Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Next »

About the Device

Linux is one of the most well-known UNIX-like operating systems. It is open-source and free to use, developed under the GNU General Public License (GPL). Some popular Linux distributions include Ubuntu, CentOS, Debian, Fedora, and Red Hat Enterprise Linux (RHEL).

There are many services and packages available in the Linux. Each service plays a crucial role in enabling various functionalities and supporting different types of applications and workloads. Here are service description which are supported.

Device Information

 Entity

Particulars

Vendor Name

Open Source

Product Name

Linux Operating System

Type of Device

Hosted

Collection Method

Log Type

 Ingestion label

Preferred Logging Protocol - Format

Log collection method

Linux Auditing System (AuditD)

AUDITD

Syslog KV/Unstructured

CyberHub

Linux Sysmon

LINUX_SYSMON

Syslog XML

CyberHub

Unix system

NIX_SYSTEM

Syslog Unstructured

CyberHub

Port Requirements

Source

Destination

Port

Linux Operating System

CyberHub

601 (TCP)

Device Configuration

Linux Audit System (AUDITD) logging configuration

The below steps are validated on following Linux distributions - Ubuntu v22.04.4 LTS, RHEL v9.3, Debian v12.5 and SUSE Linux Enterprise v15.5.

  1. Log in to CLI with root or similar privileges.

  2. Deploy and enable the audit daemon and the audit dispatching framework by running the following command.

If you have already deployed the daemon and framework, you can skip this step.

For Debian and Ubuntu OS -
sudo apt-get install auditd audispd-plugins

For RedHat OS -
sudo yum install audit audispd-plugins

For SUSE OS
sudo zypper install audit audit-audispd-plugins

Enable auditd service

sudo systemctl enable auditd.service

  1. To enable logging of all commands, which include the user and root, add the following lines to /etc/audit/rules.d/audit.rules:

-a exit,always -F arch=b64 -S execve
-a exit,always -F arch=b32 -S execve

  1. Verify that the parameters in the /etc/audit/plugins.d/syslog.conf file match the following values:

active = yes
direction = out
path = /sbin/audisp-syslog
type = always
args = LOG_LOCAL6
format = string

  1. (Optional Step) - To disable local file logging to syslog, configure rsyslog configuration file by appending local6.none to all the lines those allow configure what is logged to local syslog files. The file differs for each OS. For RHEL, Debian and SUSE the file is /etc/rsyslog.conf, and for Ubuntu the file is /etc/rsyslog.d/50-default.conf.

Ubuntu Example -
# First some standard log files.  Log by facility.
*.*;auth,authpriv.none;local6.none      -/var/log/syslog



Debian Example -
# Log anything besides private authentication messages to a single log file
*.*;auth,authpriv.none;local6.none              -/var/log/syslog



RHEL Example -
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none;local6.none          /var/log/messages



SUSE Example -
*.*;mail.none;news.none;local6.none                     -/var/log/messages
############
# Some foreign boot scripts require local7
#
local0.*;local1.*                       -/var/log/localmessages
local2.*;local3.*                       -/var/log/localmessages
local4.*;local5.*                       -/var/log/localmessages
local6.none;local7.*                    -/var/log/localmessages

  1. Restart auditd and rsyslog service.

systemctl restart auditd.service
systemctl restart rsyslog.service

Linux Sysmon logging configuration

The below steps are validated on following Linux distributions - Ubuntu v22.04.4 LTS, RHEL v9.3 and Debian v12.5.

  1. Log in to CLI with root or similar privileges.

  2. Use the following commands according to your Linux version, to register Microsoft key and feed, then to install SysmonForLinux.

###### For Ubuntu v20.04, v22.04, v23.04 
wget -q https://packages.microsoft.com/config/ubuntu/$(lsb_release -rs)/packages-microsoft-prod.deb -O packages-microsoft-prod.deb
sudo dpkg -i packages-microsoft-prod.deb
sudo apt-get update
sudo apt-get install sysmonforlinux

##### For Debian v12.5
wget -q https://packages.microsoft.com/config/debian/12/packages-microsoft-prod.deb -O packages-microsoft-prod.deb
sudo dpkg -i packages-microsoft-prod.deb
sudo apt-get install apt-transport-https sysmonforlinux

##### RHEL 9.3
sudo rpm -Uvh https://packages.microsoft.com/config/rhel/9/packages-microsoft-prod.rpm
sudo dnf install sysmonforlinux

  1. Install service and driver.

sudo sysmon -accepteula -i

Forward All the Linux OS Logs to CyberHub

  1. Modify or create the /etc/rsyslog.d/50-default.conf file and add the following line at the end of the file:

*.* @@FORWARDER_IP:601

Replace FORWARDER_IP with CyberHUB IP. The @@ in the second column indicates that TCP is used to send the message.

  1. Restart rsyslog service.

systemctl restart rsyslog.service

Integration Parameters

Parameters required from customer for Integration.

Property

Default Value

Description

IP Address

Linux Operating System interface IP address

Hostname or IP address of the device which forwards logs to the CyberHub

  • No labels

About Accenture:
Accenture is a leading global professional services company that helps the world’s leading businesses, governments and other organizations build their digital core, optimize their operations, accelerate revenue growth and enhance citizen services—creating tangible value at speed and scale. We are a talent and innovation led company with 738,000 people serving clients in more than 120 countries. Technology is at the core of change today, and we are one of the world’s leaders in helping drive that change, with strong ecosystem relationships. We combine our strength in technology with unmatched industry experience, functional expertise and global delivery capability. We are uniquely able to deliver tangible outcomes because of our broad range of services, solutions and assets across Strategy & Consulting, Technology, Operations, Industry X and Accenture Song. These capabilities, together with our culture of shared success and commitment to creating 360° value, enable us to help our clients succeed and build trusted, lasting relationships. We measure our success by the 360° value we create for our clients, each other, our shareholders, partners and communities. Visit us at www.accenture.com.

About Accenture Security
Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.

Legal notice: Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. This document is intended for general informational purposes only and does not take into account the reader’s specific circumstances, and may not reflect the most current developments. Accenture disclaims, to the fullest extent permitted by applicable law, any and all liability for the accuracy and completeness of the information in this presentation and for any acts or omissions made based on such information. Accenture does not provide legal, regulatory, audit, or tax advice. Readers are responsible for obtaining such advice from their own legal counsel or other licensed professionals.