Add free search for your website. Sign up now! https://webveta.alightservices.com/
Categories
Linux Security

Some important log management techniques on Linux – AuditD

In my continued pursuit of strengthening the security infrastructure at my own startup – ALight Technology And Services Limited, I have written few blog articles in the past regarding securing web applications, importance of audit, logs – part of the NIST Cyber Security Framework. This blog post talks about some things I have done on AWS infrastructure. While running a company with no other employees and while being the target of state-sponsored / state-trained hackers, I ended up learning a lot and now I have dabbled in pretty much everything in computing (expert at development, learning system administration, infosec etc… as part of running my own startup).

  1. I created a base Ubuntu image by enabling ufw, installed auditd, installed cloudwatch log agent, closing unnecessary ports, some custom alerters as soon as a SSH login happens etc… I call this AMI the golden AMI. I also update the golden AMI every few months. The advantage of using a golden AMI like this is any EC2 instance you would launch would have these in place.
  2. I am using ELK stack along with Cloudwatch logs and S3 for logs. ELK stack for log analysis i.e logs are stored for a shorter period, Cloudwatch logs for various other reasons, (can’t disclose) and finally S3 glacier for longer term retention.
  3. With the above mentioned setup, if an incident happens, all the necessary logs would in place for analysis.

I wanted to give a quick introduction to Cloudwatch log agent, AuditD as part of this blog post.

Cloudwatch log agent:

A small piece of software that ingests logs into AWS Cloudwatch. https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/QuickStartEC2Instance.html

The setup needs IAM role with proper permissions, more details are at the above mentioned link.

On Ubuntu the logs config is stored at:

/var/awslogs/etc/awslogs.conf

The configuration file is very simple and straightforward.

I would suggest ingesting all the ubuntu system logs along with auditd logs and create a golden AMI.

AuditD:

This is a nice audit tool for Linux capable of auditing a lot of things.

Installation:

sudo apt update
sudo apt-get install auditd
sudo systemctl enable auditd
sudo systemctl start auditd

The configuration and rules are stored at /etc/audit. The config file is auditd.conf, rules should be in audit.rules.

The configuration file is self-explanatory.

There are no default rules.

But thankfully there is a github repo with several rule templates for meeting several compliance standards such as PCI. The PCI rules are at: https://github.com/linux-audit/audit-userspace/blob/master/rules/30-pci-dss-v31.rules

Several rule files are located in the same repository:

https://github.com/linux-audit/audit-userspace/tree/master/rules

Stay safe & secure! Stay away from hac#?ers / ransom thieves.

Happy computing!

Mr. Kanti Kalyan Arumilli

Arumilli Kanti Kalyan, Founder & CEO
Arumilli Kanti Kalyan, Founder & CEO

B.Tech, M.B.A

Facebook

LinkedIn

Threads

Instagram

Youtube

Founder & CEO, Lead Full-Stack .Net developer

ALight Technology And Services Limited

ALight Technologies USA Inc

Youtube

Facebook

LinkedIn

Phone / SMS / WhatsApp on the following 3 numbers:

+91-789-362-6688, +1-480-347-6849, +44-07718-273-964

+44-33-3303-1284 (Preferred number if calling from U.K, No WhatsApp)

kantikalyan@gmail.com, kantikalyan@outlook.com, admin@alightservices.com, kantikalyan.arumilli@alightservices.com, KArumilli2020@student.hult.edu, KantiKArumilli@outlook.com and 3 more rarely used email addresses – hardly once or twice a year.