InTrust 11.3.1 - Preparing for Auditing and Monitoring Linux

Linux Auditing and Monitoring Overview

The Linux Knowledge Pack expands the auditing and reporting capabilities of InTrust to SuSE Linux Enterprise Server, Red Hat Enterprise Linux, Oracle Linux and Debian GNU/Linux. The Knowledge Pack enables InTrust to work with Syslog and text logs.

The following table shows what you can audit and monitor on Linux:

Data Source                        Gathering   Real-Time Monitoring
Syslog messages                    X           X
Text logs of any format            X           -
Configuration file modification    X           X

Requirements

InTrust supports auditing and monitoring of the following Linux distributions:

  • Red Hat Enterprise Linux 7.4, 7.3, 7.2, 7.1, 7, 6.9, 6.8, 6.7, 6.6, 6.5, 6.4, 6.3
  • SuSE Linux Enterprise Server 11, 10
  • Oracle Linux 7.4, 7.3, 7.2, 7.1, 7, 6.9, 6.8, 6.7, 6.6, 6.5, 6.4, 6.3
  • Debian GNU/Linux 8

To prepare a Linux host, you need to install an InTrust agent and adjust the configuration of the Syslog flavor used. Currently, agents must be installed manually on each Linux host you want to cover.

An alternative agent-free approach, which is not covered in this topic, is to use Syslog forwarding to an InTrust server. For details about this method, see Setting Up Gathering of Syslog Data.

Installation

The Linux Knowledge Pack is installed on top of an existing InTrust installation. The following objects are included:

  • Data sources:
    • Redhat Linux Syslog
    • Redhat Linux Accounts Monitoring
    • Redhat Linux Text Files Monitoring
    • SuSE Linux Accounts Monitoring
    • SuSE Linux Syslog
    • SuSE Linux Text Files Monitoring
  • Gathering policies:
    • Redhat Enterprise Linux: Common Security Events
    • Redhat Enterprise Linux: All Syslog Messages
    • Redhat Enterprise Linux: Accounts Monitoring
    • Redhat Enterprise Linux: Text files Monitoring
    • SuSE Linux Enterprise Server: Common Security Events
    • SuSE Linux Enterprise Server: All Syslog Messages
    • SuSE Linux Enterprise Server: Accounts Monitoring
    • SuSE Linux Enterprise Server: Text Files Monitoring
  • Import policies:
    • Redhat Enterprise Linux: Common Security Events
    • Redhat Enterprise Linux: All Syslog Messages
    • Redhat Enterprise Linux: Accounts Monitoring
    • Redhat Enterprise Linux: Text Files Monitoring
    • SuSE Linux Enterprise Server: Common Security Events
    • SuSE Linux Enterprise Server: All Syslog Messages
    • SuSE Linux Enterprise Server: Accounts Monitoring
    • SuSE Linux Enterprise Server: Text Files Monitoring
  • Consolidation policies:
    • Redhat Linux Log Consolidation
    • Redhat Linux Log Consolidation for the Last Month
    • SuSE Linux Log Consolidation
    • SuSE Linux Log Consolidation for the Last Month
  • Real-time monitoring policies:
    • Redhat Linux: security
    • SuSE Linux: security
  • Tasks:
    • Redhat Linux daily collection of security events
    • Redhat Linux weekly reporting
    • SuSE Linux daily collection of security events
    • SuSE Linux weekly reporting
  • Sites:
    • Redhat Linux hosts
    • SuSE Linux hosts

Note: To work with Oracle Linux and Debian GNU/Linux, use the data sources, policies and sites designed for Red Hat Enterprise Linux.

Installing Agents

InTrust agents must be installed manually on Linux hosts. For details, see Installing Agents Manually on Linux Computers.

Syslog Configuration

InTrust takes advantage of the Syslog logging system on Linux computers. Syslog provides data for auditing and real-time monitoring activities.

Syslog functionality is provided by a syslogd daemon, which accepts messages from various sources that support logging and either writes these messages to files or passes them on to other hosts in the network. There are multiple implementations of the daemon, including rsyslog and syslog-ng; these implementations keep their configuration files in different locations and have different sets of options.

The InTrust agent assumes that its host has the /etc/syslog.conf file, which is the location of classic syslogd configuration. The file specifies where the Syslog daemon sends a message depending on the parameters of the message. For a detailed description of this file's format, see the syslog.conf man page.

When you install the InTrust agent on the Linux host, the necessary entries are automatically added to /etc/syslog.conf as long as it is present. You do not have to modify any InTrust-related settings manually. However, if you use classic syslogd, it is up to you how you configure redirection of messages to other destinations.

Configuration Specifics for Debian 8, Oracle Linux and Red Hat Enterprise Linux 6.3 and Later

NOTE: This procedure is not required on SUSE Linux or Red Hat Enterprise Linux 4 and 5. On those systems, agent configuration is fully automatic.

  1. Create the /etc/syslog.conf file:

    touch /etc/syslog.conf

    InTrust requires only that this file be present. You don't need to perform any configuration through the file manually.
  2. In the /etc/rsyslog.conf file, add the following line under #### RULES ####:

    *.debug                     |/var/log/intrust_syslog;RSYSLOG_TraditionalFileFormat

  3. (On Debian 8, skip this step.) Create the /var/log/intrust_syslog named pipe:

    mkfifo /var/log/intrust_syslog

  4. Restart the rsyslogd daemon using the following command sequence:
    • On Red Hat Enterprise Linux 6.*:

      /etc/rc.d/rc2.d/S12rsyslog stop
      /etc/rc.d/rc2.d/S12rsyslog start

    • On Red Hat Enterprise Linux 7.*, Oracle Linux and Debian 8:

      systemctl restart rsyslog
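The four steps above as one idempotent shell script, added here as an example and not part of the InTrust documentation. The function names and the rule-insertion logic are the example's own; each function takes its file path as an argument so the steps can be tried on copies before being pointed at /etc, and step 3 is still only applied where the procedure says to (not on Debian 8).

```shell
#!/bin/sh
# Added example, not from the InTrust documentation: applies the preparation
# steps idempotently. Paths are arguments so the functions can be exercised
# on copies (e.g. under a temp dir) before touching the real files.
set -eu

INTRUST_RULE='*.debug                     |/var/log/intrust_syslog;RSYSLOG_TraditionalFileFormat'

# Step 1: /etc/syslog.conf only has to exist; an empty file satisfies the agent.
ensure_syslog_conf() {
    [ -e "$1" ] || : > "$1"
    [ -f "$1" ]    # fails if the path is, e.g., a directory rather than a file
}

# Step 2: add the pipe rule directly under "#### RULES ####", exactly once.
# Returns 0 when the file was changed, 1 when the rule was already present.
ensure_rsyslog_rule() {
    conf="$1"
    if grep -qF '|/var/log/intrust_syslog' "$conf"; then
        return 1
    fi
    if grep -q '^#### RULES ####' "$conf"; then
        awk -v rule="$INTRUST_RULE" '{ print } /^#### RULES ####/ { print rule }' \
            "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    else
        printf '%s\n' "$INTRUST_RULE" >> "$conf"   # no RULES header: append
    fi
}

# Step 3: create the named pipe. Refuse if a regular file already sits at the
# path: rsyslog would then write an ordinary log file that the agent never reads.
ensure_fifo() {
    if [ -e "$1" ] && [ ! -p "$1" ]; then
        echo "refusing: $1 exists but is not a named pipe" >&2
        return 2
    fi
    [ -p "$1" ] || mkfifo "$1"
}

# Step 4: restart rsyslog with whichever init flavour the host uses.
restart_rsyslog() {
    if command -v systemctl >/dev/null 2>&1; then
        systemctl restart rsyslog
    else
        /etc/rc.d/rc2.d/S12rsyslog stop && /etc/rc.d/rc2.d/S12rsyslog start
    fi
}
```

On a real host, run the three ensure_* functions with /etc/syslog.conf, /etc/rsyslog.conf and /var/log/intrust_syslog, then restart_rsyslog; a second run changes nothing.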

Enabling Reception of External Syslog Messages

Auditing and monitoring works not only for local Syslog on the host where the agent resides, but also for external Syslog messages forwarded from other sources. Some InTrust Knowledge Packs (for example, for Trend Micro virtual appliances and TPAM) require that you use this Syslog proxy mechanism. You may also find it convenient in other situations.

IMPORTANT: Remember to configure your firewall to allow incoming Syslog messages on the proxy host.

For Red Hat Enterprise Linux 6.* and 7.*, Debian 8 and Oracle Linux

  1. Open the /etc/rsyslog.conf file with any text editor of your choice. This file should contain commented lines like the following:

    # Provides UDP syslog reception
    #$ModLoad imudp
    #$UDPServerRun 514

    # Provides TCP syslog reception
    #$ModLoad imtcp
    #$InputTCPServerRun 514

  2. Depending on how you forward events, uncomment and edit the necessary lines. For example, for UDP reception on port 514, it should be like this:

    # Provides UDP syslog reception
    $ModLoad imudp
    $UDPServerRun 514

  3. Restart the rsyslogd daemon as follows:
    • On Red Hat Enterprise Linux 6.*:

      /etc/rc.d/rc2.d/S12rsyslog stop
      /etc/rc.d/rc2.d/S12rsyslog start

    • On Red Hat Enterprise Linux 7.*, Oracle Linux and Debian 8:

      systemctl restart rsyslog

For Red Hat Enterprise Linux 4 and 5

  1. Open the /etc/sysconfig/syslog file with any text editor of your choice.
  2. In the file, locate the line starting with SYSLOGD_OPTIONS=.
  3. Append the -r parameter to the options line as follows:

    SYSLOGD_OPTIONS="-m 0 -r"

  4. Restart the Syslog daemon to apply the changes.

Preventing Skipping of Forwarded Messages

Reception of forwarded Syslog messages relies on named pipes, which have limited capacity. If a pipe opened for incoming messages becomes full, then messages will be skipped. This is a difficult situation to diagnose, but if you know or suspect it is happening on your message-receiving host, you can try increasing the pipe size.

The following is a sample Perl script that sets the maximum capacity for the pipe required by InTrust. Run it (or a variation of it) on the InTrust agent host that captures Syslog messages.

#!/usr/bin/perl
use strict;
use warnings;
use Fcntl;

# Linux-specific fcntl commands, not exported by Fcntl (F_LINUX_SPECIFIC_BASE + 7 and + 8).
use constant {
    F_SETPIPE_SZ => 1031,
    F_GETPIPE_SZ => 1032,
};

###################################################################
# Read the system-wide upper bound on pipe capacity.
my $MaxPipeBufPath = "/proc/sys/fs/pipe-max-size";
sysopen(my $MaxHandle, $MaxPipeBufPath, O_RDONLY) or die "sysopen $MaxPipeBufPath failed: $!";
my $MaxPipeBuf = readline($MaxHandle) or die "readline failed: $!";
close $MaxHandle;
chomp $MaxPipeBuf;
print "\n" . "max pipe buffer size = " . $MaxPipeBuf . "\n";

###################################################################
# Open the InTrust pipe. A read-only open of a FIFO blocks until a writer (rsyslog)
# has it open, and the new size lives only as long as the pipe stays open, so run
# this while rsyslog is running.
my $FilePath = "/var/log/intrust_syslog";
sysopen(my $Handle, $FilePath, O_RDONLY) or die "sysopen $FilePath failed: $!";
my $CurrBuf = fcntl($Handle, F_GETPIPE_SZ, 0) or die "fcntl F_GETPIPE_SZ failed: $!";
print "current pipe buffer size = " . $CurrBuf . "\n";

###################################################################
# Grow the pipe to the kernel maximum (raising it above the default requires root).
if ( int($CurrBuf) < int($MaxPipeBuf) ) {
    fcntl($Handle, F_SETPIPE_SZ, int($MaxPipeBuf)) or die "fcntl F_SETPIPE_SZ failed: $!";
    print "new pipe buffer size = " . fcntl($Handle, F_GETPIPE_SZ, 0) . "\n";
}

###################################################################
close $Handle;
