Beginning
Qualification
Requirements
Used Services
Installation
Bash$ : hostnamectl
Bash$ : sudo yum -y install audit audit-libs audispd-plugins rsyslog
Bash$ : mkdir /var/log/Backup
Bash$ : cp -rf /etc/bashrc /var/log/Backup/
Bash$ : cp -rf /etc/rsyslog* /var/log/Backup/
Bash$ : cp -rf /etc/audit* /var/log/Backup/
Bash$ : nano /etc/bashrc
Special code:
# Distribution string used for the OS field of each event
distro=`cat /etc/redhat-release`
function history_to_syslog
{
  EVENTSOURCE_IP=`hostname -i | awk '{print $1}'`
  # Address of the connecting client, taken from the "who am i" line (empty for console logins)
  IP=`who am i | awk '{match($0,/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/); ip = substr($0,RSTART,RLENGTH); print ip}'`
  # Last history entry with its leading line number stripped; quoted so globs in the command are not expanded
  CMD=$(history 1)
  CMD=$(echo "$CMD" | awk '{print substr($0,length($1)+2)}')
  DIR=$(pwd)
  USER=$(echo $USER)
  # The DEBUG trap fires for every simple command, so only log when the history entry changed
  if [ "$CMD" != "$OLD_CMD" ]; then
    logger -p local6.debug -- SESSIONHISTORY = $$, USER = $USER, OS = $distro, EVENTSOURCEIP = $EVENTSOURCE_IP, PWD = $DIR, CMD = "${CMD}", IP = ${IP}
  fi
  OLD_CMD=$CMD
}
trap history_to_syslog DEBUG
After saving with CTRL + O, we exit.
4- Rsyslog is given the following configuration so that the logs are forwarded over syslog.
Replace the 10.10.11.70 IP with the IP of your own SIEM; if you have a cluster structure, use the Logsign syslog IP.
If you are following this document for the LEF structure, use the "Lef Structure Rsyslog Configuration" section below. If you are not using the LEF structure, skip that section.
Bash$ : nano /etc/rsyslog.d/forward_to_logsign_siem.conf
Custom Configuration:
#########-Logsign Unified SecOps Platform------------------
##local6.* /var/log/bash_history.log ## uncomment if you also want to write a local copy
$ActionQueueFileName fwdRule1 # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList # run asynchronously
$ActionResumeRetryCount -1 # infinite retries if host is down
#### Log Forwarding Settings
local5.*;local6.* @10.10.11.70:514
After saving with CTRL + O, we exit.
Lef Structure Rsyslog Configuration:
Replace the 10.10.11.70 IP with your LEF collector IP.
#########-LEF - Logsign Unified SecOps Platform------------------
##local6.* /var/log/bash_history.log ## uncomment if you also want to write a local copy
$ActionQueueFileName fwdRule1 # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList # run asynchronously
$ActionResumeRetryCount -1 # infinite retries if host is down
#### Log Forwarding Settings
local5.debug;local6.debug @10.10.11.70:1023
After saving with CTRL + O, we exit.
5- The following lines are added to audit.rules.
Bash$ : nano /etc/audit/rules.d/audit.rules
Custom configuration file audit.rules:
## This file is automatically generated from /etc/audit/rules.d
## First rule - delete all
-D
## Increase the buffers to survive stress events.
## Make this bigger for busy systems
-b 8192
## Set failure mode to syslog
-f 1
-w /etc/sudoers -p wa -k actions
-w /usr/bin/passwd -p x -k passwd_modification
-w /usr/sbin/groupadd -p x -k group_modification
-w /usr/sbin/groupmod -p x -k group_modification
-w /usr/sbin/addgroup -p x -k group_modification
-w /usr/sbin/useradd -p x -k user_modification
-w /usr/sbin/usermod -p x -k user_modification
-w /usr/sbin/adduser -p x -k user_modification
-w /etc/group -p wa -k etcgroup
-w /etc/passwd -p wa -k etcpasswd
-w /etc/gshadow -k etcgroup
-w /etc/shadow -k etcpasswd
-w /etc/security/opasswd -k opasswd
-w /etc/ssh/sshd_config -k sshd
-w /etc/hostname -p r -k recon
-w /usr/bin/curl -p x -k susp_activity
-w /usr/bin/base64 -p x -k susp_activity
-w /bin/nc -p x -k susp_activity
-w /bin/netcat -p x -k susp_activity
-w /usr/bin/ncat -p x -k susp_activity
-w /usr/bin/ssh -p x -k susp_activity
-w /usr/bin/wireshark -p x -k susp_activity
-w /usr/bin/nmap -p x -k susp_activity
-w /etc/hosts -p wa -k network_modifications
After saving with CTRL + O, we exit.
We also copy the rules file into the /etc/audit/ directory.
Bash$ : cp -rfv /etc/audit/rules.d/audit.rules /etc/audit/
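As an added example (not part of this document or of Logsign's own tooling), the following Python parser reads the SESSIONHISTORY lines that the /etc/bashrc function above produces and flags commands that run the same binaries the audit.rules above tag with -k susp_activity. The sample syslog lines, the SUSP_BINARIES set and the function names are constructed for this example.

```python
import os
import re
from typing import Optional

# Field order as produced by the logger call appended to /etc/bashrc above.
# OS and PWD match lazily up to the next fixed label; CMD matches greedily up
# to the final ", IP =", so commas or "=" inside a command survive the split.
# The IP value is absent for console logins (who am i shows no address).
SESSION_RE = re.compile(
    r"SESSIONHISTORY = (?P<pid>\d+), USER = (?P<user>[^,\s]*), "
    r"OS = (?P<os>.*?), EVENTSOURCEIP = (?P<source_ip>[^,\s]*), "
    r"PWD = (?P<pwd>.*?), CMD = (?P<cmd>.*), IP =(?: (?P<client_ip>\S+))?$"
)
# Binaries the audit.rules above tag with -k susp_activity, reused so the
# shell-history feed is scored with the same list (constructed helper).
SUSP_BINARIES = {"curl", "base64", "nc", "netcat", "ncat", "ssh", "wireshark", "nmap"}

def parse_session_line(line: str) -> Optional[dict]:
    """Return the SESSIONHISTORY fields of one syslog line, or None if absent."""
    m = SESSION_RE.search(line.rstrip("\n"))
    if not m:
        return None
    event = m.groupdict()
    event["pid"] = int(event["pid"])
    return event

def is_suspicious(cmd: str) -> bool:
    """True if any pipeline stage runs an audited binary (leading sudo ignored)."""
    for stage in cmd.split("|"):
        tokens = stage.split()
        if tokens and tokens[0] == "sudo":
            tokens = tokens[1:]
        if tokens and os.path.basename(tokens[0]) in SUSP_BINARIES:
            return True
    return False

def suspicious_events(lines):
    """Parsed events whose command touches one of the audited binaries."""
    return [e for e in map(parse_session_line, lines) if e and is_suspicious(e["cmd"])]

# Constructed sample lines in the shape rsyslog writes for this integration.
SAMPLE_LINES = [
    "Mar  4 10:15:02 web01 root: SESSIONHISTORY = 4211, USER = root, "
    "OS = CentOS Linux release 7.9.2009 (Core), EVENTSOURCEIP = 10.10.11.25, "
    "PWD = /root, CMD = echo \"k=v, x=y\" | base64, IP = 192.168.1.20",
    "Mar  4 10:16:40 web01 alice: SESSIONHISTORY = 4398, USER = alice, "
    "OS = CentOS Linux release 7.9.2009 (Core), EVENTSOURCEIP = 10.10.11.25, "
    "PWD = /home/alice, CMD = ls -la, IP =",
]
```

Running suspicious_events(SAMPLE_LINES) returns only the root event, because the quoted command is split on the final ", IP =" rather than on the comma inside it.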
6- The auditd log format is changed with the following commands.
Bash$ : exec bash
Bash$ : sudo ln -s /run/systemd/journal/dev-log /dev/log
Bash$ : service auditd restart
Bash$ : service rsyslog restart
Logsign integration: