Configure password quality requirements, configure system event recording, and monitor file-system changes.
Outcomes
Configure remote Audit logs.
Enable prepackaged Audit rules.
Enable auditing of TTY and enable the pam_pwquality module by using an authselect security profile.
Configure Audit to log events for changes to file access permissions in the /etc/ssh directory, and to label the log entries with a key.
Change a file in the /etc/ssh directory, and detect those changes with AIDE.
Use Audit tools to locate a record that shows which user and process made the changes.
If you did not reset your workstation and server machines at the end of the last chapter, then save any work you want to keep from earlier exercises on those machines, and reset them now.
As the student user on the workstation machine, use the lab command to prepare your environment for this exercise, and to ensure that all required resources are available.
[student@workstation ~]$ lab start compreview-aide
Specifications
Configure the Audit service on the servera machine to send messages to the Audit service on the serverb.lab.example.com host.
After configuration, use the service auditd restart command to restart the daemon and to load the new configuration.
Configure the Audit service on the serverb machine to accept messages from the Audit service on the servera machine.
After configuration, use the service auditd restart command to restart the daemon and to load the new configuration.
Enable the prepackaged STIG Audit rules on the servera machine.
Create and select the custom/minimal-with-tty-audit security profile based on the minimal security profile on the servera machine to enable the pam_tty_audit PAM module.
Adjust the password quality requirements on the servera machine to require at least one uppercase letter.
Install and configure the aide package as the root user on the servera machine to detect changes that are made in the /etc/ssh directory.
Add a persistent Audit watch rule on the servera machine to generate Audit log entries whenever there is an attempt to read, write, execute, or change an attribute of the /etc/ssh directory.
Use sshd_config_monitor as the filter key on the Audit rule.
Make a change in the /etc/ssh directory of the servera machine by modifying the /etc/ssh/sshd_config file.
In the /etc/ssh/sshd_config file, uncomment the PasswordAuthentication directive and change the yes value to the no value.
Configure the Audit service on the servera machine to send messages to the Audit service on the serverb.lab.example.com host.
After configuration, use the service auditd restart command to restart the daemon and to load the new configuration.
The service command is deprecated; do not use it in production environments.
The systemctl restart command cannot be used with the auditd service due to the interaction between the daemon and the Linux kernel.
In production environments, reboot the machine to ensure that the new configuration is loaded.
Log in to the servera machine as the student user.
[student@workstation ~]$ ssh student@servera
...output omitted...
[student@servera ~]$
Change to the root user.
Use student as the password.
[student@servera ~]$ sudo -i
[sudo] password for student: student
[root@servera ~]#
Install the audispd-plugins package.
[root@servera ~]# dnf -y install audispd-plugins
...output omitted...
In the /etc/audit/plugins.d/au-remote.conf file, set the value for the active variable to yes to enable remote logging.
[root@servera ~]# cat /etc/audit/plugins.d/au-remote.conf
...output omitted...
active = yes
...output omitted...
In the /etc/audit/audisp-remote.conf file, set the remote_server variable to the serverb.lab.example.com hostname.
Also set the port variable to the port that the remote logging server listens on; the default is 60.
[root@servera ~]# cat /etc/audit/audisp-remote.conf
...output omitted...
remote_server = serverb.lab.example.com
port = 60
...output omitted...
Restart the auditd service to update its configuration.
When done, return to the workstation machine as the student user.
[root@servera ~]# service auditd restart
...output omitted...
[root@servera ~]# logout
[student@servera ~]$ logout
[student@workstation ~]$
Configure the Audit service on the serverb machine to accept messages from the Audit service on the servera machine.
After configuration, use the service auditd restart command to restart the daemon and to load the new configuration.
Log in to the serverb machine as the student user.
[student@workstation ~]$ ssh student@serverb
...output omitted...
[student@serverb ~]$
Change to the root user.
Use student as the password.
[student@serverb ~]$ sudo -i
[sudo] password for student: student
[root@serverb ~]#
In the /etc/audit/auditd.conf file, uncomment the tcp_listen_port variable and set its value to 60 so that the Audit service listens on TCP port 60.
[root@serverb ~]# cat /etc/audit/auditd.conf
...output omitted...
tcp_listen_port = 60
...output omitted...
Open TCP port 60 in the firewall to enable access to the Audit server.
[root@serverb ~]# firewall-cmd --zone=public --add-port=60/tcp --permanent
success
[root@serverb ~]# firewall-cmd --reload
success
Restart the auditd service to update its configuration.
When done, return to the workstation machine as the student user.
[root@serverb ~]# service auditd restart
...output omitted...
[root@serverb ~]# logout
[student@serverb ~]$ logout
[student@workstation ~]$
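Remote Audit logging fails silently when the two ends disagree: the plugin is left inactive, remote_server is missing, or the client port does not match the server's tcp_listen_port (which ships commented out in the stock auditd.conf). The following script is an added example and not part of the course material. It parses the three files that the steps above edit and reports any mismatch. File paths are parameters so it can run against copies; make_demo_configs writes constructed sample files with the values used in this exercise, and the helper names are this example's own.

```sh
#!/bin/sh
# Added example (not course code): cross-check the client (servera) and
# server (serverb) sides of auditd remote logging before restarting auditd.

# cfg_get FILE KEY: print the value of "KEY = value" in FILE with comments and
# surrounding whitespace stripped. Prints nothing when KEY is absent or
# commented out; when KEY appears more than once, the last value wins.
cfg_get() {
    sed -n -e 's/#.*//' \
           -e "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p" \
           "$1" | tail -n 1
}

# check_remote_audit AU_REMOTE AUDISP_REMOTE AUDITD_CONF: return 0 when the
# au-remote plugin is active, remote_server is set, and the client port matches
# the server's tcp_listen_port. Every problem found is printed on its own line.
check_remote_audit() {
    active=$(cfg_get "$1" active)
    server=$(cfg_get "$2" remote_server)
    cport=$(cfg_get "$2" port)
    cport=${cport:-60}          # audisp-remote uses port 60 when the line is commented out
    lport=$(cfg_get "$3" tcp_listen_port)
    rc=0
    [ "$active" = yes ] || { echo "au-remote plugin is not active (active=${active:-unset})"; rc=1; }
    [ -n "$server" ]    || { echo "remote_server is not set in audisp-remote.conf"; rc=1; }
    [ -n "$lport" ]     || { echo "tcp_listen_port is not set on the server (still commented out?)"; rc=1; }
    [ "$cport" = "$lport" ] || { echo "port mismatch: client port=$cport, server tcp_listen_port=${lport:-unset}"; rc=1; }
    return "$rc"
}

# make_demo_configs: write constructed sample files into a temporary directory
# and print its path. auditd-unconfigured.conf keeps tcp_listen_port commented
# out, which is how the stock file ships and a common reason remote logging
# never starts.
make_demo_configs() {
    dir=$(mktemp -d)
    printf '# This file controls the audispd remote plugin\nactive = yes\n' > "$dir/au-remote.conf"
    printf 'remote_server = serverb.lab.example.com\nport = 60\n' > "$dir/audisp-remote.conf"
    printf 'local_events = yes\n##tcp_listen_port = 60\ntcp_listen_port = 60\n' > "$dir/auditd.conf"
    printf 'local_events = yes\n##tcp_listen_port = 60\n' > "$dir/auditd-unconfigured.conf"
    printf '%s\n' "$dir"
}

demo=$(make_demo_configs)
check_remote_audit "$demo/au-remote.conf" "$demo/audisp-remote.conf" "$demo/auditd.conf" \
    && echo "remote Audit logging: client and server configuration agree"
check_remote_audit "$demo/au-remote.conf" "$demo/audisp-remote.conf" "$demo/auditd-unconfigured.conf" \
    || echo "remote Audit logging: fix the problems above before restarting auditd"
rm -rf "$demo"
```

On a real pair of hosts, copy serverb's /etc/audit/auditd.conf next to servera's two plugin files and pass the three paths; the check is read-only and does not touch the live configuration.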
Enable the prepackaged STIG Audit rules on the servera machine.
Log in to the servera machine as the student user.
[student@workstation ~]$ ssh student@servera
...output omitted...
[student@servera ~]$
Change to the root user.
Use student as the password.
[student@servera ~]$ sudo -i
[sudo] password for student: student
[root@servera ~]#
Copy the /usr/share/audit/sample-rules/30-stig.rules file with the STIG Audit rules into the /etc/audit/rules.d/ directory.
[root@servera ~]# cp /usr/share/audit/sample-rules/30-stig.rules \
/etc/audit/rules.d/
Load the STIG Audit rules with the augenrules --load command.
[root@servera ~]# augenrules --load
...output omitted...
Create and select the custom/minimal-with-tty-audit security profile based on the minimal security profile to enable the pam_tty_audit PAM module for the student user.
Create the minimal-with-tty-audit security profile.
[root@servera ~]# authselect create-profile minimal-with-tty-audit \
-b minimal --symlink-meta --symlink-pam
New profile was created at /etc/authselect/custom/minimal-with-tty-audit
Add entries to the /etc/authselect/custom/minimal-with-tty-audit/system-auth and /etc/authselect/custom/minimal-with-tty-audit/password-auth files to enable the pam_tty_audit module for the student user.
[root@servera ~]# echo "session required pam_tty_audit.so enable=student" \
>> /etc/authselect/custom/minimal-with-tty-audit/system-auth
[root@servera ~]# echo "session required pam_tty_audit.so enable=student" \
>> /etc/authselect/custom/minimal-with-tty-audit/password-auth
Enable the custom/minimal-with-tty-audit security profile.
[root@servera ~]# authselect select custom/minimal-with-tty-audit --force
...output omitted...
Adjust the password quality requirements on the servera machine to require at least one uppercase character.
Use a text editor to edit the /etc/security/pwquality.conf file to uncomment the ucredit entry and change its value to -1.
...output omitted...
# The maximum credit for having uppercase characters in the new password.
# If less than 0 it is the minimum number of uppercase characters in the new
# password.
ucredit = -1
...output omitted...
Install the aide package as the root user on the servera machine.
[root@servera ~]# dnf -y install aide
...output omitted...
Dependencies resolved.
================================================================================
 Package    Arch      Version          Repository                          Size
================================================================================
Installing:
 aide       x86_64    0.16-100.el9     rhel-9.2-for-x86_64-appstream-rpms  154 k

Transaction Summary
================================================================================
...output omitted...
Is this ok [y/N]: y
...output omitted...
Complete!
Edit the /etc/aide.conf file to detect changes that are made in the /etc/ssh directory.
Add the /etc/ssh CONTENT_EX line to the ssh section of the /etc/aide.conf file so that AIDE monitors the directory itself.
[root@servera ~]# cat /etc/aide.conf
...output omitted...
# ssh
/etc/ssh CONTENT_EX
/etc/ssh/sshd_config$ CONTENT_EX
/etc/ssh/ssh_config$ CONTENT_EX
...output omitted...
Initialize the baseline AIDE database.
[root@servera ~]# aide --init
Start timestamp: 2023-10-16 15:17:51 -0400 (AIDE 0.16)
AIDE initialized database at /var/lib/aide/aide.db.new.gz
Number of entries: 53262
---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------
/var/lib/aide/aide.db.new.gz
MD5 : lUxpOjxdbnY3+x1sKq8PA==
SHA1 : ImCD2brbbbRI1GxGqrmaE5To/Ww=
RMD160 : b+JFmhCsHYkdfjzbC5eYajNSI+c=
TIGER : RUZqBTT+pfx0bAahjG15Zub84zsZHLzY
SHA256 : 0vQpy7LTDRNv1Ig5oSwxngJzInYQDRvC
rqEEkS9JELM=
SHA512 : Ymsu3peZuMVQyUT/+jrGD2voEZMaQYg
GIt10AntZzV4dDdr6AOPjcEt4ELVXQUb
gimVw46Z1PkwfRG3jxp3DQ==
End timestamp: 2023-10-16 15:18:37 -0400 (run time: 0m 46s)
Rename the new AIDE database file from /var/lib/aide/aide.db.new.gz to /var/lib/aide/aide.db.gz so that AIDE uses the newly generated file as the current database.
[root@servera ~]# mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
Determine the current status of the machine's file systems.
AIDE reports no changes to the files and directories that it monitors, because you have not changed any files or directories after initializing the AIDE database.
[root@servera ~]# aide --check
Start timestamp: 2023-10-16 15:22:29 -0400 (AIDE 0.16)
AIDE found NO differences between database and filesystem. Looks okay!!
Number of entries: 53262
---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------
/var/lib/aide/aide.db.gz
MD5 : lUxpOjxdbnY3+x1sKq8PA==
SHA1 : ImCD2brbbbRI1GxGqrmaE5To/Ww=
RMD160 : b+JFmhCsHYkdfjzbC5eYajNSI+c=
TIGER : RUZqBTT+pfx0bAahjG15Zub84zsZHLzY
SHA256 : 0vQpy7LTDRNv1Ig5oSwxngJzInYQDRvC
rqEEkS9JELM=
SHA512 : Ymsu3peZuMVQyUT/+jrGD2voEZMaQYg
GIt10AntZzV4dDdr6AOPjcEt4ELVXQUb
gimVw46Z1PkwfRG3jxp3DQ==
End timestamp: 2023-10-16 15:23:11 -0400 (run time: 0m 42s)
Add a persistent Audit watch rule to generate Audit log entries whenever there is an attempt to read, write, execute, or change an attribute of the /etc/ssh directory.
Use sshd_config_monitor as the filter key on the Audit rule.
[root@servera ~]# cat /etc/audit/rules.d/audit.rules
...output omitted...
-w /etc/ssh -p wa -k sshd_config_monitor
Apply the changes for the newly added Audit rules to take effect.
[root@servera ~]# augenrules --load
...output omitted...
List the Audit rules and verify that the newly added Audit rule is currently in effect.
[root@servera ~]# auditctl -l
...output omitted...
-w /etc/ssh -p wa -k sshd_config_monitor
Make a change in the /etc/ssh directory by modifying the /etc/ssh/sshd_config file.
In the /etc/ssh/sshd_config file, uncomment the PasswordAuthentication directive and change the yes value to the no value.
If you make a mistake here, then you might create issues with SSH authentication on the servera machine, preventing future logins that use the ssh service.
If this mistake happens, then rebuild your lab environment and begin this exercise again from the beginning to ensure that you do not encounter further issues in future exercises.
[root@servera ~]# cat /etc/ssh/sshd_config
...output omitted...
PasswordAuthentication no
...output omitted...
Restart the sshd daemon to apply the new changes in the SSH service configuration file.
[root@servera ~]# systemctl restart sshd
Verify the current status of the machine's file systems with AIDE to ensure that AIDE detects the change in the /etc/ssh/sshd_config file.
[root@servera ~]# aide --check
Start timestamp: 2023-10-16 15:33:03 -0400 (AIDE 0.16)
AIDE found differences between database and filesystem!!
Summary:
Total number of entries: 53263
Added entries: 1
Removed entries: 0
Changed entries: 3
...output omitted...
---------------------------------------------------
Changed entries:
---------------------------------------------------
f ... .C... : /etc/audit/audit.rules
f ... .C... : /etc/audit/rules.d/audit.rules
f ... .C... : /etc/ssh/sshd_config
---------------------------------------------------
Detailed information about changes:
---------------------------------------------------
...output omitted...
File: /etc/ssh/sshd_config
SHA512 : Cs01Y1exozdL381/r0KJ7UwoPqu08LYe | 3uQTXYd1wnvJNs+GuLQc84Q9z16yzd0c
Us+4qpsVDYJMSfePesfYZDHvSKzAEsRt | HKzXcq5/tNmuAF2V+JxG/dQQNu61h4I+
UiLiWWiIcrL/8R/0dfoCKg== | uABk/lsWcR0pSrxBMwX/4Q==
...output omitted...
Investigate the Audit log to determine what changed the /etc/ssh/sshd_config file.
Use the sshd_config_monitor key to limit the output.
[root@servera ~]# ausearch -i -f /etc/ssh/sshd_config -k sshd_config_monitor
...output omitted...
type=PROCTITLE msg=audit(10/16/23 15:30:47.188:257) : proctitle=vim /etc/ssh/sshd_config
type=PATH msg=audit(10/16/23 15:30:47.188:257) : item=3 name=/etc/ssh/sshd_config~ inode=16809537 dev=fc:04 mode=file,600 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(10/16/23 15:30:47.188:257) : item=2 name=/etc/ssh/sshd_config inode=16809537 dev=fc:04 mode=file,600 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(10/16/23 15:30:47.188:257) : item=1 name=/etc/ssh/ inode=16797950 dev=fc:04 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(10/16/23 15:30:47.188:257) : item=0 name=/etc/ssh/ inode=16797950 dev=fc:04 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(10/16/23 15:30:47.188:257) : cwd=/root
type=SYSCALL msg=audit(10/16/23 15:30:47.188:257) : arch=x86_64 syscall=rename success=yes exit=0 a0=0x556420fce810 a1=0x556421251630 a2=0xfffffffffffffe98 a3=0x0 items=4 ppid=26526 pid=27113 auid=student uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=5 comm=vim exe=/usr/bin/vim subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=sshd_config_monitor
...output omitted...
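The SYSCALL record is where the "who" lives: auid is the login UID, which sudo does not change, so it names student even though the process ran as uid=root; comm and exe name the program, and the PATH items show the rename that vim performed. The script below is an added example, not part of the course, that pulls those fields out of an interpreted (ausearch -i) event. The event text is constructed from the shape of the record above, and the function names are this example's own.

```sh
#!/bin/sh
# Added example (not course code): extract the actor and the touched paths from
# one interpreted Audit event as printed by "ausearch -i".

# Constructed sample event, modelled on the record shown on this page.
SAMPLE_EVENT='type=PROCTITLE msg=audit(10/16/23 15:30:47.188:257) : proctitle=vim /etc/ssh/sshd_config
type=PATH msg=audit(10/16/23 15:30:47.188:257) : item=3 name=/etc/ssh/sshd_config~ inode=16809537 dev=fc:04 mode=file,600 ouid=root ogid=root nametype=CREATE
type=PATH msg=audit(10/16/23 15:30:47.188:257) : item=2 name=/etc/ssh/sshd_config inode=16809537 dev=fc:04 mode=file,600 ouid=root ogid=root nametype=DELETE
type=PATH msg=audit(10/16/23 15:30:47.188:257) : item=1 name=/etc/ssh/ inode=16797950 dev=fc:04 mode=dir,755 ouid=root ogid=root nametype=PARENT
type=CWD msg=audit(10/16/23 15:30:47.188:257) : cwd=/root
type=SYSCALL msg=audit(10/16/23 15:30:47.188:257) : arch=x86_64 syscall=rename success=yes exit=0 items=4 ppid=26526 pid=27113 auid=student uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=5 comm=vim exe=/usr/bin/vim subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=sshd_config_monitor'

# audit_record EVENT TYPE: print the record(s) of the given type (SYSCALL, PATH, ...).
audit_record() {
    printf '%s\n' "$1" | grep "^type=$2 "
}

# audit_field RECORD FIELD: print the value of FIELD=value in one record.
# A leading space is prepended so that "uid=" does not match inside "auid=",
# "euid=" or "ouid=", and "name=" does not match inside "nametype=".
audit_field() {
    printf ' %s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# audit_actor EVENT: one-line summary of who performed the audited syscall.
audit_actor() {
    rec=$(audit_record "$1" SYSCALL)
    printf '%s (login uid) as %s ran %s (%s) on %s: syscall=%s key=%s\n' \
        "$(audit_field "$rec" auid)" "$(audit_field "$rec" uid)" \
        "$(audit_field "$rec" comm)" "$(audit_field "$rec" exe)" \
        "$(audit_field "$rec" tty)"  "$(audit_field "$rec" syscall)" \
        "$(audit_field "$rec" key)"
}

# audit_paths EVENT: print "nametype name" for every PATH item. Here it shows the
# editor renaming the original file to a backup (DELETE of the old name, CREATE
# of the ~ name) before writing the new contents.
audit_paths() {
    audit_record "$1" PATH | while IFS= read -r rec; do
        printf '%s %s\n' "$(audit_field "$rec" nametype)" "$(audit_field "$rec" name)"
    done
}

audit_actor "$SAMPLE_EVENT"
audit_paths "$SAMPLE_EVENT"
```

To apply it to live data, feed the output of the ausearch command above into the functions one event at a time; ausearch -i separates events with a line of dashes, which is a convenient split point.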
Return to the workstation machine as the student user.
[root@servera ~]# logout
[student@servera ~]$ logout
Connection to servera closed.
[student@workstation ~]$
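The aide --check report earlier in this exercise listed three changed files, but only one of them, /etc/ssh/sshd_config, was unexpected: the two /etc/audit paths changed because you added the watch rule yourself. Separating expected drift from real findings is the routine part of running AIDE, so here is an added example, not part of the course, that parses a report of that shape and prints only the entries outside an allowed set of prefixes. The report text is constructed to match the layout shown above (the added entry name is a sample value), and the function names are this example's own.

```sh
#!/bin/sh
# Added example (not course code): triage an "aide --check" report by listing
# every added/removed/changed path and flagging those outside an allowlist.

# Constructed sample report, following the layout of the output on this page.
SAMPLE_REPORT='AIDE found differences between database and filesystem!!
Summary:
Total number of entries: 53263
Added entries: 1
Removed entries: 0
Changed entries: 3

---------------------------------------------------
Added entries:
---------------------------------------------------
f++++++++++++++++: /etc/ssh/sshd_config~

---------------------------------------------------
Changed entries:
---------------------------------------------------
f ... .C... : /etc/audit/audit.rules
f ... .C... : /etc/audit/rules.d/audit.rules
f ... .C... : /etc/ssh/sshd_config

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------
File: /etc/ssh/sshd_config
SHA512 : Cs01Y1exozdL381/r0KJ7UwoPqu08LYe | 3uQTXYd1wnvJNs+GuLQc84Q9z16yzd0c'

# aide_entries REPORT: print "kind path" for each entry in the Added/Removed/
# Changed sections. Summary lines ("Changed entries: 3") carry a count after the
# colon and so do not match the bare section headers; the detailed section is
# skipped because its "File: /path" lines would otherwise look like entries.
aide_entries() {
    printf '%s\n' "$1" | awk '
        /^(Added|Removed|Changed) entries:$/ { kind = tolower($1); next }
        /^Detailed information/              { kind = ""; next }
        /^-+$/ || /^$/                       { next }
        kind != "" && /: \//                 { path = $0; sub(/^[^:]*: /, "", path); print kind, path }
    '
}

# aide_unexpected REPORT ALLOWED_PREFIX...: print the entries whose path does not
# start with one of the allowed prefixes; return 1 if there were any.
aide_unexpected() {
    report=$1; shift
    found=0
    while read -r kind path; do
        ok=0
        for prefix in "$@"; do
            case $path in "$prefix"*) ok=1 ;; esac
        done
        [ "$ok" -eq 1 ] || { printf '%s %s\n' "$kind" "$path"; found=1; }
    done <<EOF
$(aide_entries "$report")
EOF
    [ "$found" -eq 0 ]
}

echo "All entries AIDE reported:"
aide_entries "$SAMPLE_REPORT"
echo "Entries outside the allowed /etc/audit/ prefix:"
aide_unexpected "$SAMPLE_REPORT" /etc/audit/ \
    || echo "-> investigate the paths above with ausearch before updating the AIDE database"
```

Once every remaining entry is explained, regenerate the baseline with aide --update and move the new database into place as in the initialization step; never refresh the baseline while an unexplained entry is still on the list.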