P-Linux

The P-Linux package focuses on both host and entity use cases related to the various functions of the Linux Operating System.

Authors & Contributors:

Donald Chapell

Beirne Konarski

Jesse Bacon

Henk-Jan Esterik

Nellie Wang

Seema Khan

Installation Overview

Security logging in Linux is divided between regular syslog messages, which generally go to /var/log/secure, and auditd events, which go to /var/log/audit/audit.log. The entries in /var/log/secure contain only minimal information about what was changed and do not say who performed the change, which is exactly what is needed to watch for security activity. The audit logs have more information, but often list only the UID and not the user logon name, and the reason for the event may also be missing. For these reasons both types of logs are needed. If auditd is not set up on the Linux hosts sending events to ArcSight, this package will not work properly.
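To make the point above concrete, here is an added example that is not part of the P-Linux package or its parser overrides. It parses raw audit.log records, merges the records that share one audit serial number (the job the connector's auditd event merging, step 4 of the connector installation below, performs), and resolves the numeric auid/uid values to login names. The sample records, the UID-to-name map and the summary field names are constructed for this example.

```python
# Added example: not part of the P-Linux package. It shows why both log types
# and merged auditd records are needed: raw audit.log lines carry only numeric
# auid/uid values and split one event across several records.
import re

# Constructed sample: records of two audit events. Serial 812 is one event
# split into a SYSCALL and a PATH record; serial 813 is a single USER_CMD record.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1526567890.123:812): arch=c000003e syscall=2 success=yes exit=3 auid=1000 uid=0 gid=0 euid=0 ses=4 comm="vi" exe="/usr/bin/vi" key="audit_rules"
type=PATH msg=audit(1526567890.123:812): item=0 name="/etc/audit/audit.rules" inode=1234 mode=0100640
type=USER_CMD msg=audit(1526567999.500:813): pid=4242 uid=1001 auid=1001 ses=5 msg='cwd="/home/bob" cmd=73797374656D63746C20737461727420737368 exe="/usr/bin/sudo" terminal=pts/1 res=success'
"""
SAMPLE_AUDIT_LINES = SAMPLE_AUDIT_LOG.splitlines()

# Constructed passwd-style map. On the host itself pwd.getpwuid() would do;
# a remote connector has to carry its own copy, which is why names go missing.
UID_TO_NAME = {0: "root", 1000: "alice", 1001: "bob"}
AUID_UNSET = 4294967295  # auditd writes -1 unsigned for processes with no login session

HEADER_RE = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$")
KV_RE = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")
HEX_RE = re.compile(r"^(?:[0-9A-F]{2})+$")
# Fields auditd hex-encodes (unquoted) when they contain spaces or control characters.
HEX_FIELDS = {"cmd", "proctitle", "name", "comm", "exe", "cwd", "key"}


def decode_hex(value):
    """Decode an auditd hex-encoded field, returning the input if it is not one."""
    if HEX_RE.match(value):
        try:
            return bytes.fromhex(value).decode("utf-8")
        except UnicodeDecodeError:
            return value
    return value


def clean(key, raw):
    """Quoted values are literal text; unquoted values of known fields may be hex."""
    if raw[:1] in ("\"", "'"):
        return raw.strip("\"'")
    return decode_hex(raw) if key in HEX_FIELDS else raw


def parse_record(line):
    """Split one audit record into type, timestamp, serial and key=value fields."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    fields = {k: clean(k, v) for k, v in KV_RE.findall(m.group("body"))}
    # USER_* records nest a second key=value list inside msg='...'
    if "msg" in fields:
        fields.update({k: clean(k, v) for k, v in KV_RE.findall(fields.pop("msg"))})
    return {"type": m.group("type"), "ts": float(m.group("ts")),
            "serial": int(m.group("serial")), "fields": fields}


def merge_records(lines):
    """Group records by audit serial so the SYSCALL (who) and PATH (what)
    halves of one event end up in a single event, as the connector merging does."""
    events = {}
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        ev = events.setdefault(rec["serial"], {"ts": rec["ts"], "types": [], "fields": {}})
        ev["types"].append(rec["type"])
        for k, v in rec["fields"].items():
            ev["fields"].setdefault(k, v)  # first record to set a key wins
    return events


def resolve_uid(fields, key, uid_map=UID_TO_NAME):
    """Turn a numeric uid field into a name; auid (login uid) survives su/sudo."""
    if key not in fields:
        return None
    uid = int(fields[key])
    if uid == AUID_UNSET:
        return "unset"
    return uid_map.get(uid, f"uid:{uid}")


def summarize(lines, uid_map=UID_TO_NAME):
    """One row per audit event, carrying the names an analyst actually wants."""
    rows = []
    for serial, ev in sorted(merge_records(lines).items()):
        f = ev["fields"]
        rows.append({
            "serial": serial,
            "types": ev["types"],
            "login_user": resolve_uid(f, "auid", uid_map),
            "effective_user": resolve_uid(f, "uid", uid_map),
            "exe": f.get("exe"),
            "target": f.get("name"),
            "cmd": f.get("cmd"),
            "key": f.get("key"),
            "result": f.get("success", f.get("res")),
        })
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_AUDIT_LINES):
        print(row)
```

Run as-is the script prints two merged events: the first shows alice (auid) editing the audit rules as root (uid), information that is spread over two records in the raw log, and the second decodes the hex-encoded sudo command. Without the serial-number merge the PATH record alone would name the file but not the user, which is the gap the agent.properties merging setting closes.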

Here is an overview of the installation steps. More detailed instructions appear farther down on this page.

Linux Connector Installation

  1. Install the connector
  2. Drop in the parser overrides
  3. Configure the connector
  4. Edit agent.properties to support auditd event merging

Linux Server Logging Configuration

  1. Configure rsyslog to send events to ArcSight
  2. Configure auditd to send events to rsyslog
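As an added example that is not from the P-Linux package or the PLinuxOSLoggingInstallation page, the following Python check reads the two configuration files these steps touch, the audisp syslog plugin file (/etc/audisp/plugins.d/syslog.conf on RHEL 6 and 7) and the rsyslog forwarding rules, and reports what still blocks events from reaching the connector. The file contents and the connector host name are constructed samples.

```python
# Added example, not from the P-Linux package or its logging guide: a check
# that the auditd-to-rsyslog and rsyslog-to-ArcSight steps are in place.
import re

# Constructed: /etc/audisp/plugins.d/syslog.conf as shipped (plugin disabled),
# so auditd records never reach syslog and therefore never reach the connector.
AUDISP_SYSLOG_CONF_DEFAULT = """\
active = no
direction = out
path = builtin_syslog
type = builtin
args = LOG_INFO
format = string
"""

# Constructed: the same file with the plugin enabled. The optional second
# argument LOG_LOCAL6 gives audit records their own facility for routing.
AUDISP_SYSLOG_CONF_ENABLED = """\
active = yes
direction = out
path = builtin_syslog
type = builtin
args = LOG_INFO LOG_LOCAL6
format = string
"""

# Constructed rsyslog forwarding rules. A single "@" is UDP, "@@" is TCP;
# audit records are dropped silently on UDP when the collector is busy.
CONNECTOR_HOST = "arcsight-connector.example.internal"  # assumed name
RSYSLOG_CONF_WEAK = f"*.* @{CONNECTOR_HOST}:514\n"
RSYSLOG_CONF_OK = f"*.* @@{CONNECTOR_HOST}:514\n"

FORWARD_RE = re.compile(
    r"^(?P<selector>[^#\s]\S*)\s+(?P<proto>@@?)(?P<host>[^:\s]+)(?::(?P<port>\d+))?", re.M)


def parse_kv_conf(text):
    """Parse 'key = value' lines, ignoring comments and blank lines."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            k, v = line.split("=", 1)
            conf[k.strip()] = v.strip()
    return conf


def check_audisp(text):
    """Return the problems found in an audisp syslog plugin file."""
    conf = parse_kv_conf(text)
    issues = []
    if conf.get("active", "no").lower() != "yes":
        issues.append("audisp syslog plugin is not active (active = yes is required)")
    if conf.get("path") != "builtin_syslog" or conf.get("type") != "builtin":
        issues.append("plugin is not the builtin syslog plugin")
    if conf.get("direction", "out") != "out":
        issues.append("plugin direction must be out")
    return issues


def check_rsyslog(text, host, port=514):
    """Return the problems found in the rsyslog forwarding rules for one host."""
    rules = [m.groupdict() for m in FORWARD_RE.finditer(text)]
    to_host = [r for r in rules if r["host"] == host]
    issues = []
    if not to_host:
        issues.append(f"no forwarding rule to {host}")
    for r in to_host:
        if r["proto"] == "@":
            issues.append(f"rule '{r['selector']}' forwards over UDP; use @@ for TCP")
        if int(r["port"] or 514) != port:
            issues.append(f"rule '{r['selector']}' uses port {r['port']}, expected {port}")
    return issues


def host_ready(audisp_text, rsyslog_text, host, port=514):
    """True when both logging steps check out for this host."""
    return not check_audisp(audisp_text) and not check_rsyslog(rsyslog_text, host, port)


if __name__ == "__main__":
    print(check_audisp(AUDISP_SYSLOG_CONF_DEFAULT))
    print(check_rsyslog(RSYSLOG_CONF_WEAK, CONNECTOR_HOST))
    print(host_ready(AUDISP_SYSLOG_CONF_ENABLED, RSYSLOG_CONF_OK, CONNECTOR_HOST))
```

On a real host, pass the contents of the two files instead of the constructed strings; the TCP check matters because an auditd stream that is silently truncated over UDP produces rules that fire late or not at all.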

ESM Package Installation

  1. Install Linux product package
  2. Add filters to Entity and Host monitoring filters

Main Use Cases

This package supports Use Cases and User Stories for the following Activate Framework Packages:

L1 Host Monitoring - Indicators and Warnings User Stories

  • Service Started
  • Service Stopped
  • Host Started
  • Host Stopped
  • Host Crash
  • Service Crash

L2 Host Monitoring - Situational Awareness User Stories

Hosts

  • Downtime for critical hosts
  • Critical host start
  • Extended downtime for a critical host
  • Critical hosts still down

Services

  • Services downtime on a critical host
  • Service started on critical host
  • Essential services stopped on a critical host
  • Essential services extended downtime on a critical host
  • Essential services still down on a critical host
  • Essential service started on a critical host

L1 Entity Monitoring - Indicators and Warnings User Stories

Account Anomalies

  • User Account Created and Deleted within 24 Hours
  • User Account Enabled and Disabled within 24 Hours

Entity Authentication

  • User Account Brute Force Attempt
  • User Account Brute Force Attempt from Multiple Sources
  • User Account Brute Force Attempt Reported by Device
  • User Account Harvesting Attempt
  • User Account Logoff
  • User Account Logon
  • User Account Logon Failure

Entity Management

  • User Account Created
  • User Account Deleted
  • User Account Disabled
  • User Account Enabled
  • User Account Locked
  • User Account Locked Multiple Times
  • User Account Modification
  • User Account Unlocked

L2 Entity Monitoring - Situational Awareness User Stories

Privileged User Accounts

  • Privileged User Account Logoff
  • Privileged User Account Logon
  • Privileged User Account Logon Failure

Privileged User Account Management

  • Privileged User Account Created
  • Privileged User Account Deleted
  • Privileged User Account Disabled
  • Privileged User Account Enabled
  • Privileged User Account Locked
  • Privileged User Account Locked Multiple Times
  • Privileged User Account Modification
  • Privileged User Account Unlocked
  • User Account Added to the Privileged Group
  • User Account Removed from the Privileged Group

Terminated User Accounts

  • Terminated User Account - Privilege Escalation Detected
  • Terminated User Account - Successful Login Detected

Other User Stories for Linux Device Only

  • Access to audit control
  • Access to audit.conf
  • Modification of audit logs
  • Creation or modification of SSH keys
  • Modification of iptables
  • Unrestricted account context creation
  • Modification of existing audit rules
  • Modification of ebtables from user space
  • Single user mode access
  • SELinux disabled
  • SELinux changes
  • Firewall disabled
  • Linux capabilities mode modifications
  • Modifications to grub.conf
  • Modprobe configuration changes
  • Kernel replacement
  • Ipsec.conf changes
  • Ipsec.d changes
  • Ipsec.secrets changes
  • Configuring a trusted channel (stunnel)
  • Aide modifications (requires aide package installation)
  • Cron modifications
  • PAM Security Modules modifications
  • Sshd modifications
  • AVC Messages

Supported Log Sources

Here are the log source types supported by this package as delivered:

  Vendor  Product  Version(s)                        Comments
  Unix    Unix     deviceVersion from Syslog header
  Unix    auditd   deviceVersion from Syslog header

Linux Red Hat Device Configuration Guide

PLinuxOSLoggingInstallation describes how to configure the Linux hosts for this package.

Linux Syslog SmartConnector Installation

PLinuxOSConnectorInstallation describes how to install the SmartConnector for this package.

Note: This package works with ArcSight SmartConnectors from 7.6.4 to 7.8.1. Supported parser overrides are included in the package bundle from the Marketplace.

P-Linux Package Download Instructions

The latest P-Linux package can be downloaded from the ArcSight Marketplace.

Package Installation

Prerequisites

  • Ensure that Activate Base package version 2.5.1 or newer is installed (required package)
  • ESM 6.8c or newer
  • RHEL 6.5 or newer is supported
  • Open the ESM server.properties file (at <ARCSIGHT_HOME>\manager\config)
  • Add the following line: export.archive.reference.sort.order=id
  • For ESM in Compact Mode: restart the ESM Manager. For ESM in Distributed Mode: restart the ESM Manager, Aggregator(s), and Correlator(s).

Package Installation Procedure

1. Download and extract the P-Linux_<version>.zip Package into your ArcSight console's home directory.
P-Linux1.2-files.png

2. Open a command prompt and navigate to the <ARCSIGHT_HOME>\current directory for your console.

3. For Windows, execute the P-Linux_<version>.bat file to install the package.

4. For Linux, execute the P-Linux_<version>.sh file. Make sure the file has execute permissions (chmod u+x P-Linux_<version>.sh).

5. You will be prompted to enter the manager hostname, port, username and password. The password is displayed in cleartext, so be aware of your environment.


PLinux_bat_installation.png


6. After the update, your packages in ArcSight ESM will look like the screenshot to the right.

If you run into any issues, the errors will be displayed in the command prompt window.

Linux_packages.png


7. You can now delete the following files from <ARCSIGHT_HOME>\current:
  • P-Linux_<version>.arb
  • P-Linux_Updated_<version>.arb
  • P-Linux_<version>.bat
P-Linux-Installcomplete.png

8. The package requires specific logging configuration changes on the Linux hosts and parser overrides on the connectors receiving the events. If you have not yet done this, follow the instructions on the pages PLinuxOSLoggingInstallation and PLinuxOSConnectorInstallation.

Package Configuration for Solution Packages

L1-Host Monitoring - Indicators and Warnings

1. Filter Configuration

At the L1 Host Monitoring Indicators and Warnings level, a minimum configuration is required: your product filters must be integrated into the corresponding filters from the Host Monitoring package, namely 'Host Shutdown', 'Host Started', 'Service Stopped', and 'Service Started'.

As a guideline, follow the procedure below to configure the product filters with these four filters. The example demonstrates how to configure multiple product filters with the 'Host Shutdown' filter.
  • Edit the filter "/All Filters/ArcSight Activate/Solutions/Host Monitoring/Indicators and Warnings/System Changes/Host Shutdown"
  • The default L1 'Host Shutdown' filter condition is set to 'False'
defaultFilter.PNG
  • Use the 'AND (&)' operator if a single filter is selected, or the 'OR (||)' operator if filters from more than one product are selected
  • Click the 'Filters' icon, and select the filter from the P-Linux product package
Note: in this case two filters are selected, from the P-Linux and P-Microsoft Windows packages.

2. The product filters below have to be configured with the corresponding filters to trigger the L1-Host Monitoring - Indicators and Warnings rules:

Host Shutdown
  • L1 Host Monitoring: /All Filters/ArcSight Activate/Solutions/Host Monitoring/Indicators and Warnings/System Changes/Host Shutdown
  • P-Linux: /All Filters/ArcSight Activate/Core/Product Filters/Linux/System Changes/Linux Auditd System Shutdown

Host Started
  • L1 Host Monitoring: /All Filters/ArcSight Activate/Solutions/Host Monitoring/Indicators and Warnings/System Changes/Host Started
  • P-Linux: /All Filters/ArcSight Activate/Core/Product Filters/Linux/System Changes/Linux Auditd System Boot

Service Stopped
  • L1 Host Monitoring: /All Filters/ArcSight Activate/Solutions/Host Monitoring/Indicators and Warnings/System Changes/Service Stopped
  • P-Linux: /All Filters/ArcSight Activate/Core/Product Filters/Linux/System Changes/Service Activities RHEL 7x/Linux Auditd Service Stopped

Service Failed
  • L1 Host Monitoring: /All Filters/ArcSight Activate/Solutions/Host Monitoring/Indicators and Warnings/System Errors/Service Failed
  • P-Linux: /All Filters/ArcSight Activate/Core/Product Filters/Linux/System Changes/Service Activities RHEL 7x/Linux Auditd Service Failed

Service Started
  • L1 Host Monitoring: /All Filters/ArcSight Activate/Solutions/Host Monitoring/Indicators and Warnings/System Changes/Service Started
  • P-Linux: /All Filters/ArcSight Activate/Core/Product Filters/Linux/System Changes/Service Activities RHEL 7x/Linux Auditd Service Started

The P-Linux package has been tested end-to-end with the above filters in the L1-Host Monitoring package. However, the results depend on the particular Linux distribution and the service management daemon that comes with it. Service start/stop events on RHEL releases prior to 7.1 are not consistently collected by syslogd, so customers need to define the event filter condition appropriately for their own OS version.

L1-Entity Monitoring - Indicators and Warnings

At the L1 Entity Monitoring Indicators and Warnings level, a minimum configuration is required: your product filters must be integrated into the corresponding Entity Authentication and Entity Management filters.

As a guideline, follow the procedure below to configure the product filters with the filters from the L1-Entity Monitoring package. The example demonstrates how to configure multiple product filters with the 'User Account Deleted' filter.
  • Edit the filter "/All Filters/ArcSight Activate/Solutions/Entity Monitoring/Indicators and Warnings/System Changes/User Account Deleted"
  • The default L1 'User Account Deleted' filter condition is set to 'False'
UserAccountDeleted-1.PNG
  • Use the 'AND (&)' operator if a single filter is selected, or the 'OR (||)' operator if filters from more than one product are selected.
  • Click the 'Filters' icon, and select the filter from the P-Linux product package
Notes:
  • In this case two filters are selected, from the P-Linux and P-Microsoft Windows packages.
  • The same procedure can be followed for the remaining filters as needed.
  • The 'User Account Deleted' rule in the L1 Entity Monitoring Indicators and Warnings package will apply the customized filter without any further configuration change.
UserDeleted.PNG


2. The product filters below have to be configured with the corresponding filters to trigger the L1-Entity Monitoring - Indicators and Warnings rules.

User Account Logoff
  • L1 Entity Monitoring: /All Filters/ArcSight Activate/Solutions/Entity Monitoring/Indicators and Warnings/Entity Authentication/User Account Logoff
  • P-Linux: /All Filters/ArcSight Activate/Core/Product Filters/Linux/Entity Authentication/Linux All Successful Logoffs

User Account Logon
  • L1 Entity Monitoring: /All Filters/ArcSight Activate/Solutions/Entity Monitoring/Indicators and Warnings/Entity Authentication/User Account Logon
  • P-Linux: /All Filters/ArcSight Activate/Core/Product Filters/Linux/Entity Authentication/Linux All Successful Logons

User Account Logon Failure
  • L1 Entity Monitoring: /All Filters/ArcSight Activate/Solutions/Entity Monitoring/Indicators and Warnings/Entity Authentication/User Account Logon Failure
  • P-Linux: /All Filters/ArcSight Activate/Core/Product Filters/Linux/Entity Authentication/Linux Auditd User Account Logon Failure

User Account Locked
  • L1 Entity Monitoring: /All Filters/ArcSight Activate/Solutions/Entity Monitoring/Indicators and Warnings/Entity Authentication/User Account Locked
  • P-Linux: /All Filters/ArcSight Activate/Core/Product Filters/Linux/Entity Management/Linux User Account Lockout

User Account Created
  • L1 Entity Monitoring: /All Filters/ArcSight Activate/Solutions/Entity Monitoring/Indicators and Warnings/Entity Management/User Account Created
  • P-Linux: /All Filters/ArcSight Activate/Core/Product Filters/Linux/Entity Management/Linux User Account Created

User Account Deleted
  • L1 Entity Monitoring: /All Filters/ArcSight Activate/Solutions/Entity Monitoring/Indicators and Warnings/Entity Management/User Account Deleted
  • P-Linux: /All Filters/ArcSight Activate/Core/Product Filters/Linux/Entity Management/Linux User Account Deleted

User Account Disabled
  • L1 Entity Monitoring: /All Filters/ArcSight Activate/Solutions/Entity Monitoring/Indicators and Warnings/Entity Management/User Account Disabled
  • P-Linux: /All Filters/ArcSight Activate/Core/Product Filters/Linux/Entity Management/Linux User Account Disabled by Admin

User Account Modification
  • L1 Entity Monitoring: /All Filters/ArcSight Activate/Solutions/Entity Monitoring/Indicators and Warnings/Entity Management/User Account Modification
  • P-Linux: /All Filters/ArcSight Activate/Core/Product Filters/Linux/Entity Management/Linux Auditd User Account Modification

User Account Unlocked
  • L1 Entity Monitoring: /All Filters/ArcSight Activate/Solutions/Entity Monitoring/Indicators and Warnings/Entity Management/User Account Unlocked
  • P-Linux: /All Filters/ArcSight Activate/Core/Product Filters/Linux/Entity Management/Linux Auditd User Account Unlocked with pam_tally2
  • P-Linux 1.1: /All Filters/ArcSight Activate/Core/Product Filters/Linux/Entity Management/Linux Auditd User Account Unlocked by Admin

Package Uninstallation Procedure

NOTE: When uninstalling this product package, make sure you remove any filter configurations made on the L1 packages, to AVOID ANY BROKEN RESOURCES that depend on the P-Linux resources (filters).

1. In the Navigation Pane, under the Packages tab, right-click the P-Linux package.

2. Select "Delete Package".
P-Linux-uninstall-1a.png

3. Click "Delete".
P-Linux-Uninstall-2a.png

4. Select "Delete Resources", then click "OK".
P-Linux-Uninstall-3a.png

5. Click "OK".
P-Linux-Uninstall-4a.png

6. Check to ensure the package has been removed from the console.

Test Plan

PLinuxOsTestPlan provides a methodology for testing this package.

Extensibility

Rule Groups

Host Activity

Host Administration

Suspicious OS Activities

Entity Authentication

Entity Administration

Future Use Cases

  1. Modification to rsyslog.conf
  2. Software resulting in a segmentation fault
  3. Kernel module insertion
  4. Xinetd modification
  5. Postfix modifications
  6. Disk mounts
  7. Syscall
  8. Modification to startup scripts
  9. Network-scripts modifications
  10. Identify auditrp anomalies (requires a flex connector and auditrp configuration)
  11. Invalid security label
  12. Kernel panic audit

Resources

The PLinuxOSResources page contains a table of all resources included in this package.

Topic attachments

  Attachment | Size | Date | Who | Comment
  01_Import.png | 13.6 K | 24 May 2016 - 19:01 | JanStodola |
  02_Open.png | 71.0 K | 24 May 2016 - 19:02 | JanStodola |
  03_PackagesForInstallation.png | 57.3 K | 24 May 2016 - 19:02 | JanStodola |
  04_InstallingPackages.png | 65.5 K | 24 May 2016 - 19:03 | JanStodola |
  05_PackagesTree.png | 35.7 K | 24 May 2016 - 19:03 | JanStodola |
  06_Delete.png | 27.0 K | 24 May 2016 - 19:04 | JanStodola |
  07_DeleteResources.png | 23.2 K | 24 May 2016 - 19:04 | JanStodola |
  08_UninstallPackage.png | 41.6 K | 24 May 2016 - 19:04 | JanStodola |
  09_Results.png | 42.9 K | 24 May 2016 - 19:04 | JanStodola |
  10_NoPackage.png | 27.9 K | 24 May 2016 - 19:04 | JanStodola |
  DeletePackage.PNG | 70.8 K | 10 Mar 2017 - 23:21 | NellieWang |
  For_L1_UserDeleted_Filters.PNG | 109.7 K | 07 Feb 2017 - 21:55 | NellieWang |
  LinuxInstall-1.PNG | 6.9 K | 15 Dec 2016 - 21:02 | NellieWang |
  LinuxInstall-2.PNG | 22.9 K | 15 Dec 2016 - 21:05 | NellieWang |
  LinuxInstall-3.PNG | 1.3 K | 15 Dec 2016 - 21:08 | NellieWang |
  LinuxInstall-5.PNG | 2.4 K | 16 Dec 2016 - 22:50 | NellieWang |
  LinuxInstall-new.PNG | 18.0 K | 16 Dec 2016 - 22:46 | NellieWang |
  LinuxInstall.PNG | 18.0 K | 16 Dec 2016 - 22:45 | NellieWang |
  LinuxUninstall-2.PNG | 44.0 K | 15 Dec 2016 - 21:31 | NellieWang |
  LinuxUninstall-3.PNG | 42.4 K | 15 Dec 2016 - 21:34 | NellieWang |
  LinuxUninstall-4.PNG | 40.3 K | 15 Dec 2016 - 21:34 | NellieWang |
  LinuxUninstall.PNG | 69.4 K | 15 Dec 2016 - 21:29 | NellieWang |
  Linux_packages.png | 3.3 K | 20 Mar 2018 - 19:34 | BeirneKonarski | Packages in ESM console after installation
  P-Linux-Installcomplete.png | 17.4 K | 29 Sep 2017 - 19:14 | SeemaKhan | Batch install complete
  P-Linux-Uninstall-2a.png | 14.2 K | 19 Oct 2017 - 18:36 | SeemaKhan | Uninstall confirm
  P-Linux-Uninstall-3a.png | 16.4 K | 19 Oct 2017 - 18:37 | SeemaKhan |
  P-Linux-Uninstall-4a.png | 17.5 K | 19 Oct 2017 - 18:37 | SeemaKhan |
  P-Linux-batchinstalld.png | 34.7 K | 29 Sep 2017 - 19:14 | SeemaKhan | Batch Install
  P-Linux-shell-Install.png | 28.8 K | 03 Nov 2017 - 17:17 | SeemaKhan | Shell installation
  P-Linux-uninstall-1a.png | 25.5 K | 19 Oct 2017 - 18:36 | SeemaKhan | Uninstall pkg
  P-Linux1.2-Console.png | 16.1 K | 29 Sep 2017 - 19:31 | SeemaKhan | Linux1.2 console
  P-Linux1.2-files.png | 11.2 K | 29 Sep 2017 - 19:14 | SeemaKhan | Linux Install files
  PLinux_bat_installation.png | 34.9 K | 20 Mar 2018 - 19:31 | BeirneKonarski | Screen capture of the start of the P-Linux installation with a bat file.
  Product-L1_FilterConfig.PNG | 328.4 K | 14 Oct 2016 - 18:48 | NellieWang |
  RealHostMonitoringEvents.zip | 12.1 K | 15 Mar 2017 - 18:58 | NellieWang | Events for testing Host Monitoring package
  ReplayFiles.zip | 1432.1 K | 03 Mar 2017 - 00:32 | NellieWang | Linux replay events for RHEL 6.x and 7.x
  UserAccountChanged.PNG | 10.1 K | 16 Dec 2016 - 23:19 | NellieWang |
  UserAccountDeleted-1.PNG | 10.7 K | 16 Dec 2016 - 23:27 | NellieWang |
  UserAccountDeleted-2.PNG | 85.4 K | 16 Dec 2016 - 23:31 | NellieWang |
  UserAccountDeleted-3.PNG | 36.4 K | 16 Dec 2016 - 23:56 | NellieWang |
  UserDeleted.PNG | 53.0 K | 01 Mar 2017 - 00:37 | NellieWang |
  addconn.JPG | 16.8 K | 25 May 2016 - 15:28 | DonaldChapell |
  addconn2.JPG | 44.7 K | 25 May 2016 - 15:34 | DonaldChapell |
  addconn3.JPG | 18.0 K | 25 May 2016 - 15:38 | DonaldChapell |
  linux_auditd_override_20170419.zip | 16.7 K | 02 Oct 2017 - 20:35 | SeemaKhan | Linux1.2 parser override
Topic revision: r57 - 25 May 2018, BeirneKonarski


 

