Information
Record changes to network environment files or system calls. The rules below monitor the following system calls and write an audit event on system call exit:
- sethostname - set the system's host name
- setdomainname - set the system's domain name
The files being monitored are:
- /etc/issue and /etc/issue.net - messages displayed pre-login
- /etc/hosts - file containing host names and associated IP addresses
- /etc/networks - symbolic names for networks
- /etc/network/ - directory containing network interface scripts and configuration files
- /etc/netplan/ - central location for YAML networking configuration files
Monitoring system events that change the network environment, such as sethostname and setdomainname, helps identify unauthorized alterations to host and domain names, which could compromise security settings that rely on these names. Changes to /etc/hosts can signal unauthorized attempts to alter the mapping of host names to IP addresses, potentially redirecting users and processes to unintended destinations. Watching /etc/issue and /etc/issue.net detects intruders inserting false information to deceive users before they log in. Monitoring /etc/network/ reveals modifications to network interfaces or scripts that may jeopardize system availability or security, and tracking the /etc/netplan/ directory ensures swift detection of unauthorized adjustments to network configuration. All audit records should be tagged with a key (system-locale in the rules below) so that they can be retrieved together, for example with ausearch -k system-locale.
Solution
Create audit rules
Edit or create a file in the /etc/audit/rules.d/ directory, with a .rules extension, containing the rules to monitor events that modify the system's network environment. On 64-bit systems both the arch=b64 and arch=b32 system call rules are needed so that 32-bit callers are also recorded.
Example:
# printf "
-a always,exit -F arch=b64 -S sethostname,setdomainname -k system-locale
-a always,exit -F arch=b32 -S sethostname,setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/networks -p wa -k system-locale
-w /etc/network/ -p wa -k system-locale
-w /etc/netplan/ -p wa -k system-locale
" >> /etc/audit/rules.d/50-system_locale.rules
Load audit rules
Merge and load the rules into active configuration:
# augenrules --load
Check whether a reboot is required. If the audit configuration has been made immutable (auditctl -e 2, shown as "enabled 2" by auditctl -s), new rules cannot be loaded until the system is rebooted:
# if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then printf "Reboot required to load rules\n"; fi
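The following script is an added example and is not part of the benchmark text. It checks that a rules file covers every watch and system call listed above, so the result of the procedure can be verified rather than assumed. The input may be the 50-system_locale.rules file written above or saved output of auditctl -l (which, in current audit releases, prints the key of a syscall rule as -F key=NAME rather than -k NAME; both forms are accepted). The function names check_system_locale_rules, count_missing, write_complete_rules and write_partial_rules, and the two sample rule files they write, are constructed for this example.

```bash
#!/usr/bin/env bash
# Added example, not part of the benchmark: verify that a set of audit rules
# covers every watch and system call in the system-locale recommendation.
# Input: a rules.d file or saved `auditctl -l` output (key may be "-F key=").

# check_system_locale_rules FILE [KEY]
# Prints one "MISSING: ..." line per absent rule; returns 0 only if all are present.
check_system_locale_rules() {
    local rules_file="$1" key="${2:-system-locale}" missing=0 norm f fpat a sc
    local files="/etc/issue /etc/issue.net /etc/hosts /etc/networks /etc/network/ /etc/netplan/"

    # Drop comments and blank lines, and normalise "-F key=X" to "-k X".
    norm=$(grep -Ev '^[[:space:]]*(#|$)' "$rules_file" | sed -E 's/-F key=/-k /')

    for f in $files; do
        fpat="${f%/}/?"   # accept directory watches with or without the trailing slash
        if ! printf '%s\n' "$norm" | grep -Eq -- \
            "^-w[[:space:]]+${fpat}[[:space:]]+-p[[:space:]]+wa[[:space:]]+-k[[:space:]]+${key}([[:space:]]|$)"; then
            echo "MISSING: -w $f -p wa -k $key"
            missing=1
        fi
    done

    # Each syscall must be covered for both arches. Accept "-S a,b" in either
    # order or as separate -S options, and either "always,exit" or "exit,always".
    for a in b64 b32; do
        for sc in sethostname setdomainname; do
            if ! printf '%s\n' "$norm" \
                | grep -E -- "^-a[[:space:]]+(always,exit|exit,always)[[:space:]].*-F[[:space:]]+arch=${a}([[:space:]]|$)" \
                | grep -E -- "-S[[:space:]]+([a-z0-9_]+,)*${sc}(,|[[:space:]]|$)" \
                | grep -Eq -- "-k[[:space:]]+${key}([[:space:]]|$)"; then
                echo "MISSING: -a always,exit -F arch=$a -S $sc -k $key"
                missing=1
            fi
        done
    done
    return $missing
}

# count_missing FILE [KEY]: echo the number of missing rules; always exits 0.
count_missing() {
    check_system_locale_rules "$1" "${2:-system-locale}" | grep -c '^MISSING' || true
}

# write_complete_rules FILE: constructed sample in `auditctl -l` style.
write_complete_rules() {
    cat > "$1" <<'EOF'
-a always,exit -F arch=b64 -S sethostname,setdomainname -F key=system-locale
-a always,exit -F arch=b32 -S setdomainname,sethostname -F key=system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/networks -p wa -k system-locale
-w /etc/network -p wa -k system-locale
-w /etc/netplan/ -p wa -k system-locale
EOF
}

# write_partial_rules FILE: constructed sample that lacks the b32 rule and /etc/netplan/.
write_partial_rules() {
    cat > "$1" <<'EOF'
## constructed example of an incomplete 50-system_locale.rules
-a always,exit -F arch=b64 -S sethostname,setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/networks -p wa -k system-locale
-w /etc/network/ -p wa -k system-locale
EOF
}

# Demo on the constructed samples. On a real host, as root:
#   auditctl -l > /tmp/loaded.rules && check_system_locale_rules /tmp/loaded.rules
good=$(mktemp); bad=$(mktemp)
write_complete_rules "$good"; write_partial_rules "$bad"
echo "complete sample: $(count_missing "$good") missing"
check_system_locale_rules "$bad" || echo "partial sample is non-compliant"
rm -f "$good" "$bad"
```

Run the checker twice: once against the file in /etc/audit/rules.d/ and once against auditctl -l output. The first catches a typo in the file; the second catches rules that were written but never loaded, for example because the configuration is immutable and the reboot in the last step has not happened yet.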