
System and Security Log Management

Logs record what the system is doing and are of vital importance to system security. Their two main functions are auditing and monitoring: with logs you can diagnose problems, monitor real-time system status, and trace the actions left behind by an attacker.

3.6.1 Log Files

Log files under the log directory /var/log can be read only by the root user. The Dopra Linux log files are as follows:

- audit

  The log file of the audit daemon, which writes the audit records that the kernel generates for application and system activity to disk.

- dlinstall.log/dlrecover.log/dlupgrade.log

  Log files recording system installation, rollback, and upgrade.

- faillog

  A log file recording the number of failed logins caused by an incorrect user name or password. The file is binary (not encrypted), so vi/cat cannot display it; run faillog to view it.

- messages

  A log file recording kernel and system messages. Run vi/cat to view it.

- warn

  A log file recording all warnings and error messages.

- wtmp

  A log file recording all remote and local logins, changes of the system run level, and the time of each change. The file is binary; run last to view it.
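The restriction stated above (log files readable only by root) is worth verifying rather than assuming. The following POSIX shell functions are an added example, not part of the Dopra Linux documentation: they list files under a log directory that are group- or world-readable, or not owned by the expected user. The function names, the --run switch and the directory/owner parameters are introduced here; on a real host you would call check_log_dir /var/log root.

```shell
#!/bin/sh
# Verify that a log directory is readable only by its owner.
# Added example; not part of the Dopra Linux documentation.
# Assumes a POSIX find(1). Directory and owner are parameters so the same
# functions can be pointed at /var/log with owner root on a real host.

# List regular files under $1 whose mode grants read to group (040) or others (004).
world_or_group_readable() {
    find "$1" -type f \( -perm -040 -o -perm -004 \)
}

# List regular files under $1 that are not owned by user $2.
not_owned_by() {
    find "$1" -type f ! -user "$2"
}

# check_log_dir <dir> [owner]: print one "finding: path" line per problem.
# Returns 0 when the directory is clean, 1 when anything was found.
check_log_dir() {
    dir="$1"
    owner="${2:-root}"
    findings=$(
        world_or_group_readable "$dir" | sed 's/^/readable-by-others: /'
        not_owned_by "$dir" "$owner"  | sed 's/^/wrong-owner: /'
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Run against the real log directory only when invoked as: sh log_perms.sh --run
if [ "${1:-}" = "--run" ]; then
    check_log_dir /var/log root
fi
```

The mode test is done with find -perm rather than by parsing ls output, so it behaves the same on GNU and BSD userlands; a non-zero return value makes the check usable from a cron job or a compliance script.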

3.6.2 Real-Time Access Information Recording

Dopra Linux records login and logout events in its logs in real time. For details about how to manage these logs, see section "Configuring the Function of Recording OMU OS Accessing Information in Real Time" in the OMU Administration Guide.

3.6.3 Configuration Guide for the Log Audit Service of Dopra Linux

3.6.3.1 Configuration Commands

The Linux audit subsystem (audit) is a system service that records system call activity and writes the records to files. Its user-space component is the auditd daemon, which writes the audit records to disk.

Audit Configuration Differences Between Dopra Linux and Common Linux

The audit service in Dopra Linux (versions before V200R003C08SPC100) differs from that in common Linux as follows:

- The configuration file paths differ. Dopra Linux uses /etc/auditd.conf and /etc/audit.rules; common Linux uses /etc/audit/auditd.conf and /etc/audit/audit.rules.

- When the audit service is started with the /etc/rc.d/init.d/auditd script, the audit rules are not loaded automatically by default. To have the rules reloaded after a restart, edit /etc/rc.d/init.d/auditd manually; see the Configuration Guide below for the procedure.

Querying Audit Service Status

The enabled value reported by auditctl -s can be 0, 1, or 2 on the RTOS system, and 0 or 1 on Dopra Linux.

Jasper ~ # auditctl -s

AUDIT_STATUS: enabled=1 flag=1 pid=14886 rate_limit=0 backlog_limit=64 lost=0 backlog=0

Jasper ~ #

enabled=1: auditing is enabled. enabled=0: auditing is disabled.

enabled=2: auditing is enabled and the rule set is locked; rules cannot be added or deleted until the system is restarted.

After a normal startup the default is enabled=1. Run auditctl -e 1 to set enabled to 1.

Jasper ~ # auditctl -s

AUDIT_STATUS: enabled=1 flag=1 pid=14886 rate_limit=0 backlog_limit=64 lost=0 backlog=0

Jasper ~ # auditctl -e 2

AUDIT_STATUS: enabled=2 flag=1 pid=14886 rate_limit=0 backlog_limit=64 lost=0 backlog=0

Jasper ~ # auditctl -a entry,always -S umask

Error sending add rule request (Operation not permitted) --> When enabled is 2, rules cannot be edited.
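As an added example, not part of the Dopra Linux documentation, the following POSIX shell functions parse the AUDIT_STATUS line shown above and map the enabled value to the action this page prescribes (1: nothing to do; 0: run auditctl -e 1; 2: locked until reboot). They also flag a non-zero lost counter, which means the kernel dropped records because the backlog was full. Accepting the newer multi-line "enabled N" output format of auditctl -s is an assumption beyond this page, and the check_audit_status wrapper and its --run switch are names introduced here. The same check is what Step 5 of the Configuration Guide below asks for.

```shell
#!/bin/sh
# Interpret the enabled flag reported by "auditctl -s".
# Added example; not part of the Dopra Linux documentation.
# Assumes either the one-line "AUDIT_STATUS: enabled=N ... lost=N ..." format
# shown on this page or the newer multi-line "enabled N" / "lost N" format.

# Print the integer after "enabled=" or on the "enabled N" line; empty if absent.
audit_enabled_value() {
    printf '%s\n' "$1" | sed -n \
        -e 's/.*enabled=\([0-9][0-9]*\).*/\1/p' \
        -e 's/^enabled \([0-9][0-9]*\).*/\1/p'
}

# Print the number of records the kernel dropped ("lost=N" or "lost N").
audit_lost_count() {
    printf '%s\n' "$1" | sed -n \
        -e 's/.*lost=\([0-9][0-9]*\).*/\1/p' \
        -e 's/^lost \([0-9][0-9]*\).*/\1/p'
}

# Map the enabled value to the operator action this page prescribes.
audit_status_action() {
    case "$(audit_enabled_value "$1")" in
        1) echo "ok" ;;
        0) echo "run: auditctl -e 1" ;;
        2) echo "locked: rules immutable until reboot" ;;
        *) echo "unknown: enabled field not found" ;;
    esac
}

# Full report for one status text: the action, plus a warning when records were lost.
# Returns 0 only when auditing is on (enabled 1 or 2) and nothing was dropped.
audit_status_report() {
    action=$(audit_status_action "$1")
    lost=$(audit_lost_count "$1")
    echo "$action"
    if [ -n "$lost" ] && [ "$lost" -gt 0 ]; then
        echo "warning: kernel dropped $lost audit records (raise -b / backlog_limit)"
        return 1
    fi
    case "$action" in
        ok|locked*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Live check (hypothetical wrapper name): run auditctl -s on this host.
check_audit_status() {
    audit_status_report "$(auditctl -s 2>&1)"
}

# Run the live check only when invoked as: sh audit_status.sh --run
if [ "${1:-}" = "--run" ]; then
    check_audit_status
fi
```

Treating lost>0 as a failure matters for the audit trail: a rule set that is loaded but silently dropping events gives a false sense of coverage, and the fix is the -b buffer setting discussed in the rules file below.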

Query Existing Rules

auditctl -l

Deleting All Audit Rules at a Time

auditctl -D

Adding an Audit Rule

auditctl -a entry,always -S umask -k umask --> Add an audit rule for the umask system call, tagged with the key umask.

Deleting an Audit Rule

auditctl -d entry,always -S umask -k umask --> Delete the audit rule for the umask system call with the key umask.

Adding Audit Rules in Batches

auditctl -R /etc/audit.rules --> Load every rule in the file. The argument can be any path to a text file containing auditctl rule arguments, one rule per line.

Stopping the auditd Service Process

killall auditd or

/etc/rc.d/init.d/auditd stop

Starting the auditd Service Process

startproc /sbin/auditd or

/etc/rc.d/init.d/auditd start

Querying the auditd Service Process Status

/etc/rc.d/init.d/auditd status

Checking Whether Recording Is Enabled for the auditd Service

auditctl -s

If "enabled=1" is displayed, recording is enabled.

3.6.3.2 Configuration Guide

This section describes how to configure the audit service.

Procedure

Step 1 Create the default configuration files of the audit service.

Jasper ~ # mkdir /etc/audit/

Jasper ~ # cp /etc/auditd.conf /etc/audit/auditd.conf

Jasper ~ # cp /etc/audit.rules /etc/audit/audit.rules

Step 2 Edit the rule file /etc/audit/audit.rules.

You can select interesting audit rules from the following samples:

# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.

# First rule - delete all
-D

# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 256

# Feel free to add below this line. See auditctl man page

## Audit the audit logs.
## successful and unsuccessful attempts to read information from the
## audit records; all modifications to the audit trail
-w /var/log/audit/ -k auditlog

## Monitor for use of audit management tools
-w /sbin/auditctl -p x -k audittools
-w /sbin/auditd -p x -k audittools

## changes to the time
-a exit,always -F arch=b32 -S adjtimex -S settimeofday -S stime -S clock_settime -k time
-a exit,always -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k time

## umask
-a entry,always -S umask -k umask

## cron configuration & scheduled jobs
-w /etc/crontab -p rwax -k cron

## user, group, password databases
-w /etc/group -p rwax -k etcgroup
-w /etc/passwd -p rwax -k etcpasswd
-w /etc/shadow -k etcpasswd

## monitor usage of passwd
-w /usr/bin/passwd -p x -k passwd_modification

## login configuration and information
-w /etc/login.defs -p rwax -k login
-w /etc/securetty -p rwax -k login

## network configuration
-w /etc/hosts -p rwax -k hosts
-w /etc/sysconfig/network -p rwax -k network

## system startup scripts
-w /etc/inittab -p rwax -k init

## kernel parameters
-w /etc/sysctl.conf -p rwax -k sysctl

## modprobe configuration
-w /etc/modprobe.conf -p rwax -k modprobe

## pam configuration
-w /etc/pam.d/ -p rwax -k pam

## ssh configuration
-w /etc/ssh/sshd_config -k sshd

## changes to hostname
-a exit,always -F arch=b32 -S sethostname -k hostname
-a exit,always -F arch=b64 -S sethostname -k hostname

## changes to issue
-w /etc/issue -p rwax -k etcissue
-w /etc/issue.net -p rwax -k etcissue

Step 3 Edit the startup script of the audit service so that the rules are loaded automatically after a restart. Open /etc/rc.d/init.d/auditd with vi and add the line beginning with test -f /etc/audit/audit.rules after the block that starts the daemon, as shown below (skip this step if the line already exists):

case "$1" in
    start)
        echo -n "Starting RPC auditd daemon"
        auditd_pid=`pidof auditd`
        if [[ -z ${auditd_pid} ]]
        then
            $AUDITD_BIN
            if [[ $? -ne 0 ]]
            then
                rc_failed 1
            else
                rc_failed 0
            fi
        else
            rc_failed 0
        fi
        test -f /etc/audit/audit.rules && /sbin/auditctl -R /etc/audit/audit.rules >/dev/null
        # Remember status and be verbose
        rc_status -v

Step 4 Restart the audit service.

/etc/rc.d/init.d/auditd restart

Step 5 Check whether audit log recording is enabled.

Run the auditctl -s command and check the value of enabled. If the value is 1, log recording is enabled.

If the value is not 1, run the auditctl -e 1 command to enable log recording.

----End
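Because the init script loads the rules only if Step 3 was done correctly, a practitioner should also confirm after every restart that the rules in /etc/audit/audit.rules are actually in the kernel. The following POSIX shell functions are an added example, not part of the Dopra Linux documentation: they extract the keys (-k NAME) from a rules file and report any key that does not appear in the loaded rule list. Comparing by key rather than by full rule text is a deliberate choice, because the output format of auditctl -l differs between auditctl versions (older ones print "key=NAME", newer ones print the rule syntax with "-k NAME" or "-F key=NAME"); that both formats are covered is an assumption beyond this page, and the check_loaded_rules wrapper and --run switch are names introduced here.

```shell
#!/bin/sh
# Audit-rule drift check: every key named with -k in the rules file must appear
# in the kernel's loaded rule list.  Added example; not part of the Dopra Linux
# documentation.  Assumes rules use the auditctl syntax shown above and that
# "auditctl -l" shows each rule's key as "key=NAME" (older auditctl) or as
# "-k NAME" / "-F key=NAME" (newer auditctl).

# rule_keys: read rules on stdin, print each distinct key named with -k, sorted.
# Comments are stripped first so a commented-out rule is not counted.
rule_keys() {
    sed -e 's/#.*//' |
    grep -- '-k ' |
    sed -n 's/.*-k[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p' |
    sort -u
}

# loaded_keys: read "auditctl -l" output on stdin, print distinct keys, sorted.
loaded_keys() {
    sed -n \
        -e 's/.*key=\([^[:space:]]*\).*/\1/p' \
        -e 's/.*-k[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p' |
    sort -u
}

# missing_keys <rules-file> <loaded-list-file>: print keys that the rules file
# defines but the loaded list lacks.  Returns 0 if nothing is missing, 1 otherwise.
missing_keys() {
    want=$(mktemp) || return 2
    have=$(mktemp) || { rm -f "$want"; return 2; }
    rule_keys   < "$1" > "$want"
    loaded_keys < "$2" > "$have"
    comm -23 "$want" "$have"
    n=$(comm -23 "$want" "$have" | wc -l | tr -d ' ')
    rm -f "$want" "$have"
    [ "$n" -eq 0 ]
}

# Live check (hypothetical wrapper name): compare a rules file with what the
# running kernel has loaded, as reported by auditctl -l.
check_loaded_rules() {
    loaded=$(mktemp) || return 2
    auditctl -l > "$loaded" 2>/dev/null
    missing_keys "$1" "$loaded"
    rc=$?
    rm -f "$loaded"
    return $rc
}

# Run the live check only when invoked as: sh audit_drift.sh --run [rules-file]
if [ "${1:-}" = "--run" ]; then
    check_loaded_rules "${2:-/etc/audit/audit.rules}"
fi
```

A key that is present proves only that at least one rule carrying that key was loaded, not that every rule with that key was; rules without a -k are not checked at all, which is one more reason to give every rule a key as the sample file above does.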

Important Notes

Every audit rule adds work that the kernel performs on top of normal processing, so audit rules degrade system performance. Delete unnecessary rules and keep the rule set as small as site requirements allow to limit the performance cost.
