InsightIDR - auditd Compatibility Mode for Linux Assets

InsightIDR does not require auditd Compatibility Mode for a normal deployment of the Insight Agent; it is needed only for the file-monitoring cases described here.

You must configure auditd Compatibility Mode, with the small modifications below, when you want InsightIDR to monitor specific file paths on a Linux machine. That means it is necessary for File Integrity Monitoring (FIM) on Linux, and also when FIM agents other than Insight products need to read audit.log on the same host to generate their own FIM events.

Requirements

This implementation can increase log size

Implementing auditd Compatibility Mode produces larger audit.log files. Disk usage, CPU load and the bandwidth the asset consumes all grow with the volume of audit events captured, so size the host and any log forwarding accordingly.

To configure auditd Compatibility Mode, your Linux host must meet the following requirements:

  • Your installed Insight Agent must be version 2.5.0.3 or later.
  • The af_unix audispd built-in plugin must be available and not in use by any other consumer. af_unix accepts a single client, so the socket it creates must be reserved for Compatibility Mode alone.
  • auditd must be restarted after the changes and must remain running afterwards.

Configuration File Modifications

This procedure involves editing and saving the following audit service and configuration files:

Configure audit.rules

There are two ways to configure the audit rules, depending on whether the augenrules script is active on the host:

  • augenrules script is active:

Put the rules in a file under /etc/audit/rules.d (a new file with a .rules extension), following this Linux manual page: https://man7.org/linux/man-pages/man8/augenrules.8.html.

augenrules compiles every file in /etc/audit/rules.d into /etc/audit/audit.rules each time it loads, so rules typed directly into audit.rules are overwritten on the next load. Keeping the rules in rules.d avoids that.

  • augenrules script is not active:

Edit /etc/audit/audit.rules directly. The complete file below is the version to use in that case.

```text
# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.

# First rule - delete all
-D

# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 8192

# DO NOT BLOCK THE FOLLOWING EVENTS
# USER_AUTH
# USER_START
# USER_END
# USER_LOGIN
# USER_LOGOUT
# ADD_USER
# DEL_USER
# ADD_GROUP
# DEL_GROUP
# SERVICE_START
# SERVICE_STOP
# SYSCALL
# EXECVE

# REQUIRED (for Insight Agent): watch for execve syscalls, change to arch=b32 for 32 bit systems
# (a 64-bit kernel that also runs 32-bit binaries needs a second copy of this rule with arch=b32)
-a always,exit -F arch=b64 -S execve -F key=execve

# Feel free to add additional rules below this line. See auditctl man page
```

NOTE

The rule -a always,exit -F arch=b64 -S execve -F key=execve is the minimum the Insight Agent requires. You may add further audit rules in the same file as needed, for example to configure File Integrity Monitoring (FIM) watches or to satisfy other auditing requirements.

Configure audispd.conf

Skip this step on RHEL 8.0+ and CentOS 8.0+

Starting with RHEL 8 and CentOS 8 (audit 3.0), audispd has been merged into auditd and these settings live in /etc/audit/auditd.conf. This step is only necessary on earlier versions of RHEL and CentOS.

Edit the audispd.conf file at /etc/audisp/audispd.conf:

```text
#
# This file controls the configuration of the audit event
# dispatcher daemon, audispd.
#

q_depth = 8192
overflow_action = SYSLOG
priority_boost = 4
max_restarts = 10
name_format = HOSTNAME
```

Configure af_unix.conf

  1. Edit the af_unix.conf file at /etc/audisp/plugins.d/af_unix.conf. On RHEL 8+ and CentOS 8+ the file is /etc/audit/plugins.d/af_unix.conf instead. The shipped default has active = no; set it to yes and make sure the remaining values match:

```text
# This file controls the configuration of the
# af_unix socket plugin. It simply takes events
# and writes them to a unix domain socket. This
# plugin can take 2 arguments, the path for the
# socket and the socket permissions in octal.

active = yes
direction = out
path = builtin_af_unix
type = builtin
args = 0600 /var/run/audispd_events
format = binary
```

  2. After completing these modifications, start the auditd service (or restart it if it is already running):

```
service auditd start
```

  3. Verify that the rules loaded correctly:

```
auditctl -l
```

  4. Different auditd and kernel versions print minor variations, but the output should look like this:

```
root@ubuntu:~# auditctl -l
-a always,exit -F arch=b64 -S execve -F key=execve
```

Configure audit.conf

Finally, create a file in the agent installation directory to switch on auditd Compatibility Mode:

  1. Navigate to /opt/rapid7/ir_agent/components/insight_agent/common/.
  2. Create a new file named audit.conf.
  3. Open it in the editor of your choice and add the following line:

```
{"auditd-compatibility-mode":true}
```

  4. Save and close the file.
  5. Restart the agent service so that Compatibility Mode takes effect.
  6. Verify the configuration by modifying a file in a directory you have set to monitor. Within 5-7 minutes an event should appear in the File Modification Activity -> Endpoint Agents log.
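The whole procedure above, collected into one POSIX shell script, as an added example; this is not Rapid7's tooling and not code from the original page. Every path is prefixed with a root-directory argument so the steps can be rehearsed in a scratch directory before touching /etc, and the live-host branch runs only when that argument is empty. The rules.d filename 10-insight-execve.rules and the banner-based check for an active augenrules are assumptions of this example, not anything the page specifies.

```shell
#!/bin/sh
# Added example (not Rapid7's code): writes the auditd Compatibility Mode
# files from this page and checks them. $1 is a root prefix for every path;
# pass "" to target the live host (as root). Assumed: the rules.d filename
# 10-insight-execve.rules and the augenrules-active heuristic below.

EXECVE_RULE='-a always,exit -F arch=b64 -S execve -F key=execve'
AGENT_CONF_DIR='/opt/rapid7/ir_agent/components/insight_agent/common'

# audit 3.0 (RHEL/CentOS 8+) moved dispatcher plugin configs to /etc/audit/plugins.d.
plugins_dir() {
  if [ -d "$1/etc/audit/plugins.d" ]; then
    printf '%s\n' "$1/etc/audit/plugins.d"
  else
    printf '%s\n' "$1/etc/audisp/plugins.d"
  fi
}

# Heuristic: augenrules is in use when rules.d exists and the generated
# audit.rules carries the augenrules banner (direct edits would be lost).
augenrules_active() {
  [ -d "$1/etc/audit/rules.d" ] &&
    grep -qs 'automatically generated from /etc/audit/rules.d' "$1/etc/audit/audit.rules"
}

# Put the required execve watch where auditd will actually load it from,
# appending only when missing so repeated runs never duplicate the rule.
write_execve_rule() {
  if augenrules_active "$1"; then
    target="$1/etc/audit/rules.d/10-insight-execve.rules"
  else
    target="$1/etc/audit/audit.rules"
    mkdir -p "$1/etc/audit"
    # A fresh audit.rules gets the flush and buffer lines from the page first.
    [ -e "$target" ] || printf '%s\n' '-D' '-b 8192' > "$target"
  fi
  grep -qsF -- "$EXECVE_RULE" "$target" || printf '%s\n' "$EXECVE_RULE" >> "$target"
  printf '%s\n' "$target"
}

# Write the af_unix.conf from the page (the shipped default has active = no).
write_af_unix_conf() {
  dir=$(plugins_dir "$1")
  mkdir -p "$dir"
  cat > "$dir/af_unix.conf" <<'EOF'
active = yes
direction = out
path = builtin_af_unix
type = builtin
args = 0600 /var/run/audispd_events
format = binary
EOF
  printf '%s\n' "$dir/af_unix.conf"
}

# Confirm an af_unix.conf carries every setting Compatibility Mode needs.
check_af_unix_conf() {
  grep -Eq '^[[:space:]]*active[[:space:]]*=[[:space:]]*yes[[:space:]]*$' "$1" &&
  grep -Eq '^[[:space:]]*direction[[:space:]]*=[[:space:]]*out[[:space:]]*$' "$1" &&
  grep -Eq '^[[:space:]]*args[[:space:]]*=[[:space:]]*0600[[:space:]]+/var/run/audispd_events[[:space:]]*$' "$1" &&
  grep -Eq '^[[:space:]]*format[[:space:]]*=[[:space:]]*binary[[:space:]]*$' "$1"
}

# The agent-side switch: audit.conf in the agent's common directory.
write_agent_flag() {
  mkdir -p "$1$AGENT_CONF_DIR"
  printf '%s\n' '{"auditd-compatibility-mode":true}' > "$1$AGENT_CONF_DIR/audit.conf"
  printf '%s\n' "$1$AGENT_CONF_DIR/audit.conf"
}

# Read `auditctl -l` output on stdin and confirm the required rule is loaded.
# Accepts the b32 variant and the older "-k execve" spelling of the key.
check_loaded_rules() {
  grep -Eq -- '^-a always,exit -F arch=b(64|32) -S execve (-F key=|-k )execve$'
}

apply_compat_mode() {
  write_execve_rule "$1" && write_af_unix_conf "$1" && write_agent_flag "$1" || return 1
  check_af_unix_conf "$(plugins_dir "$1")/af_unix.conf" || { echo 'af_unix.conf incomplete' >&2; return 1; }
  if [ -z "$1" ]; then
    # Live host only. service, not systemctl: auditd refuses a manual stop under
    # systemd on RHEL-family hosts and its legacy action performs the restart.
    service auditd restart || return 1
    if augenrules_active ""; then augenrules --load || return 1; fi
    auditctl -l | check_loaded_rules || { echo 'execve rule not loaded' >&2; return 1; }
    echo 'auditd Compatibility Mode is in place; restart the Insight Agent service next.'
  fi
}

# Live host:  INSIGHT_APPLY=1 sh compat_mode.sh    Rehearsal: ROOT=/tmp/x INSIGHT_APPLY=1 sh compat_mode.sh
if [ "${INSIGHT_APPLY:-0}" = 1 ]; then
  apply_compat_mode "${ROOT:-}"
fi
```

Run it first with ROOT pointing at an empty directory and inspect what lands under ROOT/etc and ROOT/opt; only then run it with ROOT unset on the host. The write functions are idempotent, so re-running after a failed auditd restart is safe.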