As I mentioned in several other blog articles, your Security Event Management (SEM) infrastructure is only as effective as the auditing capabilities of your sources. If you are not generating the necessary logs, with useful information in an understandable and meaningful structure, you will end up failing no matter how correctly you deploy your log management product.
That is actually why I am spending this much time (and you should too) examining each and every source system and writing about them here in several articles. My first articles covered the bare basics you should follow to get your logs onto the log management platform. In this new series of articles, I will cover which events we should care about, as a minimum, and how to log them. Let's get started!
In Linux systems, which events get logged is controlled by the audit.rules file, which is most often located under the /etc/audit/ folder. The scheme below shows how the audit mechanism works in Linux.
The good point about the auditing features of Linux, compared to Windows servers, is that you can audit pretty much everything and customize the logs to your needs. You can write audit rules for any process or command you want, audit the actions of one specific user, or audit only a specific action (write, read, execute, append). The name tags (keys) you attach to your log messages can greatly simplify your job when you write correlation rules on your SEM engine.
How an audit rule is written is explained in the auditctl man page. Below I give a template that covers most general situations. Make sure you cover all your critical processes by adding audit rules for them.
An important thing to know about using this file is that you must adapt it to your own systems. One of the first things to do is set the arch= parameter according to whether you are on a 32-bit system (b32) or a 64-bit system (b64). Some files and commands change from older versions to newer ones; e.g. the faillog file, which kept failed login attempts in Red Hat Enterprise Linux 5, no longer exists in later versions, and you should configure rules for the pam_tally process and files instead. Also, change the tags in the rules (the text after the -k parameter) according to your needs.
Finally, there are two parameters that need to be used with care. Do put -e 2 at the end of the file: it locks the audit configuration so it cannot be tampered with until the next reboot, and any attempt to change it is logged. The second, -f 2, is more likely to be used in military/defense environments; it causes the system to halt if logging fails, so use it with caution.
# First rule - delete all
-D

# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 8096

# Feel free to add below this line. See auditctl man page

# Capture all failures to access on critical elements
-a exit,always -F arch=b64 -S open -F dir=/etc -F success=0 -k CriticalElementFailures
-a exit,always -F arch=b64 -S open -F dir=/bin -F success=0 -k CriticalElementFailures
-a exit,always -F arch=b64 -S open -F dir=/sbin -F success=0 -k CriticalElementFailures
-a exit,always -F arch=b64 -S open -F dir=/usr/bin -F success=0 -k CriticalElementFailures
-a exit,always -F arch=b64 -S open -F dir=/usr/sbin -F success=0 -k CriticalElementFailures
-a exit,always -F arch=b64 -S open -F dir=/var -F success=0 -k CriticalElementFailures
-a exit,always -F arch=b64 -S open -F dir=/home -F success=0 -k CriticalElementFailures

# Capture all successful deletions on critical elements
-a exit,always -F arch=b64 -S unlinkat -F success=1 -F dir=/etc -k CriticalElementDeletions
-a exit,always -F arch=b64 -S unlinkat -F success=1 -F dir=/bin -k CriticalElementDeletions
-a exit,always -F arch=b64 -S unlinkat -F success=1 -F dir=/sbin -k CriticalElementDeletions
-a exit,always -F arch=b64 -S unlinkat -F success=1 -F dir=/usr/bin -k CriticalElementDeletions
-a exit,always -F arch=b64 -S unlinkat -F success=1 -F dir=/usr/sbin -k CriticalElementDeletions
-a exit,always -F arch=b64 -S unlinkat -F success=1 -F dir=/var -k CriticalElementDeletions

# Capture all successful modifications of owner or permissions on critical elements
-a exit,always -F arch=b64 -S fchmodat -S fchownat -F dir=/etc -F success=1 -k CriticalElementModifications
-a exit,always -F arch=b64 -S fchmodat -S fchownat -F dir=/bin -F success=1 -k CriticalElementModifications
-a exit,always -F arch=b64 -S fchmodat -S fchownat -F dir=/sbin -F success=1 -k CriticalElementModifications
-a exit,always -F arch=b64 -S fchmodat -S fchownat -F dir=/usr/bin -F success=1 -k CriticalElementModifications
-a exit,always -F arch=b64 -S fchmodat -S fchownat -F dir=/usr/sbin -F success=1 -k CriticalElementModifications
-a exit,always -F arch=b64 -S fchmodat -S fchownat -F dir=/var -F success=1 -k CriticalElementModifications
-a exit,always -F arch=b64 -S fchmodat -S fchownat -F dir=/home -F success=1 -k CriticalElementModifications

# Capture all successful modifications of content
-a exit,always -F arch=b64 -S pwrite64 -S write -S writev -S pwritev -F dir=/etc -F success=1 -k CriticalElementModifications
-a exit,always -F arch=b64 -S pwrite64 -S write -S writev -S pwritev -F dir=/bin -F success=1 -k CriticalElementModifications
-a exit,always -F arch=b64 -S pwrite64 -S write -S writev -S pwritev -F dir=/sbin -F success=1 -k CriticalElementModifications
-a exit,always -F arch=b64 -S pwrite64 -S write -S writev -S pwritev -F dir=/usr/bin -F success=1 -k CriticalElementModifications
-a exit,always -F arch=b64 -S pwrite64 -S write -S writev -S pwritev -F dir=/usr/sbin -F success=1 -k CriticalElementModifications
-a exit,always -F arch=b64 -S pwrite64 -S write -S writev -S pwritev -F dir=/var -F success=1 -k CriticalElementModifications
-a exit,always -F arch=b64 -S pwrite64 -S write -S writev -S pwritev -F dir=/home -F success=1 -k CriticalElementModifications

# Capture all successful creations
-a exit,always -F arch=b64 -S creat -F dir=/etc -F success=1 -k CriticalElementCreations
-a exit,always -F arch=b64 -S creat -F dir=/bin -F success=1 -k CriticalElementCreations
-a exit,always -F arch=b64 -S creat -F dir=/sbin -F success=1 -k CriticalElementCreations
-a exit,always -F arch=b64 -S creat -F dir=/usr/bin -F success=1 -k CriticalElementCreations
-a exit,always -F arch=b64 -S creat -F dir=/usr/sbin -F success=1 -k CriticalElementCreations
-a exit,always -F arch=b64 -S creat -F dir=/var -F success=1 -k CriticalElementCreations

# Capture all successful reads (only for High-Impact Systems)
-a exit,always -F arch=b64 -S open -F dir=/etc -F success=1 -k CriticalElementReads
-a exit,always -F arch=b64 -S open -F dir=/bin -F success=1 -k CriticalElementReads
-a exit,always -F arch=b64 -S open -F dir=/sbin -F success=1 -k CriticalElementReads
-a exit,always -F arch=b64 -S open -F dir=/usr/bin -F success=1 -k CriticalElementReads
-a exit,always -F arch=b64 -S open -F dir=/usr/sbin -F success=1 -k CriticalElementReads
-a exit,always -F arch=b64 -S open -F dir=/var -F success=1 -k CriticalElementReads

# Monitor for changes to shadow file (use of passwd command)
-w /usr/bin/passwd -p x
-w /etc/passwd -p ra
-w /etc/shadow -p ra

# Monitor for use of process ID change (switching accounts) applications
-w /bin/su -p x -k PrivilegeEscalation
-w /usr/bin/sudo -p x -k PrivilegeEscalation
-w /etc/sudoers -p rw -k PrivilegeEscalation

# Monitor for use of tools to change group identifiers
-w /usr/sbin/groupadd -p x -k GroupModification
-w /usr/sbin/groupmod -p x -k GroupModification
-w /usr/sbin/useradd -p x -k UserModification
-w /usr/sbin/usermod -p x -k UserModification

# Ensure audit log file modifications are logged.
-a exit,always -F arch=b64 -S unlink -S unlinkat -F dir=/var/log/audit -k AuditLogRemoval

# Monitor for use of audit management tools
-w /sbin/auditctl -p x -k AuditModification
-w /sbin/auditd -p x -k AuditModification

# Ensure critical apps are monitored. List will vary by mission.
-a exit,always -F arch=b64 -F path=/sbin/init -k CriticalAppMonitoring
-a exit,always -F arch=b64 -F path=/usr/bin/Xorg -k CriticalAppMonitoring
-a exit,always -F arch=b64 -F path=/usr/sbin/sshd -k CriticalAppMonitoring
-a exit,always -F arch=b64 -F path=/sbin/rsyslogd -k CriticalAppMonitoring

# Ensure attribute changes are audited
-a exit,always -F arch=b64 -S chmod -S chown -S fchmod -S fchown -S setuid -S setreuid -S getxattr -S setxattr -k AttributeChanges
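To show what the -k tags buy you on the SEM side, here is an added example (my own code, not from the article or the audit project): a small Python parser for auditd's native record format that joins SYSCALL and PATH records by serial, counts events per key, and runs one illustrative correlation (privilege escalation followed by audit log removal in the same login session). The log lines are constructed, and the correlation rule and its 60-second window are my assumptions, not something the article defines.

```python
import re
from collections import defaultdict

# Constructed auditd records (not from the article); key="..." holds the -k tags from the rules above.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:4201): arch=c000003e syscall=2 success=no exit=-13 ppid=1200 pid=1234 auid=1000 uid=1000 euid=1000 comm="cat" exe="/usr/bin/cat" key="CriticalElementFailures"
type=PATH msg=audit(1700000000.101:4201): item=0 name="/etc/shadow" inode=1311 ouid=0 ogid=0 mode=0100000
type=SYSCALL msg=audit(1700000000.115:4202): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1240 auid=1000 uid=1000 euid=0 comm="sudo" exe="/usr/bin/sudo" key="PrivilegeEscalation"
type=PATH msg=audit(1700000000.115:4202): item=0 name="/usr/bin/sudo" inode=2222 ouid=0 ogid=0 mode=0104755
type=SYSCALL msg=audit(1700000000.120:4203): arch=c000003e syscall=263 success=yes exit=0 ppid=1240 pid=1241 auid=1000 uid=0 euid=0 comm="rm" exe="/usr/bin/rm" key="AuditLogRemoval"
type=PATH msg=audit(1700000000.120:4203): item=1 name="/var/log/audit/audit.log.1" inode=3333 ouid=0 ogid=0 mode=0100600
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')           # key=value or key="quoted value"
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')   # timestamp:serial ties records together

def parse_audit_log(text):
    """Group raw records by audit serial; return one event per SYSCALL, ordered by serial."""
    events = {}
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        ev = events.setdefault(int(m.group(2)), {"ts": float(m.group(1)), "paths": []})
        if fields["type"] == "SYSCALL":
            ev.update(key=fields.get("key"), auid=fields.get("auid"), euid=fields.get("euid"),
                      exe=fields.get("exe"), success=fields.get("success") == "yes")
        elif fields["type"] == "PATH" and "name" in fields:
            ev["paths"].append(fields["name"])
    return [events[s] for s in sorted(events)]

def count_by_key(events):
    """The -k tag is what a SEM correlation rule pivots on; count events per tag."""
    counts = defaultdict(int)
    for ev in events:
        counts[ev.get("key")] += 1
    return dict(counts)

def escalation_then_log_removal(events, window=60.0):
    """Illustrative rule (mine, not the article's): same auid removes audit logs within `window` s of a PrivilegeEscalation."""
    alerts, last_escalation = [], {}
    for ev in events:
        if ev.get("key") == "PrivilegeEscalation":
            last_escalation[ev.get("auid")] = ev["ts"]
        elif ev.get("key") == "AuditLogRemoval" and ev.get("success"):
            t = last_escalation.get(ev.get("auid"))
            if t is not None and ev["ts"] - t <= window:
                alerts.append((ev.get("auid"), ev.get("exe"), ev["paths"]))
    return alerts
```

The auid (login uid) survives su/sudo, which is why the correlation keys on it rather than on uid or euid.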