Deployment Guide


UNIX Deployment Guide
Date Published: 2/8/2021

Securonix Proprietary Statement
This material constitutes proprietary and trade secret information of Securonix, and shall not be disclosed to any third party, nor used by the recipient except under the terms and conditions prescribed by Securonix. The trademarks, service marks, and logos of Securonix and others used herein are the property of Securonix or their respective owners.

Securonix Copyright Statement
This material is also protected by Federal Copyright Law and is not to be copied or reproduced in any form, using any medium, without the prior written authorization of Securonix. However, Securonix allows the printing of the Adobe Acrobat PDF files for the purposes of client training and reference. Information in this document is subject to change without notice. The software described in this document is furnished under a license agreement or nondisclosure agreement. The software may be used or copied only in accordance with the terms of those agreements. Nothing herein should be construed as constituting an additional warranty. Securonix shall not be liable for technical or editorial errors or omissions contained herein. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or any means electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's internal use without the written permission of Securonix.

Copyright © 2020 Securonix. All rights reserved.
Contact Information
Securonix
5080 Spectrum Drive, Suite 950W
Addison, TX 75001
(855) 732-6649

Table of Contents
Introduction 4
About UNIX Security Logs 4
Supported Collection Method 4
Format 4
Functionality 4
UNIX Syslog Configuration 4
Identify the Type of Logger 5
Perform a Communications Test 8
Verify Logs Appear on the RIN 8
Configuration in SNYPR 9
Verify the Job 14

Introduction
This Deployment Guide provides information on how to configure UNIX to send security logs to SNYPR.

About UNIX Security Logs
UNIX security logs provide information about activities in the environment, including privilege escalation events and high-criticality commands executed over SSH.

Supported Collection Method
The collection method is syslog.

Format
The format is regex.

Functionality
In SNYPR, resource groups (datasources) are categorized by functionality. The functionality determines what content is available when you import the datasource. For more information about Device Categorization, see the Data Dictionary. The functionality of UNIX is Operating System.

UNIX Syslog Configuration
Complete the following tasks to configure UNIX Syslog to export events to SNYPR:
• Identify the system logger.
• Perform an optional communications test.
• Verify logs on the RIN.

Identify the Type of Logger
Determine which syslog configuration file UNIX uses to send alerts, then configure UNIX to send logs based on that file type.
1. Log into UNIX.
2. From the prompt, execute the following command:
   ls -d /etc/*syslog*
3. Identify which of the following files displays as the result of the command:
   • rsyslog.conf
   • syslog-ng.conf
   • syslog.conf

Configuring UNIX to Send Logs Using rsyslog.conf
The rsyslog.conf file is most commonly found on Debian, Fedora, SuSE, Ubuntu, and other Linux distributions. Follow the steps below to configure UNIX for systems using the rsyslog.conf file to send alerts:
1. As root, edit the /etc/rsyslog.conf file with a text editor, such as vi.
2. Paste the following at the end of the file (the space after the selector is required; a single @ forwards over UDP):
   *.* @remote_ingester_node_ip:port_no
3. Replace the remote_ingester_node_ip variable with the Remote Ingester Node IP address for your environment.
4. Replace the port_no variable with the UDP port number in your environment.
5. Save the text file and exit the editor.
6. Based on the type of OS you are using, execute one of the following commands to activate the file change:
   • If your system is Ubuntu:
     sudo service rsyslog restart
   • For all other systems using rsyslog.conf:
     sudo /etc/init.d/rsyslog restart
7. Log messages should begin appearing on the Remote Ingester Node (RIN). By default, rsyslog sends messages from the system's hostname.

Configuring UNIX to Send Logs Using syslog-ng.conf
The syslog-ng file is often used on Gentoo 2005.0+ and SuSE 9.3+ systems. Follow the steps below to configure UNIX for systems using the syslog-ng.conf file to send alerts:
1. As root, edit /etc/syslog-ng.conf with a text editor.
2. In the line that starts with source (for example: source s_sys {..}), identify the name of the source, typically s_sys, src, s_all, or s_local.
3. At the end of the file, paste the following:
   destination d_securonix { udp("remote_ingester_node_ip" port(port_no)); };
   log { source(s_sys); destination(d_securonix); };
4. Replace s_sys with the name you identified in step 2.
5. Replace the remote_ingester_node_ip variable with the Remote Ingester IP address for your environment. The syslog-ng udp() driver takes the bare address, with no leading @.
6. Replace the port_no variable with the UDP/TCP port number for your environment.
7. Execute the following command to tell the system to activate the change:
   sudo killall -HUP syslog-ng
Note: Log messages should now appear on the Remote Ingester Node (RIN).
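Before restarting the daemon it is worth confirming that the forwarding rule actually parses as a remote target. The following Python script is an added example, not part of the Securonix guide: it extracts remote targets from the rsyslog.conf/syslog.conf line form ("*.* @host:port", which is also the form used in the syslog.conf section that follows) and from the syslog-ng destination form above, and checks that they point at the expected RIN. The RIN address 10.0.0.1 and the configuration text are constructed; a line with no space after the selector, or a syslog-ng host written with a leading @, is reported as not forwarding.

```python
import re

# Legacy rsyslog.conf / syslog.conf forwarding rule: selector, whitespace,
# then @host:port (UDP) or @@host:port (TCP). "*.*@host:port" with no
# space is one malformed selector and forwards nothing.
LEGACY_RULE = re.compile(
    r"^(?P<selector>\S+)\s+(?P<proto>@@?)(?P<host>[^\s:]+)(?::(?P<port>\d+))?\s*$"
)

# syslog-ng destination as used in the guide: destination d_x { udp("host" port(514)); };
# The host is the bare address; a leading @ would be looked up as part of the name.
SYSLOG_NG_DEST = re.compile(
    r'destination\s+(?P<name>\w+)\s*\{\s*(?P<proto>udp|tcp)\(\s*"(?P<host>[^"]+)"'
    r"\s+port\((?P<port>\d+)\)\s*\)\s*;\s*\}\s*;"
)


def forwarding_targets(conf_text):
    """Return (host, port, proto) for every remote forwarding rule found in conf_text."""
    targets = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LEGACY_RULE.match(line)
        if m:
            proto = "tcp" if m.group("proto") == "@@" else "udp"
            targets.append((m.group("host"), int(m.group("port") or 514), proto))
    for m in SYSLOG_NG_DEST.finditer(conf_text):
        targets.append((m.group("host"), int(m.group("port")), m.group("proto")))
    return targets


def check_forwarding(conf_text, rin_ip, port=514, proto="udp"):
    """True when conf_text forwards to the expected RIN on the given port and protocol."""
    return (rin_ip, port, proto) in forwarding_targets(conf_text)


# Constructed sample configuration tails (hypothetical RIN address 10.0.0.1).
SAMPLE_RSYSLOG = """\
# local logging stays in place
*.info;mail.none    /var/log/messages
*.*@10.0.0.1:514
*.* @10.0.0.1:514
"""
SAMPLE_SYSLOG_NG = """\
destination d_securonix { udp("10.0.0.1" port(514)); };
log { source(s_sys); destination(d_securonix); };
"""
```

Run check_forwarding() against the tail of your own configuration file (read with open()) with your RIN address and port before issuing the restart or HUP.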
Configuring UNIX to Send Logs Using syslog.conf
The syslogd and sysklogd files are often seen on BSDs; CentOS; Gentoo 2004.3 and older systems; Mac; RHEL; Slackware; Solaris; and most other Unices. The remote_syslog2 application can be used in place of syslogd. Some versions of syslog do not support custom ports and must use the default port 514, but modern BSD versions (including macOS) support custom ports.
1. As root, use a text editor to edit /etc/syslog.conf.
2. Paste the following at the end of the file:
   *.* @remote_ingester_node_ip:port_no
3. Replace the remote_ingester_node_ip variable with the Remote Ingester IP address for your environment.
4. Replace the port_no variable with the UDP/TCP port number for your environment.
5. Execute the following command to tell the system to activate the change:
   sudo killall -HUP syslogd
Note: Log messages should now appear on the Remote Ingester Node (RIN).

Perform a Communications Test
To confirm that messages are being sent and received, execute the following command to generate a test message:
   logger "Testing Securonix message delivery"

Verify Logs Appear on the RIN
On the RIN, verify that you are receiving logs.
1. At the prompt on the RIN, execute the following command (tcpdump options must come before the filter expression; use the port you configured if it is not 514):
   tcpdump -i eth0 -v -A udp port 514
2. Verify that the RIN displays logs similar to the following:
   Jul 17 06:59:17 portal-checkout-web-api-server-staging-1 systemd[1]: Started Daily apt upgrade and clean activities.
   Jul 17 06:59:19 portal-checkout-web-api-server-staging-1 consul [2231]: agent.client.serf.lan: serf: EventMemberFailed: delivery-validation-1.securonix.prod 172.31.34.191
   Jul 17 06:59:19 portal-checkout-web-api-server-staging-1 consul [2231]: agent.client.serf.lan: serf: EventMemberFailed: delivery-validation-1.securonix.prod 172.31.34.191
   Jun 16 01:46:05 SNX1234 goferd: [INFO][pulp.agent.edda7c71-34a3-474a-bbc6-2c41f9466904] gofer.messaging.adapter.connect:30 - connected: proton+amqps://abc.securonix.com:5647
   Jun 16 01:46:05 SNX1234 goferd: [INFO][pulp.agent.edda7c71-34a3-474a-bbc6-2c41f9466904] root:520 - connected to abc.securonix.com:5647

Configuration in SNYPR
To configure UNIX in SNYPR, complete the following steps:
1. Log in to SNYPR.
2. Navigate to Menu > Add Data > Activity.
3. Click + and select Add Data for Existing Device Type.
4. Click the Vendor drop-down and select the following information:
   • Vendors: UNIX / Red Hat Linux / Oracle Linux / AIX / BSD
   • Device Type: UNIX
   • Collection Method: Regex [syslog]
5. Choose an ingester from the drop-down list.
6. Click + to add a filter.
7. Provide a unique name for the filter.
8. Enter the following syslog filter in the Filter expression box:
   {host("10.0.0.1");};
   Note: The IP address is the address of the source host initiating the traffic.
9. Click Add.
10. Complete the following information in the Device Information section:
   • Datasource Name: UNIX
   • Specify the timezone for activity logs by clicking the drop-down and selecting a timezone.
11. Click Get Preview on the top right of the screen to view the data.
12. Click Save & Next until you reach the Identity Attribution page.
13. Click + > Add New Correlation Rule.
14. Enter a descriptive name for the correlation rule.
15. Provide the following parameters to create a correlation rule:
   • User Attribute
   • Operation
   • Parameter
   • Condition
   • Separator
   Example: User Attribute: firstname | Operation: None | Condition: And | Separator: . (period) + User Attribute: lastname | Operation: None | Condition: And. This correlation rule correlates users to activity accounts with the format firstname.lastname.
16. Scroll to the bottom of the screen and click Save.
17. Click Save & Next.
18. Select Do you want to run job Once? in the Job Scheduling Information section.
19. Click Save & Run. You will automatically be directed to the Job Monitor screen.

Verify the Job
Upon a successful import, the event data will be available for searching in Spotter. To search events in Spotter, complete the following steps:
1. Navigate to Menu > Security Center > Spotter.
2. Verify that the datasource you ingested is listed under the Available Datasources section.
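The guide's collection format is regex, so a quick way to confirm what the RIN is receiving in the "Verify Logs Appear on the RIN" step is to run the captured lines through the same shape of pattern SNYPR will apply. The following Python script is an added example, not part of the Securonix guide: it parses BSD-style syslog lines (timestamp, host, program, optional pid, message), tolerating the space before the pid bracket seen in the consul sample, and counts events per host and program while collecting lines that do not match. The sample lines are the ones shown above plus one constructed malformed line.

```python
import re
from collections import Counter

# "Mon DD HH:MM:SS host program[pid]: message"; pid is optional and the
# consul sample above has a space before the bracket, which is accepted.
SYSLOG_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\s:\[]+) ?(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$"
)

# Constructed sample: the guide's lines plus one line that is not syslog at all.
SAMPLE_LINES = [
    "Jul 17 06:59:17 portal-checkout-web-api-server-staging-1 systemd[1]: "
    "Started Daily apt upgrade and clean activities.",
    "Jul 17 06:59:19 portal-checkout-web-api-server-staging-1 consul [2231]: "
    "agent.client.serf.lan: serf: EventMemberFailed: delivery-validation-1.securonix.prod 172.31.34.191",
    "Jun 16 01:46:05 SNX1234 goferd: [INFO][pulp.agent.edda7c71-34a3-474a-bbc6-2c41f9466904] "
    "gofer.messaging.adapter.connect:30 - connected: proton+amqps://abc.securonix.com:5647",
    "this is not a syslog line",
]


def parse_syslog_line(line):
    """Return a dict of fields for a well-formed line, or None if it does not match."""
    m = SYSLOG_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"]) if rec["pid"] else None
    return rec


def summarize(lines):
    """Count parsed events per (host, program) and collect lines the pattern rejects."""
    counts = Counter()
    rejected = []
    for line in lines:
        rec = parse_syslog_line(line)
        if rec is None:
            rejected.append(line)
        else:
            counts[(rec["host"], rec["prog"])] += 1
    return counts, rejected
```

Feed it the text captured by tcpdump (or the file syslog writes on the RIN) and inspect the rejected list: lines there will not match the regex-based parser in SNYPR either.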
