Advanced Linux - Red Hat Logging Model - Manual Installation Method

Beginning 

In this document, advanced logging process for resources belonging to Linux operating systems will be explained. As a result of this process, you will be able to track the following actions in your Linux resource.
- Command Input (Session History)
- Username of the Person Running the Command (Session History)
- IP Address of the Person Running the Command (Session History)
- Path on Which the Person Running the Command Operates (Session History)
- Name of the Source Running the Command (Session History)
- Cron activities on the source (Auditd)
- Some user and system actions (Auditd)

Qualification

The auditd service in Linux resources performs logging processes for many services such as auth, syslog; however, finding rich content in the logs of these services and in many areas such as finding the target of the action is inadequate. Considering these deficiencies, these processes have been improved with scripts and configurations to meet the specified criteria above.

Requirements

- Firewall Access (Permission to access Logsign Unified SecOps Platform Syslog IP via UDP 514 port)
- A user with root privileges for installation on the Source where logs will be received

Used Services

- Rsyslog
- Auditd
- basrc ( /etc/bashrc - Session History)

Installation

Configurations in the manual method vary depending on the Linux distribution you are using. Configurations for the RedHat distribution will be explained in this document.
You can find out which Linux distribution you are using with the following process.
Bash$ : hostnamectl
1.png
1- Auditd and rsyslog services are installed or updated.
 Bash$ : sudo yum -y install audit audit-libs audispd-plugins rsyslog
2.png
2- We back up the originals of the configuration files we currently keep to the Backup directory with the following command lines.
Bash$ : mkdir /var/log/Backup
Bash$ : cp -rf /etc/bashrc /var/log/Backup/
Bash$ : cp -rf /etc/rsyslog* /var/log/Backup/
Bash$ : cp -rf /etc/audit* /var/log/Backup/
3.png
3- Special code must be integrated into the bashrc file. The bashrc file is opened with the Nano editor and the following special code is included in the last line.
Bash$ : nano /etc/bashrc

 

Special code:

distro=`cat /etc/redhat-release`
function history_to_syslog
{
EVENTSOURCE_IP=`hostname -i | awk '{print $1}'`
IP=`who am i |awk '{match($0,/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/); ip = substr($0,RSTART,RLENGTH); print ip'}`
CMD=$(history 1)
CMD=$(echo $CMD |awk '{print substr($0,length($1)+2)}')
DIR=$(pwd)
USER=$(echo $USER)
if [ "$CMD" != "$OLD_CMD" ]; then
logger -p local6.debug -- SESSIONHISTORY = $$, USER = $USER, OS = $distro, EVENTSOURCEIP = $EVENTSOURCE_IP, PWD = $DIR, CMD = "${CMD}", IP = ${IP}
fi
OLD_CMD=$CMD
}
trap history_to_syslog DEBUG || EXIT
4.png

After saving with CTRL + O, we exit.

 

4- Rsyslog configuration is provided with the following special configuration so that logs are sent via syslog.

Instead of 10.10.11.70 ip, write the ip of your own siem, if you have a cluster model structure, write the logsign syslog ip.

If you are following this document for the LEF structure, follow the Lef structure rsyslog configuration title. If you are not using the LEF structure, skip the Lef structure rsyslog configuration title.

 

Bash$ : nano /etc/rsyslog.d/forward_to_logsign_siem.conf

Custom Configuration:

#########-Logsign Unified SecOps Platform------------------
##local6.* /var/log/bash_history.log ## local e yazmak istersen açabilirsin.

$ActionQueueFileName fwdRule1 # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList # run asynchronously
$ActionResumeRetryCount -1 # infinite retries if host is down

#### Log Forwarding Settings
local5.*;local6.* @10.10.11.70:514
5.png

After saving with CTRL + O, we exit.

 

Lef Structure Rsyslog Configuration:

Update it with your lef collector ip instead of 10.10.11.70 ip.

 

#########-LEF - Logsign Unified SecOps Platform------------------
##local6.* /var/log/bash_history.log ## local e yazmak istersen açabilirsin.

$ActionQueueFileName fwdRule1 # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList # run asynchronously
$ActionResumeRetryCount -1 # infinite retries if host is down

#### Log Forwarding Settings
local5.debug;local6.debug @10.10.11.70:1023
6.png

After saving with CTRL + O, we exit.

 

5-The following lines are added to audit.rules.

 

Bash$ : nano /etc/audit/rules.d/audit.rules

 Custom configuration File audit.rules

## This file is automatically generated from /etc/audit/rules.d
## This file is automatically generated from /etc/audit/rules.d
## First rule - delete all
-D

## Increase the buffers to survive stress events.
## Make this bigger for busy systems
-b 8192

## Set failure mode to syslog
-f 1

-w /etc/sudoers -p wa -k actions
-w /usr/bin/passwd -p x -k passwd_modification
-w /usr/sbin/groupadd -p x -k group_modification
-w /usr/sbin/groupmod -p x -k group_modification
-w /usr/sbin/addgroup -p x -k group_modification
-w /usr/sbin/useradd -p x -k user_modification
-w /usr/sbin/usermod -p x -k user_modification
-w /usr/sbin/adduser -p x -k user_modification
-w /etc/group -p wa -k etcgroup
-w /etc/passwd -p wa -k etcpasswd
-w /etc/gshadow -k etcgroup
-w /etc/shadow -k etcpasswd
-w /etc/security/opasswd -k opasswd
-w /etc/ssh/sshd_config -k sshd
-w /etc/hostname -p r -k recon
-w /usr/bin/curl -p x -k susp_activity
-w /usr/bin/base64 -p x -k susp_activity
-w /bin/nc -p x -k susp_activity
-w /bin/netcat -p x -k susp_activity
-w /usr/bin/ncat -p x -k susp_activity
-w /usr/bin/ssh -p x -k susp_activity
-w /usr/bin/wireshark -p x -k susp_activity
-w /usr/bin/nmap -p x -k susp_activity
-w /etc/hosts -p wa -k network_modifications
7.png

After saving with CTRL + O, we exit.

 

We paste the copy of the configuration file into a different directory.

Bash$ : cp -rfv /etc/audit/rules.d/audit.rules /etc/audit/

8.png

 

 

 

6- Auditd log format is changed with the following commands.

Bash$ : exec bash
Bash$ : sudo ln -s /run/systemd/journal/dev-log /dev/log
Bash$ : service auditd restart
Bash$ : service rsyslog restart

9.png

 

 

7- We complete the process by running the command lines below.

Bash$ : exec bash
Bash$ : sudo ln -s /run/systemd/journal/dev-log /dev/log
Bash$ : service auditd restart
Bash$ : service rsyslog restart

10.png

 

 

 

 

Logsign integration: 

 

12.png

 

12.png

Was this article helpful?
1 out of 1 found this helpful

Articles in this section

See more
Become a Certified Logsign User/Administrator
Sign-up for Logsign Academy and take the courses to learn about Logsign USO Platform in detail. Enjoy the courses, and get your badges and certificates. In these courses, you'll learn how to use Logsign in your work and add value to your career.
Visit Our Blog
Our Logsign USO Platform illustrate our expertise. So do the blog. Through our blog posts, deepen your knowledge on various SecOps topics or get updated about important news & modern approaches for cybersecurity. Get into the habit of reading valuable information provided by Logsign. Be a step ahead.