Advanced Linux - Suse Linux Logging Model - Manual Installation Method

Beginning 

In this document, advanced logging process for resources belonging to Linux operating systems will be explained. As a result of this process, you will be able to track the following actions in your Linux resource.
- Command Input (Session History)
- Username of the Person Running the Command (Session History)
- IP Address of the Person Running the Command (Session History)
- Path on Which the Person Running the Command Operates (Session History)
- Name of the Source Running the Command (Session History)
- Cron activities on the source (Auditd)
- Some user and system actions (Auditd)

Qualification

The auditd service in Linux resources performs logging processes for many services such as auth, syslog; however, finding rich content in the logs of these services and in many areas such as finding the target of the action is inadequate. Considering these deficiencies, these processes have been improved with scripts and configurations to meet the specified criteria above.

Requirements

- Firewall Access (If not using LEF, permission to access Logsign Unified SecOps Platform Syslog IP via UDP 514 port)
- A user with root privileges for installation on the Source where logs will be received

Used Services

- Rsyslog
- Auditd
- basrc ( /etc/bashrc - Session History)

Installation

Configurations in the manual method vary depending on the Linux distribution you are using. Configurations for the SUSE distribution will be explained in this document.
You can find out which Linux distribution you are using with the following process.
Bash$ : hostnamectl
1- Auditd and rsyslog services are installed or updated.
 Bash$ : sudo zypper install audit rsyslog
2- We back up the originals of the configuration files we currently keep to the Backup directory with the following command lines.
Bash$ : mkdir /var/log/Backup
Bash$ : cp -rf /etc/bashrc /var/log/Backup/
Bash$ : cp -rf /etc/rsyslog* /var/log/Backup/
Bash$ : cp -rf /etc/audit* /var/log/Backup/
3.png
3- Special code must be integrated into the bashrc file. The bashrc file is opened with the Nano or vi editor and the following special code is included in the last line.
Bash$ : vi /etc/bash.bashrc

 

 

Custom Code Blog:

 

distro=`cat /etc/os-release | grep -oP 'PRETTY_NAME="\K[^"]+'`
function history_to_syslog
{
EVENTSOURCE_IP=`hostname -I | awk '{print $1}'`
IP=`who am i |awk '{match($0,/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/); ip = substr($0,RSTART,RLENGTH); print ip'}`
CMD=$(history 1)
CMD=$(echo $CMD | awk '{gsub(/[0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2}/, ""); print substr($0,length($1)+2)}')
DIR=$(pwd)
USER=$(echo $USER)
if [ "$CMD" != "$OLD_CMD" ]; then
logger -p local6.debug -- SESSIONHISTORY = $$, USER = $USER, OS = $distro, EVENTSOURCEIP = $EVENTSOURCE_IP, PWD = $DIR, CMD = "${CMD}", IP = ${IP}
fi
OLD_CMD=$CMD
}
trap history_to_syslog DEBUG || EXIT

After saving with CTRL + O or ESC+:wq+ENTER, we exit.

 

4- Rsyslog configuration is provided with the following special configuration so that logs are sent via syslog.

Instead of 192.168.1.250 ip, write the ip of your own siem, if you have a cluster model structure, write the logsign syslog ip.

If you are following this document for the LEF structure, follow the Lef structure rsyslog configuration title. If you are not using the LEF structure, skip the Lef structure rsyslog configuration title.

 

Bash$ : vi /etc/rsyslog.d/forward_to_logsign_siem.conf

Generic Syslog Configuration:

 

#########-Logsign Unified SecOps Platform------------------
##local6.* /var/log/bash_history.log 

$ModLoad imfile
$WorkDirectory /var/spool/rsyslog
# audit log
$InputFileName /var/log/audit/audit.log
$InputFileTag audit_log:
$InputFileStateFile stat-audit-log
$InputFileSeverity info
$InputFileFacility local5
$InputRunFileMonitor

# check for new lines every 2 seconds
$InputFilePollInterval 2
$InputFilePersistStateInterval 100

$ActionQueueFileName fwdRule1 # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList # run asynchronously
$ActionResumeRetryCount -1 # infinite retries if host is down

#### Log Forwarding Settings
local5.*;local6.* @192.168.1.250:514

After saving, we exit.

Lef Structure Rsyslog Configuration:

Update it with your lef collector ip instead of 192.168.1.250 ip.

