
Access Manager Auditing over UDP and TLS


Introduction

Access Manager supports audit logging to a Sentinel server, a third-party Syslog server, or Analytics Server. This article covers sending audit events to a remote Syslog server. On Linux, when Syslog is selected for auditing, the required configuration, such as the remote Syslog server's IP address and listening port, is pushed automatically to the Identity Provider (IDP), Access Gateway (AG), and Administration Console (AC). By default the communication between an Access Manager component and the remote server happens over plain TCP. Where stronger transport security is required, or where unreliable delivery of audit logs is acceptable, Syslog (rsyslog) supports TLS over TCP and UDP respectively. The following sections describe how to send audit logs over UDP and over TLS on TCP.

Steps to follow:

Follow the Auditing section of the Access Manager documentation and set the remote Syslog server's IP address and port. The corresponding configuration is written to /etc/rsyslog.d/nam.conf on AC, IDP and AG.

Sample nam.conf file:

$ModLoad imtcp # load TCP listener
$InputTCPServerRun 1290
$template ForwardFormat,"<%PRI%>%TIMESTAMP:::date-rfc3164% %HOSTNAME% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%\n"
local0.* @@172.16.50.50:1468;ForwardFormat

This makes the local rsyslog agent listen on TCP port 1290 and forward the audit messages to the remote server 172.16.50.50 on TCP port 1468.

Make sure to edit /etc/Auditlogging.cfg on AC, IDP, and AG and set both the SERVERIP and SERVERPORT macros to empty values.

Sample Auditlogging.cfg file:

LOGDEST=syslog
FORMAT=JSON
SERVERIP=
SERVERPORT=

Restart corresponding services with command as follows:

AC: /etc/init.d/novell-ac restart

AG: /etc/init.d/novell-mag restart

IDP: /etc/init.d/novell-idp restart

For the Syslog agent (client) to send logs to a remote server over UDP or over TLS on TCP, rsyslog provides the following options and macros.

UDP configurations

1. Load the module required for rsyslog to send messages over UDP by editing nam.conf:

$ModLoad imudp

2. Use a single @ character in front of the remote host to send messages over UDP; for TCP, a double @@ is used. nam.conf would then look like:

$ModLoad imtcp # load TCP listener
$InputTCPServerRun 1290
$template ForwardFormat,"<%PRI%>%TIMESTAMP:::date-rfc3164% %HOSTNAME% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%\n"
$ModLoad imudp
local0.* @164.100.150.10:1468;ForwardFormat

Here audit logs are forwarded to the remote server 164.100.150.10, port 1468, over UDP. Note that UDP gives neither delivery confirmation nor encryption: a datagram lost on the network is not retried, and the audit content travels in clear text.

3. Restart rsyslog service.

TLS over TCP configuration

For TLS to work, keys and certificates are required. Each IDP, AG, and AC system needs its own private key, its public key certificate, its root CA certificate, and the CA certificate of the remote Syslog server. Various tools can generate the required keys and certificates, such as OpenSSL, GnuTLS, or Let's Encrypt; the Access Manager Administration Console can also create them.

It is very important to use the DNS name or IP address of the system (IDP/AG/AC) as the subject or common name (CN) of its public certificate, because in x509/name mode the peer verifies exactly this name. The CA certificate needs to be distributed to the remote server and vice versa.

The following macros are used on IDP/AG/AC (working as the Syslog client) to set up TLS communication:

$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile <filepath of peer's CA certificate>
$DefaultNetstreamDriverCertFile <filepath of own public key certificate>
$DefaultNetstreamDriverKeyFile <filepath of own private key>
$ActionSendStreamDriverMode 1 # run driver in TLS-only mode
$ActionSendStreamDriverAuthMode x509/name # authentication mode used during the TLS handshake
$ActionSendStreamDriverPermittedPeer <DNS name or IP address in the remote server's certificate> # required by x509/name: the server certificate's name must match this list
So nam.conf would look like:

$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /var/opt/novell/novlwww/server_CA.pem
$DefaultNetstreamDriverCertFile /var/opt/novell/novlwww/client_Cert.pem
$DefaultNetstreamDriverKeyFile /var/opt/novell/novlwww/client_Key.pem
$ModLoad imtcp # load TCP listener
$InputTCPServerRun 1290
$ActionSendStreamDriverMode 1 # run driver in TLS-only mode
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer 164.100.150.10 # name (here the IP) in the remote server's certificate
$template ForwardFormat,"<%PRI%>%TIMESTAMP:::date-rfc3164% %HOSTNAME% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%\n"
local0.* @@164.100.150.10:1468;ForwardFormat

Restart rsyslog service.
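To check a receiver end to end, here is an added example (not from this article or from Access Manager) that builds one line in the same shape as the ForwardFormat template and sends it either as a UDP datagram (single @) or over mutually authenticated TLS (double @@ with gtls); the host, port and certificate paths are placeholders you supply.

```python
import socket
import ssl
from datetime import datetime

LOCAL0_INFO = 16 * 8 + 6                       # local0 facility (16) * 8 + info severity (6) = PRI 134
SAMPLE_WHEN = datetime(2024, 1, 5, 14, 3, 1)   # fixed timestamp so the sample line is reproducible

def forward_format(msg, hostname, tag="nam-test:", pri=LOCAL0_INFO, when=None):
    """Build one line the way the article's ForwardFormat template does:
    <PRI>TIMESTAMP HOSTNAME TAG MSG, with an RFC 3164 timestamp (day space-padded)."""
    when = when or datetime.now()
    stamp = when.strftime("%b ") + f"{when.day:2d}" + when.strftime(" %H:%M:%S")
    return f"<{pri}>{stamp} {hostname} {tag} {msg}\n"

def send_udp(line, host, port):
    """Single @ in nam.conf: fire-and-forget datagram, no delivery guarantee, no encryption."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(line.encode(), (host, port))

def send_tls(line, host, port, ca_file, cert_file, key_file):
    """Double @@ plus gtls mode 1 / x509/name in nam.conf: TLS with both sides presenting certificates.
    ca_file is the remote server's CA; cert_file/key_file are this host's own pair (placeholder paths)."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.load_cert_chain(cert_file, key_file)
    # Python verifies the server name against the certificate's SAN entries; rsyslog's x509/name
    # also accepts the CN, so a CN-only certificate that rsyslog trusts can still be rejected here.
    with socket.create_connection((host, port)) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(line.encode())         # newline-terminated, matching rsyslog's default TCP framing
            return tls.version()

if __name__ == "__main__":
    line = forward_format("audit transport test", socket.gethostname())
    print(line, end="")
    # send_udp(line, "REMOTE_SYSLOG_HOST", 1468)
    # send_tls(line, "REMOTE_SYSLOG_HOST", 1468, "/path/server_CA.pem", "/path/client_Cert.pem", "/path/client_Key.pem")
```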

Administration Console (AC) as remote Syslog server

AC can be configured as the remote audit server for Syslog; by default, audit logs are written to /var/log/NAM_Audits.log. For AC to accept logs over UDP or over TLS on TCP, rsyslog provides the following options and macros.

UDP configuration

1. Load the module required for rsyslog to receive messages over UDP by editing nam.conf on the AC that acts as the remote Syslog server:

$ModLoad imudp # load UDP module
$UDPServerRun <port number> # UDP listening port

2. Restart rsyslog service.

TLS over TCP configuration

1. Add the following macros to nam.conf on the AC that acts as the remote Syslog server:

$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile <filepath of peer's CA certificate>
$DefaultNetstreamDriverCertFile <filepath of own public key certificate>
$DefaultNetstreamDriverKeyFile <filepath of own private key>
$InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
$InputTCPServerStreamDriverAuthMode x509/name
$InputTCPServerStreamDriverPermittedPeer <permitted peer ID>

Use the peer's DNS name or IP address exactly as it appears in the peer's public certificate, e.g.

Single peer: $InputTCPServerStreamDriverPermittedPeer "127.0.0.1"

Array of peers: $InputTCPServerStreamDriverPermittedPeer ["test1.ex.net","10.1.2.3","*.ex.net"]

So nam.conf would look like (the $InputTCPServerStreamDriver* macros apply to the next $InputTCPServerRun, so they must come before it):

$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /tmp/client_CA.pem
$DefaultNetstreamDriverCertFile /tmp/server_Cert.pem
$DefaultNetstreamDriverKeyFile /tmp/Server_Key.pem
$ModLoad imtcp # load TCP listener
$InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
$InputTCPServerStreamDriverAuthMode x509/name
$InputTCPServerStreamDriverPermittedPeer 164.100.150.10
$InputTCPServerRun 1290 # TLS listener; uses the stream driver settings above
$template ForwardFormat,"<%PRI%>%TIMESTAMP:::date-rfc3164% %HOSTNAME% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%\n"
local0.* -/var/log/NAM_audits.log;ForwardFormat

2. Restart rsyslog service.
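Because the client (TLS over TCP section above) and server nam.conf files share the same pitfalls, here is an added lint script (not part of this article or of Access Manager) that checks a legacy-syntax nam.conf for them: a TLS mode without the gtls driver or key files, x509/name without a permitted peer list, a UDP target combined with TLS mode, and listener settings placed after $InputTCPServerRun. The embedded CLIENT_CONF is a constructed copy of the article's client sample.

```python
# Constructed sample: the article's TLS client nam.conf (not the product's generated file).
CLIENT_CONF = """\
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /var/opt/novell/novlwww/server_CA.pem
$DefaultNetstreamDriverCertFile /var/opt/novell/novlwww/client_Cert.pem
$DefaultNetstreamDriverKeyFile /var/opt/novell/novlwww/client_Key.pem
$ModLoad imtcp # load TCP listener
$InputTCPServerRun 1290
$ActionSendStreamDriverMode 1 # run driver in TLS-only mode
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer 164.100.150.10
local0.* @@164.100.150.10:1468;ForwardFormat
"""

def lint_nam_conf(text):
    """Return a list of findings for the TLS pitfalls of a legacy-syntax nam.conf (empty = clean)."""
    findings, seen, run_line = [], {}, None      # seen: directive -> (line number, value)
    val = lambda key: seen.get(key, (0, ""))[1]
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        if line.startswith("$"):
            key, _, value = line.partition(" ")
            seen[key] = (n, value.strip())
            if key == "$InputTCPServerRun":
                run_line = n
        else:
            parts = line.split()                   # selector + action, e.g. local0.* @@host:port
            if (len(parts) == 2 and parts[1].startswith("@") and not parts[1].startswith("@@")
                    and val("$ActionSendStreamDriverMode") == "1"):
                findings.append(f"line {n}: TLS mode 1 is set but '{parts[1]}' is a UDP target; TLS needs @@host")
    tls_on = "1" in (val("$ActionSendStreamDriverMode"), val("$InputTCPServerStreamDriverMode"))
    if tls_on and val("$DefaultNetstreamDriver") != "gtls":
        findings.append("TLS mode is set but $DefaultNetstreamDriver is not gtls")
    if tls_on:
        for key in ("CAFile", "CertFile", "KeyFile"):
            if "$DefaultNetstreamDriver" + key not in seen:
                findings.append(f"$DefaultNetstreamDriver{key} is missing")
    for side in ("$ActionSend", "$InputTCPServer"):   # client-side and listener-side macro families
        if val(side + "StreamDriverAuthMode") == "x509/name" and side + "StreamDriverPermittedPeer" not in seen:
            findings.append(f"{side}StreamDriverAuthMode x509/name needs {side}StreamDriverPermittedPeer")
    if run_line:
        for key in ("Mode", "AuthMode", "PermittedPeer"):
            d = "$InputTCPServerStreamDriver" + key
            if d in seen and seen[d][0] > run_line:
                findings.append(f"{d} (line {seen[d][0]}) comes after $InputTCPServerRun (line {run_line}); the listener starts without it")
    return findings
```

Run it over /etc/rsyslog.d/nam.conf on each component before restarting rsyslog; an empty list means none of the checks fired.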

Debugging

There are macros available for debugging rsyslog. The following macros can be used to debug rsyslog when messages are not being sent or received.

$DebugLevel <level> # 1, 2 or 3 can be used
$DebugFile <debug log file path>

Debug logs are written to the file path given in $DebugFile as well as to /var/log/messages.

To restart rsyslog, run the following commands:

  • For SLES 11 SP4: rcrsyslog restart

  • For SLES 12 SP2: rcsyslog restart

  • For RHEL 6.9: service rsyslog restart

  • For RHEL 7.4: systemctl restart rsyslog.service
