Change Guardian monitors the following in Linux and UNIX environments:
Configuration files
Local and exported file systems
File integrity
Groups
Mounts
Processes and daemons
CRON jobs
Users
Complete the following tasks to start monitoring Linux and UNIX events:
| Task | See |
|---|---|
| Complete the prerequisites | |
| Configure Change Guardian for monitoring | |
Ensure that you have completed the following:
You must enable the auditing system of your UNIX or Linux operating system before Change Guardian can start monitoring.
NOTE: Change Guardian documentation provides the third-party configuration steps for ease of use. For more information about the third-party products or for any issues with the configuration, see their documentation.
NOTE: Ensure that you have root user privileges to complete these tasks.
For RHEL and SUSE platforms, configure the audit daemon in the /etc/audit/auditd.conf file.
To configure:
(Conditional) For RHEL, ensure that the auditd service is enabled:
chkconfig auditd on
(Conditional) For SUSE, perform the following steps:
Check if the audit process is running:
ps -ef | grep -i audit
If the audit process is running in disabled mode, enable the process:
/sbin/auditd -s enable
Ensure that the PID in the command output matches the PID of the enabled process:
auditctl -e 1
To enable syscall auditing:
Comment out the -a task,never line in the /etc/audit/rules.d/audit.rules file.
Restart the audit service.
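The rules-file edit described above, as an added shell example that is not part of the Change Guardian documentation: it checks whether an audit rules file still carries an active -a task,never rule (which suppresses syscall auditing for new tasks), comments it out while keeping a backup, and offers a helper that reads the live audit status from auditctl. It assumes the standard auditd rules syntax (one rule per line, # comments); the function names and the sample rules file are constructed for the example.

```shell
#!/bin/sh
# Added example, not Change Guardian's own tooling.
# Assumption: the rules file uses standard auditd syntax, as
# /etc/audit/rules.d/audit.rules does (one rule per line, '#' comments).

# Return 0 if FILE contains an uncommented "-a task,never" rule, 1 otherwise.
has_task_never_rule() {
    grep -Eq '^[[:space:]]*-a[[:space:]]+task,never' "$1"
}

# Comment out every active "-a task,never" line in FILE, keeping FILE.bak.
# Indentation is preserved; all other rules are left untouched.
disable_task_never_rule() {
    cp "$1" "$1.bak" || return 1
    sed -E 's/^([[:space:]]*)(-a[[:space:]]+task,never)/\1#\2/' "$1.bak" > "$1"
}

# Print the "enabled" flag of the running audit subsystem (0, 1 or 2).
# Needs root and auditctl; not exercised by the constructed sample below.
audit_enabled_status() {
    command -v auditctl >/dev/null 2>&1 || { echo "auditctl not found" >&2; return 2; }
    auditctl -s | awk '/^enabled/ { print $2 }'
}

# Constructed sample rules file (not a real system file) for demonstration.
demo_rules=$(mktemp)
cat > "$demo_rules" <<'EOF'
## Delete all existing rules
-D
-b 8192
-a task,never
-w /etc/passwd -p wa -k identity
EOF

if has_task_never_rule "$demo_rules"; then
    echo "active -a task,never rule found; commenting it out"
    disable_task_never_rule "$demo_rules"
fi
has_task_never_rule "$demo_rules" || echo "syscall auditing is no longer suppressed in $demo_rules"
rm -f "$demo_rules" "$demo_rules.bak"
```

Run the check against /etc/audit/rules.d/audit.rules as root, then restart the audit service as the procedure says; auditctl -s should afterwards report enabled 1.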
For agents that are running on Linux platforms, additional audit configuration is performed dynamically as Change Guardian policies are enabled and disabled.
The AIX auditing subsystem stores its files in the /etc/security/audit folder. On AIX computers, streaming all events might consume too much memory or processor time, so enable only the minimum required auditing.
You can enable AIX audit subsystem either in STREAM or BIN mode.
To configure AIX audit subsystem:
Ensure that the /etc/security/audit/config file includes the following lines:
start:
bin:
trail = /audit/trail
bin1 = /audit/bin1
bin2 = /audit/bin2
binsize = 10240
cmds = /etc/security/audit/bincmds
stream:
cmds = /etc/security/audit/streamcmds
classes:
general = USER_SU,PASSWORD_Change,FILE_Unlink,FILE_Link,FILE_Rename,FS_Chdir,FS_Fchdir,FS_Chroot,PORT_Locked,PORT_Change,FS_Mkdir,FS_Rmdir,FILE_Symlink,USER_Exit,PROC_Create,PROC_Delete,FILE_Fchmod,FS_Rmdir,GROUP_User,GROUP_Adms,GROUP_Change,GROUP_Create,GROUP_Remove,USER_Remove,USER_Create,USER_Chpass,USER_Change,FS_Mount,FS_Umount,FILE_Unlinkat,FILE_Symlinkat
Kernel = PROC_Create,PROC_Delete,PROC_Execute,PROC_RealUID,PROC_AuditID,PROC_RealGID,PROC_Environ,PROC_SetSignal,PROC_Limits,PROC_SetPri,PROC_Setpri,PROC_Privilege,PROC_Settimer,PROC_LPExecute,PROC_Adjtime,PROC_Kill
files = FILE_Open,FILE_Read,FILE_Write,FILE_Close,FILE_Link,FILE_Unlink,FILE_Rename,FILE_Owner,FILE_Mode,FILE_Acl,FILE_Privilege,DEV_Create,FILE_Dupfd,FILE_Chmod,FILE_Chown,FILE_Utimes,FILE_Truncate,FILE_Mknod,FILE_Symlink,FILE_Unlinkat,FILE_Fchownat,FILE_Linkat,FILE_Fchown,FILE_Symlinkat,FILE_Openxat,FILE_Mknodat,FILE_Renameat,FILE_Fchownat,FILE_Fchmod,FILE_Fchown,FILE_Fchmodat
cron = AT_JobAdd,AT_JobRemove,CRON_JobAdd,CRON_JobRemove,CRON_Start,CRON_Finish
users:
root = general,Kernel,files,cron
default = general,Kernel,files,cron
role:
(Conditional) To enable STREAM mode, perform the following steps:
Add the following to /etc/security/audit/config file:
start:
binmode = off
streammode = on
Add the following line to the /etc/security/audit/streamcmds file:
/usr/sbin/auditstream | /usr/sbin/auditpr -t 0 -r -v -helRtcrpPTh >> /audit/trail&
(Conditional) To enable BIN mode, perform the following steps:
Disable stream mode and enable bin mode in the /etc/security/audit/config file.
Add the following line to the /etc/security/audit/bincmds file:
/usr/sbin/auditcat $bin | /usr/sbin/auditpr -t 0 -r -v -helRtcrpPTh >> /audit/trail
Add the following line to the /etc/security/audit/streamcmds file:
/usr/sbin/auditstream | /usr/sbin/auditpr -t 0 -r -v -helRtcrpPTh >> /audit/trail&
Ensure that the /etc/security/audit/events file contains the following:
FS_Mount
FILE_Unlinkat
CRON_Finish
FILE_Linkat
CRON_JobRemove
PROC_Kill
PROC_Execute
FILE_Unlink
FILE_Rename
FILE_Fchown
FILE_Owner
USER_Chpass
FILE_Symlinkat
USER_Change
FILE_Symlink
PROC_LPExecute
FILE_Open
FILE_Mknodat
FILE_Dupfd
FILE_Chmod
FILE_Renameat
USER_Create
GROUP_Create
FS_Chdir
FS_Umount
FILE_Chown
FILE_Fchownat
GROUP_Change
PROC_Create
USER_Remove
FILE_Fchmod
PROC_Adjtime
CRON_JobAdd
FILE_Utimes
PROC_Delete
FILE_Openxat
GROUP_Remove
FILE_Fchmodat
FILE_Mode
PROC_Settimer
FILE_Mknod
CRON_Start
FILE_Link
Restart the audit subsystem.
Restart the detectd service from the following location:
/usr/netiq/pssetup/./detectd.rc restart
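The events-file check from the AIX procedure above, as an added shell example that is not part of the Change Guardian documentation: it reports which of the required audit events are not defined in an AIX /etc/security/audit/events file, so the check can be run before restarting the audit subsystem. It assumes that each event appears in that file as a stanza entry of the form EVENT_Name = printf ... at the start of a line, as in stock AIX files; the function names and the sample excerpt are constructed for the example.

```shell
#!/bin/sh
# Added example, not Change Guardian's own tooling.
# Assumption: events are defined as "EVENT_Name = printf ..." lines in the
# AIX /etc/security/audit/events file.

# Events required by the procedure above (same names and spellings).
REQUIRED_EVENTS="FS_Mount FILE_Unlinkat CRON_Finish FILE_Linkat CRON_JobRemove
PROC_Kill PROC_Execute FILE_Unlink FILE_Rename FILE_Fchown FILE_Owner USER_Chpass
FILE_Symlinkat USER_Change FILE_Symlink PROC_LPExecute FILE_Open FILE_Mknodat
FILE_Dupfd FILE_Chmod FILE_Renameat USER_Create GROUP_Create FS_Chdir FS_Umount
FILE_Chown FILE_Fchownat GROUP_Change PROC_Create USER_Remove FILE_Fchmod
PROC_Adjtime CRON_JobAdd FILE_Utimes PROC_Delete FILE_Openxat GROUP_Remove
FILE_Fchmodat FILE_Mode PROC_Settimer FILE_Mknod CRON_Start FILE_Link"

# Return 0 if FILE defines event NAME as an uncommented stanza entry.
event_defined() {
    grep -Eq "^[[:space:]]*$2[[:space:]]*=" "$1"
}

# Print the required events FILE does not define, one per line.
# Returns 0 when nothing is missing, 1 otherwise.
missing_audit_events() {
    _rc=0
    for _ev in $REQUIRED_EVENTS; do
        if ! event_defined "$1" "$_ev"; then
            echo "$_ev"
            _rc=1
        fi
    done
    return $_rc
}

# Print how many of the required events FILE defines (quick summary).
count_defined_events() {
    _n=0
    for _ev in $REQUIRED_EVENTS; do
        event_defined "$1" "$_ev" && _n=$((_n + 1))
    done
    echo "$_n"
}

# Constructed excerpt (not a real AIX events file) in which most events are absent.
demo_events=$(mktemp)
cat > "$demo_events" <<'EOF'
* Constructed excerpt for demonstration only
auditpr:
FS_Mount = printf "%s"
FILE_Open = printf "flags: %d mode: %o fd: %d filename: %s"
PROC_Execute = printf "euid: %d egid: %d epriv: %x:%x name %s"
EOF
echo "defined: $(count_defined_events "$demo_events") of 43 required events"
missing_audit_events "$demo_events" || echo "add the events listed above before restarting the audit subsystem"
rm -f "$demo_events"
```

Point missing_audit_events at /etc/security/audit/events on the AIX host; an empty result (exit status 0) means every event from the list above is defined.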
The following policy categories are available for UNIX:
Configuration Files: Policies to monitor changes to hostname resolution and process startup configuration
CRON: Policies to monitor access to CRON jobs and changes to CRON task execution
Exported File System: Policies to monitor the list of exported file systems
File Integrity: Policies to monitor the Change Guardian Agent for UNIX configuration and the system message of the day
File System: Policies to monitor the bash shell startup configuration
Groups: Policies to monitor built-in groups
Mount: Policies to monitor CD-ROM mounts
Process/Daemons: Policies to monitor system background processes and the execution of the su and sudo commands
Users: Policies to monitor built-in users
For information about creating policies, see Creating Policies.
After creating policies, you can assign them to assets. For information about assigning policies, see Assigning Policies and Policy Sets.
To enable browsing for UNIX data sources while creating a policy, ensure that the machine where you install the Policy Editor has a Change Guardian Agent for Windows. If you do not install an agent on the machine running the Policy Editor, you must manually enter the data source paths while creating a policy.
To enter the data source paths manually:
(Conditional) If your operating system is 64-bit, set the repositoryEnabled flag in the registry at \HKLM\SOFTWARE\Wow6432Node\NetIQ\ChangeGuardianAgent\repositoryEnabled to 1.
Restart the Change Guardian Agent for Windows.