Introduction
This document describes the audit policy definition for log sources on Unix operating systems and the process of sending their logs to Logsign.
Used Services
- Rsyslog
- Auditd
Requirements
- Firewall Access (permission to reach the Logsign syslog IP on UDP port 514 or TCP port 515)
- A user with root privileges for installation on the source where logs will be collected.
Attribute
Auditd
Auditd (Audit Daemon) is a tool used to perform security auditing and generate event logs on Unix and Unix-like operating systems. It manages the security auditing subsystem of Linux and tracks, monitors, and logs events that occur on the system.
The main functions of Auditd are as follows:
Security Auditing: Auditd monitors and tracks various events on a Linux system. For example, it can audit file and directory changes, user sessions, network traffic, and more.
Logging: Auditd records the events it monitors in a log file. This log file can be used by system administrators or security experts to review and analyze events.
Monitoring and Alerts: Auditd can generate alerts when specific events or actions occur. This can help identify potential security breaches or abnormal activities.
Monitoring Rules: Rules can be defined to determine what Auditd will audit and log. These rules can be customized by system administrators.
Investigation and Analysis: Auditd logs can be used to investigate security events and detect anomalies in the system, providing better protection against security threats.
Auditd is crucial, especially in large-scale organizations and systems that handle sensitive data, to meet security requirements. It can be used to ensure compliance with security policies and detect potential threats. However, configuring and managing Auditd can be complex, so the assistance of an experienced system administrator may be required.
Rsyslog
Rsyslog (Red Hat System Logging Protocol) is a logging system used to collect, route, and process event logs on Unix and Unix-like operating systems. Rsyslog provides a flexible and powerful solution for log collection and processing and is often used as the default logging system in Linux distributions.
Some key features of Rsyslog include:
Modular Architecture: Rsyslog has a modular architecture, allowing it to accept log data from various sources and route it to different destinations. This enables easy configuration of different logging sources and targets.
Powerful Filtering: Rsyslog can filter log data based on specific criteria, allowing you to capture only certain types of log entries or monitor specific levels of errors.
Remote Logging: Rsyslog can transmit log data to remote servers. This is useful for collecting log data on remote logging servers and creating a centralized logging infrastructure.
Robust Routing: Rsyslog can route log data to different destinations, allowing logs to be directed to different files, databases, or even email notifications.
TCP/UDP Support: Rsyslog can transmit log data over both TCP and UDP protocols, providing flexibility in log transmission.
Customizability: Rsyslog can be easily customized through configuration files to meet various requirements.
Rsyslog is commonly used by system administrators and security experts to monitor system performance, diagnose issues, and investigate security events. It is widely used for log management on Linux-based systems and is available in various distributions.
Installation
You can obtain detailed version information for Unix with the following command:
Bash$ : cat /etc/release
1- Check the status of the rsyslog service on the system with the following command:
Bash$ : svcs rsyslog
The output shows whether the rsyslog service exists and its current state. If the service is listed on your system, the package is already installed and you can skip the installation below.
If you receive the output "svcs: Pattern 'rsyslog' doesn't match any instances," it means you need to install the rsyslog package. To install it, you can use the following commands:
- Bash$ : pkg update
- Bash$ : pkg install rsyslog
2- Check the status of the auditd service on the system with the following commands:
Bash$ : svcs auditd
From the screen output, if you see that the service is installed and active, you can skip this step.
If you receive the output "svcs: Pattern 'auditd' doesn't match any instances," it means you need to install the auditd package. To install it, you can use the following commands:
- Bash$ : pkg update
- Bash$ : pkg install auditd
After the installation is complete, make sure the service is active (state: online) by running 'svcs auditd' again.
3- Create a configuration file under the rsyslog.d directory to send logs to Logsign with the following command:
Bash$ : nano /etc/rsyslog.d/logsign.conf
After creating the file using an editor like nano, vi, vim, paste the following lines into the created file and save it.
######### Logsign
$ActionQueueFileName fwdRule1 # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList # run asynchronously
$ActionResumeRetryCount -1 # infinite retries if host is down
#### Log Forwarding Settings
audit.* @10.10.0.100:514
Note: Don't forget to replace the IP address in the line "audit.* @10.10.0.100:514" above with your Logsign IP address. In the configuration above, logs are forwarded to Logsign at 10.10.0.100 over UDP port 514 (a single @ means UDP). Make sure the firewall allows this traffic.
Save with CTRL + O and exit the file with CTRL + X.
4- Disable the default Unix logging agent and select the rsyslog agent as the default. Execute the following commands in order:
Bash$ : svcadm disable svc:/system/system-log:default
Bash$ : svcadm enable svc:/system/system-log:rsyslog
Bash$ : svcadm refresh svc:/system/system-log:rsyslog
5- To configure the Auditd service and specify the classes you want to audit, update the audit flags based on the conditions you want to monitor (the situations for which you want to receive logs). First, run the following command:
Bash$ : auditconfig -setplugin audit_syslog \
active p_flags=all
The table below contains minimum, recommended, optional, and custom audit flags that you can update based on the conditions you want to monitor (receive logs) in the configuration.
Audit flags are keywords you can use in the configuration to specify the conditions you want to monitor in the Auditd service on a Unix system.
The meanings of the audit flags described in the table below are explained in the Audit Flags Table.
Recommended audit policy creating command line:
Bash$ : auditconfig -setflags fw,fd,ad,am,ss,as,ua,aa,ps,fw,fd,ex,lo,nt,fw,fd,fm,fc
Minimum audit policy creating command line:
Bash$ : auditconfig -setflags ex,lo
All (optional) audit policy creating command line:
Bash$ : auditconfig -setflags all
Note: Enabling all audit flags can generate a very high event volume (EPS, Events Per Second).
Audit Flags Table
For more information, please see.
Let's proceed with the recommended audit policy in this article. Run the following commands:
Bash$ : auditconfig -setflags fw,fd,ad,am,ss,as,ua,aa,ps,fw,fd,ex,lo,nt,fw,fd,fm,fc
Bash$ : auditconfig -setnaflags fw,fd,ad,am,ss,as,ua,aa,ps,fw,fd,ex,lo,nt,fw,fd,fm,fc
6- Use the following command to update the configuration of the Auditd service:
Bash$ : audit -s
7- Configuration is complete. To test the setup, end the current session by exiting, then open a new SSH session or log in again.
Bash$ : exit
The process is complete.
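Steps 3 to 6 above, collected into shell functions as an added example (this is not code from the Logsign page). The function names are assumptions; build_logsign_conf and dedupe_flags run on any POSIX shell, while apply_logsign_audit only wraps the Solaris commands shown in the steps and must run as root on the source host.

```shell
# Added example, not from the Logsign page: steps 3 to 6 as shell functions.
# Function names are ours; the IP and flag list are the page's placeholders.

# Render the /etc/rsyslog.d/logsign.conf body. Legacy rsyslog forwarding uses
# @ for UDP and @@ for TCP; the queue directives spool to disk so audit events
# survive a Logsign outage instead of being dropped.
build_logsign_conf() {
    ip="$1"; port="$2"; proto="${3:-udp}"
    case "$proto" in
        udp) prefix='@' ;;
        tcp) prefix='@@' ;;
        *) echo "unsupported transport: $proto" >&2; return 1 ;;
    esac
    # Refuse anything that is not dotted IPv4 with a port in 1-65535.
    echo "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    { [ "$port" -ge 1 ] && [ "$port" -le 65535 ]; } 2>/dev/null || return 1
    cat <<EOF
######### Logsign
\$ActionQueueFileName fwdRule1
\$ActionQueueMaxDiskSpace 1g
\$ActionQueueSaveOnShutdown on
\$ActionQueueType LinkedList
\$ActionResumeRetryCount -1
#### Log Forwarding Settings
audit.* ${prefix}${ip}:${port}
EOF
}

# Normalise a comma-separated audit flag list: drop empty items and repeats,
# keeping first-seen order, e.g. "fw,fd,ad,fw,fd" -> "fw,fd,ad".
dedupe_flags() {
    printf '%s\n' "$1" | awk -F, '{ out = ""
        for (i = 1; i <= NF; i++)
            if ($i != "" && !seen[$i]++) out = out (out == "" ? "" : ",") $i
        print out }'
}

# Steps 3 to 6 on the Solaris host (root required; not run by the test): write
# the snippet, switch to the rsyslog SMF instance and apply the cleaned flags.
apply_logsign_audit() {
    build_logsign_conf "$1" "$2" "$3" > /etc/rsyslog.d/logsign.conf || return 1
    svcadm disable svc:/system/system-log:default
    svcadm enable svc:/system/system-log:rsyslog
    svcadm refresh svc:/system/system-log:rsyslog
    flags=$(dedupe_flags "$4")
    auditconfig -setplugin audit_syslog active p_flags=all
    auditconfig -setflags "$flags"
    auditconfig -setnaflags "$flags"
    audit -s
}
```

On the source host, run apply_logsign_audit with the Logsign IP, the port, udp or tcp, and the flag list from the recommended policy; use tcp with port 515 where the TCP option from the Requirements section is in use.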