Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 2 Current »

About the Device

Linux is one of the most well-known UNIX-like operating systems. It is open-source and free to use, developed under the GNU General Public License (GPL). Some popular Linux distributions include Ubuntu, CentOS, Debian, Fedora, and Red Hat Enterprise Linux (RHEL).

There are many services and packages available in the Linux. Each service plays a crucial role in enabling various functionalities and supporting different types of applications and workloads. Here are service description which are supported.

Device Information

 Entity

Particulars

Vendor Name

Open Source

Product Name

Linux Operating System

Type of Device

Hosted

Collection Method

Log Type

 Ingestion label

Preferred Logging Protocol - Format

Log collection method

Linux Auditing System (AuditD)

AUDITD

Syslog KV/Unstructured

CyberHub

Linux Sysmon

LINUX_SYSMON

Syslog XML

CyberHub

Unix system

NIX_SYSTEM

Syslog Unstructured

CyberHub

Port Requirements

Source

Destination

Port

Linux Operating System

CyberHub

601 (TCP)

To facilitate secure communication and align with our best practice, we strongly encourage the use of Transport Layer Security (TLS) between your security devices and our Adaptive MxDR platform for event forwarding.

While we understand that TLS support may not be available on all devices, if your devices do support TLS communication, we recommend utilizing port 6514 for seamless integration.

In some cases, the upgraded version of the device might incorporate TLS support without prior notice. If you come across such a scenario or for further assistance in configuring TLS, we kindly ask you to reach out to your dedicated Adaptive MxDR Service Delivery Lead.

Device Configuration

To Configure Linux Audit System (AUDITD) logging

The below steps are validated on following Linux distributions - Ubuntu v22.04.4 LTS, RHEL v9.3, Debian v12.5 and SUSE Linux Enterprise v15.5.

  1. Log in to CLI with root or similar privileges.

  2. Deploy and enable the audit daemon and the audit dispatching framework by running the following command.

If you have already deployed the daemon and framework, you can skip this step.

For Debian and Ubuntu OS -
sudo apt-get install auditd audispd-plugins

For RedHat OS -
sudo yum install audit audispd-plugins

For SUSE OS
sudo zypper install audit audit-audispd-plugins

Enable auditd service

sudo systemctl enable auditd.service
  1. To enable logging of all commands, which include the user and root, add the following lines to /etc/audit/rules.d/audit.rules:

-a exit,always -F arch=b64 -S execve
-a exit,always -F arch=b32 -S execve
  1. Verify that the parameters in the /etc/audit/plugins.d/syslog.conf file match the following values:

active = yes
direction = out
path = /sbin/audisp-syslog
type = always
args = LOG_LOCAL6
format = string
  1. (Optional Step) - To disable local file logging to syslog, configure rsyslog configuration file by appending local6.none to all the lines those allow configure what is logged to local syslog files. The file differs for each OS. For RHEL, Debian and SUSE the file is /etc/rsyslog.conf, and for Ubuntu the file is /etc/rsyslog.d/50-default.conf.

Ubuntu Example -
# First some standard log files.  Log by facility.
*.*;auth,authpriv.none;local6.none      -/var/log/syslog



Debian Example -
# Log anything besides private authentication messages to a single log file
*.*;auth,authpriv.none;local6.none              -/var/log/syslog



RHEL Example -
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none;local6.none          /var/log/messages



SUSE Example -
*.*;mail.none;news.none;local6.none                     -/var/log/messages
############
# Some foreign boot scripts require local7
#
local0.*;local1.*                       -/var/log/localmessages
local2.*;local3.*                       -/var/log/localmessages
local4.*;local5.*                       -/var/log/localmessages
local6.none;local7.*                    -/var/log/localmessages
  1. Restart auditd and rsyslog service.

systemctl restart auditd.service
systemctl restart rsyslog.service

To Configure Linux Sysmon logging

The below steps are validated on following Linux distributions - Ubuntu v22.04.4 LTS, RHEL v9.3 and Debian v12.5.

  1. Log in to CLI with root or similar privileges.

  2. Use the following commands according to your Linux version, to register Microsoft key and feed, then to install SysmonForLinux.

###### For Ubuntu v20.04, v22.04, v23.04 
wget -q https://packages.microsoft.com/config/ubuntu/$(lsb_release -rs)/packages-microsoft-prod.deb -O packages-microsoft-prod.deb
sudo dpkg -i packages-microsoft-prod.deb
sudo apt-get update
sudo apt-get install sysmonforlinux

##### For Debian v12.5
wget -q https://packages.microsoft.com/config/debian/12/packages-microsoft-prod.deb -O packages-microsoft-prod.deb
sudo dpkg -i packages-microsoft-prod.deb
sudo apt-get install apt-transport-https sysmonforlinux

##### RHEL 9.3
sudo rpm -Uvh https://packages.microsoft.com/config/rhel/9/packages-microsoft-prod.rpm
sudo dnf install sysmonforlinux
  1. Install service and driver.

sudo sysmon -accepteula -i

To Forward All the Linux OS Logs to CyberHub

  1. Modify or create the /etc/rsyslog.d/50-default.conf file and add the following line at the end of the file:

*.* @@FORWARDER_IP:601

Replace FORWARDER_IP with CyberHUB IP. The @@indicates that TCP is used to send the message.

  1. Restart rsyslog service.

systemctl restart rsyslog.service

Integration Parameters

Parameters required from customer for Integration.

Property

Default Value

Description

IP Address

Linux Operating System interface IP address

Hostname or IP address of the device which forwards logs to the CyberHub

  • No labels