Lab: Recording System Events with Audit

Configure remote Audit logs, enable prepackaged STIG Audit rules, and record terminal activity.

Outcomes

  • Configure remote Audit logs.

  • Enable prepackaged Audit rules.

  • Enable auditing of TTY.

As the student user on the workstation machine, use the lab command to prepare your environment for this exercise, and to ensure that all required resources are available.

[student@workstation ~]$ lab start audit-review

Instructions

  1. Configure the Audit service on the servera machine to send Audit messages to the Audit service on the serverb.lab.example.com host. After configuration, use the service auditd restart command to restart the daemon and load the new configuration.

    Note

    The service command is deprecated; do not use it in production environments. The systemctl restart command cannot be used with the auditd service due to the interaction between the daemon and the Linux kernel. In production environments, reboot the machine to ensure that the new configuration is loaded.

    1. Log in to the servera machine as the student user.

      [student@workstation ~]$ ssh student@servera
      ...output omitted...
      [student@servera ~]$
    2. Change to the root user. Use student as the password.

      [student@servera ~]$ sudo -i
      [sudo] password for student: student
      [root@servera ~]#
    3. Install the audispd-plugins package.

      [root@servera ~]# dnf -y install audispd-plugins
      ...output omitted...
    4. In the /etc/audit/plugins.d/au-remote.conf file, set the value for the active variable to yes to enable remote logging.

      [root@servera ~]# cat /etc/audit/plugins.d/au-remote.conf
      ...output omitted...
      active = yes
      ...output omitted...
    5. In the /etc/audit/audisp-remote.conf file, set the remote_server variable to the serverb.lab.example.com hostname. Also, set the port to be used in the remote logging server, which is 60 by default.

      [root@servera ~]# cat /etc/audit/audisp-remote.conf
      ...output omitted...
      remote_server = serverb.lab.example.com
      port = 60
      ...output omitted...
    6. Restart the auditd service to update its configuration. When done, return to the workstation machine as the student user.

      [root@servera ~]# service auditd restart
      Stopping logging:
      Redirecting start to /bin/systemctl start auditd.service
      [root@servera ~]# logout
      [student@servera ~]$ logout
      [student@workstation ~]$
  2. Configure the Audit service on the serverb machine to accept the Audit messages from the Audit service on the servera machine. After configuration, use the service auditd restart command to restart the daemon and load the new configuration.

    1. Log in to the serverb machine as the student user.

      [student@workstation ~]$ ssh student@serverb
      ...output omitted...
      [student@serverb ~]$
    2. Change to the root user. Use student as the password.

      [student@serverb ~]$ sudo -i
      [sudo] password for student: student
      [root@serverb ~]#
    3. In the /etc/audit/auditd.conf file, uncomment the tcp_listen_port variable, and set its value to 60 so that the Audit service listens on the 60 TCP port.

      [root@serverb ~]# vim /etc/audit/auditd.conf
      ...output omitted...
      tcp_listen_port = 60
      ...output omitted...
    4. Open the 60 TCP port to enable access to the Audit server.

      [root@serverb ~]# firewall-cmd --zone=public --add-port=60/tcp \
          --permanent
      success
      [root@serverb ~]# firewall-cmd --reload
      success
    5. Restart the auditd service to update its configuration. When done, return to the workstation machine as the student user.

      [root@serverb ~]# service auditd restart
      Stopping logging:
      Redirecting start to /bin/systemctl start auditd.service
      [root@serverb ~]# logout
      [student@serverb ~]$ logout
      [student@workstation ~]$
  3. Log in to the servera machine as the student user to verify that remote logging for Audit is working. Use the auditctl -m command to send the Audit message: This is a test message from servera.

    1. Log in to the servera machine as the student user.

      [student@workstation ~]$ ssh student@servera
      ...output omitted...
      [student@servera ~]$
    2. Change to the root user. Use student as the password.

      [student@servera ~]$ sudo -i
      [sudo] password for student: student
      [root@servera ~]#
    3. Use the auditctl -m command to write a test message to the Audit log: This is a test message from servera. When done, return to the workstation machine as the student user.

      [root@servera ~]# auditctl -m 'This is a test message from servera'
      [root@servera ~]# logout
      [student@servera ~]$ logout
      [student@workstation ~]$
    4. Log in to the serverb machine as the student user.

      [student@workstation ~]$ ssh student@serverb
      ...output omitted...
      [student@serverb ~]$
    5. Change to the root user. Use student as the password.

      [student@serverb ~]$ sudo -i
      [sudo] password for student: student
      [root@serverb ~]#
    6. Verify that a new entry in the Audit log file exists for the message that was created on the servera machine. When done, return to the workstation machine as the student user.

      [root@serverb ~]# grep servera /var/log/audit/audit.log
      type=USER msg=audit(1697216044.752:241): pid=26638 uid=0 auid=0 ses=7 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='text=This is a test message from servera exe="/usr/sbin/auditctl" hostname=servera addr=? terminal=pts/0 res=success'UID="root" AUID="root"
      type=USER msg=audit(1697216087.366:284): pid=26679 uid=0 auid=0 ses=8 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='text=This is a test message from servera exe="/usr/sbin/auditctl" hostname=servera addr=? terminal=pts/0 res=success'UID="root" AUID="root"
      [root@serverb ~]# logout
      [student@serverb ~]$ logout
      [student@workstation ~]$
  4. Enable the prepackaged STIG Audit rules on the servera machine.

    1. Log in to the servera machine as the student user.

      [student@workstation ~]$ ssh student@servera
      ...output omitted...
      [student@servera ~]$
    2. Change to the root user. Use student as the password.

      [student@servera ~]$ sudo -i
      [sudo] password for student: student
      [root@servera ~]#
    3. Copy the /usr/share/audit/sample-rules/30-stig.rules file with the STIG Audit rules into the /etc/audit/rules.d/ directory.

      [root@servera ~]# cp /usr/share/audit/sample-rules/30-stig.rules \
          /etc/audit/rules.d/
    4. Load the STIG Audit rules with the augenrules --load command.

      [root@servera ~]# augenrules --load
      ...output omitted...
  5. On the servera machine, some STIG Audit rules mark events that affect identity, user, or group information with the identity key string. Verify that those rules work correctly by creating the labuser user and confirming that Audit creates records marked with the identity key string.

    1. Verify which STIG Audit rules use the identity key.

      [root@servera ~]# grep identity /etc/audit/rules.d/30-stig.rules
      ## Things that affect identity
      -w /etc/group -p wa -k identity
      -w /etc/passwd -p wa -k identity
      -w /etc/gshadow -p wa -k identity
      -w /etc/shadow -p wa -k identity
      -w /etc/security/opasswd -p wa -k identity
    2. Create the labuser user to test the previous STIG Audit rules. Creating a new user modifies the files that are associated with the rules that use the identity key (for example /etc/passwd), and triggers those STIG Audit rules.

      [root@servera ~]# useradd labuser
    3. Search the Audit log for the identity key to verify that the previous STIG Audit rules are active.

      [root@servera ~]# ausearch -k identity
      ...output omitted...
      ----
      time->Fri Oct 13 18:16:20 2023
      type=PROCTITLE msg=audit(1697235380.471:468): proctitle=75736572616464007465737475736572
      type=PATH msg=audit(1697235380.471:468): item=4 name="/etc/gshadow" inode=8393349 dev=fc:04 mode=0100000 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shadow_t:s0 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
      type=PATH msg=audit(1697235380.471:468): item=3 name="/etc/gshadow" inode=8393365 dev=fc:04 mode=0100000 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shadow_t:s0 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
      type=PATH msg=audit(1697235380.471:468): item=2 name="/etc/gshadow+" inode=8393349 dev=fc:04 mode=0100000 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shadow_t:s0 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
      type=PATH msg=audit(1697235380.471:468): item=1 name="/etc/" inode=8388736 dev=fc:04 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
      type=PATH msg=audit(1697235380.471:468): item=0 name="/etc/" inode=8388736 dev=fc:04 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
      type=CWD msg=audit(1697235380.471:468): cwd="/root"
      type=SYSCALL msg=audit(1697235380.471:468): arch=c000003e syscall=82 success=yes exit=0 a0=7fff46201d30 a1=5586f7ef0880 a2=7fff46201ca0 a3=100 items=5 ppid=27033 pid=27103 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=14 comm="useradd" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="identity"
  6. Create and select the custom/lab-minimal-with-tty-audit security profile based on the minimal security profile to enable the pam_tty_audit PAM module for the student user.

    1. Create the lab-minimal-with-tty-audit security profile.

      [root@servera ~]# authselect create-profile lab-minimal-with-tty-audit \
          -b minimal --symlink-meta --symlink-pam
      New profile was created at /etc/authselect/custom/lab-minimal-with-tty-audit
    2. Add entries to the /etc/authselect/custom/lab-minimal-with-tty-audit/system-auth and /etc/authselect/custom/lab-minimal-with-tty-audit/password-auth files to enable the pam_tty_audit.so module for the student user.

      [root@servera ~]# echo "session required pam_tty_audit.so enable=student" \
          >> /etc/authselect/custom/lab-minimal-with-tty-audit/system-auth
      [root@servera ~]# echo "session required pam_tty_audit.so enable=student" \
          >> /etc/authselect/custom/lab-minimal-with-tty-audit/password-auth
    3. Enable the custom/lab-minimal-with-tty-audit security profile.

      [root@servera ~]# authselect select custom/lab-minimal-with-tty-audit --force
      ...output omitted...
  7. Return to the workstation machine as the student user.

    [root@servera ~]# logout
    [student@servera ~]$ logout
    Connection to servera closed.
    [student@workstation ~]$
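
The two checks made by hand above (the forwarded USER record in step 3 and the identity-key event in step 5) can also be done programmatically. The following Python is an added example, not part of the lab or of the audit package: it tokenizes audit records in the format shown in this lab, recovers the message a remote host sent, and condenses one useradd event, decoding its hex proctitle (the same decoder applies to the hex data= field of the TTY records that step 6 enables). The sample records are constructed from the lab output with some fields shortened.

```python
import re
# Constructed sample in the format of this lab's audit.log and ausearch output:
# one USER record forwarded from servera and part of one useradd event.
SAMPLE = """\
type=USER msg=audit(1697216044.752:241): pid=26638 uid=0 auid=0 ses=7 msg='text=This is a test message from servera exe="/usr/sbin/auditctl" hostname=servera addr=? terminal=pts/0 res=success'
type=PROCTITLE msg=audit(1697235380.471:468): proctitle=75736572616464007465737475736572
type=PATH msg=audit(1697235380.471:468): item=4 name="/etc/gshadow" inode=8393349 nametype=CREATE
type=PATH msg=audit(1697235380.471:468): item=3 name="/etc/gshadow" inode=8393365 nametype=DELETE
type=SYSCALL msg=audit(1697235380.471:468): arch=c000003e syscall=82 success=yes exit=0 items=5 pid=27103 auid=0 uid=0 comm="useradd" exe="/usr/sbin/useradd" key="identity"
"""

HEADER = re.compile(r"^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$")
# A value is double-quoted, single-quoted (the nested msg='...' of USER records) or
# bare; this also copes with ENRICHED logs, where UID="root" follows the closing quote.
TOKEN = re.compile(r"(\w+)=(\"[^\"]*\"|'[^']*'|\S+)")

def parse_record(line):
    """Split one audit record into its type, event ID (ts:serial) and fields."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    fields = {k: v.strip("\"'") for k, v in TOKEN.findall(body)}
    return {"type": rtype, "id": f"{ts}:{serial}", **fields}

def decode_hex(value):
    """Audit hex-encodes fields with unsafe characters (proctitle, TTY data); NUL separates argv entries."""
    return bytes.fromhex(value).decode("utf-8", "replace").replace("\x00", " ")

def remote_messages(lines, hostname):
    """Text of the USER records that `hostname` forwarded through audisp-remote."""
    found = []
    for rec in filter(None, map(parse_record, lines)):
        inner = rec.get("msg", "") if rec["type"] == "USER" else ""
        text = re.search(r"text=(.*?)(?=\s\w+=|$)", inner)
        if text and dict(TOKEN.findall(inner)).get("hostname") == hostname:
            found.append(text.group(1))
    return found

def summarize_event(lines, event_id):
    """Records sharing one audit(ts:serial) form an event, as ausearch groups them; condense it."""
    recs = [r for r in filter(None, map(parse_record, lines)) if r["id"] == event_id]
    by_type = {r["type"]: r for r in recs}
    syscall, proctitle = by_type.get("SYSCALL", {}), by_type.get("PROCTITLE", {})
    return {
        "key": syscall.get("key"), "exe": syscall.get("exe"),
        "command": decode_hex(proctitle["proctitle"]) if "proctitle" in proctitle else None,
        "paths": [(r["name"], r["nametype"]) for r in recs if r["type"] == "PATH"],
    }
```

Run against a real /var/log/audit/audit.log on serverb, remote_messages() returns every message servera forwarded, and summarize_event() shows which identity file a useradd run created or replaced.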

Evaluation

As the student user on the workstation machine, use the lab command to grade your work. Correct any reported failures and rerun the command until successful.

[student@workstation ~]$ lab grade audit-review

Finish

As the student user on the workstation machine, use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish audit-review

Revision: rh415-9.2-a821299