Installation
Bash$ : hostnamectl
Bash$ : sudo zypper install audit rsyslog
Bash$ : mkdir /var/log/Backup
Bash$ : cp -rf /etc/bashrc /var/log/Backup/
Bash$ : cp -rf /etc/rsyslog* /var/log/Backup/
Bash$ : cp -rf /etc/audit* /var/log/Backup/
Bash$ : vi /etc/bash.bashrc
Custom code block:
# Distribution name from os-release, resolved once when the shell starts
distro=$(grep -oP 'PRETTY_NAME="\K[^"]+' /etc/os-release)
function history_to_syslog
{
# First address of this host, used as the event source
EVENTSOURCE_IP=$(hostname -I | awk '{print $1}')
# Remote address of the current login session (empty on a local console)
IP=$(who am i | awk '{match($0,/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/); print substr($0,RSTART,RLENGTH)}')
# Last history entry; strip the history number and an optional HISTTIMEFORMAT timestamp.
# The variable is quoted so that a command containing * or ? is not glob-expanded.
CMD=$(history 1)
CMD=$(echo "$CMD" | awk '{sub(/^[ \t]*[0-9]+[ \t]+/, ""); sub(/^[0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2}[ \t]+/, ""); print}')
DIR=$(pwd)
# The DEBUG trap fires before every simple command; only log a changed entry once
if [ "$CMD" != "$OLD_CMD" ]; then
logger -p local6.debug -- SESSIONHISTORY = $$, USER = $USER, OS = $distro, EVENTSOURCEIP = $EVENTSOURCE_IP, PWD = $DIR, CMD = "${CMD}", IP = ${IP}
fi
OLD_CMD=$CMD
}
trap history_to_syslog DEBUG
After saving (CTRL+O in nano, or ESC, :wq, ENTER in vi), we exit.
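The fields that history_to_syslog assembles can be checked without a live shell, who, or syslog. The script below is an added example (not code from the page or from Logsign) that reproduces the same text processing on constructed input: the PRETTY_NAME extraction, the stripping of the history number and HISTTIMEFORMAT timestamp, the IPv4 lookup in the "who am i" line, and the final message layout. Function names and sample values are assumptions chosen here; note that the double quotes around ${CMD} in the logger line are shell syntax, so the CMD field arrives unquoted.

```shell
#!/bin/sh
# Added example, not code from the page: reproduces the text processing that
# history_to_syslog performs, on constructed input, so the fields can be
# checked without a live shell, "who", or syslog. Function names are
# assumptions chosen here; the message layout follows the logger line above.

# Constructed samples standing in for live command output.
SAMPLE_OS_RELEASE='NAME="openSUSE Leap"
PRETTY_NAME="openSUSE Leap 15.5"'
SAMPLE_HISTORY='   42  2024-01-31 10:15:02 cat /etc/shadow'
SAMPLE_WHO='alice    pts/0        2024-01-31 10:14 (10.0.0.7)'

# PRETTY_NAME value from os-release text (what the distro= line extracts).
parse_pretty_name() {
    printf '%s\n' "$1" | sed -n 's/^PRETTY_NAME="\(.*\)"$/\1/p'
}

# Strip the history number and an optional HISTTIMEFORMAT timestamp from a
# "history 1" line, leaving only the command text.
parse_history_cmd() {
    printf '%s\n' "$1" | sed -E \
        -e 's/^[[:space:]]*[0-9]+[[:space:]]+//' \
        -e 's/^[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9][[:space:]]+//'
}

# First dotted-quad IPv4 address in a "who am i" line; empty for a local
# console or when the remote host is shown by name instead of address.
parse_who_ip() {
    printf '%s\n' "$1" | sed -nE 's/.*[^0-9.]([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*/\1/p'
}

# Assemble the message as logger receives it from the function above.
# The double quotes around ${CMD} in that line are shell syntax, so the CMD
# field arrives unquoted; a command containing commas therefore needs care
# in the SIEM parser.
# Arguments: history line, who line, user, distro, shell pid, cwd, source ip.
build_session_event() {
    cmd=$(parse_history_cmd "$1")
    ip=$(parse_who_ip "$2")
    printf 'SESSIONHISTORY = %s, USER = %s, OS = %s, EVENTSOURCEIP = %s, PWD = %s, CMD = %s, IP = %s\n' \
        "$5" "$3" "$4" "$7" "$6" "$cmd" "$ip"
}

# Stand-alone run on the constructed samples.
build_session_event "$SAMPLE_HISTORY" "$SAMPLE_WHO" alice \
    "$(parse_pretty_name "$SAMPLE_OS_RELEASE")" 4242 /root 192.168.1.20
```

Running the script prints one event line in the same layout the SIEM will receive. Because the DEBUG trap fires before every simple command, including each segment of a pipeline, the OLD_CMD comparison in the original function is what keeps one history entry from being logged several times.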
4- Rsyslog is given the following configuration so that the logs are sent over syslog.
Replace the IP 192.168.1.250 with the IP of your own SIEM; if you have a cluster structure, use the Logsign syslog IP.
If you are following this document for the LEF structure, use the configuration under the "Lef Structure Rsyslog Configuration" title. If you are not using the LEF structure, skip that title.
Bash$ : vi /etc/rsyslog.d/forward_to_logsign_siem.conf
Generic Syslog Configuration:
#########-Logsign Unified SecOps Platform------------------
##local6.* /var/log/bash_history.log
$ModLoad imfile
$WorkDirectory /var/spool/rsyslog
# audit log
$InputFileName /var/log/audit/audit.log
$InputFileTag audit_log:
$InputFileStateFile stat-audit-log
$InputFileSeverity info
$InputFileFacility local5
$InputRunFileMonitor
# check for new lines every 2 seconds
$InputFilePollInterval 2
$InputFilePersistStateInterval 100
$ActionQueueFileName fwdRule1 # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList # run asynchronously
$ActionResumeRetryCount -1 # infinite retries if host is down
#### Log Forwarding Settings
local5.*;local6.* @192.168.1.250:514
After saving, we exit.
Lef Structure Rsyslog Configuration:
Replace the IP 192.168.1.250 with the IP of your LEF collector.
#########-Logsign Unified SecOps Platform------------------
##local6.* /var/log/bash_history.log
$ModLoad imfile
$WorkDirectory /var/spool/rsyslog
# audit log
$InputFileName /var/log/audit/audit.log
$InputFileTag audit_log:
$InputFileStateFile stat-audit-log
$InputFileSeverity info
$InputFileFacility local5
$InputRunFileMonitor
# check for new lines every 2 seconds
$InputFilePollInterval 2
$InputFilePersistStateInterval 100
$ActionQueueFileName fwdRule1 # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList # run asynchronously
$ActionResumeRetryCount -1 # infinite retries if host is down
#### Log Forwarding Settings
local5.*;local6.* @192.168.1.250:1023
After saving, we exit.
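The two configurations above differ only in the destination of the last line, and in the legacy rsyslog syntax a single "@" means UDP while "@@" means TCP, with the port defaulting to 514 when omitted. The script below is an added check (not code from the page, from Logsign or from rsyslog) that decodes every forwarding action in a configuration so transport, host, port and selector can be confirmed before rsyslog is restarted; the function name and the sample text are assumptions chosen here.

```shell
#!/bin/sh
# Added example, not code from the page or from rsyslog: decodes legacy-format
# forwarding actions so the transport and destination of each line can be
# confirmed before restarting rsyslog. The function name is an assumption.

# Constructed sample mixing the generic destination from the page, the LEF
# destination, a TCP destination without a port, and a commented line.
SAMPLE_CONF='##local6.* /var/log/bash_history.log
$ActionQueueType LinkedList # run asynchronously
local5.*;local6.* @192.168.1.250:514
local5.*;local6.* @192.168.1.250:1023
*.* @@10.0.0.5'

# Print "proto host port selector" for each forwarding action in $1.
# "@host" is UDP, "@@host" is TCP; ":port" is optional and defaults to 514.
forward_targets() {
    printf '%s\n' "$1" | awk '
        /^[^#]+[ \t]+@/ {
            sel = $1; dest = $2; proto = "udp"; port = 514
            if (substr(dest, 1, 2) == "@@") { proto = "tcp"; dest = substr(dest, 3) }
            else dest = substr(dest, 2)
            n = index(dest, ":")
            if (n > 0) { port = substr(dest, n + 1); dest = substr(dest, 1, n - 1) }
            print proto, dest, port, sel
        }'
}

# Stand-alone run on the constructed sample.
forward_targets "$SAMPLE_CONF"
```

For the page's own lines the output shows that both the generic (514) and the LEF (1023) variants forward over UDP, which is worth knowing when the queue settings above are expected to provide reliable delivery: the disk-assisted queue buffers messages while the host is unreachable, but UDP itself does not confirm receipt.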
5- The following lines are added to audit.rules. You can choose a custom configuration for auditd: update these rules according to your preferences and disable the ones you do not want. Click on the embedded link for detailed information about these rules.
Bash$ : vi /etc/audit/rules.d/audit.rules
Custom configuration file audit.rules:
## This file is automatically generated from /etc/audit/rules.d
## First rule - delete all
-D
## Increase the buffers to survive stress events.
## Make this bigger for busy systems
-b 8192
## Set failure mode to syslog
-f 1
-w /etc/sudoers -p wa -k actions
-w /usr/bin/passwd -p x -k passwd_modification
-w /usr/sbin/groupadd -p x -k group_modification
-w /usr/sbin/groupmod -p x -k group_modification
-w /usr/sbin/addgroup -p x -k group_modification
-w /usr/sbin/useradd -p x -k user_modification
-w /usr/sbin/usermod -p x -k user_modification
-w /usr/sbin/adduser -p x -k user_modification
-w /etc/group -p wa -k etcgroup
-w /etc/passwd -p wa -k etcpasswd
-w /etc/gshadow -k etcgroup
-w /etc/shadow -k etcpasswd
-w /etc/security/opasswd -k opasswd
-w /etc/ssh/sshd_config -k sshd
-w /etc/hostname -p r -k recon
-w /usr/bin/curl -p x -k susp_activity
-w /usr/bin/base64 -p x -k susp_activity
-w /bin/nc -p x -k susp_activity
-w /bin/netcat -p x -k susp_activity
-w /usr/bin/ncat -p x -k susp_activity
-w /usr/bin/ssh -p x -k susp_activity
-w /usr/bin/wireshark -p x -k susp_activity
-w /usr/bin/nmap -p x -k susp_activity
-w /etc/hosts -p wa -k network_modifications
After saving, we exit.
We also copy the rules file into the /etc/audit directory.
Bash$ : cp -rfv /etc/audit/rules.d/audit.rules /etc/audit/
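Before the rules are deployed it helps to review what each key covers and which watches have no -p filter, since a -w rule without -p audits all of r, w, x and a and can be noisy (for example the /etc/shadow and /etc/gshadow lines above). The script below is an added check (not code from the page or from Logsign) that summarises the -w rules in a file; the function names are assumptions chosen here and the sample is a subset of the rules above.

```shell
#!/bin/sh
# Added example, not code from the page: a pre-deployment review of the -w
# (watch) rules in an audit.rules file. Function names are assumptions.

# Constructed sample: a subset of the rules shown above.
SAMPLE_RULES='-D
-b 8192
-f 1
-w /etc/sudoers -p wa -k actions
-w /usr/bin/passwd -p x -k passwd_modification
-w /etc/shadow -k etcpasswd
-w /etc/hosts -p wa -k network_modifications'

# Print "key path perms" for every -w rule in $1.
# A missing -p means auditd watches all of r, w, x and a.
watch_rules() {
    printf '%s\n' "$1" | awk '
        $1 == "-w" {
            path = $2; perms = "rwxa"; key = "(none)"
            for (i = 3; i < NF; i++) {
                if ($i == "-p") perms = $(i + 1)
                else if ($i == "-k") key = $(i + 1)
            }
            print key, path, perms
        }'
}

# Keys that have at least one watch without an explicit -p filter.
keys_without_perm_filter() {
    printf '%s\n' "$1" | awk '
        $1 == "-w" && $0 !~ / -p / {
            for (i = 3; i < NF; i++) if ($i == "-k") print $(i + 1)
        }' | sort -u
}

# Number of watches per key, sorted by key name.
key_counts() {
    watch_rules "$1" | awk '{ n[$1]++ } END { for (k in n) print k, n[k] }' | sort
}

# Stand-alone run on the constructed sample.
echo "watches:";           watch_rules "$SAMPLE_RULES"
echo "per key:";           key_counts "$SAMPLE_RULES"
echo "no -p filter:";      keys_without_perm_filter "$SAMPLE_RULES"
```

Run it against the real file with watch_rules "$(cat /etc/audit/rules.d/audit.rules)" to see the same summary for the deployed rule set; the key names are what the SIEM will receive in the key= field of each audit record.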
6- The auditd log format is changed with the following commands: log_format is set to ENRICHED, and the auditd syslog plugin is enabled with facility LOCAL5 so that audit events reach rsyslog under local5.
Bash$ : sed -i "s/RAW/ENRICHED/g" /etc/audit/auditd.conf
Bash$ : sed -i 's+args = LOG_INFO+args = LOG_DEBUG LOG_LOCAL5+g' /etc/audit/plugins.d/syslog.conf
Bash$ : sed -i 's+active = no+active = yes+g' /etc/audit/plugins.d/syslog.conf
7- We complete the process by running the commands below.
Bash$ : exec bash
Bash$ : sudo ln -s /run/systemd/journal/dev-log /dev/log
Bash$ : service auditd restart
Bash$ : service rsyslog restart
Logsign integration:
If the log source is not Elasticsearch-friendly, Logsign is integrated in one of the two ways below.
For Auditd Logs
For Session History Logs