Guided Exercise: Enabling Prepackaged Audit Rule Sets

Configure prepackaged Audit rules, and configure the Audit subsystem to log terminal activity.

Outcomes

  • Enable prepackaged Audit rules.

  • Audit TTY with the pam_tty_audit PAM module.

As the student user on the workstation machine, use the lab command to prepare your environment for this exercise, and to ensure that all required resources are available.

[student@workstation ~]$ lab start audit-rulesets

Instructions

  1. Enable the prepackaged STIG Audit rules on the servera machine.

    1. Log in to the servera machine as the student user. No password is required.

      [student@workstation ~]$ ssh student@servera
      [student@servera ~]$
    2. Use the sudo -i command to switch identity to the root user. Use student as the password.

      [student@servera ~]$ sudo -i
      [sudo] password for student: student
      [root@servera ~]#
    3. Copy the /usr/share/audit/sample-rules/30-stig.rules file with the STIG Audit rules to the /etc/audit/rules.d/ directory.

      [root@servera ~]# cp /usr/share/audit/sample-rules/30-stig.rules \
          /etc/audit/rules.d/
    4. Load the STIG Audit rules with the augenrules --load command. The augenrules command concatenates the *.rules files in /etc/audit/rules.d/, in file name order, into /etc/audit/audit.rules and loads the result into the kernel; the numeric prefix of the sample files controls that order. You can list the rules that are now active with the auditctl -l command.

      [root@servera ~]# augenrules --load
      ...output omitted...
  2. Verify that the STIG Audit rules are working correctly.

    1. Find the STIG Audit rules that use the identity key.

      [root@servera ~]# grep identity /etc/audit/rules.d/30-stig.rules
      -w /etc/group -p wa -k identity
      -w /etc/passwd -p wa -k identity
      -w /etc/gshadow -p wa -k identity
      -w /etc/shadow -p wa -k identity
      -w /etc/security/opasswd -p wa -k identity
    2. Create a user called testuser to test the previous STIG Audit rules. Creating a new user modifies the files that are associated with the rules that use the identity key (for example, /etc/passwd), and triggers the STIG Audit rules.

      [root@servera ~]# useradd testuser
    3. Search the Audit log for the identity key to verify that the previous STIG Audit rules are active.

      [root@servera ~]# ausearch -k identity
      ...output omitted...
      type=PATH msg=audit(1697528559.373:1784): item=0 name="/etc/passwd" inode=8622253 dev=fc:04 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:passwd_file_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
      ...output omitted...
      type=PATH msg=audit(1697528559.396:1787): item=0 name="/etc/shadow" inode=8391348 dev=fc:04 mode=0100000 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shadow_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
      ...output omitted...
      type=SYSCALL msg=audit(1697528559.441:1793): arch=c000003e syscall=82 success=yes exit=0 a0=7ffc0f270c00 a1=56423929d880 a2=7ffc0f270b70 a3=100 items=5 ppid=3303 pid=3351 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=63 comm="useradd" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="identity"
      ...output omitted...

      If you find Audit events with the correct key, then you have successfully configured the prepackaged Audit rules.
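      On servera, ausearch -k identity already groups the SYSCALL, CWD, and PATH records of each event for you; the records share the serial in their msg=audit(TIMESTAMP:SERIAL) prefix. The following script is an added example, not part of the course, that performs that join over constructed records (timestamps, pids, and inode numbers are invented) so that the structure of a triage is visible: for every event with the requested key it prints who acted (auid/uid), through which program, and which files were touched. The auid is the login UID, which survives su and sudo, which is why it identifies the person even though useradd and passwd run as root. The PATH items of the first event show the rename-into-place pattern (a passwd+ temporary file replacing /etc/passwd) that tools from shadow-utils use.

```shell
#!/bin/sh
# Added example (not part of the course): pair each SYSCALL record that carries a
# given key with the PATH records of the same event serial, the join that
# ausearch performs for you. The records below are constructed to resemble the
# ausearch output above; inode numbers, pids and timestamps are invented.
IDENTITY_SAMPLE='type=SYSCALL msg=audit(1697528559.441:1793): arch=c000003e syscall=82 success=yes exit=0 items=5 ppid=3303 pid=3351 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=63 comm="useradd" exe="/usr/sbin/useradd" key="identity"
type=CWD msg=audit(1697528559.441:1793): cwd="/root"
type=PATH msg=audit(1697528559.441:1793): item=0 name="/etc/" inode=8388609 dev=fc:04 mode=040755 ouid=0 ogid=0 nametype=PARENT
type=PATH msg=audit(1697528559.441:1793): item=2 name="/etc/passwd+" inode=8622260 dev=fc:04 mode=0100644 ouid=0 ogid=0 nametype=DELETE
type=PATH msg=audit(1697528559.441:1793): item=4 name="/etc/passwd" inode=8622253 dev=fc:04 mode=0100644 ouid=0 ogid=0 nametype=CREATE
type=SYSCALL msg=audit(1697528600.120:1801): arch=c000003e syscall=82 success=yes exit=0 items=5 ppid=4100 pid=4102 auid=1000 uid=0 gid=0 euid=0 tty=pts1 ses=64 comm="passwd" exe="/usr/bin/passwd" key="identity"
type=PATH msg=audit(1697528600.120:1801): item=4 name="/etc/shadow" inode=8391348 dev=fc:04 mode=0100000 ouid=0 ogid=0 nametype=CREATE
type=SYSCALL msg=audit(1697528611.004:1805): arch=c000003e syscall=87 success=yes exit=0 items=2 ppid=4100 pid=4110 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts1 ses=64 comm="rm" exe="/usr/bin/rm" key="delete"
type=PATH msg=audit(1697528611.004:1805): item=1 name="/home/student/notes.txt" inode=1234 dev=fc:04 mode=0100644 ouid=1000 ogid=1000 nametype=DELETE'

# Usage: identity_summary [KEY] < audit-records
# Prints one line per matching event: serial, auid/uid, comm (exe), paths touched.
identity_summary() {
  awk -v want="${1:-identity}" '
  # Return the value of field NAME (without surrounding quotes) from the current record.
  function field(name,   i, kv) {
    for (i = 3; i <= NF; i++) {
      split($i, kv, "=")
      if (kv[1] == name) { gsub(/"/, "", kv[2]); return kv[2] }
    }
    return ""
  }
  # Every record starts with type=... msg=audit(TIMESTAMP:SERIAL): and all records
  # of one event share the serial, which lets SYSCALL and PATH records be joined.
  {
    serial = $2
    sub(/^msg=audit\([0-9.]*:/, "", serial)
    sub(/\):$/, "", serial)
  }
  # auid is the login UID, which survives su and sudo; uid is the identity at the
  # time of the syscall (0 here because useradd and passwd run as root).
  $1 == "type=SYSCALL" && field("key") == want {
    order[++n] = serial
    who[serial] = field("auid") "/" field("uid")
    what[serial] = field("comm") " (" field("exe") ")"
  }
  # Collect the file names of the event; PARENT items are the containing directories.
  $1 == "type=PATH" && field("nametype") != "PARENT" {
    nm = field("name")
    if (serial in paths) paths[serial] = paths[serial] "," nm
    else paths[serial] = nm
  }
  END {
    for (i = 1; i <= n; i++) {
      s = order[i]
      print s, who[s], what[s], paths[s]
    }
  }'
}

# Run against the constructed sample; the "delete" event is filtered out.
printf '%s\n' "$IDENTITY_SAMPLE" | identity_summary identity
```

      Pass a different key as the first argument to summarize other rule sets from the same file, for example the keys that the other STIG rules use. On a live system, feed it the raw file (/var/log/audit/audit.log) or the output of ausearch --raw.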

  3. Now that you have configured prepackaged Audit rules, configure keystroke logging.

    Configure the pam_tty_audit PAM module so that the TTY sessions of the devops user on the servera machine are audited, and those of the student user are not.

    1. Create a custom authselect profile that is based on the minimal profile, and append the pam_tty_audit module to its PAM configuration. The PAM files of the custom profile must be copies rather than symbolic links, because you modify them: with the --symlink-pam option, the append would write through the link into the base profile under /usr/share/authselect/. The disable= and enable= options take glob patterns of user names. The log_passwd option also records keystrokes that are typed while terminal echo is off, so passwords end up in /var/log/audit/audit.log in clear text; protect the log accordingly.

      [root@servera ~]# authselect create-profile minimal-with-tty-audit \
          -b minimal --symlink-meta
      ...output omitted...
      [root@servera ~]# echo "session required pam_tty_audit.so disable=student enable=devops log_passwd" \
          >> /etc/authselect/custom/minimal-with-tty-audit/system-auth
      [root@servera ~]# echo "session required pam_tty_audit.so disable=student enable=devops log_passwd" \
          >> /etc/authselect/custom/minimal-with-tty-audit/password-auth
    2. Enable the custom authselect profile. The --force option makes authselect overwrite the files in /etc/pam.d/ even if the current configuration was not generated by authselect. Afterwards, /etc/pam.d/system-auth and /etc/pam.d/password-auth contain the pam_tty_audit line.

      [root@servera ~]# authselect select custom/minimal-with-tty-audit --force
    3. Log in to the servera machine as the devops user and run the ls /tmp command to test that the auditing of TTY is working. When done, log off and then log in to the servera machine as the root user.

      Note

      Type the following commands in full, without tab completion. With tab completion, the log would show the first few characters and a Tab character instead of the complete ls /tmp and exit commands.

      This illustrates a limitation of keystroke logging: the audit log records the keys that were pressed, not the commands that the shell ended up running, so you might have to reconstruct the effect of the keystrokes from the behavior of the programs that consumed them.

      [root@servera ~]# logout
      [student@servera ~]$ logout
      [student@workstation ~]$ ssh devops@servera
      [devops@servera ~]$ ls /tmp
      ...output omitted...
      [devops@servera ~]$ exit
      [student@workstation ~]$ ssh root@servera
    4. Verify that the keystrokes of the devops session were recorded, with the aureport --tty command. The auid column holds the login UID of the devops user (1001 here) and the sess column the login session; the raw records are also available with the ausearch -m TTY command. When done, log off from the servera machine.

      [root@servera ~]# aureport --tty
      
      TTY Report
      ===============================================
      # date time event auid term sess comm data
      ===============================================
      1. 10/17/23 04:00:15 1925 1001 pts0 69 bash "ls /tmp",<ret>,"exit",<ret>
      
      [root@servera ~]# logout
      [student@workstation ~]$
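      The report that aureport --tty prints is built from type=TTY records in /var/log/audit/audit.log. Each record stores the keystrokes of one read from the terminal as a hex string in its data field, and aureport decodes that string, printing <ret> for the Enter key and <tab> for a Tab. The following script is an added example, not part of the course, that performs the same decoding on two constructed records (pids, session, and timestamps are invented) so that you can see what the raw records hold; it prints one line per record rather than aureport's per-session grouping. With log_passwd set, anything typed at a password prompt appears in this field in clear text, which is the practical reason the audit log needs tight permissions.

```shell
#!/bin/sh
# Added example (not part of the course): decode the hex-encoded data field of raw
# type=TTY records, which is what aureport --tty does before it prints the report.
# The records are constructed; the two TTY records hold the keystrokes
# "ls /tmp" Enter and "exit" Enter, and the USER_END record shows that
# non-TTY records are ignored.
TTY_SAMPLE='type=TTY msg=audit(1697529615.102:1925): tty pid=3420 uid=1001 auid=1001 ses=69 major=136 minor=0 comm="bash" data=6C73202F746D700D
type=USER_END msg=audit(1697529616.000:1926): pid=3400 uid=0 auid=1001 ses=69 res=success
type=TTY msg=audit(1697529620.500:1927): tty pid=3420 uid=1001 auid=1001 ses=69 major=136 minor=0 comm="bash" data=657869740D'

# Usage: decode_tty < audit-records
# Prints one line per TTY record: serial, auid, comm, decoded keystrokes.
decode_tty() {
  awk '
  BEGIN {
    # Map every hex byte to its character, then override the control characters
    # with the markers that aureport --tty prints for them.
    for (i = 1; i < 256; i++) tbl[sprintf("%02X", i)] = sprintf("%c", i)
    tbl["09"] = "<tab>"; tbl["0A"] = "<nl>"; tbl["0D"] = "<ret>"; tbl["7F"] = "<^?>"
  }
  $1 == "type=TTY" {
    # The event serial sits in msg=audit(TIMESTAMP:SERIAL):
    serial = $2
    sub(/^msg=audit\([0-9.]*:/, "", serial)
    sub(/\):$/, "", serial)
    for (i = 3; i <= NF; i++) {
      split($i, kv, "=")
      if (kv[1] == "auid") auid = kv[2]
      if (kv[1] == "comm") { comm = kv[2]; gsub(/"/, "", comm) }
      if (kv[1] == "data") hex = toupper(kv[2])
    }
    # Walk the hex string two characters at a time; bytes without a mapping
    # (for example NUL) are shown as <0xNN>.
    out = ""
    for (i = 1; i <= length(hex); i += 2) {
      pair = substr(hex, i, 2)
      out = out ((pair in tbl) ? tbl[pair] : "<0x" pair ">")
    }
    print serial, auid, comm, out
  }'
}

# Run against the constructed sample.
printf '%s\n' "$TTY_SAMPLE" | decode_tty
```

      Feeding it a record whose data ends in 09 (a Tab) shows the tab-completion effect that the note above warns about: the log holds "ls<tab>", not the command that the shell completed and ran.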

Finish

On the workstation machine, use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish audit-rulesets

Revision: rh415-9.2-a821299