Lab: Monitoring File-system Changes

Configure AIDE to check for changes to file systems, and use Audit watches to identify the causes of those changes.

Outcomes

  • Use AIDE to detect changes that are made to the /etc directory and its contents.

  • Configure Audit to log events for changes to file access permissions in the /etc/ssh directory, and to label the log entries with a key.

  • Change the /etc/ssh file, and detect those changes with AIDE.

  • Use Audit tools to locate a record that shows which user and process made the changes.

As the student user on the workstation machine, use the lab command to prepare your environment for this exercise, and to ensure that all required resources are available.

[student@workstation ~]$ lab start aide-review

Instructions

  1. Install the aide package as the root user on the serverb machine.

    1. From the workstation machine, log in to the serverb machine as the student user.

      [student@workstation ~]$ ssh student@serverb
      ...output omitted...
      [student@serverb ~]$
    2. Change to the root user. Use student as the password.

      [student@serverb ~]$ sudo -i
      [sudo] password for student: student
      [root@serverb ~]#
    3. Install the aide package.

      [root@serverb ~]# dnf install aide
      ...output omitted...
      Dependencies resolved.
      ================================================================================
       Package Arch      Version          Repository                             Size
      ================================================================================
      Installing:
       aide    x86_64    0.16-100.el9     rhel-9.2-for-x86_64-appstream-rpms    154 k
      
      Transaction Summary
      ================================================================================
      ...output omitted...
      Is this ok [y/N]: y
      ...output omitted...
      Complete!
  2. Edit the /etc/aide.conf file so that AIDE detects changes that are made in the /etc/ssh directory. Add the /etc/ssh CONTENT_EX line to the ssh section of the /etc/aide.conf file, as shown in the following listing.

    [root@serverb ~]# cat /etc/aide.conf
    # ssh
    /etc/ssh CONTENT_EX
    /etc/ssh/sshd_config$ CONTENT_EX
    /etc/ssh/ssh_config$ CONTENT_EX
  3. Initialize the baseline AIDE database.

    [root@serverb ~]# aide --init
    Start timestamp: 2023-10-16 15:17:51 -0400 (AIDE 0.16)
    AIDE initialized database at /var/lib/aide/aide.db.new.gz
    
    Number of entries:	53262
    
    ---------------------------------------------------
    The attributes of the (uncompressed) database(s):
    ---------------------------------------------------
    
    /var/lib/aide/aide.db.new.gz
      MD5      : lUxpOjxdbnY3+x1sKq8PA==
      SHA1     : ImCD2brbbbRI1GxGqrmaE5To/Ww=
      RMD160   : b+JFmhCsHYkdfjzbC5eYajNSI+c=
      TIGER    : RUZqBTT+pfx0bAahjG15Zub84zsZHLzY
      SHA256   : 0vQpy7LTDRNv1Ig5oSwxngJzInYQDRvC
                 rqEEkS9JELM=
      SHA512   : Ymsu3peZuMVQyUT/+jrGD2voEZMaQYg
                 GIt10AntZzV4dDdr6AOPjcEt4ELVXQUb
                 gimVw46Z1PkwfRG3jxp3DQ==
    
    
    End timestamp: 2023-10-16 15:18:37 -0400 (run time: 0m 46s)
  4. Rename the new AIDE database file from /var/lib/aide/aide.db.new.gz to /var/lib/aide/aide.db.gz so that AIDE uses the newly generated file as the current database.

    [root@serverb ~]# mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
  5. Determine the current status of the machine's file systems.

    AIDE reports no changes to the files and directories that it monitors, because you have not changed any files or directories after initializing the AIDE database.

    [root@serverb ~]# aide --check
    Start timestamp: 2023-10-16 15:22:29 -0400 (AIDE 0.16)
    AIDE found NO differences between database and filesystem. Looks okay!!
    
    Number of entries:	53262
    
    ---------------------------------------------------
    The attributes of the (uncompressed) database(s):
    ---------------------------------------------------
    
    /var/lib/aide/aide.db.gz
      MD5      : lUxpOjxdbnY3+x1sKq8PA==
      SHA1     : ImCD2brbbbRI1GxGqrmaE5To/Ww=
      RMD160   : b+JFmhCsHYkdfjzbC5eYajNSI+c=
      TIGER    : RUZqBTT+pfx0bAahjG15Zub84zsZHLzY
      SHA256   : 0vQpy7LTDRNv1Ig5oSwxngJzInYQDRvC
                 rqEEkS9JELM=
      SHA512   : Ymsu3peZuMVQyUT/+jrGD2voEZMaQYg
                 GIt10AntZzV4dDdr6AOPjcEt4ELVXQUb
                 gimVw46Z1PkwfRG3jxp3DQ==
    
    
    End timestamp: 2023-10-16 15:23:11 -0400 (run time: 0m 42s)
  6. Add a persistent Audit watch rule to generate Audit log entries whenever there is an attempt to write to, or to change an attribute of, anything in the /etc/ssh directory (the -p wa permissions in the rule). Use sshd_config_monitor as the filter key on the Audit rule.

    [root@serverb ~]# cat /etc/audit/rules.d/audit.rules
    ...output omitted...
    -w /etc/ssh -p wa -k sshd_config_monitor
  7. Load the rules so that the newly added Audit rule takes effect.

    [root@serverb ~]# augenrules --load
    ...output omitted...
  8. List the Audit rules and verify that the newly added Audit rule is currently in effect.

    [root@serverb ~]# auditctl -l
    -w /etc/ssh -p wa -k sshd_config_monitor
  9. Make a change in the /etc/ssh directory by modifying the /etc/ssh/sshd_config file. In the /etc/ssh/sshd_config file, uncomment the PasswordAuthentication directive and change its value from yes to no.

    Important

    If you make a mistake here, then you might create issues with SSH authentication on the serverb machine, preventing future logins that use the ssh service. If this mistake happens, then rebuild your lab environment and begin this exercise again from the beginning to ensure that you do not encounter further issues in future exercises.

    [root@serverb ~]# cat /etc/ssh/sshd_config
    ...output omitted...
    PasswordAuthentication no
    ...output omitted...
  10. Restart the sshd daemon to apply the new changes in the SSH service configuration file.

    [root@serverb ~]# systemctl restart sshd
  11. Verify the current status of the machine's file systems with AIDE to ensure that AIDE detects the change in the /etc/ssh/sshd_config file.

    [root@serverb ~]# aide --check
    Start timestamp: 2023-10-16 15:33:03 -0400 (AIDE 0.16)
    AIDE found differences between database and filesystem!!
    
    Summary:
      Total number of entries:	53263
      Added entries:		1
      Removed entries:		0
      Changed entries:		3
    ...output omitted...
    ---------------------------------------------------
    Changed entries:
    ---------------------------------------------------
    
    f   ...    .C... : /etc/audit/audit.rules
    f   ...    .C... : /etc/audit/rules.d/audit.rules
    f   ...    .C... : /etc/ssh/sshd_config
    
    ---------------------------------------------------
    Detailed information about changes:
    ---------------------------------------------------
    ...output omitted...
    File: /etc/ssh/sshd_config
      SHA512   : Cs01Y1exozdL381/r0KJ7UwoPqu08LYe | 3uQTXYd1wnvJNs+GuLQc84Q9z16yzd0c
                 Us+4qpsVDYJMSfePesfYZDHvSKzAEsRt | HKzXcq5/tNmuAF2V+JxG/dQQNu61h4I+
                 UiLiWWiIcrL/8R/0dfoCKg==         | uABk/lsWcR0pSrxBMwX/4Q==
    ...output omitted...
  12. Investigate the Audit log to determine what changed the /etc/ssh/sshd_config file. Use the sshd_config_monitor key to limit the output.

    [root@serverb ~]# ausearch -i -f /etc/ssh/sshd_config -k sshd_config_monitor
    ...output omitted...
    type=PROCTITLE msg=audit(10/16/23 15:30:47.188:257) : proctitle=vim /etc/ssh/sshd_config
    type=PATH msg=audit(10/16/23 15:30:47.188:257) : item=3 name=/etc/ssh/sshd_config~ inode=16809537 dev=fc:04 mode=file,600 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
    type=PATH msg=audit(10/16/23 15:30:47.188:257) : item=2 name=/etc/ssh/sshd_config inode=16809537 dev=fc:04 mode=file,600 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
    type=PATH msg=audit(10/16/23 15:30:47.188:257) : item=1 name=/etc/ssh/ inode=16797950 dev=fc:04 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
    type=PATH msg=audit(10/16/23 15:30:47.188:257) : item=0 name=/etc/ssh/ inode=16797950 dev=fc:04 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
    type=CWD msg=audit(10/16/23 15:30:47.188:257) : cwd=/root
    type=SYSCALL msg=audit(10/16/23 15:30:47.188:257) : arch=x86_64 syscall=rename success=yes exit=0 a0=0x556420fce810 a1=0x556421251630 a2=0xfffffffffffffe98 a3=0x0 items=4 ppid=26526 pid=27113 auid=student uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=5 comm=vim exe=/usr/bin/vim subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=sshd_config_monitor
    ...output omitted...
  13. Return to the workstation machine as the student user.

    [root@serverb ~]# logout
    [student@serverb ~]$ logout
    Connection to serverb closed.
    [student@workstation ~]$
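
The ausearch output in step 12 answers the lab question only after you correlate the PATH, PROCTITLE, and SYSCALL records that share one event serial. The following parser is an added example and not part of the course material: it groups ausearch -i records by event, keeps only events that carry the sshd_config_monitor key, and reports the login user (auid), the effective user, the process, and the paths it touched. The SAMPLE text is a constructed, shortened copy of the page's event 257, and the function names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample of `ausearch -i` output, modelled on the page's event 257.
# Records are shortened; values other than those shown on the page are made up.
SAMPLE = """\
type=PROCTITLE msg=audit(10/16/23 15:30:47.188:257) : proctitle=vim /etc/ssh/sshd_config
type=PATH msg=audit(10/16/23 15:30:47.188:257) : item=3 name=/etc/ssh/sshd_config~ inode=16809537 nametype=CREATE
type=PATH msg=audit(10/16/23 15:30:47.188:257) : item=2 name=/etc/ssh/sshd_config inode=16809537 nametype=DELETE
type=PATH msg=audit(10/16/23 15:30:47.188:257) : item=1 name=/etc/ssh/ inode=16797950 nametype=PARENT
type=CWD msg=audit(10/16/23 15:30:47.188:257) : cwd=/root
type=SYSCALL msg=audit(10/16/23 15:30:47.188:257) : arch=x86_64 syscall=rename success=yes exit=0 items=4 ppid=26526 pid=27113 auid=student uid=root comm=vim exe=/usr/bin/vim key=sshd_config_monitor
"""

# type=<record> msg=audit(<timestamp>:<serial>) : <key=value fields>
RECORD_RE = re.compile(r"^type=(\w+) msg=audit\(([^)]*):(\d+)\) : (.*)$")

def parse_fields(body):
    # `ausearch -i` already decodes values; only proctitle may contain spaces.
    if body.startswith("proctitle="):
        return {"proctitle": body[len("proctitle="):]}
    return dict(tok.split("=", 1) for tok in body.split() if "=" in tok)

def group_events(text):
    """Collect every record of one audit event under its (timestamp, serial)."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # separators such as '----' or '...output omitted...'
        rtype, stamp, serial, body = m.groups()
        events[(stamp, int(serial))].append((rtype, parse_fields(body)))
    return events

def summarize(records):
    """Who (login and effective user), which process, and which paths."""
    syscall = next(f for t, f in records if t == "SYSCALL")
    return {
        "key": syscall.get("key"),
        "login_user": syscall.get("auid"),   # auid is kept across sudo
        "effective_user": syscall.get("uid"),
        "process": f"{syscall.get('comm')} pid={syscall.get('pid')} exe={syscall.get('exe')}",
        "syscall": syscall.get("syscall"),
        "command": next((f["proctitle"] for t, f in records if t == "PROCTITLE"), ""),
        "paths": [(f["name"], f["nametype"]) for t, f in records if t == "PATH"],
    }

def who_changed(text, key="sshd_config_monitor"):
    """Summaries of all events in `text` that were tagged with the given key."""
    return [summarize(recs) for ev, recs in sorted(group_events(text).items())
            if any(f.get("key") == key for _, f in recs)]
```

The DELETE of /etc/ssh/sshd_config paired with a CREATE of sshd_config~ inside one rename syscall is how vim saves a file, which is why AIDE reports the path as changed and why auid=student with uid=root identifies the person behind the sudo session.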

Evaluation

As the student user on the workstation machine, use the lab command to grade your work. Correct any reported failures and rerun the command until successful.

[student@workstation ~]$ lab grade aide-review

Finish

As the student user on the workstation machine, use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish aide-review

Revision: rh415-9.2-a821299