Linux Page 1 of 8

https://siem-as1:8443/help/Subsystems/eventsourceupdate/content/devices/html/rhlinu... 17/03/2015
Linux
RSA enVision Event Source
Last Modified: Saturday, December 6, 2014

Event Source (Device) Product Information
Vendor: Red Hat, Novell, Debian
Event Source (Device): Linux
Supported Versions:
    Red Hat Enterprise Linux 3.x, 4.x, 5.x, 6.0, 7.0
    Novell SuSE Linux Enterprise 9, 10, 10.2, 11
    Debian GNU/Linux 3.1, 4.0
Additional Downloads: nicwtmp.sh

RSA Product Information
Supported Version:
    RSA enVision 4.1
    Security Analytics 10.0 and later
Event Source (Device) Type: rhlinux, 27
Collection Method: Syslog
Event Source (Device) Class.Subclass: Host.UNIX
Content 2.0 Table: Unix

This document contains the following information for the Linux event source:
- Configuration Instructions
- Release Notes

Linux Configuration Instructions

Configure Linux
Follow the appropriate configuration instructions for your Linux vendor:
- Novell SuSE Linux Configuration Instructions
- Other Linux Configuration Instructions

If you use Red Hat Linux, you must also perform the following tasks:
1. Configure Auditd on Red Hat Linux.
2. Configure PAM logs for Red Hat Linux.
3. Configure the t es Service.

Configure Novell SuSE 10.2

You can use either UDP or TCP. Follow the appropriate instructions for the protocol that you are using.


Configure UDP

To configure SuSE Linux using UDP:
1. On the Linux appliance, log on as root.
2. Open the /etc/syslog-ng/syslog-ng.conf.in file.
3. At the end of the file, add the following lines:

# send everything to log host
destination loghost {
    udp("xxx.xxx.xxx.xxx" port(yy));
};
log {
    source(src);
    destination(loghost);
};

where:
- xxx.xxx.xxx.xxx is the IP address of the RSA enVision appliance.
- yy is the port number on which the enVision appliance is listening for incoming syslog messages.

4. Run the following commands:

SuSEconfig --module syslog-ng
/etc/init.d/syslog restart

Note: If you have Novell SuSE 9 or earlier, you must stop and start the service by running these commands:

/etc/init.d/syslog stop
/etc/init.d/syslog start

Configure TCP

You must complete the following tasks to configure Novell SuSE through TCP:
1. Configure the RSA enVision appliance to accept syslog in TCP packets.
2. Configure SuSE Linux to send syslog in TCP packets.

Configure the RSA enVision Appliance to Accept Syslog in TCP Packets

To configure the enVision appliance to accept syslog in TCP packets:
1. Log on to the RSA enVision appliance.
2. Select Overview > System Configuration > Services > Manage Collector Service.
3. On the Manage Collector Service window, click the name of your site or node.
4. Click the arrow at the end of the Information line.
5. In the Listen Port field, enter the port number on which the enVision appliance listens for TCP packets.
6. Click Add.
7. Enter the IP address of your SuSE event source.
8. Click OK.
9. Click OK.

Configure SuSE Linux to Send Syslog in TCP Packets

To configure SuSE Linux 10.2 to send syslog in TCP packets:
1. On the Linux machine, log on as root.
2. Open the /etc/syslog-ng/syslog-ng.conf file.
3. At the end of the file, add the following lines:

# send everything to log host
destination loghost {
    tcp("xxx.xxx.xxx.xxx" port(yy));
};
log {
    source(src);
    destination(loghost);
};

where:
- xxx.xxx.xxx.xxx is the IP address of the enVision appliance.
- yy is the port number on which the enVision appliance is listening for incoming syslog messages.

4. Run the following commands:

SuSEconfig --module syslog-ng
/etc/init.d/syslog start
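The shell functions below are an added example, not part of the RSA documentation or of the syslog-ng project. They apply the UDP and TCP procedures above in a checked way: the appliance address and port are validated before anything is written, and the loghost destination and its log statement are appended only if the file does not already define a destination named loghost, so running the procedure twice does not leave a duplicate (which, depending on the syslog-ng version, is at best redundant and at worst a configuration error). Assumptions: the configuration path is passed as the first argument (on SuSE, /etc/syslog-ng/syslog-ng.conf.in, which SuSEconfig --module syslog-ng then regenerates into syslog-ng.conf), and a source named src already exists in that file, as the page's stanza also assumes. The sample file in the usage comment is constructed for illustration.

```sh
#!/bin/sh
# Added example: safely append the syslog-ng "loghost" destination from the
# UDP/TCP procedures above. Not RSA's or syslog-ng's code.
# Assumptions: $1 is the syslog-ng config to edit (on SuSE,
# /etc/syslog-ng/syslog-ng.conf.in, regenerated by "SuSEconfig --module
# syslog-ng"); a source named "src" is already defined in that file.

# is_ipv4 ADDR: succeed if ADDR is a dotted quad with each octet in 0..255.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS
    IFS=.
    set -- $1          # split the address into its four octets
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# is_port NUM: succeed if NUM is an integer in 1..65535.
is_port() {
    echo "$1" | grep -Eq '^[0-9]{1,5}$' && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# has_loghost FILE: succeed if FILE already defines a destination named loghost.
has_loghost() {
    grep -Eq '^[[:space:]]*destination[[:space:]]+loghost[[:space:]]*[{]' "$1"
}

# render_loghost PROTO ADDR PORT: print the stanza from step 3 of the
# procedures above (same content, written on three lines).
render_loghost() {
    cat <<EOF
# send everything to log host
destination loghost { $1("$2" port($3)); };
log { source(src); destination(loghost); };
EOF
}

# add_loghost FILE PROTO ADDR PORT: validate the inputs, refuse to add a second
# loghost destination, then append the stanza. Returns 0 on success, 1 if the
# destination already exists, 2 on invalid input.
add_loghost() {
    file=$1 proto=$2 addr=$3 port=$4
    case "$proto" in
        udp|tcp) ;;
        *) echo "protocol must be udp or tcp, got '$proto'" >&2; return 2 ;;
    esac
    is_ipv4 "$addr" || { echo "not an IPv4 address: $addr" >&2; return 2; }
    is_port "$port" || { echo "not a valid port: $port" >&2; return 2; }
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    if has_loghost "$file"; then
        echo "$file already defines destination loghost; nothing added" >&2
        return 1
    fi
    render_loghost "$proto" "$addr" "$port" >> "$file"
}

# Stand-alone use on a SuSE host (constructed values):
#   add_loghost /etc/syslog-ng/syslog-ng.conf.in udp 192.0.2.10 514
# then run "SuSEconfig --module syslog-ng" and the restart from step 4.
```

The stanza is written on three lines rather than the page's nine, which syslog-ng treats identically. The return codes separate "already configured" (1) from "bad input" (2), so a provisioning script can treat the first as success and the second as a failure to investigate.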

Configure Other Linux Versions

To configure any other Linux version:
1. On the Linux appliance, open the /etc/syslog.conf file in a text editor. If you are using Red Hat Linux 6.0, open /etc/rsyslog.conf.
2. To configure the event source to log all messages of debug level and higher to the syslog server, add the following line:

*.debug @xxx.xxx.xxx.xxx

where xxx.xxx.xxx.xxx is the address of the enVision appliance.

3. Save the file, and close the text editor.
4. To restart the syslog service, depending on your version of Linux, run the following command:
- For Red Hat Linux 6.0:

service rsyslog restart

- For other versions of Linux:

service syslog restart
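As an added example (not from the RSA documentation), the following shell functions do the checking side of the procedure above: forwards_all_debug reports whether a syslog.conf or rsyslog.conf already has an active line that sends every facility at debug level and above to the appliance, add_remote_debug appends the line from step 2 only when it is missing, and restart_cmd picks the restart command from step 4 by which daemon's configuration file is present. The configuration paths and the appliance address are passed as arguments. The check is slightly more general than the page: besides the *.debug selector it also accepts *.* (the same coverage) and rsyslog's @@host (TCP) and host:port forms. The sample configuration in the usage comment is constructed.

```sh
#!/bin/sh
# Added example: check, add and restart logic for the classic syslog.conf
# forwarding line in the procedure above. Not RSA's code.
# Assumptions: FILE/ETC are passed as arguments (/etc/syslog.conf or
# /etc/rsyslog.conf and /etc on a real host); HOST is the appliance address.

# forwards_all_debug FILE HOST: succeed if an active (uncommented) line in FILE
# sends every facility at debug level and above to HOST. The selector from
# step 2 is "*.debug"; "*.*" means the same thing, and rsyslog's TCP form
# "@@HOST" and an optional ":port" suffix are accepted as well.
forwards_all_debug() {
    file=$1
    host_re=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots in the address
    grep -Eq "^[[:space:]]*\*\.(debug|\*)[[:space:]]+@@?${host_re}(:[0-9]+)?[[:space:]]*\$" "$file"
}

# add_remote_debug FILE HOST: append the line from step 2 unless FILE already
# forwards everything to HOST. A tab separates selector and action because
# some older syslogd implementations accept only tabs there.
add_remote_debug() {
    [ -f "$1" ] || { echo "no such file: $1" >&2; return 2; }
    if forwards_all_debug "$1" "$2"; then
        echo "$1 already forwards *.debug to $2; nothing added" >&2
        return 0
    fi
    printf '*.debug\t@%s\n' "$2" >> "$1"
}

# restart_cmd ETC: print the restart command from step 4, chosen by whether
# rsyslog (Red Hat 6.0) or the classic syslog daemon owns the configuration.
restart_cmd() {
    if [ -f "$1/rsyslog.conf" ]; then
        echo "service rsyslog restart"
    else
        echo "service syslog restart"
    fi
}

# Stand-alone use on a host (constructed address):
#   add_remote_debug /etc/syslog.conf 192.0.2.10
# then run the command printed by: restart_cmd /etc
```

The check deliberately ignores commented-out lines and selectors such as *.info or *.debug;mail.none, because those do not deliver every message to the appliance; a host that only has such lines is reported as not forwarding, which is the conservative answer when verifying collection coverage.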

Configure Auditd on Red Hat Linux

If you use Red Hat Linux, you must configure Auditd. Perform the steps in the appropriate section for your deployment:
- Configure Auditd for Red Hat 5 and Later
- Configure Auditd for Red Hat 4 and Earlier

Configure Auditd for Red Hat 5 and Later

Follow these instructions to configure auditd for versions 5 and later of Red Hat Linux.

To configure Auditd for Red Hat 5 and later:
1. Install audispd-plugins.
2. Open /etc/audit/auditd.conf, and change the dispatcher attribute to /sbin/audispd.
3. In /etc/syslog.conf, verify that all logs are directed to the RSA enVision appliance.
4. Restart the auditd service.
5. To ensure that the audit logs are forwarded to the RSA enVision appliance, perform the following steps:
   a. In /etc/audisp/plugins.d/syslog.conf, verify that all logs are directed to the RSA enVision appliance.
   b. Enable forwarding of audit messages to syslog by editing /etc/audisp/plugins.d/syslog.conf and changing the active = no clause to active = yes.
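Steps 2 and 5b above both come down to setting one key = value line in an audit configuration file and being sure it took effect. The shell functions below are an added example, not the page's or the Linux audit project's code: set_kv replaces an existing active assignment or appends one when the key is absent (so re-running is harmless), get_kv reads a value back, and audit_to_syslog_ok succeeds only when dispatcher = /sbin/audispd and active = yes are both in effect, which is the state to confirm before restarting auditd in step 4. File paths are arguments; on a Red Hat 5 or later host they would be /etc/audit/auditd.conf and /etc/audisp/plugins.d/syslog.conf. The sample files in the test are constructed.

```sh
#!/bin/sh
# Added example: the "key = value" edits from steps 2 and 5b above, done
# idempotently and verified. Not RSA's or the Linux audit project's code.
# Assumptions: file paths are arguments; on a Red Hat 5+ host they would be
# /etc/audit/auditd.conf and /etc/audisp/plugins.d/syslog.conf.

# set_kv FILE KEY VALUE: make the active assignment of KEY in FILE read
# "KEY = VALUE", replacing an existing uncommented one or appending if absent.
set_kv() {
    file=$1 key=$2 value=$3
    if grep -Eq "^[[:space:]]*${key}[[:space:]]*=" "$file"; then
        sed -i.bak -E "s|^[[:space:]]*${key}[[:space:]]*=.*|${key} = ${value}|" "$file" && rm -f "$file.bak"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# get_kv FILE KEY: print the value of the last active KEY assignment (empty if none).
get_kv() {
    sed -nE "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*([^[:space:]]*).*\$/\1/p" "$1" | tail -n 1
}

# enable_audit_to_syslog AUDITD_CONF PLUGIN_CONF: step 2 (dispatcher) and
# step 5b (active = yes in the audisp syslog plugin).
enable_audit_to_syslog() {
    set_kv "$1" dispatcher /sbin/audispd
    set_kv "$2" active yes
}

# audit_to_syslog_ok AUDITD_CONF PLUGIN_CONF: succeed only if both settings are
# in effect, i.e. auditd hands events to audispd and audispd passes them on to
# syslog. Check this, then restart auditd as in step 4.
audit_to_syslog_ok() {
    [ "$(get_kv "$1" dispatcher)" = /sbin/audispd ] && [ "$(get_kv "$2" active)" = yes ]
}

# Stand-alone use on a Red Hat 5+ host:
#   enable_audit_to_syslog /etc/audit/auditd.conf /etc/audisp/plugins.d/syslog.conf
#   audit_to_syslog_ok    /etc/audit/auditd.conf /etc/audisp/plugins.d/syslog.conf && service auditd restart
```

Only uncommented assignments are touched: a commented "# active = no" explaining the default is left alone, so the edit does not silently turn documentation into configuration, and the verification reads the last active assignment, which is the one the daemon honours.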

Configure Auditd for Red Hat 4 and Earlier

Follow these instructions to configure auditd for versions 4 and earlier of Red Hat Linux.

To configure Auditd for Red Hat 4 and earlier:
1. Open /etc/init.d/auditd, and comment out the following lines:
- Replace line 58,

daemon $prog "$EXTRAOPTIONS"

with:

#daemon $prog "$EXTRAOPTIONS"

- Replace

killproc $prog

with:

# killproc $prog

$Home !!!! !

iptables status

iptables start

# /sbin/iptables - !!!!!!!!!!!! r!!!!

!d!!!r!!!!!! - --log-level

# /sbin/iptables - !!!!!!!!!!!! r!!!!

!d!!!r!!!!!! - --log-level - log-prefix !!y!d!!!r!d!!r!!!x

iptables-save
