Unix - Solaris Integration

Introduction

This document describes how to define the audit policy for Unix (Solaris) log sources and how to send the resulting logs to Logsign.

 

Used Services

  • Rsyslog
  • Auditd

 

Requirements

  • Firewall access (the source must be allowed to reach the Logsign syslog IP on UDP port 514 or TCP port 515)
  • A user with root privileges on the source where logs will be collected, for installation and configuration.

 

Attribute

Auditd

Auditd (the audit daemon) is a tool that performs security auditing and generates event logs on Unix and Unix-like operating systems. It manages the operating system's security auditing subsystem (on Linux, the kernel audit subsystem) and tracks, monitors, and logs events that occur on the system.

The main functions of Auditd are as follows:

Security Auditing: Auditd monitors and tracks various events on a Linux system. For example, it can audit file and directory changes, user sessions, network traffic, and more.

Logging: Auditd records the events it monitors in a log file. This log file can be used by system administrators or security experts to review and analyze events.

Monitoring and Alerts: Auditd can generate alerts when specific events or actions occur. This can help identify potential security breaches or abnormal activities.

Monitoring Rules: Rules can be defined to determine what Auditd will audit and log. These rules can be customized by system administrators.

Investigation and Analysis: Auditd logs can be used to investigate security events and detect anomalies in the system, providing better protection against security threats.

Auditd is crucial, especially in large-scale organizations and systems that handle sensitive data, to meet security requirements. It can be used to ensure compliance with security policies and detect potential threats. However, configuring and managing Auditd can be complex, so the assistance of an experienced system administrator may be required.

 

Rsyslog

Rsyslog (Red Hat System Logging Protocol) is a logging system used to collect, route, and process event logs on Unix and Unix-like operating systems. Rsyslog provides a flexible and powerful solution for log collection and processing and is often used as the default logging system in Linux distributions.

Some key features of Rsyslog include:

Modular Architecture: Rsyslog has a modular architecture, allowing it to accept log data from various sources and route it to different destinations. This enables easy configuration of different logging sources and targets.

Powerful Filtering: Rsyslog can filter log data based on specific criteria, allowing you to capture only certain types of log entries or monitor specific levels of errors.

Remote Logging: Rsyslog can transmit log data to remote servers. This is useful for collecting log data on remote logging servers and creating a centralized logging infrastructure.

Robust Routing: Rsyslog can route log data to different destinations, allowing logs to be directed to different files, databases, or even email notifications.

TCP/UDP Support: Rsyslog can transmit log data over both TCP and UDP protocols, providing flexibility in log transmission.

Customizability: Rsyslog can be easily customized through configuration files to meet various requirements.

Rsyslog is commonly used by system administrators and security experts to monitor system performance, diagnose issues, and investigate security events. It is widely used for log management on Linux-based systems and is available in various distributions.

 

Installation

You can obtain detailed version information for Unix with the following command:

Bash$ : cat /etc/release

 

1- Check the status of the rsyslog service on the system with the following command:

Bash$ : svcs rsyslog

 

The output of svcs shows whether the rsyslog service instance exists and in which state it is. If the service is listed (even if it still needs to be configured), the package is already installed and you can skip the installation below.

If you receive the output "svcs: Pattern 'rsyslog' doesn't match any instances," it means you need to install the rsyslog package. To install it, you can use the following commands:

  • Bash$ : pkg update
  • Bash$ : pkg install rsyslog

2- Check the status of the auditd service on the system with the following commands:

Bash$ : svcs auditd

From the screen output, if you see that the service is installed and active, you can skip this step.

If you receive the output "svcs: Pattern 'auditd' doesn't match any instances," it means you need to install the auditd package. To install it, you can use the following commands:

  • Bash$ : pkg update
  • Bash$ : pkg install auditd

After the installation is complete, run svcs auditd again and make sure the service is active (state: online).

 

3- Create a configuration file under the rsyslog.d directory that forwards logs to Logsign, using the following command:

Bash$ : nano /etc/rsyslog.d/logsign.conf

After creating the file with an editor such as nano, vi or vim, paste the following lines into it and save the file.

######### Logsign
$ActionQueueFileName fwdRule1     # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g       # 1 GB space limit (use as much as possible)
$ActionQueueSaveOnShutdown on     # save messages to disk on shutdown
$ActionQueueType LinkedList       # run asynchronously
$ActionResumeRetryCount -1        # infinite retries if host is down

#### Log Forwarding Settings
audit.* @10.10.0.100:514

Note: Replace the IP address in the forwarding line (audit.* @10.10.0.100:514) with the IP address of your Logsign server. With the configuration above, the audit facility is forwarded to Logsign at 10.10.0.100 over UDP port 514: in rsyslog a single @ selects UDP, while @@ selects TCP (for the TCP 515 option listed under Requirements the line would be audit.* @@10.10.0.100:515). Make sure the firewall allows the chosen port and protocol.

 

Save with CTRL + O and exit the file with CTRL + X.

4- Disable the default Unix logging agent and select the rsyslog agent as the default. Execute the following commands in order:

Bash$ : svcadm disable svc:/system/system-log:default

Bash$ : svcadm enable svc:/system/system-log:rsyslog

Bash$ : svcadm refresh svc:/system/system-log:rsyslog

 

5- Configure the Auditd service and choose the audit classes to record by setting the audit flags for the conditions you want to monitor (the events for which you want to receive logs). First, activate the audit_syslog plugin so that audit records are handed to syslog:

Bash$ : auditconfig -setplugin audit_syslog active p_flags=all

The commands below create the minimum, recommended, and all (optional) audit policies; you can adjust the flag lists to match the conditions you want to monitor (the events for which you want logs).

Audit flags are keywords that select which audit classes the Auditd service records on a Unix system. The meaning of each flag is given in the Audit Flags Table further below.

 

Commands to create the recommended audit policy:
Bash$ : auditconfig -setflags fw,fd,ad,am,ss,as,ua,aa,ps,ex,lo,nt,fm,fc

Bash$ : auditconfig -setnaflags fw,fd,ad,am,ss,as,ua,aa,ps,ex,lo,nt,fm,fc

 

Commands to create the minimum audit policy:
Bash$ : auditconfig -setflags ex,lo

Bash$ : auditconfig -setnaflags ex,lo

 

Commands to create the all-classes (optional) audit policy:
Bash$ : auditconfig -setflags all

Bash$ : auditconfig -setnaflags all

Note: Enabling all audit classes can generate a very high event rate (EPS, events per second).

 

Audit Flags Table

Short Name  Long Name                   Short Description
all         all                         All classes (meta-class)
no          no_class                    Null value for turning off event preselection
na          non_attrib                  Nonattributable events
fr          file_read                   Read of data, open for reading
fw          file_write                  Write of data, open for writing
fa          file_attr_acc               Access of object attributes: stat, pathconf
fm          file_attr_mod               Change of object attributes: chown, flock
fc          file_creation               Creation of object
fd          file_deletion               Deletion of object
cl          file_close                  close system call
ap          application                 Application-defined event
ad          administrative              Administrative actions (old administrative meta-class)
am          administrative              Administrative actions (meta-class)
ss          system state                Change system state
as          system-wide administration  System-wide administration
ua          user administration         User administration
aa          audit administration        Audit utilization
ps          process start               Process start and process stop
pm          process modify              Process modify
pc          process                     Process (meta-class)
ex          exec                        Program execution
io          ioctl                       ioctl system call
ip          ipc                         System V IPC operations
lo          login_logout                Login and logout events
nt          network                     Network events: bind, connect, accept
ot          other                       Miscellaneous

 

For more information, please see.

Let's proceed with the recommended audit policy in this article. Run the following commands:

Bash$ : auditconfig -setflags fw,fd,ad,am,ss,as,ua,aa,ps,ex,lo,nt,fm,fc
Bash$ : auditconfig -setnaflags fw,fd,ad,am,ss,as,ua,aa,ps,ex,lo,nt,fm,fc

 

6- Use the following command to update the configuration of the Auditd service:

Bash$ : audit -s

 

7- Configuration is complete. To test the setup, end the current session with exit and then log in again (for example, open a new SSH session); the new login produces login/logout (lo) audit events that you can look for in Logsign.

Bash$ : exit
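Before applying the flag lists from step 5 and the forwarding rule from step 3, it helps to check them for mistakes. The POSIX shell script below is an added example, not part of the Logsign article or of Solaris: it deduplicates an audit class list, validates every class against the Audit Flags Table, confirms the minimum classes ex and lo are present, and classifies the rsyslog forwarding rule as UDP 514 or TCP 515 per the Requirements section. The function names are assumptions; the sample list and the address 10.10.0.100 come from this article, and nothing here calls auditconfig or svcadm.

```shell
#!/bin/sh
# Added example (not from the Logsign article): offline sanity checks for the
# audit class list and the rsyslog forwarding rule used in this article.

# Class short names copied from the Audit Flags Table on this page.
KNOWN_CLASSES="all no na fr fw fa fm fc fd cl ap ad am ss as ua aa ps pm pc ex io ip lo nt ot"

# Print the comma-separated list with duplicate classes removed (first occurrence wins).
dedupe_flags() {
    printf '%s\n' "$1" | tr ',' '\n' |
        awk '!seen[$0]++ { printf "%s%s", (n++ ? "," : ""), $0 } END { print "" }'
}
# Return 0 when every class in $1 is a known short name; otherwise list the
# unknown names on stderr and return 1.
validate_flags() {
    _bad=""
    for _c in $(printf '%s\n' "$1" | tr ',' ' '); do
        case " $KNOWN_CLASSES " in
            *" $_c "*) ;;
            *) _bad="$_bad $_c" ;;
        esac
    done
    [ -z "$_bad" ] || { echo "unknown audit class(es):$_bad" >&2; return 1; }
}
# Return 0 when the list contains the minimum policy classes (ex and lo).
meets_minimum() {
    for _req in ex lo; do
        case ",$1," in
            *",$_req,"*) ;;
            *) echo "missing required class: $_req" >&2; return 1 ;;
        esac
    done
}
# Classify an rsyslog forwarding rule for the audit facility: "@" is UDP and "@@"
# is TCP; the port must match the Requirements section (UDP 514 or TCP 515).
check_forward_rule() {
    case "$1" in
        "audit.* @@"*":515") echo "tcp" ;;
        "audit.* @"[!@]*":514") echo "udp" ;;
        *) echo "unexpected forwarding rule: $1" >&2; return 1 ;;
    esac
}

# Recommended policy list as printed in this article, deduplicated and checked.
RECOMMENDED="fw,fd,ad,am,ss,as,ua,aa,ps,fw,fd,ex,lo,nt,fw,fd,fm,fc"
CLEAN=$(dedupe_flags "$RECOMMENDED")
validate_flags "$CLEAN" && meets_minimum "$CLEAN" && echo "flags ok: $CLEAN"
check_forward_rule "audit.* @10.10.0.100:514" >/dev/null && echo "forwarding rule ok"
```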

 

The process is complete.
