Change Guardian monitors the following in Linux and UNIX environments:
Configuration files
Local and exported file systems
File integrity
Groups
Mounts
Processes and daemons
CRON jobs
Users
This section provides the following information:
Complete the following tasks to start monitoring Linux and UNIX events:
|
Task |
See |
|---|---|
|
Complete the prerequisites |
|
|
Add a license key |
|
|
Configure Change Guardian for monitoring |
|
|
Triage events |
Ensure that you have completed the following:
You must enable the auditing system of your UNIX or LINUX operating systems to allow Change Guardian to start monitoring.
NOTE:Change Guardian documentation provides the third-party configuration steps for ease of use. For more information about the third-party products or for any issues with the configuration, see their documentation.
NOTE:Ensure that you have the root user privilege to complete these tasks.
This section provides information about configuring auditing on UNIX computers:
Auditing subsystem stores files in the /etc/security/audit folder. However, in AIX computers, streaming all events might consume too much memory or processor time and enable only the minimum required auditing.
You can enable AIX audit subsystem either in STREAM or BIN mode.
To configure AIX audit subsystem:
Ensure that the /etc/security/audit/config file includes the following lines:
start:
bin:
trail = /audit/trail
bin1 = /audit/bin1
bin2 = /audit/bin2
binsize = 10240
cmds = /etc/security/audit/bincmds
stream:
cmds = /etc/security/audit/streamcmds
classes:
general = USER_SU,PASSWORD_Change,FILE_Unlink,FILE_Link,FILE_Rename,FS_Chdir,FS_Fchdir,FS_Chroot,PORT_Locked,PORT_Change,FS_Mkdir,FS_Rmdir,FILE_Symlink,USER_Exit,PROC_Create,PROC_Delete,FILE_Fchmod,FS_Rmdir,GROUP_User,GROUP_Adms,GROUP_Change,GROUP_Create,GROUP_Remove,USER_Remove,USER_Create,USER_Chpass,USER_Change,FS_Mount,FS_Umount,FILE_Unlinkat,FILE_Symlinkat
Kernel = PROC_Create,PROC_Delete,PROC_Execute,PROC_RealUID,PROC_AuditID,PROC_RealGID,PROC_Environ,PROC_SetSignal,PROC_Limits,PROC_SetPri,PROC_Setpri,PROC_Privilege,PROC_Settimer,PROC_LPExecute,PROC_Adjtime,PROC_Kill
files = FILE_Open,FILE_Read,FILE_Write,FILE_Close,FILE_Link,FILE_Unlink,FILE_Rename,FILE_Owner,FILE_Mode,FILE_Acl,FILE_Privilege,DEV_Create,FILE_Dupfd,FILE_Chmod,FILE_Chown,FILE_Utimes,FILE_Truncate,FILE_Mknod,FILE_Symlink,FILE_Unlinkat,FILE_Fchownat,FILE_Linkat,FILE_Fchown,FILE_Symlinkat,FILE_Openxat,FILE_Mknodat,FILE_Renameat,FILE_Fchownat,FILE_Fchmod,FILE_Fchown,FILE_Fchmodat
cron = AT_JobAdd,AT_JobRemove,CRON_JobAdd,CRON_JobRemove,CRON_Start,CRON_Finish
users:
root = general,Kernel,files,cron
default = general,Kernel,files,cron
role:(Conditional) To enable STREAM mode, perform the following steps:
Add the following to /etc/security/audit/config file:
start:
binmode = off
streammode = on
Add the following line to the/etc/security/audit/streamcmds file:
/usr/sbin/auditstream | /usr/sbin/auditpr -t 0 -r -v -helRtcrpPTh >> /audit/trail&
(Conditional) To enable BIN mode, perform the following steps:
Disable stream mode and enable bin mode in the /etc/security/audit/config file
Add the following line to/etc/security/audit/bincmds file:
/usr/sbin/auditcat $bin | /usr/sbin/auditpr -t 0 -r -v -helRtcrpPTh >> /audit/trail
Add the following line to/etc/security/audit/streamcmds file:
/usr/sbin/auditstream | /usr/sbin/auditpr -t 0 -r -v -helRtcrpPTh >> /audit/trail&
Ensure that the /etc/security/audit/events file contains the following:
FS_Mount
FILE_Unlinkat
CRON_Finish
FILE_Linkat
CRON_JobRemove
PROC_Kill
PROC_Execute
FILE_Unlink
FILE_Rename
FILE_Fchown
FILE_Owner
USER_Chpass
FILE_Symlinkat
USER_Change
FILE_Symlink
PROC_LPExecute
FILE_Open
FILE_Mknodat
FILE_Dupfd
FILE_Chmod
FILE_Renameat
USER_Create
GROUP_Create
FS_Chdir
FS_Umount
FILE_Chown
FILE_Fchownat
GROUP_Change
PROC_Create
USER_Remove
FILE_Fchmod
PROC_Adjtime
CRON_JobAdd
FILE_Utimes
PROC_Delete
FILE_Openxat
GROUP_Remove
FILE_Fchmodat
FILE_Mode
PROC_Settimer
FILE_Mknod
CRON_Start
FILE_Link
Restart the audit subsystem.
