File Modification Activity Not Showing in Log Search

Around two weeks ago I deployed some new audit rules to three of our Linux machines with R7 agents for basic testing before deploying them everywhere and enabled FIM in InsightIDR Settings: Insight Agent. I have not been able to use them for testing though because the File Modification Activity has still not shown up under Log Search. Am I missing something here?

[Screenshot 2023-11-30 at 9.51.02 AM]

[Screenshot 2023-11-30 at 9.51.25 AM]

Hi,

This logset is dynamically created when the first FIM event is received and processed for your account; this means (most likely) there is a misconfiguration in the compatibility mode used to audit the FIM events.

I recommend following the steps here to configure Compatibility Mode:

https://docs.rapid7.com/insight-agent/auditd-compatibility-mode-for-linux-assets/

And this step to configure FIM auditing:

https://docs.rapid7.com/insightidr/fim-for-linux/

Once you do this, can you share the output of:

auditctl -l

This should show the directories you are auditing.

Next would be to ensure the agent is not running into any errors related to the audit config.

If you navigate to

/opt/rapid7/ir_agent/components/insight_agent/common/agent.log

and search for ui_realtime; you should see any related errors.

I’d recommend a support case if you are running into any issues and would like us to look at some specific logs/outputs.

David

I should have mentioned that yes, we already configured auditd Compatibility Mode for Linux Assets and FIM as documented on the linked pages.

I am including the auditctl -l output from one of our systems below. I realize that it includes much more than InsightIDR cares about but I’d like to be thorough (and I’m also hoping that I can add some queries of the audit logs to try and identify potential issues).

I will start looking through the agent.log files. Thank you!

[root@qa-west ~]# auditctl -l
-a never,user -F subj_type=crond_t
-w /var/log/audit -p rwa -k auditlog
-w /var/audit -p rwa -k auditlog
-w /etc/audit -p wa -k auditconfig
-w /etc/libaudit.conf -p wa -k auditconfig
-w /etc/audisp -p wa -k audispconfig
-w /sbin/auditctl -p x -k audittools
-w /sbin/auditd -p x -k audittools
-w /usr/sbin/auditd -p x -k audittools
-w /usr/sbin/augenrules -p x -k audittools
-w /usr/sbin/ausearch -p x -k audittools
-w /usr/sbin/aureport -p x -k audittools
-w /usr/sbin/aulast -p x -k audittools
-w /usr/sbin/aulastlogin -p x -k audittools
-w /usr/sbin/auvirt -p x -k audittools
-a never,exit -S all -F subj_type=crond_t
-a never,exit -F arch=b64 -S adjtimex -F auid=-1 -F uid=995 -F subj_type=chronyd_t
-a never,exit -F arch=b64 -S all -F exe=/usr/bin/vmtoolsd
-a never,exit -F arch=b64 -S all -F dir=/dev/shm -F key=sharedmemaccess
-a never,exit -F arch=b64 -S all -F path=/opt/filebeat -F key=filebeat
-w /etc/sysctl.conf -p wa -k sysctl
-w /etc/sysctl.d -p wa -k sysctl
-a always,exit -S all -F perm=x -F auid!=-1 -F path=/sbin/insmod -F key=modules
-a always,exit -S all -F perm=x -F auid!=-1 -F path=/sbin/modprobe -F key=modules
-a always,exit -S all -F perm=x -F auid!=-1 -F path=/sbin/rmmod -F key=modules
-a always,exit -F arch=b64 -S init_module,delete_module,finit_module -F auid!=-1 -F key=modules
-w /etc/modprobe.conf -p wa -k modprobe
-w /etc/modprobe.d -p wa -k modprobe
-a always,exit -F arch=b64 -S kexec_load -F key=KEXEC
-a always,exit -F arch=b64 -S mknod,mknodat -F key=specialfiles
-a always,exit -F arch=b64 -S mount,umount2 -F auid!=-1 -F key=mount
-a always,exit -S all -F path=/sbin/mount.nfs -F perm=x -F auid>=500 -F auid!=-1 -F key=T1078_Valid_Accounts
-a always,exit -S all -F path=/usr/sbin/mount.nfs -F perm=x -F auid>=500 -F auid!=-1 -F key=T1078_Valid_Accounts
-a always,exit -F arch=b64 -S swapon,swapoff -F auid!=-1 -F key=swap
-w /etc/localtime -p wa -k localtime
-w /etc/cron.allow -p wa -k cron
-w /etc/cron.deny -p wa -k cron
-w /etc/cron.d -p wa -k cron
-w /etc/cron.daily -p wa -k cron
-w /etc/cron.hourly -p wa -k cron
-w /etc/cron.monthly -p wa -k cron
-w /etc/cron.weekly -p wa -k cron
-w /etc/crontab -p wa -k cron
-w /var/spool/cron -p wa -k cron
-w /etc/group -p wa -k etcgroup
-w /etc/passwd -p wa -k etcpasswd
-w /etc/gshadow -p rwxa -k etcgroup
-w /etc/shadow -p rwxa -k etcpasswd
-w /etc/security/opasswd -p rwxa -k opasswd
-w /etc/sudoers -p wa -k actions
-w /etc/sudoers.d -p wa -k actions
-w /etc/login.defs -p wa -k login
-w /etc/securetty -p wa -k login
-w /var/log/faillog -p wa -k login
-w /var/log/lastlog -p wa -k login
-w /var/log/tallylog -p wa -k login
-a always,exit -F arch=b64 -S sethostname,setdomainname -F key=network_modifications
-a always,exit -F arch=b64 -S connect -F exe=/bin/bash -F success=1 -F key="remote_shell"
-a always,exit -F arch=b64 -S connect -F exe=/usr/bin/bash -F success=1 -F key="remote_shell"
-w /etc/hosts -p wa -k network_modifications
-w /etc/sysconfig/network -p wa -k network_modifications
-w /etc/sysconfig/network-scripts -p w -k network_modifications
-w /etc/network -p wa -k network
-w /etc/NetworkManager/ -p wa -k network_modifications
-w /etc/issue -p wa -k etcissue
-w /etc/issue.net -p wa -k etcissue
-w /etc/inittab -p wa -k init
-w /etc/init.d -p wa -k init
-w /etc/init -p wa -k init
-w /etc/ld.so.conf -p wa -k libpath
-w /etc/ld.so.conf.d -p wa -k libpath
-w /etc/ld.so.preload -p wa -k systemwide_preloads
-w /etc/pam.d -p wa -k pam
-w /etc/security/limits.conf -p wa -k pam
-w /etc/security/limits.d -p wa -k pam
-w /etc/security/pam_env.conf -p wa -k pam
-w /etc/security/namespace.conf -p wa -k pam
-w /etc/security/namespace.d -p wa -k pam
-w /etc/security/namespace.init -p wa -k pam
-w /etc/aliases -p wa -k mail
-w /etc/postfix -p wa -k mail
-w /etc/exim4 -p wa -k mail
-w /etc/ssh/sshd_config -p wa -k sshd
-w /etc/ssh/sshd_config.d -p wa -k sshd
-w /root/.ssh -p wa -k rootkey
-a always,exit -F arch=b64 -S open -F dir=/etc -F success=0 -F key=unauthedfileaccess
-a always,exit -F arch=b64 -S open -F dir=/bin -F success=0 -F key=unauthedfileaccess
-a always,exit -F arch=b64 -S open -F dir=/sbin -F success=0 -F key=unauthedfileaccess
-a always,exit -F arch=b64 -S open -F dir=/usr/bin -F success=0 -F key=unauthedfileaccess
-a always,exit -F arch=b64 -S open -F dir=/usr/sbin -F success=0 -F key=unauthedfileaccess
-a always,exit -F arch=b64 -S open -F dir=/var -F success=0 -F key=unauthedfileaccess
-a always,exit -F arch=b64 -S open -F dir=/home -F success=0 -F key=unauthedfileaccess
-a always,exit -F arch=b64 -S open -F dir=/srv -F success=0 -F key=unauthedfileaccess
-a always,exit -S all -F path=/usr/libexec/sssd/p11_child -F perm=x -F auid>=500 -F auid!=-1 -F key=T1078_Valid_Accounts
-a always,exit -S all -F path=/usr/libexec/sssd/krb5_child -F perm=x -F auid>=500 -F auid!=-1 -F key=T1078_Valid_Accounts
-a always,exit -S all -F path=/usr/libexec/sssd/ldap_child -F perm=x -F auid>=500 -F auid!=-1 -F key=T1078_Valid_Accounts
-a always,exit -S all -F path=/usr/libexec/sssd/selinux_child -F perm=x -F auid>=500 -F auid!=-1 -F key=T1078_Valid_Accounts
-a always,exit -S all -F path=/usr/libexec/sssd/proxy_child -F perm=x -F auid>=500 -F auid!=-1 -F key=T1078_Valid_Accounts
-w /usr/bin/dbus-send -p x -k dbus_send
-w /usr/bin/gdbus -p x -k gdubs_call
-w /usr/bin/pkexec -p x -k pkexec
-w /etc/firewalld -p w -k firewalld_conf
-a always,exit -F arch=b64 -S execve -F euid=1001 -F key=detect_execve_www
-a always,exit -F arch=b64 -S execve -F euid=1002 -F key=detect_execve_www
-w /usr/local/apache/conf -p w -k apache_conf
-w /usr/local/apache_doc/conf -p w -k apache_doc_conf
-w /etc/my.cnf -p w -k mysql_conf
-w /etc/my.cnf.d -p w -k mysql_conf
-w /etc/maxscale.cnf -p w -k maxscale_conf
-w /etc/maxscale.cnf.d -p w -k maxscale_conf
-w /etc/yum.repos.d -p w -k rpm_repos
-w /etc/profile.d -p wa -k shell_profiles
-w /etc/profile -p wa -k shell_profiles
-w /etc/shells -p wa -k shell_profiles
-w /etc/bashrc -p wa -k shell_profiles
-w /etc/csh.cshrc -p wa -k shell_profiles
-w /etc/csh.login -p wa -k shell_profiles
-w /etc/fish -p wa -k shell_profiles
-w /etc/zsh -p wa -k shell_profiles
-a always,exit -F arch=b64 -S ptrace -F a0=0x4 -F key=code_injection
-a always,exit -F arch=b64 -S ptrace -F a0=0x5 -F key=data_injection
-a always,exit -F arch=b64 -S ptrace -F a0=0x6 -F key=register_injection
-a always,exit -F arch=b64 -S ptrace -F key=tracing
-a always,exit -F arch=b64 -S memfd_create -F key=anon_file_create
-a always,exit -S all -F dir=/home -F uid=0 -F auid>=1000 -F auid!=-1 -C auid!=obj_uid -F key=power_abuse
-a always,exit -F arch=b64 -S execve -F key=execve
-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=-1 -F key=file_access
-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=-1 -F key=file_access
-a always,exit -F arch=b64 -S mkdir,creat,link,symlink,mknod,mknodat,linkat,symlinkat -F exit=-EACCES -F key=file_creation
-a always,exit -F arch=b64 -S mkdir,link,symlink,mkdirat -F exit=-EPERM -F key=file_creation
-a always,exit -F arch=b64 -S truncate,rename,chmod,setxattr,lsetxattr,removexattr,lremovexattr,renameat -F exit=-EACCES -F key=file_modification
-a always,exit -F arch=b64 -S truncate,rename,chmod,setxattr,lsetxattr,removexattr,lremovexattr,renameat -F exit=-EPERM -F key=file_modification
-a always,exit -F arch=b32 -S all -F key=32bit_api
-a always,exclude -F msgtype=AVC
-a always,exclude -F msgtype=CWD
-a always,exclude -F msgtype=CRYPTO_KEY_USER

You might want to double-check whether the socket /var/run/audispd_events exists.

If it isn’t present, installing/reinstalling audispd-plugins is recommended:

yum install audispd-plugins on RHEL/CENTOS

@mmusgrove I don’t see a line in your auditctl -l output that looks like

-a always,exit -F arch=b64 -S execve -F key=execve32

This is required as per our setup here:

https://docs.rapid7.com/insight-agent/auditd-compatibility-mode-for-linux-assets/

Steps to configure FIM for Linux are:
1. Configure Compatibility Mode
2. Configure File Auditing
3. Restart auditd
4. Restart the Insight Agent service

David
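The replies above ask for three things to be verified by hand: the compatibility-mode rules in `auditctl -l`, the `/var/run/audispd_events` socket, and `ui_realtime` errors in agent.log. The script below is an added example (not code from this thread or from Rapid7) that runs those checks as shell functions. It assumes the required rules are recognised by their keys (execve32, as in David's line, and execve for the 64-bit rule), that the socket and log paths are the ones quoted in the thread, and that a ui_realtime log line containing "error" or "fail" counts as an error; the sample rules and log lines in `demo` are constructed, not real agent output.

```shell
#!/bin/sh
# Added example, not code from the thread or from Rapid7: a pre-flight check
# for the FIM prerequisites discussed above (compatibility-mode rules, the
# audispd socket, and ui_realtime errors in agent.log).
# Assumptions: required rules are identified by key (execve, execve32); the
# socket and log paths are the ones quoted in the thread; a ui_realtime line
# that mentions "error" or "fail" is treated as an error.

AUDISPD_SOCKET="${AUDISPD_SOCKET:-/var/run/audispd_events}"
AGENT_LOG="${AGENT_LOG:-/opt/rapid7/ir_agent/components/insight_agent/common/agent.log}"

# has_rule FILE KEY: succeed if FILE (auditctl -l output or a rules file)
# contains a rule carrying KEY, in either "-F key=KEY" or "-k KEY" form.
has_rule() {
    pattern="(-F key=|-k )\"?$2\"?( |\$)"
    grep -Eq -- "$pattern" "$1"
}

# check_compat_rules FILE: report each missing compatibility rule; return 1 if any.
check_compat_rules() {
    missing=0
    for key in execve execve32; do
        if has_rule "$1" "$key"; then
            echo "ok: rule with key=$key is loaded"
        else
            echo "MISSING: no rule with key=$key (see the compatibility-mode doc)"
            missing=1
        fi
    done
    return "$missing"
}

# check_socket PATH: the af_unix audisp plugin creates this socket; if it is
# absent the agent has nothing to read events from.
check_socket() {
    if [ -S "$1" ]; then
        echo "ok: socket $1 exists"
        return 0
    fi
    echo "MISSING: socket $1 (audispd-plugins installed? auditd restarted?)"
    return 1
}

# agent_errors LOG: print ui_realtime lines that look like errors (may be empty).
agent_errors() {
    grep -i 'ui_realtime' "$1" | grep -Ei 'error|fail' || true
}

# demo: run the checks against constructed sample input so the script can be
# exercised without a live agent. For a real host, feed the output of
# `auditctl -l` to check_compat_rules and use "$AUDISPD_SOCKET"/"$AGENT_LOG".
demo() {
    dir=$(mktemp -d)
    # Constructed auditctl -l excerpt with the "32" dropped, as in the thread.
    printf '%s\n' \
        '-a always,exit -F arch=b64 -S execve -F key=execve' \
        '-w /etc/passwd -p wa -k etcpasswd' > "$dir/rules"
    # Constructed agent.log lines; the format is illustrative only.
    printf '%s\n' \
        '2023-11-30 09:51:02 INFO ui_realtime started' \
        '2023-11-30 09:51:03 ERROR ui_realtime failed to connect to /var/run/audispd_events' \
        > "$dir/agent.log"
    check_compat_rules "$dir/rules" || :
    check_socket "$dir/does_not_exist" || :
    echo "agent.log errors:"
    agent_errors "$dir/agent.log"
    rm -rf "$dir"
}

demo
```

On a real host, run `auditctl -l > /tmp/rules.txt` as root and call `check_compat_rules /tmp/rules.txt`, then `check_socket "$AUDISPD_SOCKET"` and `agent_errors "$AGENT_LOG"`; a missing execve32 rule or a missing socket is reported before any log search is attempted.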

Thanks @david_smith.

Yes, audispd-plugins has been installed on all of the systems where we’ve attempted to configure FIM.

I’m not sure what happened to my audit rules but the ‘32’ had somehow gotten dropped off of that line. I have corrected it and restarted both auditd and ir_agent. I’ll try to trigger some relevant events.

The correct syntax for the command executions is what I had before:
-a always,exit -F arch=b64 -S execve -F key=execve; however, order does seem to matter for this, so when editing the audit.rules we need to ensure that the top of the file matches what is documented at InsightIDR - auditd Compatibility Mode for Linux Assets | Insight Agent Documentation.

If your OS uses audispd-plugins and does not have /etc/audisp/audispd.conf ensure that the settings mentioned at InsightIDR - auditd Compatibility Mode for Linux Assets | Insight Agent Documentation are configured in /etc/audit/auditd.conf instead. (q_depth and name_format were different on my systems.)

I’m still debugging but it appears that the rapid7 agent does not like it if you have any additional syscall (-a) rules.
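The reply above makes two practical points: the dispatcher settings (q_depth, name_format) live in /etc/audisp/audispd.conf on some systems and in /etc/audit/auditd.conf on others, and extra "-a" syscall rules beyond the documented header may need reviewing. The helpers below are an added example (not code from this thread or from Rapid7) that locate the right config file, read and compare a setting, and list the "-a" rules that are not the compatibility-header rules. They assume an optional ROOT prefix so they can be pointed at a staging copy of /etc, that the caller supplies the expected q_depth and name_format values from the Rapid7 doc page (the demo uses obvious placeholders, not the documented values), and that the header rules are recognised by their keys execve and execve32; all sample files in `demo` are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from Rapid7: helpers for the two
# points in the reply above (which file carries the dispatcher settings, and
# which "-a" syscall rules exist beyond the documented compatibility header).
# Assumptions: ROOT is an optional path prefix (default empty); expected
# setting values come from the caller (placeholders in the demo); header
# rules are identified by their keys execve and execve32.

# audisp_conf_file [ROOT]: print the file holding the dispatcher settings:
# audispd.conf where the OS still ships it, otherwise auditd.conf.
audisp_conf_file() {
    if [ -f "$1/etc/audisp/audispd.conf" ]; then
        echo "$1/etc/audisp/audispd.conf"
    else
        echo "$1/etc/audit/auditd.conf"
    fi
}

# read_setting FILE KEY: print the value of "KEY = value" (first match, trimmed).
read_setting() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# check_setting FILE KEY EXPECTED: report the value found; return 1 on mismatch.
check_setting() {
    actual=$(read_setting "$1" "$2")
    if [ "$actual" = "$3" ]; then
        echo "ok: $2 = $actual"
        return 0
    fi
    echo "MISMATCH: $2 is '$actual' in $1, expected '$3'"
    return 1
}

# extra_syscall_rules FILE: print every "-a" rule that is not one of the
# compatibility-header rules (keys execve / execve32). Prints nothing if none.
extra_syscall_rules() {
    grep -E '^-a ' "$1" | grep -Ev '(-F key=|-k )"?execve(32)?"?( |$)' || true
}

# demo: exercise the helpers on a constructed /etc tree.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/audit/rules.d"
    # Constructed auditd.conf excerpt; the values are made up for the demo.
    printf '%s\n' 'log_file = /var/log/audit/audit.log' 'q_depth = 250' \
        'name_format = NONE' > "$root/etc/audit/auditd.conf"
    conf=$(audisp_conf_file "$root")
    echo "dispatcher settings live in: $conf"
    check_setting "$conf" q_depth "<q_depth value from the doc>" || :
    check_setting "$conf" name_format "<name_format value from the doc>" || :
    # Constructed rules file: the two header rules plus two extra syscall rules.
    printf '%s\n' \
        '-a always,exit -F arch=b64 -S execve -F key=execve' \
        '-a always,exit -F arch=b32 -S execve -F key=execve32' \
        '-w /etc/passwd -p wa -k etcpasswd' \
        '-a always,exit -F arch=b64 -S ptrace -F key=tracing' \
        '-a always,exit -F arch=b64 -S memfd_create -F key=anon_file_create' \
        > "$root/etc/audit/rules.d/audit.rules"
    echo "additional -a syscall rules to review:"
    extra_syscall_rules "$root/etc/audit/rules.d/audit.rules"
    rm -rf "$root"
}

demo
```

Against a real host, call `audisp_conf_file` with no argument, pass the documented values to `check_setting`, and run `extra_syscall_rules /etc/audit/rules.d/audit.rules` to get the list of rules to add back one at a time while checking whether File Modification Activity still arrives.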