audit service retention time

The check displays the amount of time the audit system is configured to retain audit log files. The audit system will not delete logs until the specified condition has been met. To view the current setting, run the following command:

sudo grep ^expire-after /etc/security/audit_control

If this returns no results, or does not contain 7d or a larger value, this is a finding.

—->
Edit the /etc/security/audit_control file, and change the value for ‘expire-after’ to the amount of time audit logs should be kept for the system. Use the following command to set the ‘expire-after’ value to ‘7d’:

sudo sed -i.bak 's/.*expire-after.*/expire-after:7d/' /etc/security/audit_control; sudo audit -s
# the same command with a one-year retention instead of seven days:
sudo sed -i.bak 's/.*expire-after.*/expire-after:365d/' /etc/security/audit_control; sudo audit -s
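The grep in the check only spots a literal "7d", so a value such as 30d, 2y or the combined form "10M AND 365d" has to be read by eye. The script below is an added example, not part of the original notes: it parses the expire-after line and decides whether the time component is at least seven days. It assumes, per audit_control(5), that the suffixes s, h, d and y are time units and B, k, M and G are sizes, and that two terms can be joined with AND or OR; a size-only value such as a stock 10M therefore yields no retention time at all. The sample files it writes are constructed for the demonstration and are not real system files.

```shell
#!/bin/sh
# Added example, not part of the original notes: decide whether an
# audit_control file satisfies "expire-after of 7d or larger" without
# relying on a literal grep for "7d". Assumption: per audit_control(5),
# the suffixes s, h, d and y denote time, while B, k, M and G denote
# sizes; two terms may be joined with AND / OR. A size-only value such as
# the stock 10M therefore counts as no retention time at all.

# Print the time component of expire-after in seconds; return 1 when the
# directive is absent or carries no time-based term.
expire_after_seconds() {
    line=$(grep '^expire-after:' "$1" 2>/dev/null | head -n 1)
    [ -n "$line" ] || return 1
    for tok in ${line#expire-after:}; do
        num=$(printf '%s\n' "$tok" | sed -n 's/^\([0-9][0-9]*\)[shdy]$/\1/p')
        [ -n "$num" ] || continue
        case "$tok" in
            *s) echo "$num" ;;
            *h) echo $((num * 3600)) ;;
            *d) echo $((num * 86400)) ;;
            *y) echo $((num * 365 * 86400)) ;;
        esac
        return 0
    done
    return 1
}

# Return 0 when retention is at least seven days, 1 otherwise.
retention_ok() {
    secs=$(expire_after_seconds "$1") || return 1
    [ "$secs" -ge $((7 * 86400)) ]
}

# Constructed sample files (not real system files) for the demonstration.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_STOCK="$SAMPLE_DIR/audit_control.stock"      # size-only value
SAMPLE_WEEK="$SAMPLE_DIR/audit_control.week"        # the fix from the notes
SAMPLE_COMBINED="$SAMPLE_DIR/audit_control.combo"   # size AND time
SAMPLE_SHORT="$SAMPLE_DIR/audit_control.short"      # time, but too short

printf 'dir:/var/audit\nflags:lo,aa,ad,fd,fm,-all\nminfree:5\nexpire-after:10M\n' > "$SAMPLE_STOCK"
printf 'dir:/var/audit\nflags:lo,aa,ad,fd,fm,-all\nexpire-after:7d\n' > "$SAMPLE_WEEK"
printf 'dir:/var/audit\nexpire-after:10M AND 365d\n' > "$SAMPLE_COMBINED"
printf 'dir:/var/audit\nexpire-after:48h\n' > "$SAMPLE_SHORT"

for f in "$SAMPLE_STOCK" "$SAMPLE_WEEK" "$SAMPLE_COMBINED" "$SAMPLE_SHORT"; do
    if retention_ok "$f"; then
        printf '%s: ok\n' "${f##*/}"
    else
        printf '%s: FINDING\n' "${f##*/}"
    fi
done
```

Run it as `sh retention_check.sh`; point `retention_ok` at `/etc/security/audit_control` to evaluate a live system. The size-only and 48h samples are reported as findings, the 7d and "10M AND 365d" samples pass.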

//////////////////////

audit service should be configured to immediately print messages to the console
By default, auditd only logs errors to syslog. To see if audit has been configured to print error messages to the console, run the following command:

sudo grep logger /etc/security/audit_warn

If the argument ‘-s’ is missing, or if audit_warn has not been otherwise modified to print errors to the console or send email alerts to the SA and ISSO, this is a finding.

—->

To make auditd log errors to standard error as well as syslogd, run the following command:

sudo sed -i.bak 's/logger -p/logger -s -p/' /etc/security/audit_warn; sudo audit -s

//////////////////////

audit service should shut down the computer if it is unable to audit system events

To view the setting for the audit control system, run the following command:

sudo grep ^policy /etc/security/audit_control | grep ahlt

If there is no result, this is a finding.

—->

Edit the /etc/security/audit_control file, and change the value for policy to include the setting ‘ahlt’. To programmatically do this, run the following command:

sudo sed -i.bak '/^policy/ s/$/,ahlt/' /etc/security/audit_control; sudo audit -s

//////////////////////

Auditing successful and unsuccessful attempts to elevate privileges

The options to configure the audit daemon are located in the /etc/security/audit_control file. To view the current settings, run the following command:

sudo grep ^flags /etc/security/audit_control

If the ‘lo’, ‘ad’, and ‘aa’ options are not set, this is a finding.

—->

To set the audit flags to the recommended setting, run the following command to add the flags ‘lo’, ‘ad’, and ‘aa’ all at once:

sudo sed -i.bak '/^flags/ s/$/,lo,ad,aa/' /etc/security/audit_control; sudo audit -s

A text editor may also be used to implement the required updates to the /etc/security/audit_control file.

//////////////////////

If events associated with non-local administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available.

In order to view the currently configured flags for the audit daemon, run the following command:

sudo grep ^flags /etc/security/audit_control

Administrative actions and changes to configuration settings are logged by way of the ‘ad’ flag. If ‘ad’ is not listed in the result of the check, this is a finding.

—->

To make sure the appropriate flags are enabled for auditing, run the following command:

sudo sed -i.bak '/^flags/ s/$/,ad/' /etc/security/audit_control; sudo audit -s

A text editor may also be used to implement the required updates to the /etc/security/audit_control file.

//////////////////////

auditing privileged functions

In order to view the currently configured flags for the audit daemon, run the following command:

sudo grep ^flags /etc/security/audit_control

Privileged access is logged via the ‘ad’ flag. If ‘ad’ is not listed in the result of the check, this is a finding.

—->

To make sure the appropriate flags are enabled for auditing, run the following command:

sudo sed -i.bak '/^flags/ s/$/,ad/' /etc/security/audit_control; sudo audit -s

A text editor may also be used to implement the required updates to the /etc/security/audit_control file.

more auditing privileged functions

In order to view the currently configured flags for the audit daemon, run the following command:

sudo grep ^flags /etc/security/audit_control

Attempts to log in as another user are logged by way of the ‘lo’ flag. If ‘lo’ is not listed in the result of the check, this is a finding.

—->
To make sure the appropriate flags are enabled for auditing, run the following command:

sudo sed -i.bak '/^flags/ s/$/,lo/' /etc/security/audit_control; sudo audit -s

A text editor may also be used to implement the required updates to the /etc/security/audit_control file.
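The flags checks above (lo, ad, aa), the policy check for ahlt and the audit_warn check for "logger -s" all reduce to "does this directive contain this exact token". The script below is an added example, not part of the original notes, that performs those checks token by token. It assumes, per audit_control(5), that a class in flags may carry a "+" (successes only), "-" (failures only) or "^" (exclude) prefix, so a plain substring grep for "ad" would also accept "-ad", which records only failed events and does not satisfy "successful and unsuccessful attempts"; the exact-token match rejects it. The sample files are constructed for the demonstration (the "hardened" one reflects what the sed commands in the notes produce, including the duplicated classes) and are not real system files.

```shell
#!/bin/sh
# Added example, not part of the original notes: check the flags and
# policy directives of audit_control token by token, and audit_warn for
# the 'logger -s' change. Assumption: per audit_control(5), a class may be
# prefixed with '+' (successes only), '-' (failures only) or '^' (exclude),
# so a substring grep for 'ad' would also accept '-ad', which records only
# failed events and does not meet "successful and unsuccessful attempts".

# Print the comma-separated tokens of a directive, one per line.
directive_tokens() {   # $1 = file, $2 = directive name
    grep "^$2:" "$1" 2>/dev/null | head -n 1 | cut -d: -f2- | tr ',' '\n'
}

# Return 0 only when the token appears exactly (no +/-/^ prefix).
has_token() {          # $1 = file, $2 = directive, $3 = token
    directive_tokens "$1" "$2" | grep -qx "$3"
}

# Print the classes among lo, ad and aa that the flags line does not
# audit unconditionally; empty output means the flags check passes.
missing_flags() {
    out=""
    for class in lo ad aa; do
        has_token "$1" flags "$class" || out="$out${out:+ }$class"
    done
    printf '%s\n' "$out"
}

# Return 0 when policy contains ahlt (halt when auditing is impossible).
policy_halts() {
    has_token "$1" policy ahlt
}

# Return 0 when the logger invocation in audit_warn carries -s.
warn_prints_to_console() {
    grep logger "$1" 2>/dev/null | grep -qE '(^|[[:space:]])-s([[:space:]]|$)'
}

# Constructed sample files (not real system files) for the demonstration.
SAMPLE_DIR=$(mktemp -d)
AC_STOCK="$SAMPLE_DIR/audit_control.stock"        # no ahlt
AC_HARDENED="$SAMPLE_DIR/audit_control.hardened"  # after the sed fixes
AC_NEGATED="$SAMPLE_DIR/audit_control.negated"    # '-ad': failures only
WARN_STOCK="$SAMPLE_DIR/audit_warn.stock"
WARN_FIXED="$SAMPLE_DIR/audit_warn.fixed"

printf 'flags:lo,aa,ad,fd,fm,-all\npolicy:cnt,argv\n' > "$AC_STOCK"
printf 'flags:lo,aa,ad,fd,fm,-all,lo,ad,aa\npolicy:cnt,argv,ahlt\n' > "$AC_HARDENED"
printf 'flags:lo,-ad,aa\npolicy:cnt,argv,ahlt\n' > "$AC_NEGATED"
printf '#!/bin/sh\nlogger -p security.warning "audit warning: $*"\n' > "$WARN_STOCK"
printf '#!/bin/sh\nlogger -s -p security.warning "audit warning: $*"\n' > "$WARN_FIXED"

for f in "$AC_STOCK" "$AC_HARDENED" "$AC_NEGATED"; do
    printf '%s: missing flags [%s]; ahlt %s\n' "${f##*/}" "$(missing_flags "$f")" \
        "$(policy_halts "$f" && echo present || echo ABSENT)"
done
for f in "$WARN_STOCK" "$WARN_FIXED"; do
    printf '%s: console output %s\n' "${f##*/}" \
        "$(warn_prints_to_console "$f" && echo enabled || echo DISABLED)"
done
```

On a live system call `missing_flags /etc/security/audit_control`, `policy_halts /etc/security/audit_control` and `warn_prints_to_console /etc/security/audit_warn`; any non-empty output from the first or a non-zero exit from the other two corresponds to a finding in the checks above.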

links: https://www.scip.ch/en/?labs.20150108
