In questo post ed in quest’altro ho illustrato, rispettivamente, come configurare Nagios, NRDP e swatch per la ricezione dei check passivi e dei security alert.
Adesso vedremo come fare a monitorare in modo proattivo le regole di auditing definite in precedenza mediante il tool auditd (vedi qui per ulteriori dettagli).
In soldoni, la configurazione si avvale di due passaggi:
1) creazione di un file da dare in pasto a swatch, nel quale sono definite le espressioni regolari in grado di identificare in modo univoco ciascun evento di auditing;
2) definizione dei servizi di Nagios per la ricezione dei check passivi.
Ecco uno stralcio della configurazione di swatch:
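# /etc/swatchaudit.conf - swatch rules that turn auditd rule hits into Nagios
# passive check results via NRDP.
#
# Each watchfor block matches the key of an auditd rule in a line of
# audit.log and submits a WARNING result (--state=1) for the Nagios service
# of the same name. The --service value must match the service_description
# of the passive service on the Nagios side character for character, otherwise
# Nagios logs that the service could not be found and drops the result; every
# rule here therefore reports to "<rule key> auditing rule". The --output
# value carries the matched line plus "<key>=1" as performance data.
#
# Review notes:
# - The NRDP token is stored in clear text in this file and is sent over
#   plain http; keep the file readable by root only (swatch runs as root) and
#   prefer an https NRDP URL when the Nagios server offers one.
# - The matched line ($_, as used here) is substituted into the command before
#   the shell runs it. Audit records can contain quote characters (e.g. in
#   name= fields), which can break the single-quoted --output argument; keep
#   the watchfor patterns tied to the rule keys and test with real records.
# - "echo" prints the matched line to swatch's stdout; it helps when running
#   in the foreground and is harmless under --daemon.

#time_changes auditing rule
watchfor /time_changes/
    echo
    exec "/usr/bin/php /usr/lib64/nagios/plugins/send_nrdp.php --url\=http://192.168.1.1/nrdp --token\=s3cr3t --host\=localhost --state\=1 --service\='time_changes auditing rule' --output\='$_ | time_changes\=1'"

#system_locale_changes auditing rule
watchfor /system_locale_changes/
    echo
    exec "/usr/bin/php /usr/lib64/nagios/plugins/send_nrdp.php --url\=http://192.168.1.1/nrdp --token\=s3cr3t --host\=localhost --state\=1 --service\='system_locale_changes auditing rule' --output\='$_ | system_locale_changes\=1'"

#shadow_changes auditing rule
# --service renamed from 'shadow-file auditing rule' to match the Nagios
# service_description 'shadow_changes auditing rule'.
watchfor /shadow_changes/
    echo
    exec "/usr/bin/php /usr/lib64/nagios/plugins/send_nrdp.php --url\=http://192.168.1.1/nrdp --token\=s3cr3t --host\=localhost --state\=1 --service\='shadow_changes auditing rule' --output\='$_ | shadow_changes\=1'"

#passwd_changes auditing rule
# Nagios needs a passive service named 'passwd_changes auditing rule' for this
# result to be accepted.
watchfor /passwd_changes/
    echo
    exec "/usr/bin/php /usr/lib64/nagios/plugins/send_nrdp.php --url\=http://192.168.1.1/nrdp --token\=s3cr3t --host\=localhost --state\=1 --service\='passwd_changes auditing rule' --output\='$_ | passwd_changes\=1'"

#group_changes auditing rule
watchfor /group_changes/
    echo
    exec "/usr/bin/php /usr/lib64/nagios/plugins/send_nrdp.php --url\=http://192.168.1.1/nrdp --token\=s3cr3t --host\=localhost --state\=1 --service\='group_changes auditing rule' --output\='$_ | group_changes\=1'"

#sudoers_changes auditing rule
watchfor /sudoers_changes/
    echo
    exec "/usr/bin/php /usr/lib64/nagios/plugins/send_nrdp.php --url\=http://192.168.1.1/nrdp --token\=s3cr3t --host\=localhost --state\=1 --service\='sudoers_changes auditing rule' --output\='$_ | sudoers_changes\=1'"

#selinux_changes auditing rule
watchfor /selinux_changes/
    echo
    exec "/usr/bin/php /usr/lib64/nagios/plugins/send_nrdp.php --url\=http://192.168.1.1/nrdp --token\=s3cr3t --host\=localhost --state\=1 --service\='selinux_changes auditing rule' --output\='$_ | selinux_changes\=1'"

#module_insertion auditing rule
watchfor /module_insertion/
    echo
    exec "/usr/bin/php /usr/lib64/nagios/plugins/send_nrdp.php --url\=http://192.168.1.1/nrdp --token\=s3cr3t --host\=localhost --state\=1 --service\='module_insertion auditing rule' --output\='$_ | module_insertion\=1'"

# The five rules below used to submit to '<key> auditing rules' (plural) while
# the Nagios services are named '<key> auditing rule'; the names now agree.

#webserver_watch_tmp auditing rule
watchfor /webserver_watch_tmp/
    echo
    exec "/usr/bin/php /usr/lib64/nagios/plugins/send_nrdp.php --url\=http://192.168.1.1/nrdp --token\=s3cr3t --host\=localhost --state\=1 --service\='webserver_watch_tmp auditing rule' --output\='$_ | webserver_watch_tmp\=1'"

#sshd_config auditing rule
watchfor /sshd_config/
    echo
    exec "/usr/bin/php /usr/lib64/nagios/plugins/send_nrdp.php --url\=http://192.168.1.1/nrdp --token\=s3cr3t --host\=localhost --state\=1 --service\='sshd_config auditing rule' --output\='$_ | sshd_config\=1'"

#httpd_config auditing rule
watchfor /httpd_config/
    echo
    exec "/usr/bin/php /usr/lib64/nagios/plugins/send_nrdp.php --url\=http://192.168.1.1/nrdp --token\=s3cr3t --host\=localhost --state\=1 --service\='httpd_config auditing rule' --output\='$_ | httpd_config\=1'"

#ntp_config auditing rule
watchfor /ntp_config/
    echo
    exec "/usr/bin/php /usr/lib64/nagios/plugins/send_nrdp.php --url\=http://192.168.1.1/nrdp --token\=s3cr3t --host\=localhost --state\=1 --service\='ntp_config auditing rule' --output\='$_ | ntp_config\=1'"

#iptables_config auditing rule
watchfor /iptables_config/
    echo
    exec "/usr/bin/php /usr/lib64/nagios/plugins/send_nrdp.php --url\=http://192.168.1.1/nrdp --token\=s3cr3t --host\=localhost --state\=1 --service\='iptables_config auditing rule' --output\='$_ | iptables_config\=1'"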
Il comando da lanciare per rendere operativo il suddetto applicativo (che magari potremo inserire anche all’interno del file /etc/rc.local per l’avvio automatico dopo ogni riavvio della macchina) è il seguente:
# Start swatch as a daemon: -c names the rule file above, -t tails the audit
# log that auditd writes. The rule file carries the NRDP token in clear text,
# so keep it readable by root only. auditd rotates audit.log; check that the
# tail mode swatch uses re-opens the file after a rotation, otherwise events
# logged after the rotation are missed without any error.
swatch -c /etc/swatchaudit.conf -t /var/log/audit/audit.log --daemon
Di seguito, invece, riporto la configurazione dell’host di Nagios (localhost) per il quale occorre monitorare gli eventi di auditing:
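# Passive services for the auditd rules reported by swatch through NRDP.
#
# Every auditing rule gets one volatile, passive-only service. The settings
# shared by all of them live in the auditing-rule-service template (register 0,
# so Nagios does not create a service out of the template itself); each real
# service only names its rule. The service_description must match the
# --service value submitted by the matching swatch exec line character for
# character, otherwise Nagios logs that the service could not be found and
# drops the result. A passwd_changes service is included because the swatch
# configuration submits results for that rule as well.
#
# Notes on the template settings:
# - is_volatile 1 with max_check_attempts 1: each submitted non-OK result is
#   handled as a new event (logged and notified) even when the state does not
#   change, which is what you want for one alert per audit hit.
# - check_freshness 1 with freshness_threshold 6 (seconds): when no passive
#   result has arrived for 6 seconds, Nagios runs check_command itself.
#   check_passive is defined outside this file, so confirm that the state it
#   returns is the one the service should fall back to after an alert.
# - check_command is mandatory for every service even with active checks
#   disabled; here it is only ever run by the freshness check.
define service{
        name                    auditing-rule-service
        use                     local-service
        host_name               localhost
        check_command           check_passive
        passive_checks_enabled  1
        active_checks_enabled   0
        max_check_attempts      1
        is_volatile             1
        check_freshness         1
        freshness_threshold     6
        flap_detection_enabled  0
        register                0
        }

define service{
        use                     auditing-rule-service
        service_description     time_changes auditing rule
        }

define service{
        use                     auditing-rule-service
        service_description     system_locale_changes auditing rule
        }

define service{
        use                     auditing-rule-service
        service_description     shadow_changes auditing rule
        }

define service{
        use                     auditing-rule-service
        service_description     passwd_changes auditing rule
        }

define service{
        use                     auditing-rule-service
        service_description     group_changes auditing rule
        }

define service{
        use                     auditing-rule-service
        service_description     sudoers_changes auditing rule
        }

define service{
        use                     auditing-rule-service
        service_description     selinux_changes auditing rule
        }

define service{
        use                     auditing-rule-service
        service_description     module_insertion auditing rule
        }

define service{
        use                     auditing-rule-service
        service_description     webserver_watch_tmp auditing rule
        }

define service{
        use                     auditing-rule-service
        service_description     sshd_config auditing rule
        }

define service{
        use                     auditing-rule-service
        service_description     httpd_config auditing rule
        }

define service{
        use                     auditing-rule-service
        service_description     ntp_config auditing rule
        }

define service{
        use                     auditing-rule-service
        service_description     iptables_config auditing rule
        }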
Come al solito, lanciamo un reload di Nagios per rendere operative le suddette modifiche:
[root@linuxbox ~]# service nagios reload
ed abbiamo finito.
Alla prossima.