.

      -a exit,always -S unlink -S unlinkat -S rename -S renameat -S rmdir -F auid>=1000 -k delete
    2. Regenerate the Audit rules by using the augenrules --load command.

      [root@servera ~]# augenrules --load
      No rules
      ...output omitted...
    3. As the student user, create and then immediately delete an empty /tmp/testfile file.

      [root@servera ~]# logout
      [student@servera ~]$ touch /tmp/testfile; rm /tmp/testfile
    4. As the root user, search for all Audit messages with the delete key and the path name /tmp/testfile for this year.

      [student@servera ~]$ sudo -i
      [sudo] password for student: student
      [root@servera ~]# ausearch --start this-year -i -k delete \
          -f /tmp/testfile
      ----
      type=PROCTITLE msg=audit(10/12/23 14:13:39.273:208) : proctitle=rm /tmp/testfile
      type=PATH msg=audit(10/12/23 14:13:39.273:208) : item=1 name=/tmp/testfile inode=16802086 dev=fc:04 mode=file,644 ouid=student ogid=student rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
      type=PATH msg=audit(10/12/23 14:13:39.273:208) : item=0 name=/tmp/ inode=16798505 dev=fc:04 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
      type=CWD msg=audit(10/12/23 14:13:39.273:208) : cwd=/home/student
      type=SYSCALL msg=audit(10/12/23 14:13:39.273:208) : arch=x86_64 syscall=unlinkat success=yes exit=0 a0=AT_FDCWD a1=0x55f742fa8c20 a2=0x0 a3=0x200 items=2 ppid=1160 pid=1335 auid=student uid=student gid=student euid=student suid=student fsuid=student egid=student sgid=student fsgid=student tty=pts0 ses=1 comm=rm exe=/usr/bin/rm subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=delete
      ----
      ...output omitted...
    5. When done, log out of the servera machine.

      [root@servera ~]# logout
      [student@servera ~]$ logout
      Connection to servera closed.
      [student@workstation ~]$
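The raw ausearch output in step 1 prints the PROCTITLE value as hex (argv entries joined by NUL bytes) and the SYSCALL fields as numbers; ausearch -i, used in steps 2 and 3, is what turns them into readable text. The following POSIX sh helpers are an added example, not part of the RH415 exercise, that do the same decoding offline on a copied record, for instance when reviewing audit.log from a system where ausearch is not available; the two sample records are constructed to mirror the step 1 event.

```sh
#!/bin/sh
# Added example: read raw (non -i) Audit records such as those in step 1.

# Decode a raw PROCTITLE hex value into the command line it represents.
# The kernel separates argv entries with NUL bytes; they are shown as spaces.
decode_proctitle() {
    hex=$1
    out=
    while [ -n "$hex" ]; do
        byte=${hex%"${hex#??}"}        # first two hex digits
        hex=${hex#??}
        [ "$byte" = "00" ] && byte=20  # NUL argv separator -> space
        # convert the byte to octal and let printf emit the character
        out="$out$(printf "\\$(printf '%03o' "0x$byte")")"
    done
    printf '%s' "$out"
}

# Extract one field from an Audit record line ($1) by field name ($2).
# Fields are space-separated name=value pairs; values may be double-quoted.
audit_field() {
    printf '%s\n' "$1" | sed -n 's/.* '"$2"'="\{0,1\}\([^" ]*\).*/\1/p'
}

# Condense the SYSCALL record ($1) and PROCTITLE record ($2) of one event
# into a single line a reviewer can scan: who ran what, under which rule key.
summarize_event() {
    printf 'key=%s auid=%s euid=%s syscall=%s comm=%s cmd=%s\n' \
        "$(audit_field "$1" key)" "$(audit_field "$1" auid)" \
        "$(audit_field "$1" euid)" "$(audit_field "$1" syscall)" \
        "$(audit_field "$1" comm)" \
        "$(decode_proctitle "$(audit_field "$2" proctitle)")"
}

# Constructed sample records (shortened copies of the step 1 event shape).
SAMPLE_SYSCALL='type=SYSCALL msg=audit(1697130230.185:112): arch=c000003e syscall=257 success=yes exit=3 items=2 ppid=1175 pid=1204 auid=0 uid=0 gid=0 euid=0 tty=pts0 ses=1 comm="touch" exe="/usr/bin/touch" key="config-change"'
SAMPLE_PROCTITLE='type=PROCTITLE msg=audit(1697130230.185:112): proctitle=746F756368002F6574632F737973636F6E6669672F7465737466696C65'

summarize_event "$SAMPLE_SYSCALL" "$SAMPLE_PROCTITLE"
```

On x86_64, syscall 257 is openat, which is why a touch of a new file under /etc/ matches the -p wa watch; the summary line makes it obvious which rule key fired and under which audit UID the action was taken.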

Finish

On the workstation machine, use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish audit-custom

Revision: rh415-9.2-a821299