InsightIDR - auditd Compatibility Mode for Linux Assets
InsightIDR requires you to configure auditd
Compatibility Mode for Linux Assets for the normal deployment of the Insight Agent.
In order for InsightIDR to monitor specific file paths from your Linux machine, you must configure auditd Compatibility Mode with slight modifications. This Compatibility Mode is necessary to configure File Integrity Monitoring (FIM) for Linux, or if you have other FIM agents that need to read from the audit.log
to generate FIM events, besides Insight products.
Requirements
This implementation can increase log size
Implementing this auditd
Compatibility Mode results in larger audit.log
files. As a consequence, the performance and bandwidth usage of your asset could increase, depending on the audit events captured.
To configure auditd Compatibility Mode, your Linux host must meet the following requirements:
- Your installed Insight Agent must be on version 2.5.0.3 or later.
- The
af_unix
audispd
built-in plugin must be available and not used by other clients.af_unix
can only take a single client, so the plugin must be available for the sole use of the Compatibility Mode. auditd
must be restarted and running after implementing auditd Compatibility Mode.
Configuration File Modifications
This procedure involves editing and saving the following audit
service and configuration files:
Configure audit.rules
There are two ways to configure the audit.rules
file, based on the status of the augenrules
script:
augenrules
script is active:
Configure the audit.rules
file inside the /etc/audit/rules.d
directory. To do so, apply the guidance from this Linux manual page: https://man7.org/linux/man-pages/man8/augenrules.8.html.
This action prevents merging issues, since the contents of /etc/audit/rules.d
merge with the contents of /etc/audit/audit.rules
when the augenrules
script is active.
augenrules
script is not active:
Directly edit /etc/audit/audit.rules
.
text
1# This file contains the auditctl rules that are loaded2# whenever the audit daemon is started via the initscripts.3# The rules are simply the parameters that would be passed4# to auditctl.56# First rule - delete all7-D89# Increase the buffers to survive stress events.10# Make this bigger for busy systems11-b 81921213# DO NOT BLOCK THE FOLLOWING EVENTS14# USER_AUTH15# USER_START16# USER_END17# USER_LOGIN18# USER_LOGOUT19# ADD_USER20# DEL_USER21# ADD_GROUP22# DEL_GROUP23# SERVICE_START24# SERVICE_STOP25# SYSCALL26# EXECVE27282930# REQUIRED (for Insight Agent): watch for execve syscalls, change to arch=b32 for 32 bit systems31-a always,exit -F arch=b64 -S execve -F key=execve3233# Feel free to add additional rules below this line. See auditctl man page34
NOTE
The -a always,exit -F arch=b64 -S execve -F key=execve
audit rule shown here is the minimum rule required by the Insight Agent. You may have additional audit rule lines here as needed. For example, if you want to configure File Integrity Monitoring (FIM), or if you have auditing requirements to track activity.
Configure audispd.conf
Skip this step on RHEL 8.0+ and CentOS 8.0+
audispd
is part of auditd
starting RHEL 8 and CentOS 8. This step is only necessary on lower versions of RHEL and CentOS.
Edit the audispd.conf
file in this directory: /etc/audisp/audispd.conf
text
1#2# This file controls the configuration of the audit event3# dispatcher daemon, audispd.4#56q_depth = 81927overflow_action = SYSLOG8priority_boost = 49max_restarts = 1010name_format = HOSTNAME
Configure af_unix.conf
- Edit the
af_unix.conf
file in this directory:/etc/audisp/plugins.d/af_unix.conf
. On RHEL 8+ and CentOS 8+ navigate to/etc/audit/plugins.d/af_unix.conf
instead.
text
1# This file controls the configuration of the2# af_unix socket plugin. It simply takes events3# and writes them to a unix domain socket. This4# plugin can take 2 arguments, the path for the5# socket and the socket permissions in octal.67active = yes8direction = out9path = builtin_af_unix10type = builtin11args = 0600 /var/run/audispd_events12format = binary
- After completing these modifications, start the
auditd
service with the following command:
1service auditd start
- Next, verify that you have configured the rules correctly with the following command:
1auditctl -l
- Different kernel versions may have minor differences in output. This is an example of how command results should look like:
1root@ubuntu:~# auditctl -l2-a always,exit -F arch=b64 -S execve -F key=execve
Configure audit.conf
Finally, you must create a file in the agent installation directory to manually activate the auditd
Compatibility Mode:
- Navigate to your
/opt/rapid7/ir_agent/components/insight_agent/common/
directory. - Create a new file and name it
audit.conf
. - Open the file with the editing tool of your choice and add the following line:
1{"auditd-compatibility-mode":true}
- Save and close the file.
- Restart the agent service so that the Compatibility Mode can take effect.
- Verify the configuration by modifying a file in the directory you set to monitor. Within 5-7 minutes you should see an event in the File Modification Activity->Endpoint Agents log.