InTrust 11.3 - Preparing for Auditing and Monitoring Linux

Linux Auditing and Monitoring Overview

The Linux Knowledge Pack expands the auditing and reporting capabilities of InTrust to SuSE Linux Enterprise Server, Red Hat Enterprise Linux, Oracle Linux and Debian GNU/Linux. The Knowledge Pack enables InTrust to work with Syslog and text logs.

The following table shows what you can audit and monitor on Linux:

Data Source                        Gathering   Real-Time Monitoring
Syslog messages                    X           X
Text logs of any format            X
Configuration file modification    X           X

Requirements

InTrust supports auditing and monitoring of the following Linux distributions:

  • Red Hat Enterprise Linux 7, 6.6, 6.5, 6.4, 6.3, 5, 4
  • SuSE Linux Enterprise Server 11, 10
  • Oracle Linux 7, 6.6, 6.5, 6.4, 6.3
  • Debian GNU/Linux 8

To prepare a Linux host, you need to install an InTrust agent and adjust the configuration of the Syslog flavor used. Currently, agents must be installed manually on each Linux host you want to cover.

An alternative agent-free approach, which is not covered in this topic, is to use Syslog forwarding to an InTrust server. For details about this method, see Setting Up Gathering of Syslog Data.

Installation

The Linux Knowledge Pack is installed on top of an existing InTrust installation. The following objects are included:

  • Data sources:
    • Redhat Linux Syslog
    • Redhat Linux Accounts Monitoring
    • Redhat Linux Text Files Monitoring
    • SuSE Linux Accounts Monitoring
    • SuSE Linux Syslog
    • SuSE Linux Text Files Monitoring
  • Gathering policies:
    • Redhat Enterprise Linux: Common Security Events
    • Redhat Enterprise Linux: All Syslog Messages
    • Redhat Enterprise Linux: Accounts Monitoring
    • Redhat Enterprise Linux: Text files Monitoring
    • SuSE Linux Enterprise Server: Common Security Events
    • SuSE Linux Enterprise Server: All Syslog Messages
    • SuSE Linux Enterprise Server: Accounts Monitoring
    • SuSE Linux Enterprise Server: Text Files Monitoring
  • Import policies:
    • Redhat Enterprise Linux: Common Security Events
    • Redhat Enterprise Linux: All Syslog Messages
    • Redhat Enterprise Linux: Accounts Monitoring
    • Redhat Enterprise Linux: Text Files Monitoring
    • SuSE Linux Enterprise Server: Common Security Events
    • SuSE Linux Enterprise Server: All Syslog Messages
    • SuSE Linux Enterprise Server: Accounts Monitoring
    • SuSE Linux Enterprise Server: Text Files Monitoring
  • Consolidation policies:
    • Redhat Linux Log Consolidation
    • Redhat Linux Log Consolidation for the Last Month
    • SuSE Linux Log Consolidation
    • SuSE Linux Log Consolidation for the Last Month
  • Real-time monitoring policies:
    • Redhat Linux: security
    • SuSE Linux: security
  • Tasks:
    • Redhat Linux daily collection of security events
    • Redhat Linux weekly reporting
    • SuSE Linux daily collection of security events
    • SuSE Linux weekly reporting
  • Sites:
    • Redhat Linux hosts
    • SuSE Linux hosts

Note: To work with Oracle Linux and Debian GNU/Linux, use the data sources, policies and sites designed for Red Hat Enterprise Linux.

Installing Agents

InTrust agents must be installed manually on Linux hosts. For details, see Installing Agents Manually on Linux Computers.

Syslog Configuration

InTrust takes advantage of the Syslog logging system on Linux computers. Syslog provides data for auditing and real-time monitoring activities.

Syslog functionality is provided by the syslogd daemon, which accepts messages from various sources that support logging, and either writes these messages to files or passes them on to other hosts in the network.

The syslog.conf file specifies where syslogd sends a message depending on the parameters of the message. For a detailed description of this file's format, see the syslog.conf man page.

When you install the InTrust agent on the Linux host, the necessary entries are automatically added to syslog.conf. You do not have to modify any message redirection settings manually. You remain free to configure redirection of messages to other destinations, as long as you leave the InTrust-related entries intact.

Note: In addition to the syslogd daemon, InTrust supports syslog-ng. In that case, the syslog-ng.conf file needs to be modified instead.

Configuration Specifics for Debian 8, Oracle Linux and Red Hat Enterprise Linux 6.3 and Later

  1. Create the /etc/syslog.conf file:
    touch /etc/syslog.conf
  2. In the /etc/rsyslog.conf file, add the following line under #### RULES ####:
    *.debug                     |/var/log/intrust_syslog;RSYSLOG_TraditionalFileFormat
  3. (On Debian 8, skip this step.) Create the /var/log/intrust_syslog named pipe:
    mkfifo /var/log/intrust_syslog
  4. Restart the rsyslogd daemon using the following commands:
    • For Oracle Linux and Red Hat Enterprise Linux versions 6.3–6.6:
      /etc/rc.d/rc2.d/S12rsyslog stop
      /etc/rc.d/rc2.d/S12rsyslog start
    • For Oracle Linux and Red Hat Enterprise Linux version 7 and Debian 8:
      systemctl restart rsyslog
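The steps above, as an added shell example that is not part of the InTrust documentation: the functions apply steps 2 and 3 idempotently to a configuration file and pipe path passed as parameters, so they can be rehearsed against a scratch directory before touching /etc/rsyslog.conf, and they refuse to replace a regular file already sitting at the pipe path. The function names are my own; the rule text and the real paths are the ones given in the steps.

```shell
#!/bin/sh
# Added example, not from the InTrust documentation. Applies steps 2 and 3
# above idempotently and refuses to clobber a regular file at the pipe path
# (rsyslog would write into a plain file and the agent would never see it).
# Both paths are parameters so the logic can be rehearsed in a scratch
# directory; the real values are /etc/rsyslog.conf and /var/log/intrust_syslog.

intrust_rule() {
    # The exact rsyslog rule the documentation asks for, for pipe path $1.
    printf '%s' "*.debug                     |$1;RSYSLOG_TraditionalFileFormat"
}

ensure_intrust_pipe_rule() {
    conf="$1"
    pipe="$2"
    rule=$(intrust_rule "$pipe")

    # Step 2: add the rule once, directly under #### RULES #### when that
    # marker exists, otherwise at the end of the file.
    if ! grep -qF -- "$rule" "$conf"; then
        if grep -q '^#### RULES ####' "$conf"; then
            awk -v r="$rule" '{ print } /^#### RULES ####/ { print r }' \
                "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
        else
            printf '%s\n' "$rule" >> "$conf"
        fi
    fi

    # Step 3 (skipped on Debian 8): create the FIFO, but never silently
    # replace an existing object that is not a FIFO.
    if [ -e "$pipe" ] && [ ! -p "$pipe" ]; then
        echo "refusing: $pipe exists and is not a named pipe" >&2
        return 2
    fi
    [ -p "$pipe" ] || mkfifo "$pipe"
}

verify_intrust_pipe_setup() {
    # Success only if the rule appears exactly once and the pipe is a FIFO.
    [ "$(grep -cF -- "$(intrust_rule "$2")" "$1")" = 1 ] && [ -p "$2" ]
}
```

Run `verify_intrust_pipe_setup /etc/rsyslog.conf /var/log/intrust_syslog` after the rsyslog restart to confirm the host is in the expected state.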

Preventing Skipping of Forwarded Messages

Reception of forwarded Syslog messages relies on named pipes, which have limited capacity. If a pipe opened for incoming messages becomes full, then messages will be skipped. This is a difficult situation to diagnose, but if you know or suspect it is happening on your message-receiving host, you can try increasing the pipe size.

The following is a sample Perl script that raises the capacity of the pipe used by InTrust to the system-wide maximum. Run it (or a variation of it) on the InTrust agent host that captures Syslog messages.

#!/usr/bin/perl
use strict;
use warnings;
use Fcntl;    # O_RDONLY, O_NONBLOCK

# F_GETPIPE_SZ and F_SETPIPE_SZ are Linux-specific and not exported by Fcntl.
use constant {
    F_SETPIPE_SZ => 1031,
    F_GETPIPE_SZ => 1032,
};

###################################################################
# Read the system-wide upper limit for pipe capacity (bytes).
my $MaxPipeBufPath = "/proc/sys/fs/pipe-max-size";
sysopen(my $max_fh, $MaxPipeBufPath, O_RDONLY) or die "sysopen $MaxPipeBufPath failed: $!";
my $MaxPipeBuf = readline($max_fh) or die "readline failed: $!";
close $max_fh;
chomp $MaxPipeBuf;
print "\nmax pipe buffer size = $MaxPipeBuf\n";

###################################################################
# Open the InTrust pipe. O_NONBLOCK keeps the open from hanging when no
# writer is attached. The new size only survives while some process
# (rsyslogd or the InTrust agent) still holds the pipe open, so run this
# while they are running.
my $FilePath = "/var/log/intrust_syslog";
sysopen(my $pipe_fh, $FilePath, O_RDONLY | O_NONBLOCK) or die "sysopen $FilePath failed: $!";
my $CurrBuf = fcntl($pipe_fh, F_GETPIPE_SZ, 0) or die "fcntl F_GETPIPE_SZ failed: $!";
print "current pipe buffer size = " . int($CurrBuf) . "\n";

###################################################################
# Grow the pipe to the maximum if it is currently smaller.
if ( int($CurrBuf) < int($MaxPipeBuf) ) {
    fcntl($pipe_fh, F_SETPIPE_SZ, int($MaxPipeBuf)) or die "fcntl F_SETPIPE_SZ failed: $!";
    print "new pipe buffer size = " . int(fcntl($pipe_fh, F_GETPIPE_SZ, 0)) . "\n";
}

###################################################################
close $pipe_fh;
