Install the required packages
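# Install auditd and its dispatcher plugins, then enable the service so it
# starts at boot (the original passed -y twice; once is enough).
sudo apt install -y auditd audispd-plugins
sudo systemctl enable auditd
sudo systemctl start auditd
# Put the rule set in its own file under rules.d; augenrules merges every
# *.rules file in that directory into /etc/audit/audit.rules when loading.
sudo vi /etc/audit/rules.d/hardening.rules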
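# Authentication / account databases
-w /etc/passwd -p wa -k passwd_changes
-w /etc/shadow -p wa -k shadow_changes
-w /etc/group -p wa -k group_changes
-w /etc/gshadow -p wa -k gshadow_changes
# Privilege escalation policy (sudo)
-w /etc/sudoers -p wa -k sudoers_changes
-w /etc/sudoers.d/ -p wa -k sudoers_includes
# System configuration changes
-w /etc/hostname -p wa -k hostname_changes
-w /etc/hosts -p wa -k hosts_changes
-w /etc/network/ -p wa -k network_config_changes
-w /etc/resolv.conf -p wa -k dns_config
# Kernel module load/unload.
# A rule with arch=b64 alone does not see calls made through the 32-bit
# syscall entry point, so the same rule is repeated for arch=b32 (drop the
# b32 lines on architectures without 32-bit compat support, where they
# fail to load).  finit_module is added because modern kmod (modprobe,
# insmod) typically loads modules through it rather than init_module.
-a always,exit -F arch=b64 -S init_module,finit_module,delete_module -k kernel_modules
-a always,exit -F arch=b32 -S init_module,finit_module,delete_module -k kernel_modules
# Permission / ownership changes, both ABIs.  The *at variants and lchown
# are included because tools commonly call those instead of the plain
# syscalls.  Unfiltered, so package installs and boot also produce events;
# the auid filters used for the exec rules below can be added here if that
# is too noisy.
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,chown,fchown,fchownat,lchown -k perm_mod
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,chown,fchown,fchownat,lchown -k perm_mod
# Sensitive files / directories (add application paths here as needed)
-w /etc/ssh/sshd_config -p wa -k ssh_config
#-w /opt/ -p wa -k opt_changes
# Execution of specific binaries by real, logged-in users.
# auid>=1000 limits this to interactive accounts; auid!=4294967295 (the
# same as auid!=unset) drops daemons and boot-time processes that never had
# a login uid assigned.  The login uid survives su/sudo, so the originating
# user is still recorded after privilege escalation.
-a always,exit -F path=/usr/bin/nc -F perm=x -F auid>=1000 -F auid!=4294967295 -k nc_exec
-a always,exit -F path=/usr/bin/sh -F perm=x -F auid>=1000 -F auid!=4294967295 -k sh_exec
-a always,exit -F path=/usr/bin/bash -F perm=x -F auid>=1000 -F auid!=4294967295 -k bash_exec
# Login-control and login-record files
-w /etc/securetty -p wa -k securetty_changes
-w /var/log/lastlog -p wa -k login_logs
# Audit configuration itself.  The /etc/audit/ watch already covers
# rules.d; the more specific watch is listed first so that, if only the
# first matching rule's key is reported, rules.d changes carry audit_rules
# rather than audit_config.
-w /etc/audit/rules.d/ -p wa -k audit_rules
-w /etc/audit/ -p wa -k audit_config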
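# Compile every rules.d/*.rules file into /etc/audit/audit.rules and push the
# result into the kernel.
sudo augenrules --load
# Show what the kernel actually accepted; compare it against hardening.rules
# so a rule that failed to parse is not silently missing.
sudo auditctl -l
# Loading rules does not require a restart; this is only needed when
# /etc/audit/auditd.conf itself changed.  NOTE(review): on distributions whose
# auditd.service sets RefuseManualStop=yes this command is refused — confirm
# on the target host.
sudo systemctl restart auditd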
Configure logrotate
# Edit rsyslog's logrotate stanza; the contents that follow go into this file.
sudo vi /etc/logrotate.d/rsyslog
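# rsyslog-managed logs.  One stanza means one schedule and one shared
# pre/post script for all of them.
/var/log/syslog
/var/log/mail.info
/var/log/mail.warn
/var/log/mail.err
/var/log/mail.log
/var/log/daemon.log
/var/log/kern.log
/var/log/auth.log
/var/log/user.log
/var/log/lpr.log
/var/log/cron.log
/var/log/debug
/var/log/messages
{
    su root syslog
    weekly
    # 'size' is an alternative to the time interval, not an addition to it:
    # with 'weekly' followed by 'size 15M' the weekly schedule was being
    # discarded and files rotated on size only.  'maxsize' keeps the weekly
    # rotation and additionally rotates early once a file exceeds 15M.
    maxsize 15M
    # 13 weekly rotations is roughly 90 days, matching maxage.
    rotate 13
    maxage 90
    missingok
    notifempty
    create 0640 syslog adm
    compress
    delaycompress
    sharedscripts
    prerotate
        # The append-only attribute blocks rename, so drop it before rotation.
        # Errors are ignored so a file without the attribute does not abort
        # the whole run.
        chattr -a /var/log/syslog 2>/dev/null || true
        chattr -a /var/log/auth.log 2>/dev/null || true
    endscript
    postrotate
        # Debian helper that signals rsyslog to reopen its output files.
        /usr/lib/rsyslog/rsyslog-rotate
        # Re-protect the freshly created files.
        chattr +a /var/log/syslog 2>/dev/null || true
        chattr +a /var/log/auth.log 2>/dev/null || true
    endscript
}

# auditd's own log.
# NOTE(review): auditd also rotates this file itself (max_log_file,
# max_log_file_action and num_logs in /etc/audit/auditd.conf).  Two rotation
# mechanisms on the same file double-rotate and disagree about file numbering
# and retention; confirm which one is meant to own rotation here.
/var/log/audit/audit.log {
    su root adm
    daily
    # See the note on maxsize above.
    maxsize 15M
    # 13 daily rotations is about two weeks of audit history; maxage 90 can
    # never trigger with this count.  Confirm this is the intended retention.
    rotate 13
    maxage 90
    missingok
    notifempty
    create 0640 root adm
    compress
    delaycompress
    sharedscripts
    prerotate
        # Append-only blocks rename; drop it before rotation.
        chattr -a /var/log/audit/audit.log 2>/dev/null || true
    endscript
    postrotate
        # Ask auditd to reopen its log rather than restarting the daemon.
        invoke-rc.d auditd rotate >/dev/null 2>&1 || true
        # Re-protect the new file.
        chattr +a /var/log/audit/audit.log 2>/dev/null || true
    endscript
}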
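# Restrict auth.log and syslog to the syslog owner and the adm group.
sudo chown syslog:adm /var/log/auth.log /var/log/syslog
sudo chmod 640 /var/log/auth.log /var/log/syslog
# Append-only: writers can still add lines, but the files cannot be
# truncated, renamed or deleted (even by root) until the attribute is
# cleared.  The logrotate pre/post scripts above clear and re-set it around
# each rotation.
sudo chattr +a /var/log/syslog /var/log/auth.log
# NOTE(review): auditd rotates audit.log by renaming it (auditd.conf
# max_log_file_action); with +a set that rename fails unless auditd's own
# rotation is disabled or logrotate is the only rotator — confirm.
sudo chattr +a /var/log/audit/audit.log
sudo systemctl restart rsyslog
# Dry-run first and only force a real rotation when the config parses
# cleanly; on its own, -f would rotate with whatever logrotate managed to
# read from a broken file.
sudo logrotate --debug /etc/logrotate.d/rsyslog && sudo logrotate -f /etc/logrotate.d/rsyslog
# Confirm ownership/mode and that the append-only flag ('a') is present.
sudo ls -lh /var/log/{auth.log,syslog,audit/}
sudo lsattr /var/log/{auth.log,syslog,audit/audit.log}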
Check the logrotate timer:
# On systemd hosts logrotate runs from this timer rather than cron; verify it
# is active and when it next fires.
sudo systemctl status logrotate.timer
To find the audit events you are interested in, use the filters below. The keys are the ones defined with -k in the /etc/audit/rules.d/hardening.rules file.
Search logs by Key:
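# Filter by rule key.  The key must be one defined with -k in
# /etc/audit/rules.d/hardening.rules (e.g. bash_exec; the original exec_log
# is not defined there and would return nothing).
sudo ausearch -k bash_exec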
Search logs by Username:
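# Same key, narrowed to one account.  -ua matches uid, euid or auid; the
# login uid (auid) survives su/sudo, so commands this user ran through sudo
# are included.  The key must exist in hardening.rules (exec_log does not).
sudo ausearch -k bash_exec -ua vishal.rajput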
Search logs for the root user:
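# Events where uid, euid or auid is 0.  Because -ua also matches euid, this
# includes commands any user ran through sudo, not only root logins.  The key
# must exist in hardening.rules (exec_log does not; bash_exec does).
sudo ausearch -k bash_exec -ua 0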