主页
产品
Red Hat Certificate System
9
Planning, Installation, and Deployment Guide (Common Criteria Edition)
13.2. Operating System (external to RHCS) Log Settings

此内容没有您所选择的语言版本。

13.2. Operating System (external to RHCS) Log Settings

13.2.1. Enabling OS-level Audit Logs
复制链接

Warning

All operations in the following sections have to be performed as root or a privileged user via sudo.

The auditd logging framework provides many additional audit capabilities. These OS-level audit logs complement functionality provided by Certificate System directly. Before performing any of the following steps in this section, make sure the audit package is installed:

sudo yum install audit

# sudo yum install audit

Copy to Clipboard

Toggle word wrap

Auditing of system package updates (using yum and rpm and including Certificate System) is automatically performed and requires no additional configuration.

Note

After adding each audit rule and restarting the auditd service, validate the new rules were added by running:

auditctl -l

# auditctl -l

Copy to Clipboard

Toggle word wrap

The contents of the new rules should be visible in the output.

For instructions on viewing the resulting audit logs, see the Displaying Operating System-level Audit Logs in the Red Hat Certificate System Administration Guide (Common Criteria Edition).

13.2.1.1. Auditing Certificate System Audit Log Deletion
复制链接

To receive audit events for when audit logs are deleted, you need to audit system calls whose targets are Certificate System logs.

Create the file /etc/audit/rules.d/rhcs-audit-log-deletion.rules with the following contents:

-a always,exit -F arch=b32 -S unlink -F dir=/var/log/pki -F key=rhcs_audit_deletion
-a always,exit -F arch=b32 -S rename -F dir=/var/log/pki -F key=rhcs_audit_deletion
-a always,exit -F arch=b32 -S rmdir -F dir=/var/log/pki -F key=rhcs_audit_deletion
-a always,exit -F arch=b32 -S unlinkat -F dir=/var/log/pki -F key=rhcs_audit_deletion
-a always,exit -F arch=b32 -S renameat -F dir=/var/log/pki -F key=rhcs_audit_deletion
-a always,exit -F arch=b64 -S unlink -F dir=/var/log/pki -F key=rhcs_audit_deletion
-a always,exit -F arch=b64 -S rename -F dir=/var/log/pki -F key=rhcs_audit_deletion
-a always,exit -F arch=b64 -S rmdir -F dir=/var/log/pki -F key=rhcs_audit_deletion
-a always,exit -F arch=b64 -S unlinkat -F dir=/var/log/pki -F key=rhcs_audit_deletion
-a always,exit -F arch=b64 -S renameat -F dir=/var/log/pki -F key=rhcs_audit_deletion

-a always,exit -F arch=b32 -S unlink -F dir=/var/log/pki -F key=rhcs_audit_deletion
-a always,exit -F arch=b32 -S rename -F dir=/var/log/pki -F key=rhcs_audit_deletion
-a always,exit -F arch=b32 -S rmdir -F dir=/var/log/pki -F key=rhcs_audit_deletion
-a always,exit -F arch=b32 -S unlinkat -F dir=/var/log/pki -F key=rhcs_audit_deletion
-a always,exit -F arch=b32 -S renameat -F dir=/var/log/pki -F key=rhcs_audit_deletion
-a always,exit -F arch=b64 -S unlink -F dir=/var/log/pki -F key=rhcs_audit_deletion
-a always,exit -F arch=b64 -S rename -F dir=/var/log/pki -F key=rhcs_audit_deletion
-a always,exit -F arch=b64 -S rmdir -F dir=/var/log/pki -F key=rhcs_audit_deletion
-a always,exit -F arch=b64 -S unlinkat -F dir=/var/log/pki -F key=rhcs_audit_deletion
-a always,exit -F arch=b64 -S renameat -F dir=/var/log/pki -F key=rhcs_audit_deletion

Copy to Clipboard

Toggle word wrap

Then restart auditd:

service auditd restart

# service auditd restart

Copy to Clipboard

Toggle word wrap

13.2.1.2. Auditing Unauthorized Certificate System Use of Secret Keys
复制链接

To receive audit events for all access to Certificate System Secret or Private keys, you need to audit the file system access to the NSS DB.

Create the /etc/audit/rules.d/rhcs-audit-nssdb-access.rules file with the following contents:

-w /etc/pki/<instance name>/alias -p warx -k rhcs_audit_nssdb

-w /etc/pki/<instance name>/alias -p warx -k rhcs_audit_nssdb

Copy to Clipboard

Toggle word wrap

<instance name> is the name of the current instance. For each file (`<file>`) in /etc/pki/<instance name>/alias, add to /etc/audit/rules.d/rhcs-audit-nssdb-access.rules the following line :

-w /etc/pki/<instance name>/alias/<file> -p warx -k rhcs_audit_nssdb

-w /etc/pki/<instance name>/alias/<file> -p warx -k rhcs_audit_nssdb

Copy to Clipboard

Toggle word wrap

For example, if the instance name is pki-ca121318ec and cert8.db, key3.db, NHSM6000-OCScert8.db, NHSM6000-OCSkey3.db, and secmod.db are files, then the configuration file would contain:

-w /etc/pki/pki-ca121318ec/alias -p warx -k rhcs_audit_nssdb
-w /etc/pki/pki-ca121318ec/alias/cert8.db -p warx -k rhcs_audit_nssdb
-w /etc/pki/pki-ca121318ec/alias/key3.db -p warx -k rhcs_audit_nssdb
-w /etc/pki/pki-ca121318ec/alias/NHSM6000-OCScert8.db -p warx -k rhcs_audit_nssdb
-w /etc/pki/pki-ca121318ec/alias/NHSM6000-OCSkey3.db -p warx -k rhcs_audit_nssdb
-w /etc/pki/pki-ca121318ec/alias/secmod.db -p warx -k rhcs_audit_nssdb

