LINUX - 50 SECURITY & HARDENING (BASICS) - P5 IN LINUX (RHEL6 & RHEL7)

USER/LOGIN SECURITY
NETWORK SECURITY
FILE / OPERATING SYSTEM SECURITY
PHYSICAL SECURITY
LOG EVERYTHING
LOG FILE SECURITY
We already covered USER, NETWORK, FILE/OPERATING SYSTEM SECURITY and PHYSICAL SECURITY. Now it’s time to collect & secure evidence.

LOG EVERYTHING

First enable System Auditing and then know all your log files.
ENABLE SYSTEM AUDIT

The term Audit is used for inspection of every action on the server, like:
Security
Stability
Proper functioning
Which file was accessed, by whom and when
Application misbehaviour
All network traffic
Etc… etc…
PACKAGES: audit & audit-libs

DAEMON: auditd

CONFIGURATION FILES:
/etc/audit/auditd.conf = configuration file for the audit daemon
/etc/audit/audit.rules = audit rules to be loaded at startup

TOOLS TO ACCESS AUDIT REPORTS/LOGS:
auditctl – a utility for controlling the kernel’s audit system.
ausearch – a tool to query audit daemon logs.
aureport – a tool that produces summary reports of audit daemon logs.
It is bound to the kernel to watch all system calls, and with the help of the audit daemon “auditd” it can see every process and activity on the system. The audit kernel component catches system calls, records events and forwards them to “auditd”, which generates the logs and by default saves them under /var/log/audit.

Audit works independently; it has no relation with syslog.

For a better and complete understanding, please refer to my previous posts under Auditing. I also covered RHEL Logs & Journaling in detail; please refer to my previous posts under Logging.
LOG FILE SECURITY

Audit Log Permissions
These should be 640 or 600.

Logs Must Be Owned by Root
[root@rhel7-server ~]# chown root:root /var/log

Ensure that all log files (usually located in /var/log/, /var/adm or /var/tmp) are only writable by root.

Better to create a syslog server to capture all your logs from your entire network.
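Note that the chown above, without -R, changes the owner of the /var/log directory itself and not of the files inside it. The script below is an added example (not from the original post) that walks a log directory and reports every regular file that is not owned by the expected user or whose mode is not 600 or 640, and a second function that repairs what the check flags. The function names, the expected-owner parameter (defaulting to root) and the "BAD" output format are assumptions made here; the mode rule is the one the post states.

```shell
#!/bin/sh
# Added example: report log files that are not owned by the expected user
# (root by default) or whose permissions are not 600 or 640.
# Usage: check_log_perms /var/log [expected_owner]
# Prints one "BAD <file> owner=<u> mode=<m>" line per offending file.
# Returns 0 when every file passes, 1 when at least one file was flagged.
check_log_perms() {
    dir="$1"
    owner="${2:-root}"
    bad=0
    while IFS= read -r f; do
        [ -n "$f" ] || continue          # empty line when the directory has no files
        fowner=$(stat -c '%U' "$f")
        mode=$(stat -c '%a' "$f")
        ok=1
        [ "$fowner" = "$owner" ] || ok=0
        case "$mode" in
            600|640) ;;                  # the only modes allowed for log files
            *) ok=0 ;;
        esac
        if [ "$ok" -eq 0 ]; then
            printf 'BAD %s owner=%s mode=%s\n' "$f" "$fowner" "$mode"
            bad=1
        fi
    done <<EOF
$(find "$dir" -type f)
EOF
    return "$bad"
}

# Repair what the check flags: re-own mis-owned files and reset any file whose
# mode is neither 600 nor 640 to 640. Run as root against the real directory.
fix_log_perms() {
    dir="$1"
    owner="${2:-root}"
    find "$dir" -type f ! -user "$owner" -exec chown "$owner:$owner" {} +
    find "$dir" -type f ! -perm 600 ! -perm 640 -exec chmod 640 {} +
}

# Example run (as root):
#   check_log_perms /var/log || fix_log_perms /var/log
```

check_log_perms is read-only, so it is safe to run from cron and alert on any output; fix_log_perms is the corrective step and should only be run once the flagged files have been looked at, since a log that suddenly became world-writable may itself be the evidence you want to keep.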
Prepare Append-only Log Files

Check the normal permissions,
[root@rhel7-server ~]# ls -l /var/log/messages
-rw-------. 1 root root 909163 Oct 21 18:30 /var/log/messages

Check what attributes are set,
[root@rhel7-server ~]# lsattr /var/log/messages
---------------- /var/log/messages

No attributes. Let’s make it append only,
[root@rhel7-server ~]# chattr +a /var/log/messages
[root@rhel7-server ~]# lsattr /var/log/messages
-----a---------- /var/log/messages

Now I am trying to nullify the messages file,
[root@rhel7-server ~]# >/var/log/messages
bash: /var/log/messages: Operation not permitted

Great, not allowed. This is good, but in case of log rotation or copying our logs to a syslog server it will create an issue. Better to have a script which removes the append attribute, does the rotation/transfer, and then sets the attribute again.
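The rotation script described above, as an added example that is not part of the original post: it drops +a, copies the live log to an archive directory, truncates the live file, and restores +a. The archived copy is set to mode 600 and marked immutable, since a rotated log is finished evidence and nothing should append to it any more; the live log is deliberately left append-only rather than immutable, because +i refuses every write, including the log daemon’s own appends. The function name, the archive directory layout and the CHATTR override (so the copy/truncate steps can be tried on a filesystem without attribute support) are assumptions of this example.

```shell
#!/bin/sh
# Added example: rotate an append-only log the way the post suggests:
# remove +a, archive the current contents, empty the live file, put +a back.
# CHATTR may be overridden (CHATTR=: makes the attribute steps no-ops, for
# exercising the copy/truncate logic where chattr is unavailable).
# Usage: rotate_appendonly <logfile> <archive_dir> <stamp>
# Prints the path of the archived copy on success and returns 0.
rotate_appendonly() {
    logfile="$1"
    archive_dir="$2"
    stamp="$3"                           # e.g. "$(date +%Y%m%d-%H%M%S)"
    chattr_cmd="${CHATTR:-chattr}"
    [ -f "$logfile" ] || { echo "no such log file: $logfile" >&2; return 1; }
    mkdir -p "$archive_dir" || return 1
    archive="$archive_dir/$(basename "$logfile").$stamp"

    # 1. Remove the append-only flag; truncation is refused while it is set.
    "$chattr_cmd" -a "$logfile" || return 1

    # 2. Archive, then truncate. On copy failure restore the flag before leaving
    #    so the live log is never left unprotected.
    if ! cp -p "$logfile" "$archive"; then
        "$chattr_cmd" +a "$logfile"
        return 1
    fi
    : > "$logfile"

    # 3. Restore append-only on the live log; lock the archive down to 600 and
    #    mark it immutable so the finished evidence can no longer be altered.
    "$chattr_cmd" +a "$logfile" || return 1
    chmod 600 "$archive"
    "$chattr_cmd" +i "$archive"
    printf '%s\n' "$archive"
}

# Example run (as root, on a filesystem that supports chattr):
#   rotate_appendonly /var/log/messages /var/log/archive "$(date +%Y%m%d-%H%M%S)"
```

If the archive is then shipped to the syslog server, the +i flag has to be removed with chattr -i before the local copy can be deleted; keeping a checksum of each archive alongside it makes later tampering on either side detectable.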
Make Log Files Immutable

By making log files immutable, even root can’t delete them.
[root@rhel7-server ~]# chattr +i /var/log/messages
[root@rhel7-server ~]# lsattr /var/log/messages
----ia---------- /var/log/messages