Red Hat SummitQuesto contenuto non è disponibile nella lingua selezionata.
17.2. Operating System (external to RHCS) Log Settings
17.2.1. Enabling OS-level Audit Logs
Copia collegamentoCollegamento copiato negli appunti!
Warning
All operations in the following sections have to be performed as root or a privileged user via
sudo.
The
auditd logging framework provides many additional audit capabilities. These OS-level audit logs complement functionality provided by Certificate System directly. Before performing any of the following steps in this section, make sure the audit package is installed:
# sudo yum install audit
Auditing of system package updates (using
yum and rpm and including Certificate System) is automatically performed and requires no additional configuration.
Note
After adding each audit rule and restarting the
auditd service, validate the new rules were added by running:
# auditctl -l
The contents of the new rules should be visible in the output.
For instructions on viewing the resulting audit logs, see the Displaying Operating System-level Audit Logs section in the Red Hat Certificate System Administration Guide.
17.2.1.1. Auditing Certificate System Audit Log Deletion
Copia collegamentoCollegamento copiato negli appunti!
To receive audit events for when audit logs are deleted, you need to audit system calls whose targets are Certificate System logs.
Create the file
/etc/audit/rules.d/rhcs-audit-log-deletion.rules with the following contents:
-a always,exit -F arch=b32 -S unlink -F dir=/var/log/pki -F key=rhcs_audit_deletion
-a always,exit -F arch=b32 -S rename -F dir=/var/log/pki -F key=rhcs_audit_deletion
-a always,exit -F arch=b32 -S rmdir -F dir=/var/log/pki -F key=rhcs_audit_deletion
-a always,exit -F arch=b32 -S unlinkat -F dir=/var/log/pki -F key=rhcs_audit_deletion
-a always,exit -F arch=b32 -S renameat -F dir=/var/log/pki -F key=rhcs_audit_deletion
-a always,exit -F arch=b64 -S unlink -F dir=/var/log/pki -F key=rhcs_audit_deletion
-a always,exit -F arch=b64 -S rename -F dir=/var/log/pki -F key=rhcs_audit_deletion
-a always,exit -F arch=b64 -S rmdir -F dir=/var/log/pki -F key=rhcs_audit_deletion
-a always,exit -F arch=b64 -S unlinkat -F dir=/var/log/pki -F key=rhcs_audit_deletion
-a always,exit -F arch=b64 -S renameat -F dir=/var/log/pki -F key=rhcs_audit_deletion
Then restart
auditd:
# service auditd restart17.2.1.2. Auditing Unauthorized Certificate System Use of Secret Keys
Copia collegamentoCollegamento copiato negli appunti!
To receive audit events for all access to Certificate System Secret or Private keys, you need to audit the file system access to the NSS DB.
Create the
/etc/audit/rules.d/rhcs-audit-nssdb-access.rules file with the following contents:
-w /etc/pki/<instance name>/alias -p warx -k rhcs_audit_nssdb
<instance name> is the name of the current instance. For each file (`<file>`) in
/etc/pki/<instance name>/alias, add to /etc/audit/rules.d/rhcs-audit-nssdb-access.rules the following line :
-w /etc/pki/<instance name>/alias/<file> -p warx -k rhcs_audit_nssdb
For example, if the instance name is
pki-ca121318ec and cert8.db, key3.db, NHSM6000-OCScert8.db, NHSM6000-OCSkey3.db, and secmod.db are files, then the configuration file would contain:
-w /etc/pki/pki-ca121318ec/alias -p warx -k rhcs_audit_nssdb
-w /etc/pki/pki-ca121318ec/alias/cert8.db -p warx -k rhcs_audit_nssdb
-w /etc/pki/pki-ca121318ec/alias/key3.db -p warx -k rhcs_audit_nssdb
-w /etc/pki/pki-ca121318ec/alias/NHSM6000-OCScert8.db -p warx -k rhcs_audit_nssdb
-w /etc/pki/pki-ca121318ec/alias/NHSM6000-OCSkey3.db -p warx -k rhcs_audit_nssdb
-w /etc/pki/pki-ca121318ec/alias/secmod.db -p warx -k rhcs_audit_nssdb
Then restart
auditd:
# service auditd restart17.2.1.3. Auditing Time Change Events
Copia collegamentoCollegamento copiato negli appunti!
To receive audit events for time changes, you need to audit a system call access which could modify the system time.
Create the
/etc/audit/rules.d/rhcs-audit-rhcs_audit_time_change.rules file with the following contents:
-a always,exit -F arch=b32 -S adjtimex,settimeofday,stime -F key=rhcs_audit_time_change
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=rhcs_audit_time_change
-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=rhcs_audit_time_change
-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=rhcs_audit_time_change
-a always,exit -F arch=b32 -S clock_adjtime -F key=rhcs_audit_time_change
-a always,exit -F arch=b64 -S clock_adjtime -F key=rhcs_audit_time_change
-w /etc/localtime -p wa -k rhcs_audit_time_change
Then restart
auditd:
# service auditd restart
For instructions on how to set time, see Setting Time and Date in Red Hat Enterprise Linux 7 in the Red Hat Certificate System Administration Guide.
17.2.1.4. Auditing Access to Certificate System Configuration
Copia collegamentoCollegamento copiato negli appunti!
To receive audit events for all modifications to the Certificate System instance configuration files, audit the file system access for these files.
Create the
/etc/audit/rules.d/rhcs-audit-config-access.rules file with the following contents:
-w /etc/pki/instance_name/server.xml -p wax -k rhcs_audit_config
Additionally, add for each subsystem in the
/etc/pki/instance_name/ directory the following contents:
-w /etc/pki/instance_name/subsystem/CS.cfg -p wax -k rhcs_audit_configExample 17.1. rhcs-audit-config-access.rules Configuration File
For example, if the instance name is
pki-ca121318ec and only a CA is installed, the /etc/audit/rules.d/rhcs-audit-config-access.rules file would contain:
-w /etc/pki/pki-ca121318ec/server.xml -p wax -k rhcs_audit_config
-w /etc/pki/pki-ca121318ec/ca/CS.cfg -p wax -k rhcs_audit_config
Note that access to the PKI NSS database is already audited under
rhcs_audit_nssdb.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}