-w /etc/pki/pki-ca121318ec/alias -p warx -k rhcs_audit_nssdb
-w /etc/pki/pki-ca121318ec/alias/cert8.db -p warx -k rhcs_audit_nssdb
-w /etc/pki/pki-ca121318ec/alias/key3.db -p warx -k rhcs_audit_nssdb
-w /etc/pki/pki-ca121318ec/alias/NHSM6000-OCScert8.db -p warx -k rhcs_audit_nssdb
-w /etc/pki/pki-ca121318ec/alias/NHSM6000-OCSkey3.db -p warx -k rhcs_audit_nssdb
-w /etc/pki/pki-ca121318ec/alias/secmod.db -p warx -k rhcs_audit_nssdb

Copy to Clipboard

Toggle word wrap

Then restart auditd:

service auditd restart

# service auditd restart

Copy to Clipboard

Toggle word wrap

13.2.1.3. Auditing Time Change Events
复制链接

To receive audit events for time changes, you need to audit a system call access which could modify the system time.

Create the /etc/audit/rules.d/rhcs-audit-rhcs_audit_time_change.rules file with the following contents:

-a always,exit -F arch=b32 -S adjtimex,settimeofday,stime -F key=rhcs_audit_time_change
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=rhcs_audit_time_change
-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=rhcs_audit_time_change
-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=rhcs_audit_time_change
-a always,exit -F arch=b32 -S clock_adjtime -F key=rhcs_audit_time_change
-a always,exit -F arch=b64 -S clock_adjtime -F key=rhcs_audit_time_change
-w /etc/localtime -p wa -k rhcs_audit_time_change

-a always,exit -F arch=b32 -S adjtimex,settimeofday,stime -F key=rhcs_audit_time_change
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=rhcs_audit_time_change
-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=rhcs_audit_time_change
-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=rhcs_audit_time_change
-a always,exit -F arch=b32 -S clock_adjtime -F key=rhcs_audit_time_change
-a always,exit -F arch=b64 -S clock_adjtime -F key=rhcs_audit_time_change
-w /etc/localtime -p wa -k rhcs_audit_time_change

Copy to Clipboard

Toggle word wrap

Then restart auditd:

service auditd restart

# service auditd restart

Copy to Clipboard

Toggle word wrap

For instructions on how to set time, see Chapter 15. Setting Time and Date in Red Hat Enterprise Linux 7.6 in Red Hat Certificate System's Administration Guide.

13.2.1.4. Auditing Access to Certificate System Configuration
复制链接

To receive audit events for all modifications to the Certificate System instance configuration files, audit the file system access for these files.

Create the /etc/audit/rules.d/rhcs-audit-config-access.rules file with the following contents:

-w /etc/pki/instance_name/server.xml -p wax -k rhcs_audit_config

-w /etc/pki/instance_name/server.xml -p wax -k rhcs_audit_config

Copy to Clipboard

Toggle word wrap

Additionally, add for each subsystem in the /etc/pki/instance_name/ directory the following contents:

-w /etc/pki/instance_name/subsystem/CS.cfg -p wax -k rhcs_audit_config

-w /etc/pki/instance_name/subsystem/CS.cfg -p wax -k rhcs_audit_config

Copy to Clipboard

Toggle word wrap

Example 13.1. rhcs-audit-config-access.rules Configuration File

For example, if the instance name is pki-ca121318ec and only a CA is installed, the /etc/audit/rules.d/rhcs-audit-config-access.rules file would contain:

-w /etc/pki/pki-ca121318ec/server.xml -p wax -k rhcs_audit_config
-w /etc/pki/pki-ca121318ec/ca/CS.cfg -p wax -k rhcs_audit_config

-w /etc/pki/pki-ca121318ec/server.xml -p wax -k rhcs_audit_config
-w /etc/pki/pki-ca121318ec/ca/CS.cfg -p wax -k rhcs_audit_config

Copy to Clipboard

Toggle word wrap

Note that access to the PKI NSS database is already audited under rhcs_audit_nssdb.

返回顶部

此内容没有您所选择的语言版本。

13.2. Operating System (external to RHCS) Log Settings

13.2.1. Enabling OS-level Audit Logs
复制链接

13.2.1.1. Auditing Certificate System Audit Log Deletion
复制链接

13.2.1.2. Auditing Unauthorized Certificate System Use of Secret Keys
复制链接

13.2.1.3. Auditing Time Change Events
复制链接

13.2.1.4. Auditing Access to Certificate System Configuration
复制链接

学习

尝试、购买和销售

社区

关于红帽文档

让开源更具包容性

關於紅帽

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links

此内容没有您所选择的语言版本。

13.2. Operating System (external to RHCS) Log Settings

13.2.1. Enabling OS-level Audit Logs复制链接链接已复制到粘贴板!

13.2.1.1. Auditing Certificate System Audit Log Deletion复制链接链接已复制到粘贴板!

13.2.1.2. Auditing Unauthorized Certificate System Use of Secret Keys复制链接链接已复制到粘贴板!

13.2.1.3. Auditing Time Change Events复制链接链接已复制到粘贴板!

13.2.1.4. Auditing Access to Certificate System Configuration复制链接链接已复制到粘贴板!

学习

尝试、购买和销售

社区

关于红帽文档

让开源更具包容性

關於紅帽

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links

13.2.1. Enabling OS-level Audit Logs
复制链接

13.2.1.1. Auditing Certificate System Audit Log Deletion
复制链接

13.2.1.2. Auditing Unauthorized Certificate System Use of Secret Keys
复制链接

13.2.1.3. Auditing Time Change Events
复制链接

13.2.1.4. Auditing Access to Certificate System Configuration
复制链接