InTrust Configuration
After you have taken all the necessary configuration steps on the target Linux hosts, the InTrust Server takes over all auditing and real-time monitoring operations. This section describes Linux-specific settings that are not explained in the other InTrust documentation.
Auditing, Reporting, and Real-Time Monitoring
Linux auditing, reporting, and real-time monitoring is similar to working with any other system supported by InTrust.
There is only one important difference that refers to active scheduling of the InTrust tasks. For information see the warning note below.
|
|
Caution: An active schedule is required to make the agent cache events. If the schedule is disabled, no events are stored. Since all Data Sources described above use events caching, it is recommended that you use at least one task for the cache-enabled data sources that run regularly. If you want to gather data only on demand, you must still enable the schedule for your task or tasks, but set it to a point in the future or in the past. |
The other Linux auditing, reporting and real-time monitoring operations do not have special requirements.
The following are details about the Linux-related data sources in InTrust.
Redhat Linux Syslog and SuSE Linux Syslog Data Sources
The “Redhat Linux Syslog” and the “SuSE Linux Syslog” data sources represent the Syslog audit trails.
Syslog auditing and real-time monitoring is based on the flow of data intended for the syslogd or syslog-ng daemons. The “Redhat Linux Syslog” (“SuSE Linux Syslog”) data source is used to analyze the data flow and capture only the necessary portions of it.
The data source uses a list of regular expressions. When the data source is working, it applies the expressions, in the order specified, to each message. The order of the regular expressions matters because message processing stops as soon as the message matches one of the expressions.
When parsing takes place, pairs of parentheses are used in regular expressions to break messages up into numbered fields.
For example, the following regular expression:
^(.{15}) ([-[:alnum:]_.]+) (su)(\([^[]+\)){0,1}(\[[0-9]+\]){0,1}: (session opened for user (.*) by ([^()]*)\(.*\))
matches the following message:
Dec 16 12:10:47 es7 su(pam_unix)[23200]: session opened for user root by jsmith(uid=508)
The result is an event with the following fields:
| Field Name | Field Number |
Field Contents |
|---|---|---|
| Computer | <2> |
es7 |
| Description | <6> |
session opened for user root by jsmith(uid=508) |
| Event ID | 2 | 2 |
| Event Source | <3> |
su |
| Insertion String #1 | <6> |
session opened for user root by jsmith(uid=508) |
| Insertion String #11 | <7> |
root |
| Insertion String #12 | <8> | jsmith |
The last regular expression in the predefined data source is designed to match any message. This ensures that the message is not lost. The result of this regular expression is an event where the Description and Insertion String #1 fields both contain the descriptive part of the message, if a descriptive part is present.
It is not recommended that you modify predefined regular expressions in the data source. These expressions are required for the reports that come with the Linux Knowledge Pack. These reports will ignore any data resulting from the use of custom regular expressions.
If you create a custom Syslog data source with your own regular expressions, make sure you use customized reports based on the data that these regular expressions help capture.
|
|
Caution: Including a lot of complex regular expressions in the data source may slow down Syslog processing significantly. |
Text File-Monitoring Data Sources
The “Redhat Linux text files monitoring”(or “SuSE Linux text files monitoring”) and “Redhat Linux accounts monitoring”(or “SuSE Linux accounts monitoring”) scripted data sources are designed to parse specified files. Real-time monitoring rules use these data sources to monitor the files for changes.
|
|
Caution: These scripted data sources are not designed for general-purpose auditing and monitoring of text-based logs. They should be used only on configuration files that preferably do not exceed 100 kilobytes. To collect large text-based logs, use Custom Text Log Events data sources, as described in the Auditing Custom Logs with InTrust document. |
To specify the file paths, edit the appropriate parameters of the data sources. For example, to monitor the /etc/hosts.allow and /etc/hosts.deny files, take the following steps:
- Open the properties of the “Redhat Linux text files monitoring” data source.
- On the Parameters tab, select the TextFiles parameter and click Edit.
- Supply “/etc/hosts.allow” and “/etc/hosts.deny” in the dialog box that appears.
Similarly, you can edit the UsersFile and GroupsFile parameters of the “Redhat Linux accounts monitoring” data source if the location of the passwd and groups files differs from the default on your Linux hosts.
|
|
Note: Monitoring the passwd and groups files makes sense if your Linux environment does not use a directory solution. With a directory in place, information in these files is not important or representative. |
External Events Data Sources
The External Events data source type is not represented by any predefined data sources. It is different from other data source types in that it generates event records with fields that you define and hands them over to the InTrust agent to process.
Data sources of this type are represented by a command-line utility on the agent side and an InTrust data source object on the InTrust server side.
This command-line utility forces special events on the InTrust agent running on the same computer. The agent stores the events in its backup cache. From there, the events can be captured by the gathering or real-time monitoring engine.
To create an External Events data source
- Right-click the Configuration | Data Sources node and select New Data Source.
- In the New Data Source Wizard, select the External Events data source type.
- Complete the remaining steps.
For details about External Events data source settings, see Configuring Data Sources.
Script Event Provider Data Sources
InTrust provides an additional option to create a custom data source using the Script Event Provider.
This functionality allows to create a script that starts with pre-set frequency. Under some conditions that are specified in this script events are generated and then are passed to the InTrust agent. Events are stored in the agent's backup cache. From there, the events can be captured by the gathering or real-time monitoring engine.
You can specify in the certain script: what information is stored and how it is ordered in the certain events, what conditions are required for event generation.
To create a custom data source with Script Event Provider
- Right-click the Configuration | Data Sources node and select New Data Source.
- In the New Data Source Wizard, select the Script Event Provider data source type.
- On the Script step select the script language and enter your script text using XML editor.
- On the same step specify how frequently the script should run.
- Complete the remaining steps.
Use Scenarios
This topic describes typical situations in a production environment and how InTrust helps handle them. For information about specific procedures, such as creating tasks and jobs or activating rules, see the Auditing Guide and Real-Time Monitoring Guide.
Syslog Configuration Monitoring
Suppose you use a finely-tuned Syslog audit policy in your environment. Your audit configuration has proven efficient and reliable, and you do not want anyone but a few trusted administrators to be able to change it. Even so, you want to know immediately if the audit policy is modified in any way.
Use InTrust real-time monitoring capabilities to enable immediate notification. Syslog audit configuration is defined in the syslog.conf file, so the solution in this case is to monitor this file with InTrust and send an alert whenever the file is modified.
Enable the “Syslog.conf file modified” rule and make sure the appropriate file paths are supplied as the rule’s parameter.
Tracking Security Incidents
You want to receive daily information about possible security issues in your environment, such as brute force attack attempts.
You can achieve this by scheduling gathering and reporting jobs with InTrust. To view the resulting reports use the Knowledge Portal web application.
Take the following steps:
- Make sure that syslogd or syslog-ng is running.
- Create an InTrust task that gathers Syslog events from the appropriate site (gathering job), builds reports based on the gathered data (reporting job).The resulting reports are stored in the local folder that is specified during InTrust installation.
- A good report for this scenario is "Multiple failed login attempts".
It is up to you whether you want to store the gathered data in an InTrust repository. You can also include a notification job to get notified of task completion. - Schedule the task to run every morning at a convenient time.