SIEM (InsightIDR) - auditd Compatibility Mode for Linux Assets
SIEM (InsightIDR) requires you to configure auditd Compatibility Mode for Linux Assets for the normal deployment of the Rapid7 Agent (Insight Agent).
In order for SIEM (InsightIDR) to monitor specific file paths on your Linux machine, you must configure auditd Compatibility Mode with slight modifications. This Compatibility Mode is necessary to configure File Integrity Monitoring (FIM) for Linux, or if you have other FIM agents besides Insight products that need to read from the audit.log to generate FIM events.
Requirements
This implementation can increase log size
Implementing this auditd Compatibility Mode results in larger audit.log files. As a consequence, the performance and bandwidth usage of your asset could increase, depending on the audit events captured.
To configure auditd Compatibility Mode, your Linux host must meet the following requirements:
- Your installed Rapid7 Agent (Insight Agent) must be on version 2.5.0.3 or later.
- The af_unix plugin for audispd must be available and not used by other clients. Because af_unix can only take a single client, the plugin must be available solely for Compatibility Mode use.
- auditd must be restarted and running after implementing auditd Compatibility Mode.
Considerations for Red Hat Enterprise Linux
If your Linux asset uses Red Hat Enterprise Linux (RHEL) version 8 or newer, consider these differences:
- You must install audispd-plugins manually (it’s not included by default).
- audispd.conf does not exist. Instead, it’s controlled by a file located at /etc/audit/auditd.conf. You don’t need to edit this file to set q_depth to 8192.
- af_unix is moved to a new location.
Install audispd plugins
If you use RHEL 8, you must install audispd-plugins manually.
To install audispd-plugins:
- On the asset, stop the auditd service using either systemctl stop auditd or service auditd stop, then stop the agent service with systemctl stop ir_agent.
- Install audispd-plugins with this command: yum install audispd-plugins
Configuration File Modifications
This procedure involves editing and saving the following audit service and configuration files:
- audit.rules
- audispd.conf
- af_unix.conf
- audit.conf
Configure audit.rules
There are two ways to configure the audit.rules file, based on the status of the augenrules script:
If the augenrules script is active:
Configure the audit.rules file inside the /etc/audit/rules.d directory. To do so, apply the guidance from this Linux manual page: https://man7.org/linux/man-pages/man8/augenrules.8.html .
This action prevents merging issues, since the contents of /etc/audit/rules.d merge with the contents of /etc/audit/audit.rules when the augenrules script is active.
If the augenrules script is not active:
Directly edit /etc/audit/audit.rules.
# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.
# First rule - delete all
-D
# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 8192
# DO NOT BLOCK THE FOLLOWING EVENTS
# USER_AUTH
# USER_START
# USER_END
# USER_LOGIN
# USER_LOGOUT
# ADD_USER
# DEL_USER
# ADD_GROUP
# DEL_GROUP
# SERVICE_START
# SERVICE_STOP
# SYSCALL
# EXECVE
# REQUIRED (for Rapid7 Agent (Insight Agent)): watch for execve syscalls, change to arch=b32 for 32 bit systems
-a always,exit -F arch=b64 -S execve -F key=execve
# Feel free to add additional rules below this line. See auditctl man page
Audit rules
The -a always,exit -F arch=b64 -S execve -F key=execve audit rule shown here is the minimum rule required by the Rapid7 Agent (Insight Agent). You may add further audit rule lines as needed, for example to configure File Integrity Monitoring (FIM) or to meet other auditing requirements for tracking activity.
Configure audispd.conf
Skip this step on Audit 3.0 and newer
This step is necessary only for versions of Audit older than 3.0. audispd is included with auditd on some new distributions of Linux. Confirm whether audispd-plugins is installed.
Edit the audispd.conf file in this directory: /etc/audisp/audispd.conf
#
# This file controls the configuration of the audit event
# dispatcher daemon, audispd.
#
q_depth = 8192
overflow_action = SYSLOG
priority_boost = 4
max_restarts = 10
name_format = HOSTNAME
Configure af_unix.conf
Version 3.1.1 bug
Audit 3.1.1 introduced a bug that caused messages to be corrupted in binary format. This impacts all events from the Rapid7 Agent (Insight Agent), meaning that none of them are sent to the platform.
We recommend updating the Rapid7 Agent (Insight Agent) to any version above 4.0.8 and using the string output format of the af_unix plugin, which is supported from this version onwards.
- Edit the af_unix.conf file in this directory: /etc/audisp/plugins.d/af_unix.conf. On Audit 3.0+, edit /etc/audit/plugins.d/af_unix.conf instead.
# This file controls the configuration of the
# af_unix socket plugin. It simply takes events
# and writes them to a unix domain socket. This
# plugin can take 2 arguments, the path for the
# socket and the socket permissions in octal.
active = yes
direction = out
path = builtin_af_unix
type = builtin
args = 0600 /var/run/audispd_events
format = string
- After completing these modifications, start the auditd service with the following command:
service auditd start
- Next, verify that you have configured the rules correctly with the following command:
auditctl -l
- Different kernel versions may have minor differences in output. This is an example of how the command results should look:
root@ubuntu:~# auditctl -l
-a always,exit -F arch=b64 -S execve -F key=execve
Configure audit.conf
Finally, you must create a file in the agent installation directory to manually activate the auditd Compatibility Mode:
- Navigate to your /opt/rapid7/ir_agent/components/insight_agent/common/ directory.
- Create a new file and name it audit.conf.
- Open the file with the editing tool of your choice and add the following line:
{"auditd-compatibility-mode":true}
- Save and close the file.
- Restart the agent service so that the Compatibility Mode can take effect.
- Verify the configuration by modifying a file in the directory you set to monitor. Within 5-7 minutes, you should see an event in the File Modification Activity > Endpoint Agents log.
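As an added example that is not Rapid7's code or part of this page, the following shell script checks the three files edited in the procedure above (af_unix.conf, audit.rules and the agent's audit.conf) for the settings this page requires. It runs here against constructed sample files; the functions take a file path, so they can also be pointed at the real files on a host.

```shell
#!/bin/sh
# Added example (not Rapid7's code): checks the three files this page has you
# edit for Compatibility Mode. File paths are arguments, so it runs here on
# constructed sample files and can be pointed at the real files on a host.

# Print the value of "key = value" from an audispd-style config file.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# af_unix.conf: every setting the page requires, including the string
# output format that avoids the Audit 3.1.1 binary-corruption bug.
check_af_unix() {
    [ "$(conf_get "$1" active)" = "yes" ]       || { echo "active must be yes"; return 1; }
    [ "$(conf_get "$1" direction)" = "out" ]    || { echo "direction must be out"; return 1; }
    [ "$(conf_get "$1" type)" = "builtin" ]     || { echo "type must be builtin"; return 1; }
    [ "$(conf_get "$1" format)" = "string" ]    || { echo "format must be string"; return 1; }
    [ "$(conf_get "$1" args)" = "0600 /var/run/audispd_events" ] \
        || { echo "args must be '0600 /var/run/audispd_events'"; return 1; }
}

# audit.rules: the minimum execve rule (arch=b64, or b32 on 32-bit systems).
check_execve_rule() {
    grep -Eq '^-a always,exit -F arch=b(64|32) -S execve -F key=execve' "$1"
}

# audit.conf in the agent directory: the flag that activates the mode.
check_audit_conf() {
    grep -Eq '^\{[[:space:]]*"auditd-compatibility-mode"[[:space:]]*:[[:space:]]*true[[:space:]]*\}$' "$1"
}

# Constructed sample files (not captured from a real host).
tmp=$(mktemp -d)
printf '%s\n' 'active = yes' 'direction = out' 'path = builtin_af_unix' \
    'type = builtin' 'args = 0600 /var/run/audispd_events' 'format = string' > "$tmp/af_unix.conf"
printf '%s\n' 'active = yes' 'direction = out' 'path = builtin_af_unix' \
    'type = builtin' 'args = 0600 /var/run/audispd_events' 'format = binary' > "$tmp/af_unix_binary.conf"
printf '%s\n' '-D' '-b 8192' '-a always,exit -F arch=b64 -S execve -F key=execve' > "$tmp/audit.rules"
printf '%s\n' '{"auditd-compatibility-mode":true}' > "$tmp/audit.conf"

for f in "$tmp/af_unix.conf" "$tmp/af_unix_binary.conf"; do
    if check_af_unix "$f"; then echo "OK   $f"; else echo "FAIL $f"; fi
done
check_execve_rule "$tmp/audit.rules" && echo "OK   execve rule present"
check_audit_conf "$tmp/audit.conf" && echo "OK   compatibility flag set"
```

The second af_unix sample keeps format = binary, the setting the Version 3.1.1 bug note above warns against, so the script reports it as a failure.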