지금 지원 담당자와 채팅
지원 담당자와 채팅

InTrust 11.6.1 - Preparing for Auditing and Monitoring Linux

Linux Auditing and Monitoring Overview

The Linux Knowledge Pack expands the auditing and reporting capabilities of InTrust to SuSE Linux Enterprise Server, Red Hat Enterprise Linux, Oracle Linux and Debian GNU/Linux. The Knowledge Pack enables InTrust to work with Syslog and text logs.

The following table shows what you can audit and monitor on Linux:

Data Source Gathering Real-Time Monitoring
Syslog messages X X
Text logs of any format X  
Configuration file modification X X

Requirements

For details about Linux distribution versions that InTrust can audit and monitor, see the following topics:

To prepare a Linux host, you need to install an InTrust agent and adjust the configuration of the Syslog flavor used. Currently, agents must be installed manually on each Linux host you want to cover.

An alternative agent-free approach, which is not covered in this topic, is to use Syslog forwarding to an InTrust server. For details about this method, see Setting Up Gathering of Syslog Data.

Installation

The Linux Knowledge Pack is installed on top of an existing InTrust installation. The following objects are included:

  • Data sources:
    • Redhat Linux Syslog
    • Redhat Linux Accounts Monitoring
    • Redhat Linux Text Files Monitoring
    • SuSE Linux Accounts Monitoring
    • SuSE Linux Syslog
    • SuSE Linux Text Files Monitoring
  • Gathering policies:
    • Redhat Enterprise Linux: Common Security Events
    • Redhat Enterprise Linux: All Syslog Messages
    • Redhat Enterprise Linux: Accounts Monitoring
    • Redhat Enterprise Linux: Text files Monitoring
    • SuSE Linux Enterprise Server: Common Security Events
    • SuSE Linux Enterprise Server: All Syslog Messages
    • SuSE Linux Enterprise Server: Accounts Monitoring
    • SuSE Linux Enterprise Server: Text Files Monitoring
  • Import policies:
    • Redhat Enterprise Linux: Common Security Events
    • Redhat Enterprise Linux: All Syslog Messages
    • Redhat Enterprise Linux: Accounts Monitoring
    • Redhat Enterprise Linux: Text Files Monitoring
    • SuSE Linux Enterprise Server: Common Security Events
    • SuSE Linux Enterprise Server: All Syslog Messages
    • SuSE Linux Enterprise Server: Accounts Monitoring
    • SuSE Linux Enterprise Server: Text Files Monitoring
  • Consolidation policies:
    • Redhat Linux Log Consolidation
    • Redhat Linux Log Consolidation for the Last Month
    • SuSE Linux Log Consolidation
    • SuSE Linux Log Consolidation for the Last Month
    • Real-time monitoring policies:
    • Redhat Linux: security
    • SuSE Linux: security
  • Tasks:
    • Redhat Linux daily collection of security events
    • Redhat Linux weekly reporting
    • SuSE Linux daily collection of security events
    • SuSE Linux weekly reporting
  • Sites:
    • Redhat Linux hosts
    • SuSE Linux hosts

Note: To work with Oracle Linux and Debian GNU/Linux, use the data sources, policies and sites designed for Red Hat Enterprise Linux.

Installing Agents

InTrust agents must be installed manually on Linux hosts. For details, see Installing Agents Manually on Linux Computers.

Syslog Configuration

InTrust takes advantage of the Syslog logging system on Linux computers. Syslog provides data for auditing and real-time monitoring activities.

Syslog functionality is provided by a syslogd daemon, which accepts messages from various sources that support logging, and either writes these messages to files or passes them on to other hosts in the network. There are multiple implementations of the daemon, including rsyslog and syslog-ng; these systems and keep their configuration files in different locations and have different sets of options.

When you install the InTrust agent on the Linux host, the necessary entries are automatically added to Syslog configuration. You do not have to modify any InTrust-related settings manually. However, if you use classic syslogd, it is up to you how you configure redirection of messages to other destinations.

NOTE: Prior to InTrust 11.3.2, a few manual Syslog configuration steps could be necessary to make Syslog gathering and real-time monitoring work. If you install the agent as part of an upgrade from version 11.3.1 or earlier to the current version, the new agent detects and updates the manual configuration. This activity is captured by Syslog. To confirm that it was successful, find Syslog messages that contain the string "SyslogConf::fix_rsyslog_file".

Preventing Skipping of Forwarded Messages

Reception of forwarded Syslog messages relies on named pipes, which have limited capacity. If a pipe opened for incoming messages becomes full, then messages will be skipped. This is a difficult situation to diagnose, but if you know or suspect it is happening on your message-receiving host, you can try increasing the pipe size.

The following is a sample Perl script that sets the maximum capacity for the pipe required by InTrust. Run it (or a variation of it) on the InTrust agent host that captures Syslog messages.

#!/usr/bin/perl

use Fcntl;

use constant

{

    F_SETPIPE_SZ => 1031,

    F_GETPIPE_SZ => 1032,

};

###################################################################

$MaxPipeBufPath = "/proc/sys/fs/pipe-max-size";

sysopen(Handle, $MaxPipeBufPath, O_RD) or die "sysopen failed: $!";

$MaxPipeBuf = readline(Handle) or die "readline failed: $!";

close Handle;

print "\n" . "max pipe buffer size = " . $MaxPipeBuf . "\n";

###################################################################

$FilePath = "/var/log/intrust_syslog";

sysopen(Handle, $FilePath, O_RD);

$CurrBuf = fcntl(Handle, F_GETPIPE_SZ, 0) or die "fcntl failed: $!";

print "current pipe buffer size = " . $CurrBuf . "\n";

###################################################################

if( int($CurrBuf) < int($MaxPipeBuf) )

{

    fcntl(Handle, F_SETPIPE_SZ, int($MaxPipeBuf) ) or die "fcntl failed: $!";

    print "new pipe buffer size = " . fcntl(Handle, F_GETPIPE_SZ, 0) . "\n";

}

###################################################################

close Handle;

셀프 서비스 도구
지식 기반
공지 및 알림
제품 지원
소프트웨어 다운로드
기술 설명서
사용자 포럼
비디오 자습서
RSS 피드
문의처
라이센싱 지원가져오기
기술 지원
모두 보기
관련 문서

The document was helpful.

평가 결과 선택

I easily found the information I needed.

평가 결과 선택