InsightIDR - auditd Compatibility Mode for Linux Assets

InsightIDR requires you to configure auditd Compatibility Mode for Linux Assets for the normal deployment of the Insight Agent.

In order for InsightIDR to monitor specific file paths from your Linux machine, you must configure auditd Compatibility Mode with slight modifications. This Compatibility Mode is necessary to configure File Integrity Monitoring (FIM) for Linux, or if you have other FIM agents that need to read from the audit.log to generate FIM events, besides Insight products.

Requirements

This implementation can increase log size

Implementing this auditd Compatibility Mode results in larger audit.log files. As a consequence, the performance and bandwidth usage of your asset could increase, depending on the audit events captured.

To configure auditd Compatibility Mode, your Linux host must meet the following requirements:

  • Your installed Insight Agent must be on version 2.5.0.3 or later.
  • The af_unix plugin for audispd must be available and not used by other clients. Because af_unix can only take a single client, the plugin must be available solely for Compatibility Mode use.
  • auditd must be restarted and running after implementing auditd Compatibility Mode.

Considerations for Red Hat Enterprise Linux

If your Linux asset uses Red Hat Enterprise Linux (RHEL) version 9 or newer, consider these differences:

  • You must install audispd-plugins manually (it's not included by default).
  • audispd.conf does not exist. Instead, it's controlled by a a file, located at /etc/audit/auditd.conf. You don't need to edit this file to set q_depth as 8192.
  • af_unix is moved to a new location.

Install audispd plugins

If you use RHEL 9, you must install audispd-plugins manually.

To install audispd-plugins:

  1. On the asset, stop the auditd and ir_agent services using either of these commands:
    • systemctl stop auditd
    • service auditd stop and systemctl stop ir_agent
  2. Install audispd-plugins with this command: yum install audispd-plugins.

Configuration File Modifications

This procedure involves editing and saving the following audit service and configuration files:

Configure audit.rules

There are two ways to configure the audit.rules file, based on the status of the augenrules script:

  • augenrules script is active:

Configure the audit.rules file inside the /etc/audit/rules.d directory. To do so, apply the guidance from this Linux manual page: https://man7.org/linux/man-pages/man8/augenrules.8.html.

This action prevents merging issues, since the contents of /etc/audit/rules.d merge with the contents of /etc/audit/audit.rules when the augenrules script is active.

  • augenrules script is not active:

Directly edit /etc/audit/audit.rules.

text
1
# This file contains the auditctl rules that are loaded
2
# whenever the audit daemon is started via the initscripts.
3
# The rules are simply the parameters that would be passed
4
# to auditctl.
5
 
6
# First rule - delete all
7
-D
8
 
9
# Increase the buffers to survive stress events.
10
# Make this bigger for busy systems
11
-b 8192
12
 
13
# DO NOT BLOCK THE FOLLOWING EVENTS
14
# USER_AUTH
15
# USER_START
16
# USER_END
17
# USER_LOGIN
18
# USER_LOGOUT
19
# ADD_USER
20
# DEL_USER
21
# ADD_GROUP
22
# DEL_GROUP
23
# SERVICE_START
24
# SERVICE_STOP
25
# SYSCALL
26
# EXECVE
27
 
28
 
29


30
# REQUIRED (for Insight Agent): watch for execve syscalls, change to arch=b32 for 32 bit systems
31
-a always,exit -F arch=b64 -S execve -F key=execve
32


33
# Feel free to add additional rules below this line. See auditctl man page
34

Audit rules

The -a always,exit -F arch=b64 -S execve -F key=execve audit rule shown here is the minimum rule required by the Insight Agent. You may have additional audit rule lines here as needed. For example, if you want to configure File Integrity Monitoring (FIM), or if you have auditing requirements to track activity.

Configure audispd.conf

Skip this step on Audit 3.0 and newer

This step is necessary only for versions of Audit older than 3.0. audispd is included with auditd on some new distributions of Linux. Confirm whether audispd-plugins is installed.

Edit the audispd.conf file in this directory: /etc/audisp/audispd.conf

text
1
#
2
# This file controls the configuration of the audit event
3
# dispatcher daemon, audispd.
4
#
5
 
6
q_depth = 8192
7
overflow_action = SYSLOG
8
priority_boost = 4
9
max_restarts = 10
10
name_format = HOSTNAME

Configure af_unix.conf

Version 3.1.1 bug

Audit 3.1.1 introduced a bug that caused messages to be corrupted in binary format. This impacts all events from the Insight Agent, meaning that none of them are sent to the platform.

We recommend updating the Insight Agent to any version above 4.0.8 and using the string output format of the af_unix plugin, which is supported from this version onwards.

  1. Edit the af_unix.conf file in this directory: /etc/audisp/plugins.d/af_unix.conf. On Audit 3.0+ navigate to /etc/audit/plugins.d/af_unix.conf instead.
text
1
# This file controls the configuration of the
2
# af_unix socket plugin. It simply takes events
3
# and writes them to a unix domain socket. This
4
# plugin can take 2 arguments, the path for the
5
# socket and the socket permissions in octal.
6
 
7
active = yes
8
direction = out
9
path = builtin_af_unix
10
type = builtin
11
args = 0600 /var/run/audispd_events
12
format = string
  1. After completing these modifications, start the auditd service with the following command:
 
1
service auditd start
  1. Next, verify that you have configured the rules correctly with the following command:
 
1
auditctl -l
  1. Different kernel versions may have minor differences in output. This is an example of how command results should look like:
 
1
root@ubuntu:~# auditctl -l
2
-a always,exit -F arch=b64 -S execve -F key=execve

Configure audit.conf

Finally, you must create a file in the agent installation directory to manually activate the auditd Compatibility Mode:

  1. Navigate to your /opt/rapid7/ir_agent/components/insight_agent/common/ directory.

  2. Create a new file and name it audit.conf.

  3. Open the file with the editing tool of your choice and add the following line:

 
1
{"auditd-compatibility-mode":true}

  1. Save and close the file.

  2. Restart the agent service so that the Compatibility Mode can take effect.

  3. Verify the configuration by modifying a file in the directory you set to monitor. Within 5-7 minutes, you should see an event in the File Modification Activity > Endpoint Agents log.