Restart detectd service from the given location:
/usr/netiq/pssetup/./detectd.rc restart
The auditing subsystem on HP computers stores files in the /etc/rc.config.d directory. Ensure that the /etc/rc.config.d/auditing file includes the following lines:
AUDITING=1 PRI_AUDFILE=/.secure/etc/audfile1 PRI_SWITCH=1000 SEC_AUDFILE=/.secure/etc/audfile2 SEC_SWITCH=1000 AUDEVENT_ARGS1=" -P -F -e admin -s exit -s kill -s vfsmount -s rename -s unlink -s creat -s symlink -s fchown -s execv -s stime -s link -s settimeofday -s mount -s clock_settime -s fchmod -s lchown -s umount2 -s chmod -s execve -s chown -s open -s umount -s fork -s mknod -s vfork -s chdir -s adjtime -s mkdir -s rmdir " AUDEVENT_ARGS2=" " AUDEVENT_ARGS3=" " AUDEVENT_ARGS4=" " AUDOMON_ARGS=" -p 20 -t 1 -w 90"
To configure on Solaris 10:
To ensure that the Basic Security Module restarts after reboot, run the following command from the /etc/security folder.
./bsmconv
Ensure that the /etc/security/audit_control file contains the following lines:
flags: ua,fm,pc,fw,fr,ad,as,fc,ps,fd,nf naflags: fm,pc,fw,fr,as,ad,fc,ps,fd,nf minfree:20 dir:/var/audit
To configure on Solaris 11:
Set the auditing flags as follows:
auditconfig -setflags pm,ps,ua,as,fd,fc,fm,fw,fr
auditconfig -setnaflags pm,ps,ua,as,fd,fc,fm,fw,fr
For RHEL and SUSE platforms, configure the audit daemon in the /etc/audit/auditd.conf file.
To configure:
(Conditional) For RHEL, ensure that the auditd service is enabled:
chkconfig auditd on
(Conditional) For SUSE, perform the following steps:
Check if the audit process is running:
ps -ef | grep -i audit
If the audit process is running in disabled mode, enable the process:
/sbin/auditd -s enable.
Ensure that the PID in the command output matches the PID of the enabled process:
auditctl -e 1
To enable syscall auditing:
Comment out the line -a task,never from the below file:
/etc/audit/rules.d/audit.rules. Restart the audit service.
For agents that are running on Linux platforms, additional audit configuration is performed dynamically as Change Guardian policies are enabled and disabled.
NOTE:Convert the server to FIPS mode. Once you have converted the Agent to FIPS mode, you cannot revert the Agent to non-FIPS mode.
To convert an existing Agent in non-FIPS mode to FIPS mode:
Open the Agent configuration file /etc/vigilent.conf in edit mode.
Search for the parameter useFipsMode and set the value of this parameter to 1.
Restart the Agent and check if the Agent is running in FIPS mode.
Configuration Files: Policies about changing hostname resolution and process startup configuration
CRON: Policies to monitor accessing CRON job, and changing CROS task execution
Exported File System: Policies to monitor list of exported file system
File Integrity: Policies to monitor Change Guardian Agent for UNIX configuration and system message of the day
File System: Policies to monitor bash shell startup configuration
Groups: Policies to monitor inbuilt groups
Mount: Policies to monitor CD-ROM mounts
Process/Daemons: Policies to monitor system background processes, and execution of su and sudo commands
Users: Policies to monitor built-in users
For information about creating policies, see Creating Policies.
After creating policies, you can assign them to assets. For information about assigning policies, see Assigning Policies and Policy Sets.