 

#########-Logsign Unified SecOps Platform------------------

##local6.* /var/log/bash_history.log 

 

$ModLoad imfile

$WorkDirectory /var/spool/rsyslog

# audit log

$InputFileName /var/log/audit/audit.log

$InputFileTag audit_log:

$InputFileStateFile stat-audit-log

$InputFileSeverity info

$InputFileFacility local5

$InputRunFileMonitor

 

# check for new lines every 2 seconds

$InputFilePollInterval 2

$InputFilePersistStateInterval 100

 

$ActionQueueFileName fwdRule1 # unique name prefix for spool files

$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)

$ActionQueueSaveOnShutdown on # save messages to disk on shutdown

$ActionQueueType LinkedList # run asynchronously

$ActionResumeRetryCount -1 # infinite retries if host is down

 

#### Log Forwarding Settings

local5.*;local6.* @192.168.1.250:1023

After saving, we exit.

 

5-The following lines are added to audit.rules. You can choose a custom configuration for auditd, update these configurations according to your preferences, and disable the ones you do not prefer. Click on the embedded link for detailed information about these rules.

 

Bash$ : vi /etc/audit/rules.d/audit.rules

 

Custom configuration File audit.rules

 

## This file is automatically generated from /etc/audit/rules.d
## This file is automatically generated from /etc/audit/rules.d
## First rule - delete all
-D

## Increase the buffers to survive stress events.
## Make this bigger for busy systems
-b 8192

## Set failure mode to syslog
-f 1

-w /etc/sudoers -p wa -k actions
-w /usr/bin/passwd -p x -k passwd_modification
-w /usr/sbin/groupadd -p x -k group_modification
-w /usr/sbin/groupmod -p x -k group_modification
-w /usr/sbin/addgroup -p x -k group_modification
-w /usr/sbin/useradd -p x -k user_modification
-w /usr/sbin/usermod -p x -k user_modification
-w /usr/sbin/adduser -p x -k user_modification
-w /etc/group -p wa -k etcgroup
-w /etc/passwd -p wa -k etcpasswd
-w /etc/gshadow -k etcgroup
-w /etc/shadow -k etcpasswd
-w /etc/security/opasswd -k opasswd
-w /etc/ssh/sshd_config -k sshd
-w /etc/hostname -p r -k recon
-w /usr/bin/curl -p x -k susp_activity
-w /usr/bin/base64 -p x -k susp_activity
-w /bin/nc -p x -k susp_activity
-w /bin/netcat -p x -k susp_activity
-w /usr/bin/ncat -p x -k susp_activity
-w /usr/bin/ssh -p x -k susp_activity
-w /usr/bin/wireshark -p x -k susp_activity
-w /usr/bin/nmap -p x -k susp_activity
-w /etc/hosts -p wa -k network_modifications

After saving, we exit.

We paste the copy of the configuration file into a different directory.

Bash$ : cp -rfv /etc/audit/rules.d/audit.rules /etc/audit/

8.png

 

6- Auditd log format is changed with the following commands.

Bash$ : sed -i "s/RAW/ENRICHED/g" /etc/audit/auditd.conf
Bash$ : sed -i 's+args = LOG_INFO+args = LOG_DEBUG LOG_LOCAL5+g' /etc/audit/plugins.d/syslog.conf
Bash$ : sed -i 's+active = no+active = yes+g' /etc/audit/plugins.d/syslog.conf

9.png

 

7- We complete the process by running the command lines below.

Bash$ : exec bash
Bash$ : sudo ln -s /run/systemd/journal/dev-log /dev/log
Bash$ : service auditd restart
Bash$ : service rsyslog restart

10.png

 

Logsign integration: 

If the log source is not Elasticsearch friendly, we integrate Logsign in two different ways as below.

For Auditd Logs

12.png

 

For Session History Logs

Was this article helpful?
0 out of 1 found this helpful

Articles in this section

See more
Become a Certified Logsign User/Administrator
Sign-up for Logsign Academy and take the courses to learn about Logsign USO Platform in detail. Enjoy the courses, and get your badges and certificates. In these courses, you'll learn how to use Logsign in your work and add value to your career.
Visit Our Blog
Our Logsign USO Platform illustrate our expertise. So do the blog. Through our blog posts, deepen your knowledge on various SecOps topics or get updated about important news & modern approaches for cybersecurity. Get into the habit of reading valuable information provided by Logsign. Be a step ahead.