
FEATURE REQUEST - Secure Log Reader (for Redhat 6.2, /var/log/secure)

This request is to expand important logging for RHEL 6.2.

The default in RHEL 6.2 is that /var/log/secure logs all authpriv.* events.

The purpose of this is to be able to log data to comply with NERC CIP Standards.

CIP-007 R5 - Account Management - The Responsible Entity shall establish, implement, and document technical and procedural controls that enforce access authentication of, and accountability for, all user activity, and that minimize the risk of unauthorized system access.

For the most part, the PAM tool does this well for the following:

   -UserLogon, UserLogoff, UserLogonFailure, UserModifyAttribute (Password Change)

PAM does not catch when you add, modify, or delete a user using these commands:

   -UserAdd, UserMod, UserDel, & chage.

   -GroupAdd, GroupMod, GroupDel

   -This is important so we can keep records of user changes, but also for change management when installing new software. When you install software, it is possible that it will create a new system user or group. This will help with change management, and we can provide evidence and update documentation for any new users.

SSH

   -PAM logs user logons and logoffs for sshd, but if there are other log events that correspond to SSH but not to PAM, they are not logged right now in LEM.

VNC

  -VNC sessions are logged in /var/log/secure, but there are no tools currently that log this.

I am not sure if I have anything else at this point. If anyone has anything to add, please do. I am also fairly new to Linux, so if I am missing any other tools that LEM offers for Linux, please let me know.


Thanks!
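The account-management commands listed in the post (useradd, usermod, userdel, chage, groupadd, groupmod, groupdel) write their own syslog messages, which on RHEL land in /var/log/secure alongside the sshd and PAM lines. The script below is an added example, not code from the poster or from SolarWinds: it parses a constructed sample of /var/log/secure and classifies each line into the event names used in the post (UserAdd, GroupAdd, UserLogonFailure, and so on), so the same data a connector would need to normalize can be reported on directly. The message shapes follow what shadow-utils and sshd write on RHEL 6, but treat the exact wording as an assumption and compare it against your own /var/log/secure before relying on the patterns.

```python
import re
from collections import Counter

# Constructed sample of /var/log/secure (RHEL 6, authpriv.* via rsyslog).
# Message shapes follow what shadow-utils and sshd write to syslog; treat the
# exact wording as an assumption and check it against your own log first.
SAMPLE_SECURE = """\
Mar  3 09:12:01 host1 useradd[4021]: new group: name=deploy, GID=1005
Mar  3 09:12:01 host1 useradd[4021]: new user: name=deploy, UID=1005, GID=1005, home=/home/deploy, shell=/bin/bash
Mar  3 09:12:30 host1 usermod[4030]: add 'deploy' to group 'wheel'
Mar  3 09:13:02 host1 chage[4044]: changed password expiry for deploy
Mar  3 09:15:10 host1 groupadd[4050]: new group: name=audit_rw, GID=1006
Mar  3 09:16:00 host1 groupdel[4061]: group 'audit_rw' removed
Mar  3 09:20:45 host1 userdel[4070]: delete user 'olduser'
Mar  3 09:21:00 host1 sshd[4082]: Accepted publickey for deploy from 10.0.0.5 port 51234 ssh2
Mar  3 09:22:10 host1 sshd[4090]: Failed password for invalid user admin from 10.0.0.9 port 4444 ssh2
"""

# Generic syslog prefix: "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w./-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# (program, message pattern, event name). First match wins, so the specific
# usermod messages sit above the usermod catch-all.
RULES = [(p, re.compile(r), e) for p, r, e in [
    ("useradd",  r"new user: name=(?P<name>[^,]+), UID=(?P<uid>\d+), GID=(?P<gid>\d+)", "UserAdd"),
    ("useradd",  r"new group: name=(?P<name>[^,]+), GID=(?P<gid>\d+)",                "GroupAdd"),
    ("usermod",  r"change user '(?P<name>[^']+)' password",                            "UserModifyAttribute"),
    ("usermod",  r"add '(?P<name>[^']+)' to group '(?P<group>[^']+)'",                 "UserMod"),
    ("usermod",  r"(?P<detail>.+)",                                                    "UserMod"),
    ("userdel",  r"delete user '(?P<name>[^']+)'",                                     "UserDel"),
    ("chage",    r"changed password expiry for (?P<name>\S+)",                          "UserModifyAttribute"),
    ("groupadd", r"new group: name=(?P<name>[^,]+), GID=(?P<gid>\d+)",                "GroupAdd"),
    ("groupmod", r"(?P<detail>.+)",                                                    "GroupMod"),
    # groupdel also logs "... removed from /etc/group"; the $ anchor keeps one event per deletion.
    ("groupdel", r"group '(?P<name>[^']+)' removed$",                                   "GroupDel"),
    ("sshd",     r"Accepted (?P<method>\S+) for (?P<name>\S+) from (?P<ip>\S+)",        "UserLogon"),
    ("sshd",     r"Failed (?P<method>\S+) for (?:invalid user )?(?P<name>\S+) from (?P<ip>\S+)", "UserLogonFailure"),
]]


def classify(program, message):
    """Map one syslog message to an event name plus the fields pulled from it."""
    for prog, pattern, event in RULES:
        if prog == program:
            m = pattern.search(message)
            if m:
                return event, m.groupdict()
    return "Unclassified", {}


def parse_secure(text):
    """Parse /var/log/secure text into a list of event dicts (one per line)."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_LINE.match(line)
        if not m:
            continue  # continuation or non-syslog line
        event, fields = classify(m.group("prog"), m.group("msg"))
        events.append({
            "ts": m.group("ts"), "host": m.group("host"),
            "program": m.group("prog"), "pid": int(m.group("pid")),
            "event": event, "fields": fields,
        })
    return events


def summarize(events):
    """Count events by name, e.g. for a daily account-change report."""
    return Counter(e["event"] for e in events)


if __name__ == "__main__":
    for e in parse_secure(SAMPLE_SECURE):
        print(f"{e['ts']} {e['host']} {e['event']:20} {e['program']} {e['fields']}")
    print(dict(summarize(parse_secure(SAMPLE_SECURE))))
```

Lines that match the syslog prefix but none of the rules come back as "Unclassified" rather than being dropped, which is the set to review when deciding what a connector still misses; a useradd run produces both a GroupAdd (the user private group) and a UserAdd, which is what the change-management evidence described above should record.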

  • Hi, there.

    Have you tried the auditd connector? That level of auditing is not turned on by default in Linux, so you might have to check out your Linux man pages to set that up, but the connector should pick that stuff up once you have it logging on the Linux side.

    If you don't already have the sudo connector configured, you might want to set that one up too. This one tracks authentication events like the PAM connector does, but you might be able to get something more/different if it's of interest.

    Let me know if that helps, and I'll KB it.

    Thanks.
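The reply above points at auditd but leaves the Linux-side setup to the man pages. The following is an added example, not a SolarWinds or Red Hat script: the watch rules that make account and group changes visible in the audit log on RHEL 6 (audit package, persistent rules in /etc/audit/audit.rules), assuming the standard shadow-utils paths under /usr/sbin and /usr/bin. Watches on the account databases catch every tool that edits them, including package scripts that create service accounts; watches on the binaries record who ran them. The shadow-utils tools also emit their own ADD_USER / DEL_USER style records when built with audit support, which is the data the poster sees surfacing as ExtraneousInfo; these rules add the file-level evidence beside it.

```shell
#!/bin/sh
# Added example for RHEL 6 auditd (not SolarWinds' or Red Hat's code).
# Assumed: audit 2.x with auditctl/ausearch, rules file /etc/audit/audit.rules,
# account tools at their standard shadow-utils paths. Nothing below changes the
# system unless install_rules is run as root.

# Print the rule set (audit.rules syntax; lines starting with # are comments).
account_audit_rules() {
    cat <<'EOF'
## identity: any write or attribute change to the account databases
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
## account_tools: execution of the account-management commands
-w /usr/sbin/useradd -p x -k account_tools
-w /usr/sbin/usermod -p x -k account_tools
-w /usr/sbin/userdel -p x -k account_tools
-w /usr/sbin/groupadd -p x -k account_tools
-w /usr/sbin/groupmod -p x -k account_tools
-w /usr/sbin/groupdel -p x -k account_tools
-w /usr/bin/chage -p x -k account_tools
EOF
}

# Number of watch rules in the set; compare with the count that auditctl -l
# reports after loading to confirm nothing was rejected.
count_rules() {
    account_audit_rules | grep -c '^-w'
}

# Persist the rules and reload the daemon (RHEL 6 init script). Run as root.
install_rules() {
    account_audit_rules >> /etc/audit/audit.rules
    service auditd restart
}

# Pull the matching records with uids and timestamps decoded (-i), one key
# per call; this is the evidence trail for an account-change review.
report_identity_changes() {
    ausearch -k identity -i
    ausearch -k account_tools -i
}

# Default action when run directly: show the rules that would be installed.
account_audit_rules
```

After `install_rules`, a test run such as `useradd -r svc_test` followed by `ausearch -k identity -i` should show the PATH and SYSCALL records for /etc/passwd, /etc/shadow, /etc/group and /etc/gshadow under the identity key, plus an EXECVE record for /usr/sbin/useradd under account_tools.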

  • I do also have the auditd connector set up. Right now it basically shows everything as InternalNewToolData. Then in ExtraneousInfo it will show something like USER AUTH or USER ROLE CHANGE, etc.

    I also have sudo set up. This works well, but in the Alert Name it usually shows up as File Execute. I haven't tried, but I could maybe set up a filter to grab those unique commands; it's a lot nicer having the Alert Name be specific to what I am doing so I can run reports or grab the data a little easier.

    I am new to both LEM and Linux so I am still trying to grasp everything. I am just trying to find out the best ways to log all the data that is required. So I will take any input.


    Thanks

  • I believe there might be a case open to update the connectors. #315533, just FYI.


    Also the case open for this FEATURE REQUEST is #317345.

    I was supposed to put that somewhere but I forgot until now.

  • Yeah...if you're seeing the InternalNewToolData alerts, the connector update case is the next step. The feature request case is good too in case the updated connector doesn't get you what you need.

    Thanks for the suggestions.