Enable standard Audit rule sets that are provided with Red Hat Enterprise Linux, and identify potentially useful rule sets.
The audit package ships with a set of sample Audit rule files.
These rule sets are a good starting point for implementing a practical security policy.
These rules are available in the /usr/share/audit/sample-rules directory as files with the suffix .rules.
The /usr/share/audit/sample-rules/README-rules file provides basic instructions for using the rules, and the individual rule files contain comments about how they should be used and whether additional rule files should also be loaded.
Each rule file name starts with a number, so that the files are loaded in the correct order. Remember that order matters when loading Audit rules.
The following rule files are included:
30-nispom.rules, which is intended to meet the requirements of the Information System Security chapter of the National Industrial Security Program Operating Manual.
30-pci-dss-v31.rules, which is intended to meet the requirements set by the Payment Card Industry Data Security Standard (PCI DSS) v3.1.
30-stig.rules, which is intended to meet the requirements set by the US Department of Defense Security Technical Implementation Guides (STIGs).
Each rule file contains several individual rules. A number sign (#) marks the start of a comment. Only the uncommented rules are enabled for loading. You must not enable all the rules in the file at the same time because some rules might conflict with others.
To use one of these sample rule sets, copy the .rules file or files to the /etc/audit/rules.d directory, and run the augenrules --load command to reload the Audit rules.
These example files do not guarantee full compliance as written, but the files do give you a starting point to configure your environment.
After copying one of these default rule sets, you must review the file and follow any instructions to enable or disable certain rules for your environment.
For example, the 99-finalize.rules file contains a commented-out control rule to make the rule configuration immutable.
Enable that control rule on production systems. After -e 2 takes effect, the Audit configuration cannot be changed again until the system is rebooted, so it must be the last rule loaded; the 99- prefix ensures that this file sorts last.
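The staging and review steps described above, as an added shell example that is not Red Hat's own code: it copies selected sample rule files into a rules.d directory, lists the rules that are actually enabled (uncommented) in each file, uncomments the -e 2 control rule in 99-finalize.rules, and checks that -e 2 is the last rule that would load. The source and target directories are parameters so the functions can be exercised on scratch copies; the sample rule content in the demo is constructed for illustration and is not the shipped file content.

```shell
#!/bin/sh
# Added example: stage sample Audit rule files into a rules.d directory,
# show which rules in them are actually enabled, and turn on the immutable
# control rule in 99-finalize.rules. Not Red Hat's own code. Directories are
# parameters so the functions can be exercised on scratch copies; the sample
# rule content below is constructed for the demo, not the shipped files.

# Print the rules augenrules would load from FILE: every line that is
# neither blank nor a comment (a leading "#" marks a comment).
active_rules() {
    grep -v -E '^[[:space:]]*(#|$)' "$1" || true
}

# Copy the named .rules files from SRC to DST (a rules.d directory).
stage_rules() {
    src=$1
    dst=$2
    shift 2
    mkdir -p "$dst"
    for f in "$@"; do
        cp "$src/$f" "$dst/$f"
    done
}

# Uncomment the "-e 2" control rule that 99-finalize.rules ships commented
# out, so the loaded configuration becomes immutable.
enable_immutable() {
    sed 's/^[[:space:]]*#[[:space:]]*-e[[:space:]]*2[[:space:]]*$/-e 2/' "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# Return success unless "-e 2" is present but not the very last active rule.
# augenrules concatenates DST/*.rules in sorted order; once -e 2 takes
# effect, every rule after it fails to load until the next reboot.
check_immutable_last() {
    dst=$1
    all=$(for f in "$dst"/*.rules; do active_rules "$f"; done)
    case $all in
        *"-e 2"*) [ "$(printf '%s\n' "$all" | tail -n 1)" = "-e 2" ] ;;
        *) return 0 ;;
    esac
}

# Demo on a constructed stand-in for /usr/share/audit/sample-rules.
demo=$(mktemp -d)
mkdir -p "$demo/sample-rules"
cat > "$demo/sample-rules/30-example.rules" <<'EOF'
## Constructed example file, not one of the shipped rule sets.
## Only uncommented rules are loaded.
-w /etc/passwd -p wa -k identity
#-w /etc/shadow -p wa -k identity
EOF
cat > "$demo/sample-rules/99-finalize.rules" <<'EOF'
## Make the configuration immutable
#-e 2
EOF

stage_rules "$demo/sample-rules" "$demo/rules.d" 30-example.rules 99-finalize.rules
enable_immutable "$demo/rules.d/99-finalize.rules"
for f in "$demo/rules.d"/*.rules; do
    echo "== $f"
    active_rules "$f"
done
check_immutable_last "$demo/rules.d" || echo "WARNING: -e 2 is not the last rule" >&2
rm -rf "$demo"
# On a real host, use SRC=/usr/share/audit/sample-rules and
# DST=/etc/audit/rules.d, review the staged files, then run: augenrules --load
```

On a real system, run the staging against /etc/audit/rules.d as root, review each staged file for the rules its comments tell you to enable or disable, and only then run augenrules --load; the check_immutable_last step is worth keeping, because any rule file that sorts after 99-finalize.rules, or any rule appended below -e 2, silently fails to load.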
Some auditing policies require that every keystroke a user makes is logged.
Audit provides this functionality with the pam_tty_audit PAM module.
Every keystroke is then recorded in the Audit log (/var/log/audit/audit.log).
To enable keystroke logging, you must add the pam_tty_audit module to the /etc/pam.d/system-auth and the /etc/pam.d/password-auth files.
This configuration ensures that all daemons started by the system that implement some form of terminal functionality have their keystrokes logged as well, unless explicitly disabled in their PAM configuration.
The pam_tty_audit.so module implements only the session module type.
Listing it under any other module type (auth, account, or password) prevents any user from logging in at all.
The pam_tty_audit module takes either the enable or the disable options.
Both options take as arguments a comma-separated list of patterns for user names to enable and disable, respectively.
The following example enables keystroke logging for the devops user and disables it for the student user; users who match neither pattern keep the inherited TTY audit state, which is disabled by default. The example also sets the log_passwd option, so keystrokes typed while terminal echo is off, such as passwords, are recorded as well.
Note that you must create a custom authselect profile to enable the module.
[root@host ~]# authselect create-profile minimal-with-tty-audit \
-b minimal --symlink-meta --symlink-pam
...output omitted...
[root@host ~]# echo "session required pam_tty_audit.so disable=student enable=devops log_passwd" \
>> /etc/authselect/custom/minimal-with-tty-audit/system-auth
[root@host ~]# echo "session required pam_tty_audit.so disable=student enable=devops log_passwd" \
>> /etc/authselect/custom/minimal-with-tty-audit/password-auth
[root@host ~]# authselect select custom/minimal-with-tty-audit --force
If both an enable= pattern and a disable= pattern match a user, the option that appears last on the module line is the one that applies.
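As an added example that is not part of the Red Hat documentation or of the Linux-PAM project, the following shell functions simulate how pam_tty_audit.so resolves the enable= and disable= options for a user, applying the rule that the patterns are comma-separated globs and that the last matching pattern wins, and flag the log_passwd option. The module line is the one from the example above; the user names alice and admin used in the demo are constructed. The functions do not touch the real PAM stack.

```shell
#!/bin/sh
# Added example: simulate pam_tty_audit.so option handling. Not Linux-PAM or
# Red Hat code; it reimplements the documented rule that enable=/disable=
# take comma-separated glob patterns and the last matching pattern wins.

# Print "enable", "disable", or "unchanged" for USER given the module's
# option string. "unchanged" means no pattern matched, so the session keeps
# the inherited TTY audit state (off by default).
tty_audit_state() {
    opts=$1
    user=$2
    state=unchanged
    set -f   # no pathname expansion while splitting patterns such as "*"
    for opt in $opts; do
        case $opt in
            enable=*|disable=*)
                action=${opt%%=*}
                patterns=${opt#*=}
                old_ifs=$IFS
                IFS=','
                for pat in $patterns; do
                    # case performs glob matching against the expanded
                    # pattern; a later match overrides an earlier one.
                    case $user in
                        $pat) state=$action ;;
                    esac
                done
                IFS=$old_ifs
                ;;
        esac
    done
    set +f
    printf '%s\n' "$state"
}

# Return success if log_passwd is present: the module then records
# keystrokes typed with echo off, which is how passwords are entered.
has_log_passwd() {
    case " $1 " in
        *" log_passwd "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo: the module line from the example above, plus constructed users.
line='session required pam_tty_audit.so disable=student enable=devops log_passwd'
opts=${line#*pam_tty_audit.so}
for u in devops student alice; do
    printf '%-8s -> %s\n' "$u" "$(tty_audit_state "$opts" "$u")"
done
# Ordering matters: disable everyone, then re-enable a group of admins.
printf '%-8s -> %s\n' admin "$(tty_audit_state 'disable=* enable=admin,ops*' admin)"
if has_log_passwd "$opts"; then
    echo "log_passwd is set: password keystrokes will be written to /var/log/audit/audit.log" >&2
fi
```

The "disable=* enable=..." form is the usual way to audit only a named set of accounts; reversing the two options would silently disable auditing for everyone, which is exactly the mistake the last-match rule makes easy.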
To view the recorded keystrokes in a readable form, use the aureport --tty command; ausearch -m TTY shows the raw TTY records.
Keystroke logging can require a large amount of storage on the system. You must consider this issue before enabling this functionality.
In addition, there might be certain legal restrictions or requirements on the use of keystroke logging in your location or the location of your data centers and users. You must discuss these questions with your legal counsel before implementing keystroke logging.
pam_tty_audit(8) man page
For more information, refer to the Pre-configured Audit Rules Files for Compliance with Standards section in the Auditing the System chapter in the Red Hat Enterprise Linux 9 Security Hardening guide at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/auditing-the-system_security-hardening#pre-configured-audit-rules-files-for-compliance-with-standards_auditing-the-system