eSight V300R010C00 Maintenance Guide 07

Enabling the Audit Service for the Linux Operating System

This section describes how to set audit rules and perform audit-related operations on the Linux operating system. Operations in this section need to be performed on each server.

Context

  • Audit operations are performed on the operating system. Once the audit service is enabled with the rules in this section, the kernel records the operations that match those rules for every operating system user, including each program executed and its arguments, in audit logs. Audit logs are written to audit.log, audit.log.1, audit.log.2, and audit.log.3 in sequence: audit.log holds the latest records and audit.log.3 the earliest.
  • The audit log file is specified by the log_file parameter in the /etc/audit/auditd.conf file. The default is /var/log/audit/audit.log, so the rotated logs are kept in the /var/log/audit directory.
NOTE:
  • If the directory for saving audit logs needs to be changed, ensure that the new directory has 10 GB available space.
  • You must periodically back up audit logs in audit.log.N. The backup period depends on the generating speed of audit logs. You are advised to back up audit logs at least once a week.
  • After operating system log audit is enabled, executed commands and their parameters are logged, and these may include sensitive data (for example, a password passed on a command line). For security purposes, restrict access to the log files and store them properly.
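
Once the rules in this section are in place, the records they produce are reviewed by key. The following script is an added example, not part of this guide or of eSight: it pulls the SYSCALL records for a given key out of an audit.log and rebuilds the command lines from the matching EXECVE records, using only awk so that it runs offline against the sample records embedded in it. The key names Execute_program and perm_mod are the ones set in the rules file in step 12; the sample records themselves are constructed for illustration and are not captured from a real server. The output also shows concretely why the note on sensitive data matters: a password passed as a command-line argument lands in the log verbatim.

```sh
#!/bin/sh
# Added example, not part of the eSight guide: review audit.log records by key
# and reconstruct the commands recorded by the execve rule (-k Execute_program).
# Pure awk so it runs offline; the records below are constructed, not captured.

AUDIT_SAMPLE=$(mktemp)
trap 'rm -f "$AUDIT_SAMPLE"' EXIT
cat > "$AUDIT_SAMPLE" <<'EOF'
type=SYSCALL msg=audit(1559200000.101:4001): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=3010 pid=3022 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=7 comm="mysql" exe="/usr/bin/mysql" key="Execute_program"
type=EXECVE msg=audit(1559200000.101:4001): argc=4 a0="mysql" a1="-u" a2="root" a3="-pS3cretPass"
type=SYSCALL msg=audit(1559200000.555:4002): arch=c000003e syscall=90 success=yes exit=0 items=1 ppid=3010 pid=3030 auid=1000 uid=1000 gid=100 comm="chmod" exe="/bin/chmod" key="perm_mod"
type=PATH msg=audit(1559200000.555:4002): item=0 name="/etc/ssh/sshd_config" inode=1234 dev=08:02 mode=0100644 ouid=0 ogid=0
type=SYSCALL msg=audit(1559200001.002:4003): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=3010 pid=3041 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=7 comm="cat" exe="/bin/cat" key="Execute_program"
type=EXECVE msg=audit(1559200001.002:4003): argc=2 a0="cat" a1="/etc/shadow"
EOF

# Print the event serial (the number after the colon in msg=audit(time:serial))
# of every SYSCALL record carrying key "$1" in log file "$2".
event_ids_for_key() {
    awk -v key="key=\"$1\"" '
        $1 == "type=SYSCALL" && index($0, key) &&
        match($0, /msg=audit\([0-9.]+:[0-9]+\)/) {
            id = substr($0, RSTART, RLENGTH)
            sub(/.*:/, "", id); sub(/\)/, "", id)
            print id
        }' "$2"
}

# Number of SYSCALL records with key "$1" in "$2" (printed as a bare number).
count_events_for_key() {
    event_ids_for_key "$1" "$2" | awk 'END { print NR }'
}

# Value of field "$1" (e.g. auid, exe) in the SYSCALL record of event serial "$2" in "$3".
syscall_field() {
    awk -v id=":$2)" -v f="$1=" '
        $1 == "type=SYSCALL" && index($0, id) {
            for (i = 1; i <= NF; i++)
                if (index($i, f) == 1) {
                    v = $i; sub(/^[^=]*=/, "", v); gsub(/"/, "", v); print v
                }
        }' "$3"
}

# Reconstruct the command line from the EXECVE record of event serial "$1" in "$2".
# Arguments containing spaces or non-printable bytes are hex-encoded by the kernel
# (unquoted); decode those with "ausearch -i" on a live system.
execve_cmdline() {
    awk -v id=":$1)" '
        $1 == "type=EXECVE" && index($0, id) {
            line = ""
            for (i = 1; i <= NF; i++)
                if ($i ~ /^a[0-9]+=/) {
                    v = $i; sub(/^a[0-9]+=/, "", v); gsub(/"/, "", v)
                    line = (line == "" ? v : line " " v)
                }
            print line
        }' "$2"
}

# What a log reviewer sees for key "$1": login UID and full command per event.
report_commands() {
    for id in $(event_ids_for_key "$1" "$2"); do
        printf 'event %s auid=%s: %s\n' "$id" \
            "$(syscall_field auid "$id" "$2")" "$(execve_cmdline "$id" "$2")"
    done
}

report_commands Execute_program "$AUDIT_SAMPLE"
# event 4001 auid=1000: mysql -u root -pS3cretPass   <- the password is in the log
# event 4003 auid=1000: cat /etc/shadow
```

On a live server the same questions are answered by ausearch -k Execute_program -i (which also decodes hex-encoded arguments) and aureport -x; run them as root, because the audit log is not world-readable by default.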

Procedure

  1. Log in to the server as the ossuser user.
    NOTE:

    In the two-node cluster scenario, this operation must be performed on both the active and standby servers.

  2. Run the following command to switch to the root user.

    > su - root

  3. Check whether the Audit Framework and its library packages are installed.

    # rpm -qa|grep audit

    • If the command output contains a package such as audit-1.8-0.30.1, the Audit Framework (auditd and auditctl) is installed in the operating system.
    • If the command output contains packages such as audit-libs-32bit-1.8-0.30.1 and audit-libs-1.8-0.30.1, the required audit libraries are installed in the operating system.
    NOTE:

    If the Audit Framework or its library packages are not installed in the operating system, contact Huawei technical support.

  4. Set parameters in the /etc/sysconfig/auditd file.

    # vi /etc/sysconfig/auditd

    • Set AUDITD_LANG to en_US.
    • Set AUDITD_DISABLE_CONTEXTS to no.
      AUDITD_LANG="en_US" 
      AUDITD_DISABLE_CONTEXTS="no"
  5. Press Esc and run the :wq command to save the settings and exit the editing mode.
  6. Set parameters in the /etc/audit/auditd.conf file.

    # vi /etc/audit/auditd.conf

    • Set max_log_file to 1000 (in MB; a log file is rotated when it reaches this size).
    • Set space_left to 1000 (in MB of free space on the log partition; below this, space_left_action is triggered).
    • Set admin_space_left to 100 (in MB; must be lower than space_left).
    • Set admin_space_left_action to SYSLOG (a warning is written to syslog when only admin_space_left MB remain).
    • Set max_log_file_action to rotate (rotate through num_logs files instead of suspending logging when max_log_file is reached).
      max_log_file = 1000 
      space_left = 1000 
      admin_space_left = 100 
      admin_space_left_action = SYSLOG 
      max_log_file_action = rotate
    NOTE:

    You can run the man auditd.conf command to query the description of each parameter in the auditd.conf file.

  7. Press Esc and run the :wq command to save the settings and exit the editing mode.
  8. Check the login, sshd, crond, and atd files in the /etc/pam.d directory and ensure that each file contains the following lines. If not, add them manually. pam_loginuid.so sets the login UID (auid) of each session started through these services; without it, their events carry auid=4294967295 (unset) and are not matched by the auid>=500 rules set in step 12.

    # vi /etc/pam.d/File name

    session    required    pam_loginuid.so 
    session    include    common-session
  9. Press Esc and run the :wq command to save the settings and exit the editing mode.
  10. Update the configuration file /boot/grub/menu.lst.

    Add audit=1 at the end of every line beginning with kernel, separated from the preceding option by a space. This makes the kernel enable auditing from boot, so that processes started before auditd (including login sessions) receive an audit context. The change takes effect at the next reboot.

    # vi /boot/grub/menu.lst

    password --md5 $1$cvv5E$RzImhAv6QIa/57cbAyxAS0
    # Modified by YaST2. Last modification on Mon May 11 19:09:47 CST 2015
    default 0
    timeout 8
    ##YaST - generic_mbr
    gfxmenu (hd0,1)/boot/message
    ##YaST - activate

    ###Don't change this comment - YaST2 identifier: Original name: linux###
    title SUSE Linux Enterprise Server 11 SP3 - 4.4.59-92.24
        root (hd0,1)
        kernel /boot/vmlinuz-4.4.59-92.24-default root=/dev/disk/by-id/scsi-35000c500712b918b-part2 System resume=/dev/sda1 splash=silent crashkernel=256M-:128M showoptsode=dvd console=ttyS0,115200 console=tty0 audit=1
        initrd /boot/initrd-4.4.59-92.24-default

    ###Don't change this comment - YaST2 identifier: Original name: failsafe###
    title Failsafe -- SUSE Linux Enterprise Server 11 SP3 - 4.4.59-92.24
        root (hd0,1)
        kernel /boot/vmlinuz-4.4.59-92.24-default root=/dev/disk/by-id/scsi-35000c500712b918b-part2 showopts ide=nodma apm=off noresume edd=off powersaved=off nohz=off highres=off processor.max_cstate=1 nomodeset x11failsafe vga=0x314 audit=1
        initrd /boot/initrd-4.4.59-92.24-default

    ###Don't change this comment - YaST2 identifier: Original name: linux###
    title SUSE Linux Enterprise Server 11 SP3 - 3.0.76-0.11 (default)
        root (hd0,1)
        kernel /boot/vmlinuz-3.0.76-0.11-default root=/dev/disk/by-id/scsi-35000c500712b918b-part2 System resume=/dev/sda1 splash=silent crashkernel=256M-:128M showoptsode=dvd showopts vga=0x314 audit=1
        initrd /boot/initrd-3.0.76-0.11-default

    ###Don't change this comment - YaST2 identifier: Original name: failsafe###
    title Failsafe -- SUSE Linux Enterprise Server 11 SP3 - 3.0.76-0.11
        root (hd0,1)
        kernel /boot/vmlinuz-3.0.76-0.11-default root=/dev/disk/by-id/scsi-35000c500712b918b-part2 showopts ide=nodma apm=off noresume edd=off powersaved=off nohz=off highres=off processor.max_cstate=1 nomodeset x11failsafe vga=0x314 audit=1
        initrd /boot/initrd-3.0.76-0.11-default
  11. Press Esc and run the :wq command to save the settings and exit the editing mode.
  12. Update the configuration file /etc/audit/audit.rules.

    Copy the following command into the shell and execute it. It overwrites /etc/audit/audit.rules with the rule set below (the rules contain no $ or backquote characters, so the double-quoted echo passes them through unchanged). The rules that start with -a entry,always use the syscall entry filter list, which is deprecated: newer audit userspace converts them to exit rules and prints a warning when they are loaded. If auditctl -R in step 13 reports an error on one of these lines, change entry to exit in that line.

    echo "# # This file contains the auditctl rules that are loaded 
    # whenever the audit daemon is started via the initscripts. 
    # The rules are simply the parameters that would be passed 
    # to auditctl. 
     
    # First rule - delete all 
    -D 
     
    # Increase the buffers to survive stress events. 
    # Make this bigger for busy systems 
    -b 25600 
     
    #  Enable the audit subsystem. 
    -e 1 
     
    # Set the failure flag to use when the kernel needs to handle critical errors.  
    # Possible values are 0 (silent), 1 (printk, print a failure message),  
    # and 2 (panic, halt the system). 
    -f 1 
     
    # Feel free to add below this line. See auditctl man page 
     
    # Set watches on the at and cron configuration and the scheduled jobs  
    # and assign labels to these events. 
    -w /var/spool/at -k Cron_cfg 
    -w /etc/at.allow -k Cron_cfg 
    -w /etc/at.deny -k Cron_cfg 
    -w /etc/cron.allow -p wa -k Cron_cfg 
    -w /etc/cron.deny -p wa -k Cron_cfg 
    -w /etc/cron.d/ -p wa -k Cron_cfg 
    -w /etc/cron.daily/ -p wa -k Cron_cfg 
    -w /etc/cron.hourly/ -p wa -k Cron_cfg 
    -w /etc/cron.monthly/ -p wa -k Cron_cfg 
    -w /etc/cron.weekly/ -p wa -k Cron_cfg 
    -w /etc/crontab -p wa -k Cron_cfg 
    -w /var/spool/cron/root -k Cron_cfg 
     
    # Set watches on the user, group, password, and login databases and logs 
    # and set labels to better identify any login-related events,  
    # such as failed login attempts. 
    -w /etc/group -p wa -k LoginFile_access 
    -w /etc/passwd -p wa -k LoginFile_access 
    -w /etc/shadow -k LoginFile_access 
    -w /etc/login.defs -p wa -k LoginFile_access 
    -w /etc/securetty -k LoginFile_access 
    -w /var/log/faillog -k LoginFile_access 
    -w /var/log/lastlog -k LoginFile_access 
     
    # Set a watch and a label on the static hostname configuration in /etc/hosts. 
    # Track changes to the system configuration directory, /etc/sysconfig. Enable 
    # per-file watches if you are interested in file events. Set watches and labels 
    # for changes to the boot configuration in /etc/inittab and the /etc/init.d 
    # directory. Enable per-file watches if you are interested in file events. Set 
    # watches and labels for any changes to the linker configuration  
    # in /etc/ld.so.conf. 
    # Set watches and a label for /etc/localtime. Set watches and labels for the 
    # kernel configuration files /etc/sysctl.conf, /etc/modprobe.d/, /etc/ 
    # modprobe.conf.local, and /etc/modprobe.conf. 
    -w /etc/hosts -p wa -k SysFile_mod 
    -w /etc/sysconfig/ -k SysDir_access 
    -w /etc/inittab -p wa -k SysFile_mod 
    -w /etc/init.d/ -k SysDir_access 
    -w /etc/init.d/auditd -p wa -k SysFile_mod 
    -w /etc/ld.so.conf -p wa -k SysFile_mod 
    -w /etc/localtime -p wa -k SysFile_mod 
    -w /etc/sysctl.conf -p wa -k SysFile_mod 
    -w /etc/modprobe.d/ -k SysDir_access 
    -w /etc/modprobe.conf.local -p wa -k SysFile_mod 
    -w /etc/modprobe.conf -p wa -k SysFile_mod 
    # Set watches on the PAM configuration directory.  
    # If you are interested in particular files below the directory level,  
    # add explicit watches to these files as well. 
    -w /etc/pam.d/ -k PamDir_access 
    # Set watches to the postfix configuration to log any write attempt or  
    # attribute change and use labels for better tracking in the logs. 
    -w /etc/aliases -p wa -k Aliases_cfg 
    -w /etc/postfix/ -p wa -k Postfix_cfg 
    # Set watches and labels on the ssh configuration files. 
    -w /etc/ssh/sshd_config -k SSH_cfg 
    # Perform an audit of the sethostname system call and set watches and labels  
    # on the system identification configuration in /etc/issue and /etc/issue.net. 
    -a exit,always -F arch=b64 -S sethostname -k SetHostName 
    -w /etc/issue -p wa -k IssueInf_mod 
    -w /etc/issue.net -p wa -k IssueInf_mod 
     
    -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change  
    -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change  
    -a always,exit -F arch=b64 -S clock_settime -k time-change  
    -a always,exit -F arch=b32 -S clock_settime -k time-change  
    -w /etc/localtime -p wa -k time-change  
     
    -w /etc/group -p wa -k identity  
    -w /etc/passwd -p wa -k identity  
    -w /etc/gshadow -p wa -k identity  
    -w /etc/shadow -p wa -k identity  
    -w /etc/security/opasswd -p wa -k identity 
     
    -a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale  
    -a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale  
    -w /etc/issue -p wa -k system-locale  
    -w /etc/issue.net -p wa -k system-locale 
    -w /etc/hosts -p wa -k system-locale  
    -w /etc/sysconfig/network -p wa -k system-locale  
     
    -w /var/log/faillog -p wa -k logins  
    -w /var/log/lastlog -p wa -k logins  
    -w /var/log/tallylog -p wa -k logins 
    -w /var/run/utmp -p wa -k session  
    -w /var/log/wtmp -p wa -k session  
    -w /var/log/btmp -p wa -k session  
     
    -a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged 
    -a always,exit -F path=/bin/su -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged 
    -a always,exit -F path=/bin/mount -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged 
    -a always,exit -F path=/bin/umount -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged 
    -a always,exit -F path=/bin/eject -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged 
    -a always,exit -F path=/bin/ping6 -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged 
    -a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged 
    -a always,exit -F path=/sbin/mount.nfs -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged 
    -a always,exit -F path=/sbin/unix2_chkpwd -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged 
     
     
    -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod  
    -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod 
    -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod  
    -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod  
    -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod  
    -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod   
    -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr  
     
    -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access  
    -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access  
    -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access  
    -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access  
     
    -a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k mounts  
    -a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k mounts  
     
    -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete  
    -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete  
     
    -w /etc/sudoers -p wa -k scope  
    -w /etc/selinux/ -p wa -k MAC-policy 
    -w /var/log/sudo.log -p wa -k actions  
     
    -w /sbin/insmod -p x -k modules  
    -w /sbin/rmmod -p x -k modules  
    -w /sbin/modprobe -p x -k modules  
    -a always,exit  -F arch=b64 -S init_module -S delete_module -k modules 
     
    # Set a watch on the directory where the audit log is located. Trigger an 
    # event for any type of access attempt to this directory.  
    -w /var/log/audit/ -k AuditDir_access 
    -w /var/log/audit/audit.log -k AuditLog_access 
    # Set a watch on an audit configuration file. Log all write and attribute 
    # change attempts to this file. 
    -w /etc/audit/auditd.conf -p wa -k Audit_cfg 
    -w /etc/audit/audit.rules -p wa -k Audit_cfg 
    -w /etc/libaudit.conf -p wa -k Audit_cfg 
    -w /etc/sysconfig/auditd -p wa -k Audit_cfg 
     
    # Enable an audit context for system calls related to changing  
    # file ownership and permissions. 
    -a entry,always -F arch=b64 -S chmod -S fchmod -S chown -S fchown -S lchown -k FileAttr_mod 
    # Enable an audit context for system calls related to file content modification. 
    # This will affect the performance greatly. 
    #-a entry,always -F arch=b64 -S creat -S open -S truncate -S ftruncate -k File_opr 
    # Enable an audit context for any directory operation,  
    # like creating or removing a directory. 
    -a entry,always -F arch=b64 -S mkdir -S rmdir -k Dir_opr 
    # Enable an audit context for any linking operation, 
    # such as symlink,link,unlink,or rename. 
    -a entry,always -F arch=b64 -S unlink -S rename -S link -S symlink -k Link_opr 
    # Enable an audit context for any operation related to  
    # extended file system attributes. 
    -a entry,always -F arch=b64 -S setxattr -k FS_Attr_opr 
    -a entry,always -F arch=b64 -S lsetxattr -k FS_Attr_opr 
    -a entry,always -F arch=b64 -S fsetxattr -k FS_Attr_opr 
    -a entry,always -F arch=b64 -S removexattr -k FS_Attr_opr 
    -a entry,always -F arch=b64 -S lremovexattr -k FS_Attr_opr 
    -a entry,always -F arch=b64 -S fremovexattr -k FS_Attr_opr 
    # Enable an audit context for the mknod system call,  
    # which creates special (device) files. 
    -a entry,always -F arch=b64 -S mknod -k MakeNode 
    # Enable an audit context for any mount or umount operation. 
    -a entry,always -F arch=b64 -S mount -S umount2 -k Mount_opr 
    # Track task creation. 
    -a entry,always -F arch=b64 -S clone -S fork -S vfork -k Task_create 
    # Add an audit context to the umask system call. 
    -a entry,always -F arch=b64 -S umask -k Umask 
    # setuid Operation 
    -a entry,always -F arch=b64 -S setuid -k Setuid_Opr 
    # setgid Operation 
    -a entry,always -F arch=b64 -S setgid -k Setgid_Opr 
    # Track attempts to change the system time. adjtimex can be used to  
    # skew the time. settimeofday sets the absolute time. 
    -a entry,always -F arch=b64 -S adjtimex -S settimeofday -k Time_mod 
    # execute program 
    -a entry,always -F arch=b64 -S execve -k Execute_program 
    # kill operation 
    -a entry,always -F arch=b64 -S kill -k Kill_opr 
    # reboot or enable/disable Ctrl-Alt -Del 
    -a entry,always -F arch=b64 -S reboot -k Reboot " > /etc/audit/audit.rules
  13. Run the following commands to delete the currently loaded rules, normalize the line endings of the new rules file (copying the text from a Windows host may introduce CRLF line endings, which would otherwise be read as part of the rule text), and load the new rules. Loading them with auditctl -R surfaces any syntax error before the daemon is restarted in the next step.

    # auditctl -D

    No rules

    # dos2unix /etc/audit/audit.rules

    dos2unix: converting file /etc/audit/audit.rules to UNIX format ...

    # auditctl -R /etc/audit/audit.rules

    The following output is displayed. The No rules line is produced by the -D rule at the top of the file, and the three AUDIT_STATUS lines are printed by -b 25600, -e 1, and -f 1 in turn; the last line should show enabled=1, flag=1, and backlog_limit=25600:

    No rules 
    AUDIT_STATUS: enabled=0 flag=1 pid=5165 rate_limit=0 backlog_limit=25600 lost=8 backlog=0 
    AUDIT_STATUS: enabled=1 flag=1 pid=5165 rate_limit=0 backlog_limit=25600 lost=8 backlog=0 
    AUDIT_STATUS: enabled=1 flag=1 pid=5165 rate_limit=0 backlog_limit=25600 lost=8 backlog=1
  14. Restart the audit service.

    # rcauditd restart

    Shutting down auditd                                                 done 
    Starting auditd                                                      done
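
After step 14 the configuration can be verified end to end. The script below is an added example, not part of the eSight guide: it checks that the values set in steps 4, 6, 8, and 10 are actually present. Each check takes a file path, so the script is shown running against constructed fixture files that it creates itself (one matching the procedure, one with typical omissions); on a live server, run the same check_audit_config function as root against /etc/sysconfig/auditd, /etc/audit/auditd.conf, /etc/pam.d, and /proc/cmdline, then confirm with auditctl -s that enabled=1 and with auditctl -l that the rules are loaded. The fixture contents and the function names are the example's own.

```sh
#!/bin/sh
# Added example, not part of the eSight guide: verify the settings made in
# steps 4 to 10 above. Each check takes a file path, so it can be run against
# the constructed fixtures built below or, as root on a live server, against
# /etc/sysconfig/auditd, /etc/audit/auditd.conf, /etc/pam.d and /proc/cmdline.

# KEY="VALUE" (quotes optional) in a sysconfig file: $1 file, $2 key, $3 value
sysconfig_has() {
    grep -Eq "^[[:space:]]*$2=\"?$3\"?[[:space:]]*$" "$1"
}

# "key = value" in auditd.conf (values are case-insensitive): $1 file, $2 key, $3 value
auditd_conf_has() {
    grep -Eiq "^[[:space:]]*$2[[:space:]]*=[[:space:]]*$3[[:space:]]*$" "$1"
}

# pam_loginuid must be in the session stack of PAM file $1; otherwise the
# service's events carry auid=4294967295 (unset) and miss every auid>=500 rule.
pam_sets_loginuid() {
    grep -Eq '^[[:space:]]*session[[:space:]]+required[[:space:]]+pam_loginuid\.so' "$1"
}

# audit=1 must be on the running kernel's command line ($1 = file holding it).
cmdline_has_audit() {
    grep -Eq '(^|[[:space:]])audit=1([[:space:]]|$)' "$1"
}

# Run every check, print each failure, return 0 only when all pass.
# $1 sysconfig file, $2 auditd.conf, $3 pam.d directory, $4 kernel cmdline file
check_audit_config() {
    rc=0
    sysconfig_has "$1" AUDITD_LANG en_US          || { echo "FAIL: AUDITD_LANG";             rc=1; }
    sysconfig_has "$1" AUDITD_DISABLE_CONTEXTS no || { echo "FAIL: AUDITD_DISABLE_CONTEXTS"; rc=1; }
    for kv in max_log_file:1000 space_left:1000 admin_space_left:100 \
              admin_space_left_action:SYSLOG max_log_file_action:rotate; do
        auditd_conf_has "$2" "${kv%%:*}" "${kv#*:}" || { echo "FAIL: ${kv%%:*}"; rc=1; }
    done
    for svc in login sshd crond atd; do
        pam_sets_loginuid "$3/$svc" || { echo "FAIL: pam_loginuid missing in $3/$svc"; rc=1; }
    done
    cmdline_has_audit "$4" || { echo "FAIL: audit=1 not on kernel command line"; rc=1; }
    return $rc
}

# Constructed fixtures: "good" matches the procedure; "bad" leaves two auditd.conf
# defaults in place, drops pam_loginuid from sshd, and has no audit=1.
FIX=$(mktemp -d)
trap 'rm -rf "$FIX"' EXIT
mkdir -p "$FIX/good/pam.d" "$FIX/bad/pam.d"
printf 'AUDITD_LANG="en_US"\nAUDITD_DISABLE_CONTEXTS="no"\n' > "$FIX/good/sysconfig_auditd"
printf 'log_file = /var/log/audit/audit.log\nmax_log_file = 1000\nspace_left = 1000\nadmin_space_left = 100\nadmin_space_left_action = SYSLOG\nmax_log_file_action = rotate\n' > "$FIX/good/auditd.conf"
for svc in login sshd crond atd; do
    printf 'session    required    pam_loginuid.so\nsession    include    common-session\n' > "$FIX/good/pam.d/$svc"
done
printf 'root=/dev/sda2 splash=silent console=tty0 audit=1\n' > "$FIX/good/cmdline"

cp "$FIX/good/sysconfig_auditd" "$FIX/bad/sysconfig_auditd"
sed 's/^max_log_file = 1000/max_log_file = 6/; s/^admin_space_left_action = SYSLOG/admin_space_left_action = SUSPEND/' \
    "$FIX/good/auditd.conf" > "$FIX/bad/auditd.conf"
for svc in login crond atd; do cp "$FIX/good/pam.d/$svc" "$FIX/bad/pam.d/$svc"; done
printf 'session    include    common-session\n' > "$FIX/bad/pam.d/sshd"
printf 'root=/dev/sda2 splash=silent console=tty0\n' > "$FIX/bad/cmdline"

for fixture in good bad; do
    echo "== $fixture fixture =="
    if check_audit_config "$FIX/$fixture/sysconfig_auditd" "$FIX/$fixture/auditd.conf" \
                          "$FIX/$fixture/pam.d" "$FIX/$fixture/cmdline"; then
        echo "PASS"
    fi
done
```

The "bad" fixture reports four failures (max_log_file, admin_space_left_action, the sshd PAM file, and the missing audit=1), which is exactly the set of items an operator most often forgets on a rebuilt standby node in the two-node cluster scenario.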
Updated: 2019-06-30

Document ID: EDOC1100044373