6.10 Configuring Linux or UNIX Monitoring

Change Guardian monitors the following in Linux and UNIX environments:

  • Configuration files

  • Local and exported file systems

  • File integrity

  • Groups

  • Mounts

  • Processes and daemons

  • CRON jobs

  • Users

This section provides the following information:

6.10.1 Implementation Checklist

Complete the following tasks to start monitoring Linux and UNIX events:

6.10.2 Prerequisites

Ensure that you have completed the following:

Configuring Auditing in UNIX or Linux

You must enable the auditing system of your UNIX or LINUX operating systems to allow Change Guardian to start monitoring.

NOTE:Change Guardian documentation provides the third-party configuration steps for ease of use. For more information about the third-party products or for any issues with the configuration, see their documentation.

NOTE:Ensure that you have the root user privilege to complete these tasks.

Configuring a UNIX Auditing Subsystem

This section provides information about configuring auditing on UNIX computers:

Configuring the AIX Audit Subsystem

Auditing subsystem stores files in the /etc/security/audit folder. However, in AIX computers, streaming all events might consume too much memory or processor time and enable only the minimum required auditing.

You can enable AIX audit subsystem either in STREAM or BIN mode.

To configure AIX audit subsystem:

  1. Ensure that the /etc/security/audit/config file includes the following lines:

    bin:
         trail = /audit/trail
         bin1 = /audit/bin1
         bin2 = /audit/bin2
         binsize = 10240
      cmds = /etc/securitsy/audit/bincmds
    stream:
      cmds = /etc/security/audit/streamcmds
    classes:
         general = USER_SU,PASSWORD_Change,FILE_Unlink,FILE_Link,FILE_Rename,FS_Chdir,FS_Fchdir,FS_Chroot,PORT_Locked,PORT_Change,FS_Mkdir,FS_Rmdir,FILE_Symlink,USER_Exit,PROC_Create,PROC_Delete,FILE_Fchmod,FS_Rmdir,GROUP_User,GROUP_Adms,GROUP_Change,GROUP_Create,GROUP_Remove,USER_Remove,USER_Create,USER_Chpass,USER_Change,FS_Mount,FS_Umount,FILE_Unlinkat,FILE_Symlinkat
         Kernel = PROC_Create,PROC_Delete,PROC_Execute,PROC_RealUID,PROC_AuditID,PROC_RealGID,PROC_Environ,PROC_SetSignal,PROC_Limits,PROC_SetPri,PROC_Setpri,PROC_Privilege,PROC_Settimer,PROC_LPExecute,PROC_Adjtime,PROC_Kill
         files = FILE_Open,FILE_Read,FILE_Write,FILE_Close,FILE_Link,FILE_Unlink,FILE_Rename,FILE_Owner,FILE_Mode,FILE_Acl,FILE_Privilege,DEV_Create,FILE_Dupfd,FILE_Chmod,FILE_Chown,FILE_Utimes,FILE_Truncate,FILE_Mknod,FILE_Symlink,FILE_Unlinkat,FILE_Fchownat,FILE_Linkat,FILE_Fchown,FILE_Symlinkat,FILE_Openxat,FILE_Mknodat,FILE_Renameat,FILE_Fchownat,FILE_Fchmod,FILE_Fchown,FILE_Fchmodat
         cron = AT_JobAdd,AT_JobRemove,CRON_JobAdd,CRON_JobRemove,CRON_Start,CRON_Finish
    users:
         root = general,kernel,files,cron
         default = general,kernel,files,cron
    role:
  2. (Conditional) To enable STREAM mode, perform the following steps:

    1. Add the following to /etc/security/audit/config file:

      start
           binmode = off
           streammode = on
      1. Add the following line to the/etc/security/audit/streamcmds file:

        /usr/sbin/auditstream | /usr/sbin/auditpr -t 0 -r -v -helRtcrpPTh >> /audit/trail&
  3. (Conditional) To enable BIN mode, perform the following steps:

    1. Disable stream mode and enable bin mode in the /etc/security/audit/config file

    2. Add the following line to/etc/security/audit/bincmds file:

      /usr/sbin/auditcat $bin | /usr/sbin/auditpr -t 0 -r -v -helRtcrpPTh >> /audit/trail
    3. Add the following line to/etc/security/audit/streamcmds file:

      /usr/sbin/auditstream | /usr/sbin/auditpr -t 0 -r -v -helRtcrpPTh >> /audit/trail&
  4. Ensure that the /etc/security/audit/events file contains the following:

    • FS_Mount

    • FILE_Unlinkat

    • CRON_Finish

    • FILE_Linkat

    • CRON_JobRemove

    • PROC_Kill

    • PROC_Execute

    • FILE_Unlink

    • FILE_Rename

    • FILE_Fchown

    • FILE_Owner

    • USER_Chpass

    • FILE_Symlinkat

    • USER_Change

    • FILE_Symlink

    • PROC_LPExecute

    • FILE_Open

    • FILE_Mknodat

    • FILE_Dupfd

    • FILE_Chmod

    • FILE_Renameat

    • USER_Create

    • GROUP_Create

    • FS_Chdir

    • FS_Umount

    • FILE_Chown

    • FILE_Fchownat

    • GROUP_Change

    • PROC_Create

    • USER_Remove

    • FILE_Fchmod

    • PROC_Adjtime

    • CRON_JobAdd

    • FILE_Utimes

    • PROC_Delete

    • FILE_Openxat

    • GROUP_Remove

    • FILE_Fchmodat

    • FILE_Mode

    • PROC_Settimer

    • FILE_Mknod

    • CRON_Start

    • FILE_Link

  5. Restart the audit subsystem.

  6. Restart detectd service from the given location:

    /usr/netiq/pssetup/./detectd.rc restart

Configuring the HP-UX Audit Subsystem

The auditing subsystem on HP computers stores files in the /etc/rc.config.d directory. Ensure that the /etc/rc.config.d/auditing file includes the following lines:

AUDITING=1

PRI_AUDFILE=/.secure/etc/audfile1

PRI_SWITCH=1000

SEC_AUDFILE=/.secure/etc/audfile2

SEC_SWITCH=1000

AUDEVENT_ARGS1=" -P -F   -e admin -s exit -s kill -s vfsmount -s rename -s unlink -s creat -s symlink -s fchown -s execv -s stime -s link -s settimeofday -s mount -s clock_settime -s fchmod -s lchown -s umount2 -s chmod -s execve -s chown -s open -s umount -s fork -s mknod -s vfork -s chdir -s adjtime -s mkdir -s rmdir  "

AUDEVENT_ARGS2=" "
AUDEVENT_ARGS3=" "
AUDEVENT_ARGS4=" "
AUDOMON_ARGS=" -p 20 -t 1 -w 90"
Configuring the Solaris Auditing Subsystem

To configure on Solaris 10:

  1. To ensure that the Basic Security Module restarts after reboot, run the following command from the /etc/security folder.

    ./bsmconv

  2. Ensure that the /etc/security/audit_control file contains the following lines:

    flags: ua,fm,pc,fw,fr,ad,as,fc,ps,fd,nf
    naflags: fm,pc,fw,fr,as,ad,fc,ps,fd,nf
    minfree:20
    dir:/var/audit

To configure on Solaris 11:

  1. Set the auditing flags as follows:

    auditconfig -setflags pm,ps,ua,as,fd,fc,fm,fw,fr

    auditconfig -setnaflags pm,ps,ua,as,fd,fc,fm,fw,fr

Configuring a Linux Auditing Subsystem

For RHEL and SUSE platforms, configure the audit daemon in the /etc/audit/auditd.conf file.

To configure:

  1. (Conditional) For RHEL, ensure that the auditd service is enabled:

    chkconfig auditd on

  2. (Conditional) For SUSE, perform the following steps:

    1. Check if the audit process is running:

      ps -ef | grep -i audit

    2. If the audit process is running in disabled mode, enable the process:

      /sbin/auditd -s enable.

    3. Ensure that the PID in the command output matches the PID of the enabled process:

      auditctl -e 1

NOTE:After you upgrade from Security Agent for UNIX 7.4 to 7.5, remove the system calls from the /etc/audit/audit.rules file that might have been added for Security Agent for UNIX 7.4.

For agents that are running on Linux platforms, additional audit configuration is performed dynamically as Change Guardian policies are enabled and disabled.

6.10.3 Categories of Change Guardian Policies for UNIX

Configuration Files: Policies about changing hostname resolution and process startup configuration

CRON: Policies to monitor accessing CRON job, and changing CROS task execution

Exported File System: Policies to monitor list of exported file system

File Integrity: Policies to monitor Security Agent for UNIX configuration and system message of the day

File System: Policies to monitor bash shell startup configuration

Groups: Policies to monitor inbuilt groups

Mount: Policies to monitor CD-ROM mounts

Process/Daemons: Policies to monitor system background processes, and execution of su and sudo commands

Users: Policies to monitor built-in users

For information about creating policies, see Creating Policies.

After creating policies, you can assign them to assets. For information about assigning policies, see Working with Policies.