Access Manager supports audit logging to a Sentinel server, a third-party Syslog server, or Analytics Server. This article is about sending audit events to a remote Syslog server. On Linux, when Syslog is selected for auditing, the required configuration, such as the remote Syslog server's IP address and listening port, is automatically pushed to the Identity Provider (IDP), Access Gateway (AG), and Administration Console (AC). Currently, the communication between the Access Manager component and the remote server happens over plain TCP. Syslog (rsyslog) also supports two alternatives: TLS over TCP where stronger security is required, and UDP where unreliable delivery of audit logs is acceptable. In the following sections, I describe how to send audit logs using UDP and using TLS over TCP.
Steps to follow:
Follow the Auditing section of the Access Manager documentation and set the remote Syslog server's IP and port. The corresponding configuration is written to the /etc/rsyslog.d/nam.conf file on AC, IDP, and AG.
Sample nam.conf file:
$ModLoad imtcp # load TCP listener
$InputTCPServerRun 1290
$template ForwardFormat,"<%PRI%>%TIMESTAMP:::date-rfc3164% %HOSTNAME% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%\n"
local0.* @@172.16.50.50:1468;ForwardFormat
This configures the local rsyslog agent to listen on TCP port 1290 and forward the audit messages to the remote server 172.16.50.50 on TCP port 1468.
Make sure to edit /etc/Auditlogging.cfg on AC, IDP, and AG and set both the SERVERIP and SERVERPORT macros to empty.
Sample Auditlogging.cfg file:
LOGDEST=syslog
FORMAT=JSON
SERVERIP=
SERVERPORT=
Restart the corresponding services with the following commands:
AC: /etc/init.d/novell-ac restart
AG: /etc/init.d/novell-mag restart
IDP: /etc/init.d/novell-idp restart
For the Syslog agent (client) to send logs to a remote server using UDP or TLS over TCP, rsyslog provides different options and macros.
1. Load the module the page uses for UDP by editing nam.conf:
$ModLoad imudp
2. Use a single @ character in front of the remote host to send messages over UDP (for TCP, a double @@ is used). So nam.conf would look like:
$ModLoad imtcp # load TCP listener
$InputTCPServerRun 1290
$template ForwardFormat,"<%PRI%>%TIMESTAMP:::date-rfc3164% %HOSTNAME% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%\n"
$ModLoad imudp
local0.* @164.100.150.10:1468;ForwardFormat
Here audit logs are forwarded to the remote server 164.100.150.10 on port 1468 using UDP.
3. Restart rsyslog service.
For TLS to work, keys and certificates are required. Each IDP, AG, and AC system should have a private key, a public key certificate, its root CA certificate, and the CA certificate of the remote Syslog server. Various tools are available for generating the required key files and certificates, such as OpenSSL, GnuTLS, and Let's Encrypt. Access Manager's admin console can also be used to create them.
It is very important to use the DNS name or IP address of the system (IDP/AG/AC) as the subject or common name (CN) of its public certificate, because the x509/name authentication mode on the receiving side matches the presented certificate against the permitted peer names. The CA certificate needs to be distributed to the remote server and vice versa.
Following are the macros to be used on IDP/AG/AC (acting as the syslog client) to set up TLS communication:
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /var/opt/novell/novlwww/server_CA.pem
$DefaultNetstreamDriverCertFile /var/opt/novell/novlwww/client_Cert.pem
$DefaultNetstreamDriverKeyFile /var/opt/novell/novlwww/client_Key.pem
$ModLoad imtcp # load TCP listener
$InputTCPServerRun 1290
$ActionSendStreamDriverMode 1 # run driver in TLS-only mode
$ActionSendStreamDriverAuthMode x509/name
$template ForwardFormat,"<%PRI%>%TIMESTAMP:::date-rfc3164% %HOSTNAME% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%\n"
local0.* @@164.100.150.10:1468;ForwardFormat
Restart rsyslog service.
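As an added example (not part of the original article or of Access Manager's own tooling), this Python script lints a client-side nam.conf like the UDP and TLS variants above: it classifies each forwarding rule by its @ (UDP) or @@ (TCP) prefix and flags UDP, plain TCP, and TLS setups that lack the gtls driver, a key file, or x509/name verification. The embedded sample configuration is constructed.

```python
import re
# Constructed sample mirroring the TLS client nam.conf above (not a file from any real system).
SAMPLE_CLIENT_CONF = """\
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /var/opt/novell/novlwww/server_CA.pem
$DefaultNetstreamDriverCertFile /var/opt/novell/novlwww/client_Cert.pem
$DefaultNetstreamDriverKeyFile /var/opt/novell/novlwww/client_Key.pem
$ModLoad imtcp # load TCP listener
$ActionSendStreamDriverMode 1 # run driver in TLS-only mode
$ActionSendStreamDriverAuthMode x509/name
local0.* @@164.100.150.10:1468;ForwardFormat
"""
# selector, then @ (UDP) or @@ (TCP), host and optional :port; the ;template suffix is ignored
FORWARD_RE = re.compile(r"^(?P<sel>\S+)\s+(?P<at>@@?)(?P<host>[^:;\s]+)(?::(?P<port>\d+))?")
TLS_FILE_KEYS = ("DefaultNetstreamDriverCAFile", "DefaultNetstreamDriverCertFile",
                 "DefaultNetstreamDriverKeyFile")
def parse_legacy(conf):
    """Split legacy rsyslog text into {directive: value} and a list of forwarding rules."""
    directives, rules = {}, []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments; skip blank lines
        if not line:
            continue
        if line.startswith("$"):  # legacy directive: $Name value
            name, _, value = line[1:].partition(" ")
            directives[name] = value.strip()
        elif (m := FORWARD_RE.match(line)):
            rules.append({"host": m["host"], "port": int(m["port"] or 514),  # 514 = syslog default
                          "transport": "tcp" if m["at"] == "@@" else "udp"})
    return directives, rules

def audit_transport(conf):
    """Return a list of findings; an empty list means every forward uses name-verified TLS."""
    d, rules = parse_legacy(conf)
    tls_mode = d.get("ActionSendStreamDriverMode") == "1"
    findings = []
    for r in rules:
        target = f"{r['host']}:{r['port']}"
        if r["transport"] == "udp":
            findings.append(f"{target}: UDP forwarding is unencrypted and unreliable")
        elif not tls_mode:
            findings.append(f"{target}: plain TCP, no TLS (set $ActionSendStreamDriverMode 1)")
        else:
            if d.get("DefaultNetstreamDriver") != "gtls":
                findings.append(f"{target}: TLS mode set but $DefaultNetstreamDriver is not gtls")
            findings += [f"{target}: missing ${k}" for k in TLS_FILE_KEYS if k not in d]
            if d.get("ActionSendStreamDriverAuthMode") != "x509/name":
                findings.append(f"{target}: server certificate not verified by name (x509/name)")
    return findings
```

Run audit_transport() on the contents of /etc/rsyslog.d/nam.conf from each IDP, AG, and AC after editing; an empty result means the forward matches the TLS configuration shown above.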
It is possible to configure AC as a remote audit server for Syslog; by default, audit logs are then written to /var/log/NAM_Audits.log. For AC to accept logs over UDP and over TLS on TCP, rsyslog provides different options and macros.
For UDP:
1. Load the module rsyslog needs to receive messages via UDP by editing nam.conf on the AC acting as the remote Syslog server:
$ModLoad imudp # load UDP module
$UDPServerRun <port number> # UDP listening port
2. Restart rsyslog service.
For TLS over TCP:
1. Add the following macros to nam.conf on the AC acting as the remote Syslog server. The permitted peer restricts which client certificates (matched by CN) may connect; it can be a single peer or an array of peers:
Single peer: $InputTCPServerStreamDriverPermittedPeer "127.0.0.1"
Array of peers: $InputTCPServerStreamDriverPermittedPeer ["test1.ex.net","10.1.2.3","*.ex.net"]
So nam.conf would look like:
$DefaultNetstreamDriver gtls # select the TLS-capable driver, as on the client side
$DefaultNetstreamDriverCAFile /tmp/client_CA.pem
$DefaultNetstreamDriverCertFile /tmp/server_Cert.pem
$DefaultNetstreamDriverKeyFile /tmp/Server_Key.pem
$ModLoad imtcp # load TCP listener
$InputTCPServerRun 1290
$InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
$InputTCPServerStreamDriverAuthMode x509/name
$InputTCPServerStreamDriverPermittedPeer 164.100.150.10
$template ForwardFormat,"<%PRI%>%TIMESTAMP:::date-rfc3164% %HOSTNAME% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%\n"
local0.* -/var/log/NAM_audits.log;ForwardFormat
2. Restart rsyslog service.
rsyslog also provides macros for debugging; they can be used when messages are not being sent or received.
To restart rsyslog, run the command for your platform:
For SLES 11 SP4: rcrsyslog restart
For SLES 12 SP2: rcsyslog restart
For RHEL 6.9: service rsyslog restart
For RHEL 7.4: systemctl restart rsyslog.service