
GPG-13 Deployment Guide – Configure the Compliance Module


LogRhythm requires that you configure some objects included in the GPG-13 Advanced Compliance Automation Suite. This section describes the steps you must perform.

Intelligent Indexing

Intelligent Indexing allows Reports, Investigations, and Tails to keep the appropriate log data online in the Log Manager/Data Processor. Care must be taken when choosing which object to allow Intelligent Indexing as broad criteria can cause an exceptional amount of online data and overwhelm the Log Manager/Data Processor. For a list of Intelligent Indexing-capable objects and their recommended settings, see the matrices available from the home page of this module.

Populate Lists

The GPG-13 Advanced Compliance Lists must be populated with the data you collected before installing the module. Complete the following sections to populate all required lists.

Populate Log Source Lists

  1. Open the LogRhythm Console and click List Manager.
  2. Right-click the name of a GPG-13 Log Source List, and then click Properties.
  3. To view the log sources selector, click Add Item.
  4. Search for and select all log sources that you want, and then click OK.
  5. To save the list, click OK.
  6. Repeat this process (steps 1-5) for all GPG-13 Log Source Lists from your checklist.

Some Log Sources may be in multiple Log Source Lists depending on their usage. For example, a Windows 2008 Server may be a Server and Workstation Log Source, but if it were deployed as a bastion host at the security perimeter, it could also be a part of the Security Systems Log Sources.

Populate Users Lists

  1. Open the LogRhythm Console and click List Manager.
  2. Right-click the name for a GPG-13 Users List, and then click Properties.
  3. Select the Username for the Item Type.
  4. Type in the username in the Add Item field.
  5. Click Add Item to add the username.
  6. Repeat steps 4-5 for all usernames.
  7. To save the list, click OK.
  8. Repeat this process (steps 1-7) for all GPG-13 Users Lists.

Activate and Configure AIE Rules

All AIE Rules included in the GPG-13 Compliance Automation Suite are disabled by default. Due to variability found in different networks, you will probably need to tune these rules for optimal performance within your environment. Tuning and configuration notes for certain rules can be found in their Properties under the Information tab. Your LogRhythm Professional Services Engineer can also provide assistance with tuning AI Engine rules for your environment.

  1. Open the LogRhythm Console and click Deployment Manager.
  2. Click the AI Engine tab.
  3. Select all the GPG-13 AIE rules.
  4. Right-click the AI Engine Rule Manager, click Actions, and then click Enable.

All alarming AIE Rules included in the GPG-13 Compliance Automation Suite have alarming disabled by default.

  1. Open the LogRhythm Console and click Deployment Manager.
  2. Click the AI Engine tab.
  3. Select all the GPG-13 AIE rules that are configured to alarm.
  4. Right-click the AI Engine Rule Manager, click Actions, click Batch Enable Alarms, and then click Enable Alarms.

All alarming AIE Rules included in the GPG-13 Compliance Automation Suite must be configured for notifications.

  1. Open the LogRhythm Console and click Deployment Manager.
  2. Click the AI Engine tab.
  3. Select each of the GPG-13 AIE rules that are configured to alarm and notify.
  4. Right-click the AI Engine Rule Manager, click Actions, and then click Batch Notification Editor.
  5. Select all the roles, individuals, or groups to be notified, and then click OK to save the notifications.
  6. Repeat Steps 2-5 for all alarming GPG-13 AIE Rules that share notification personnel.
  7. On the top of the AI Engine Rule Manager, click Restart AIE Engine Servers.

Configure Enhanced Report & Alert Configuration

The following reports and log sources may require enhanced configuration and assistance from LogRhythm Professional Services (ProServ). The organization should use ProServ to assist in establishing necessary log sources and other parameters to be defined according to the customer’s environment.

PMC1.4 [C] - GPG-13: High Integrity Transaction Report

Transactions having a high integrity requirement should be identified by the customer. LogRhythm applies time stamping to all collected logs, and the LogRhythm Mediator Server service, which is responsible for archiving specified log data to the LogRhythm Archives, protects the integrity of those archives during their various stages of processing through file attribute monitoring and SHA1 hashing.

In an environment requiring a hash of the transaction itself time-stamped, digitally signed, and retained, it would be necessary for the customer to deploy third-party software capable of performing these functions and sending logs of this activity to the LogRhythm platform. Consuming these logs would require the engagement of LogRhythm Professional Services. Please contact your LogRhythm Account Manager should this be required.

PMC2.4 [B], PMC2.5 [B] - GPG-13: Blocked File Import/Export Attempt

Typically this control objective relates to a bespoke configuration and depends on the customer identifying what their device logs as a blocked file import/export. Customers will likely be required to work with the ProServ team to make sure the correct log type and any custom configurations are established.

PMC2.6 [C], PMC2.7 [C] - Blocked File Import/Export Attempt with Content

Where the need to retain file content in support of requirements 2.4 and 2.5 is identified, the content retention should be performed by the solution that blocked the file import or export across the boundary, or by some other third-party solution. Any such solution should be capable of generating logs which should contain the location of the file content. Consuming these logs would require the engagement of LogRhythm Professional Services. Please contact your LogRhythm Account Manager should this be required.

PMC2.11 [D], PMC2.12 [D] - File Import/Export Content

Where the need to retain file content in support of requirements 2.9 and 2.10 is identified, the content retention should be performed by the solution that allows file import or export across the boundary, or by some other third-party solution. Any such solution should be capable of generating logs which should contain the location of the file content. Consuming these logs would require the engagement of LogRhythm Professional Services. Please contact your LogRhythm Account Manager should this be required.

LogRhythm’s Network Monitor appliance may be deployed in support of this requirement. This appliance has the capability to perform full session packet capture, and the file content may be retrieved from the stored pcap files. Should this be of interest please discuss with your LogRhythm Account Manager.

PMC2.13 [D] – File Import/Export Content

Where the need to retain file content in support of this requirement is identified, the content retention should be performed by the transfer cache solution, or by some other third-party solution. Any such solution should be capable of generating logs which should contain the location of the file content. Consuming these logs would require the engagement of LogRhythm Professional Services. Please contact your LogRhythm Account Manager should this be required.

LogRhythm’s Network Monitor appliance may be deployed in support of this requirement. This appliance has the capability to perform full session packet capture, and the file content may be retrieved from the stored pcap files. Should this be of interest please discuss with your LogRhythm Account Manager.

PMC2.14 [D] - GPG-13: Access to File Transfer Cache Folder

Where the need to track access of files in support of this requirement is identified, the technology providing the transfer cache needs to be identified, and appropriate logging and monitoring configured. Consuming these logs would require the engagement of LogRhythm Professional Services. Please contact your LogRhythm Account Manager should this be required.

PMC3.13 [C] - Full Packet Capture of Packet Dropped at Boundary

Where the need to perform full packet capture as an enhancement to requirement 3.1 is identified, the capture should be performed by the solution that dropped the packets at the boundary, or by some other third-party solution. Any such solution should be capable of generating logs which contain the location of the captured packets. Consuming these logs would require the engagement of LogRhythm Professional Services. Please contact your LogRhythm Account Manager should this be required.

LogRhythm’s Network Monitor appliance may be deployed in support of this requirement. This appliance has the capability to perform full session packet capture. Should this be of interest please discuss with your LogRhythm Account Manager.

PMC3.14 [D] - IPS Command and Response

To address the control objective there is reliance placed on the customer’s IPS to record or log actions taken by the IPS in response to incidents. If the customer’s IPS does log responses to incidents, it is recommended that they work with ProServ to establish the feed, apply parsing rules and configure reports and alerts accordingly.

PMC4.5 [B], PMC4.6 [B], PMC4.9 [B], PMC4.10 [B] – Advanced Linux Auditing

Several PMCs in the GPG-13 Advanced Compliance Suite require the use of the Linux Audit Daemon and a custom auditing rule set. The PMCs that require the Linux Audit Daemon are as follows:

  • PMC 4.5 – Failed file system access activity.
  • PMC 4.6 – Permission changes on system files/folders.
  • PMC 4.9 – Storage volume status changes (mounts and unmounts).
  • PMC 4.10 – Linux package manager usage.

PMC4.17 [D] - File Monitoring Event - File Changes with File Content

Where the need to include the contents of changes to files as an enhancement to requirement 4.11 is identified, a third-party solution will be required to retain the before and after content. Any such solution should be capable of generating logs which should contain the location of the before and after file content. Consuming these logs would require the engagement of LogRhythm Professional Services. Please contact your LogRhythm Account Manager should this be required.

PMC4.18 [D] - Changes to System Configuration on Monitored Hosts

Where the need to include the contents of changes to configuration settings as an enhancement to requirement 4.13 is identified, a third-party solution will be required to retain the before and after content. Any such solution should be capable of generating logs which should contain the location of the before and after file content. Consuming these logs would require the engagement of LogRhythm Professional Services. Please contact your LogRhythm Account Manager should this be required.

PMC5.11 [C] - Packet Dropped at Internal Boundary with Full Packet Capture

Where the need to perform full packet capture as an enhancement to requirement 5.1 is identified, the capture should be performed by the solution that dropped the packets at the internal firewall, or by some other third-party solution. Any such solution should be capable of generating logs which contain the location of the captured packets. Consuming these logs would require the engagement of LogRhythm Professional Services. Please contact your LogRhythm Account Manager should this be required.

LogRhythm’s Network Monitor appliance may be deployed in support of this requirement. This appliance has the capability to perform full session packet capture. Should this be of interest please discuss with your LogRhythm Account Manager.

PMC5.15 - Packet Passed at Internal Boundary with Full Packet Capture

Where the need to perform full packet capture as an enhancement to requirement 5.10 is identified, the capture should be performed by the solution that passed the packets at the internal firewall, or by some other third-party solution. Any such solution should be capable of generating logs which contain the location of the captured packets. Consuming these logs would require the engagement of LogRhythm Professional Services. Please contact your LogRhythm Account Manager should this be required.

PMC7.7 – Accountable User Transactions

As this control is dependent on the customer defining ‘accountable user transactions’ within their environment, customers should work with LogRhythm Professional Services to gather this information and design appropriate queries to facilitate this and control enhancement PMC7.12.

PMC7.12 – Transaction Auditing Solution

Where the need to include the transaction content as an enhancement to requirement 7.7 is identified, a third-party solution will be required to include the transaction content. Any such solution should be capable of generating logs which should contain the location of the transaction content. Consuming these logs would require the engagement of LogRhythm Professional Services. Please contact your LogRhythm Account Manager should this be required.

Configure and Set Up Advanced Linux Auditing

Several PMCs in the GPG-13 Advanced Compliance Suite require the use of the Linux Audit Daemon and a custom auditing rule set.

The PMCs that require the Linux Audit Daemon are as follows:

  • PMC 4.5 – Failed file system access activity.
  • PMC 4.6 – Permission changes on system files/folders.
  • PMC 4.9 – Storage volume status changes (mounts and unmounts).
  • PMC 4.10 – Linux package manager usage.

Setup Steps

Ensure that the Linux Audit Daemon (auditd) has been installed.

The Linux Audit Daemon must be installed on the Linux host to be audited. It is installed by default in most distributions, and its configuration directory is /etc/audit/.

Install the LogRhythm GPG13 audit.rules template file.

LogRhythm has created a sample audit.rules file which can be used as a template. This file is normally installed as /etc/audit/audit.rules; however, the path may vary depending on configuration and platform. On distributions whose auditd loads rules with augenrules, /etc/audit/audit.rules is regenerated from the files in /etc/audit/rules.d/ each time the service starts, so install the template there (for example as /etc/audit/rules.d/gpg13.rules) rather than editing audit.rules directly, or it will be overwritten.

Customize the audit rule set.

Customize the audit.rules file to fit the environment. The sample configuration that has been provided should be treated as a template. Additional customization may be required depending on environment. Specifically customization of PMC 4.6 & 4.10 audit rules may be required to ensure that all of the relevant system file locations, and package manager binaries are audited.

Configure syslog forwarding to LogRhythm.

Configure syslog forwarding into LogRhythm of the Audit Daemon output file, /var/log/audit/audit.log: the syslog daemon on the host should be configured to read the audit log file and forward it to LogRhythm. Alternatively, the audisp syslog plugin shipped with auditd (audisp-syslog) hands each record to the local syslog daemon as it is written, which avoids tailing the file. Either way, each audit record carries the auid of the user who started the login session, which is what attributes a change to a person even after su or sudo; check that this field survives parsing.

LogRhythm Audit.Rules – Sample Configuration for GPG-13

###### LOGRHYTHM AUDIT.RULES SAMPLE CONFIGURATION FOR GPG13 ######
# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.

# First rule - delete all
-D

# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 320

# Feel free to add below this line. See auditctl man page

#PMC 4.5 - Audit file access permission denied events
# exit=-EACCES and exit=-EPERM match the errno of the failed call, so only
# denied opens are recorded; successful opens are not.
-a always,exit -F arch=b64 -S open -S openat -F exit=-EACCES -k fileaccesspermdenied
-a always,exit -F arch=b64 -S open -S openat -F exit=-EPERM -k fileaccesspermdenied
-a always,exit -F arch=b32 -S open -S openat -F exit=-EACCES -k fileaccesspermdenied
-a always,exit -F arch=b32 -S open -S openat -F exit=-EPERM -k fileaccesspermdenied

#PMC 4.6 - Audit permissions changed to system files/folders
### dir= places a recursive watch on a directory tree. /etc/passwd is a
### single file, so it is matched with path= rather than dir=.
-a exit,always -F arch=b64 -S chmod -S fchmod -S fchmodat -S chown -S lchown -S fchown -S fchownat -F success=1 -F dir=/bin -k permchangesysdir
-a exit,always -F arch=b64 -S chmod -S fchmod -S fchmodat -S chown -S lchown -S fchown -S fchownat -F success=1 -F dir=/sbin -k permchangesysdir
-a exit,always -F arch=b64 -S chmod -S fchmod -S fchmodat -S chown -S lchown -S fchown -S fchownat -F success=1 -F dir=/boot -k permchangesysdir
-a exit,always -F arch=b64 -S chmod -S fchmod -S fchmodat -S chown -S lchown -S fchown -S fchownat -F success=1 -F dir=/lib -k permchangesysdir
-a exit,always -F arch=b64 -S chmod -S fchmod -S fchmodat -S chown -S lchown -S fchown -S fchownat -F success=1 -F dir=/etc/init.d -k permchangesysdir
-a exit,always -F arch=b64 -S chmod -S fchmod -S fchmodat -S chown -S lchown -S fchown -S fchownat -F success=1 -F path=/etc/passwd -k permchangesysdir
-a exit,always -F arch=b32 -S chmod -S fchmod -S fchmodat -S chown -S lchown -S fchown -S fchownat -F success=1 -F dir=/bin -k permchangesysdir
-a exit,always -F arch=b32 -S chmod -S fchmod -S fchmodat -S chown -S lchown -S fchown -S fchownat -F success=1 -F dir=/sbin -k permchangesysdir
-a exit,always -F arch=b32 -S chmod -S fchmod -S fchmodat -S chown -S lchown -S fchown -S fchownat -F success=1 -F dir=/boot -k permchangesysdir
-a exit,always -F arch=b32 -S chmod -S fchmod -S fchmodat -S chown -S lchown -S fchown -S fchownat -F success=1 -F dir=/lib -k permchangesysdir
-a exit,always -F arch=b32 -S chmod -S fchmod -S fchmodat -S chown -S lchown -S fchown -S fchownat -F success=1 -F dir=/etc/init.d -k permchangesysdir
-a exit,always -F arch=b32 -S chmod -S fchmod -S fchmodat -S chown -S lchown -S fchown -S fchownat -F success=1 -F path=/etc/passwd -k permchangesysdir

#PMC 4.9 - Audit storage volume status changes
# x86_64 has only umount2. 32-bit kernels have both umount and umount2, and
# umount(8) calls umount2, so the b32 rule lists both.
-a exit,always -F arch=b64 -S mount -S umount2 -F success=1 -k storagevolstatuschange
-a exit,always -F arch=b32 -S mount -S umount -S umount2 -F success=1 -k storagevolstatuschange

#PMC 4.10 - Audit package manager usage
### Add the path to the unix package manager for your platform ###
### (rpm lives in /usr/bin on systems with a merged /usr; add dpkg, apt, ###
### zypper or whatever else installs software on the host)              ###
-a exit,always -F arch=b64 -S execve -F path=/bin/rpm -F success=1 -k packagemanagerusage
-a exit,always -F arch=b64 -S execve -F path=/usr/bin/yum -F success=1 -k packagemanagerusage
-a exit,always -F arch=b64 -S execve -F path=/usr/bin/apt-get -F success=1 -k packagemanagerusage
-a exit,always -F arch=b32 -S execve -F path=/bin/rpm -F success=1 -k packagemanagerusage
-a exit,always -F arch=b32 -S execve -F path=/usr/bin/yum -F success=1 -k packagemanagerusage
-a exit,always -F arch=b32 -S execve -F path=/usr/bin/apt-get -F success=1 -k packagemanagerusage
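The rules above only matter if their records are recognisable once they reach the platform. As an added example (not part of the LogRhythm guide or its rule set), the following Python reads raw auditd records, groups the SYSCALL, PATH and EXECVE lines that make up one event, and attributes each event to a PMC by the -k key the rules assign. The sample records are constructed for the example: they are x86_64 records (arch=c000003e), the pids, inodes and paths are illustrative, and a key named localrule stands in for a site-local rule the module does not cover.

```python
"""Parse raw auditd records and attribute each event to the GPG-13 PMC whose
audit rule tagged it (the -k keys from the sample audit.rules above).

Added example, not LogRhythm code. SAMPLE_LOG is constructed for the example
(x86_64 records, arch=c000003e); pids, inodes and paths are illustrative."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# -k keys from the sample audit.rules and the PMC each one serves.
KEY_TO_PMC = {
    "fileaccesspermdenied": "PMC 4.5",
    "permchangesysdir": "PMC 4.6",
    "storagevolstatuschange": "PMC 4.9",
    "packagemanagerusage": "PMC 4.10",
}

# One audit event is every record sharing the same audit(<ts>:<serial>) id.
# exit=-13 is -EACCES and exit=-1 is -EPERM, the errnos PMC 4.5 matches on.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:4567): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffd1c2b3f20 a2=0 a3=0 items=1 ppid=2001 pid=2345 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="fileaccesspermdenied"
type=CWD msg=audit(1700000000.101:4567): cwd="/home/alice"
type=PATH msg=audit(1700000000.101:4567): item=0 name="/etc/shadow" inode=131 dev=08:01 mode=0100640 ouid=0 ogid=42 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.202:4568): arch=c000003e syscall=90 success=yes exit=0 a0=7ffd2a1b0c10 a1=1ed a2=0 a3=0 items=1 ppid=2001 pid=2350 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="chmod" exe="/usr/bin/chmod" key="permchangesysdir"
type=PATH msg=audit(1700000000.202:4568): item=0 name="/bin/ls" inode=2048 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.303:4569): arch=c000003e syscall=165 success=yes exit=0 a0=0 a1=0 a2=0 a3=0 items=1 ppid=2001 pid=2360 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="mount" exe="/usr/bin/mount" key="storagevolstatuschange"
type=PATH msg=audit(1700000000.303:4569): item=0 name="/mnt/usb" inode=77 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.404:4570): arch=c000003e syscall=59 success=yes exit=0 a0=0 a1=0 a2=0 a3=0 items=2 ppid=2001 pid=2370 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="yum" exe="/usr/bin/yum" key="packagemanagerusage"
type=EXECVE msg=audit(1700000000.404:4570): argc=3 a0="yum" a1="install" a2="nmap"
type=PATH msg=audit(1700000000.404:4570): item=0 name="/usr/bin/yum" inode=9001 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.505:4571): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd1c2b3f20 a2=0 a3=0 items=1 ppid=2001 pid=2380 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="localrule"
"""

EVENT_ID = re.compile(r"msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AuditEvent:
    serial: int
    timestamp: float
    fields: dict = field(default_factory=dict)  # key=value pairs of the SYSCALL record
    paths: list = field(default_factory=list)   # name= of each PATH record
    argv: list = field(default_factory=list)    # a0..aN of the EXECVE record, if any

    @property
    def pmc(self):
        return KEY_TO_PMC.get(self.fields.get("key"), "unmapped")


def parse_fields(record):
    """Split one record into a dict, dropping the quotes auditd puts round strings."""
    return {k: v.strip('"') for k, v in FIELD.findall(record)}


def parse_audit_log(text):
    """Group records by serial and fold the SYSCALL, PATH and EXECVE parts of
    each event together; events come back in serial order."""
    events = {}
    for line in text.splitlines():
        m = EVENT_ID.search(line)
        if not m:
            continue  # not an audit record, or a truncated one
        serial = int(m.group("serial"))
        ev = events.setdefault(serial, AuditEvent(serial, float(m.group("ts"))))
        rec = parse_fields(line)
        if rec.get("type") == "SYSCALL":
            ev.fields.update(rec)
        elif rec.get("type") == "PATH":
            ev.paths.append(rec.get("name", ""))
        elif rec.get("type") == "EXECVE":
            ev.argv = [rec[f"a{i}"] for i in range(int(rec["argc"]))]
    return [events[s] for s in sorted(events)]


def summarize(events):
    """Event count per PMC: a quick check that every rule key is actually
    producing records before reports are built on them."""
    counts = defaultdict(int)
    for ev in events:
        counts[ev.pmc] += 1
    return dict(counts)


def describe(ev):
    f = ev.fields
    action = " ".join(ev.argv) if ev.argv else f.get("comm", "?")
    return (f"{ev.pmc}: auid={f.get('auid')} ran {action!r} "
            f"(syscall={f.get('syscall')} success={f.get('success')} "
            f"exit={f.get('exit')}) on {ev.paths}")


if __name__ == "__main__":
    parsed = parse_audit_log(SAMPLE_LOG)
    for event in parsed:
        print(describe(event))
    print(summarize(parsed))
```

Run it as-is to print one line per event plus the per-PMC counts, or feed parse_audit_log the contents of /var/log/audit/audit.log to confirm each key is generating records before building reports on them. Note that the PMC 4.5 rules can only ever produce success=no records with exit=-13 or -1; the last sample, a successful open tagged by a key the module does not define, is reported as unmapped rather than being silently folded into a PMC.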

Configure LogRhythm Enhanced Auditing

This section describes what auditing to turn on at the LogRhythmEMDB level to ensure that AI Engine Rule configuration changes can be monitored. It is recommended that you seek the assistance of LogRhythm Professional Services in order to implement Enhanced Auditing. This may be required, for example, as part of GPG-13 PMC 9.3.

This section only focuses on monitoring changes to AIE rules, and both the processing policy and the UDLA query reflect this. A new log source would probably be required to parse changes to something else, but this would work as a template.

Enhanced Auditing

For additional information, see Audit Data Generation.

Enhanced Auditing is enabled by running the following commands in Query Analyser.

First run the following SQL script to populate the <AuditTableExclusion> table with all of the table names you do not wish to audit. In this case, that is every table apart from dbo.AIERule, so any table missing from the list will also receive a SHADOW table and trigger when the build procedure runs. (The script was tested against 6.2.6 and 6.3.x; table names differ between versions, so on any other version compare the list against the tables actually present in LogRhythmEMDB before running it.)

-- First populate the AuditTableExclusion table with the names of
-- the tables that should be excluded from SHADOW auditing
-- (every table except dbo.AIERule). Each name is listed once.
USE LogRhythmEMDB
INSERT INTO dbo.AuditTableExclusion (TableName)
VALUES
('AIEBlockInputHandler'),
('AIEBlockInputHandlerKeyField'),
('AIEBlockInstance'),
('AIEBlockInstanceSpec'),
('AIEBlockTemplate'),
('AIEDataFeed'),
('AIEDataSet'),
('AIEDataSetField'),
('AIEEngineStat'),
('AIEFact'),
('AIEFactField'),
('AIEFieldMapping'),
('AIERuleDef'),
('AIERuleDef_AIEBlockInstance'),
('AIESchema'),
('AIEStorageEntry'),
('AIEStorageFlat'),
('AlarmNfnContact'),
('AlarmNfnGroup'),
('AlarmNfnPolicy'),
('AlarmNfnPolicyToInfo'),
('AlarmRule'),
('AlarmRuleAction'),
('AlarmRuleActionApprover'),
('AlarmRuleFilter'),
('ArchiveInfo'),
('ARM'),
('AuditLoginExclusion'),
('AuditTableExclusion'),
('AutoRmdnPlugin'),
('AutoRmdnRegisteredAction'),
('CommonEvent'),
('CommonEventMigration'),
('CommonEventMigrationObject'),
('CommonEventToKBArtifact'),
('ComponentMetric'),
('ComponentPlatform'),
('ComponentPlatformSetting'),
('ComponentServiceRequest'),
('Entity'),
('GlobalLogProcessingRule'),
('Host'),
('HostIdentifier'),
('HostIdentifierToMsgSource'),
('HostRole'),
('IDMDomain'),
('IDMGroup'),
('IDMGroupToGroup'),
('IDMGroupToUser'),
('IDMUser'),
('KBArtifact'),
('KBHistory'),
('KBModule'),
('KBModuleObject'),
('KBModuleObjectDependency'),
('KBModuleToKBModuleObject'),
('KBObjectType'),
('KBPackage'),
('List'),
('Location'),
('Mediator'),
('MediatorSession'),
('MPE'),
('MPEPolicy'),
('MPERule'),
('MPERuleRegex'),
('MPERuleToMsgSourceType'),
('MPERuleToPolicy'),
('MPERuleToTech'),
('MsgClass'),
('MsgSource'),
('MsgSourceAcceptance'),
('MsgSourceDateFormat'),
('MsgSourceType'),
('MsgUserColumnName'),
('Network'),
('Person'),
('PersonContactMethod'),
('PersonToAlarmNfnGroup'),
('Protocol'),
('ProtocolMPETag'),
('ReportStats'),
('RestoreSession'),
('SCAuditEvent'),
('SCAuditLog'),
('SCAuditObjectType'),
('SCDBComponentCompatibility'),
('SCDBVersion'),
('SCLicense'),
('SCLicenseSigningKey'),
('SCMaint'),
('SCMsgSourceACL'),
('SCUser'),
('SCUserToCredential'),
('SCUserToRole'),
('Service'),
('ServiceToPort'),
('Skin'),
('SnmpAutoIdentificationInformation'),
('SysParm'),
('SystemMonitor'),
('SystemMonitorAcceptance'),
('SystemMonitorToMediator'),
('Tech'),
('TechType'),
('UserProfile'),
('UserProfileEntityPerm'),
('UserProfileLMPerm'),
('UserProfileLSListPerm'),
('UserProfileLSPerm'),
('WatchItem'),
('AIEComMgr'),
('AIEDataProvider'),
('AIEEngine'),
('AIEEngineToMsgSource'),
('AIERule_pre62fields'),
('AIERuleSet'),
('AIERuleSetToWorkLoad'),
('AIEServer'),
('AIEWorkLoad'),
('IdentityInferenceLogMap'),
('SearchResultStatus'),
('UserProfileADGroup'),
('WebSearch'),
('WebSettingType'),
('WebSetting'),
('WebTask'),
('AIERuleToEngine'),
('LogRhythmIndexStats')
GO

This should result in 129 rows in the table, one per table name listed. You can confirm the count with the AuditTableExclusion query under Some other useful related queries below; a higher count means a name was inserted twice, and a lower one means the script stopped part way.

Then run the following SQL query to check whether the <AuditLoginExclusion> table already includes the LogRhythmAIE account.

-- [AUDITLOGINEXCLUSION - USEFUL COMMANDS, QUERIES]
-- Use the below to view AuditLoginExclusion Table Content
USE LogRhythmEMDB
SELECT TOP 1000
[AuditLoginExclusionID],[LoginName]
FROM [LogRhythmEMDB].[dbo].[AuditLoginExclusion]

If the LogRhythmAIE account is not listed, run the following SQL query to populate the <AuditLoginExclusion> table with the account you do not wish to audit. In this case, it is just the LogRhythmAIE account: changes made under the AI Engine service account are not user changes, and auditing them would bury the ones made by people.

-- Then populate the AuditLoginExclusion with the LogRhythmAIE
-- account as this should not be audited when monitoring user changes
USE LogRhythmEMDB
INSERT INTO dbo.AuditLoginExclusion (LoginName)
VALUES
('LogRhythmAIE')
GO

Then enable the enhanced auditing. Keep the USE statement on its own line; if it shares a line with a comment it is part of the comment and the procedure runs against whichever database is current.

-- Then start LogRhythm's Enhanced Auditing
-- This will create a SHADOW table based on the AIERule Table
USE LogRhythmEMDB
EXEC dbo.LogRhythm_EMDB_Audit_Build_All_Tables_Triggers

Some other useful related queries

The following may be useful in monitoring and maintaining the Enhanced Auditing configuration.

-- [AUDITLOGINEXCLUSION - USEFUL COMMANDS, QUERIES]
-- Use the below to view AuditLoginExclusion Table Content
USE LogRhythmEMDB
SELECT TOP 1000
[AuditLoginExclusionID],[LoginName]
FROM [LogRhythmEMDB].[dbo].[AuditLoginExclusion]

-- Use the below to delete AuditLoginExclusion Table Content
USE LogRhythmEMDB
DELETE FROM AuditLoginExclusion

-- Use the below to re-start the AuditLoginExclusionID column within
-- the AuditLoginExclusion Table
USE LogRhythmEMDB
DBCC CHECKIDENT ("AuditLoginExclusion", RESEED, 0);

-- [AUDITTABLEEXCLUSION - USEFUL COMMANDS, QUERIES]
-- Use the below to view AuditTableExclusion Table Content
USE LogRhythmEMDB
SELECT TOP 1000
[AuditTableExclusionID],[TableName]
FROM [LogRhythmEMDB].[dbo].[AuditTableExclusion]

-- Use the below to delete AuditTableExclusion Table Content.
-- With the exclusion table empty, a subsequent run of
-- LogRhythm_EMDB_Audit_Build_All_Tables_Triggers would shadow every
-- table in LogRhythmEMDB, so repopulate it before rebuilding.
USE LogRhythmEMDB
DELETE FROM AuditTableExclusion

-- Use the below to re-start the AuditTableExclusionID column within
-- the AuditTableExclusion Table
USE LogRhythmEMDB
DBCC CHECKIDENT ("AuditTableExclusion", RESEED, 0);

-- To completely remove tables and triggers
-- This will delete all SHADOW tables and triggers, and with them the
-- change history they hold; export anything still needed first
USE LogRhythmEMDB
EXEC dbo.LogRhythm_EMDB_Audit_Drop_All_Tables_Triggers

Processing policy

Create a new Log Source Type of format UDLA and name it UDLA – LREnhancedAudit.

Create a new Log Source Processing Policy based on the UDLA – LREnhancedAudit log source type.

Create a new MPE Rule per the below.

MPE Base Rule

Set the Common Event to “Audit: Other Audit Success: Configuration Success”, and use the following regex:

^.*?aieruleid=(?<object>\d+),name=(?<objectname>.*?),systemuser=(?<login>.*?),transtype=(?<vmid>.*?)$

The fields are parsed as follows:

  • The AIE Rule ID is parsed into the Object field.
  • The AIE Rule Name is parsed into the ObjectName field.
  • The user who made the change is parsed into the Login field.
  • The type of change (update or insert) is parsed into the VMID field; an insert implies a new rule was created.

The regex relies on the literal labels in the UDLA OutputFormat (aieruleid=, ,name=, ,systemuser=, ,transtype=) to delimit each field, so the OutputFormat must emit them exactly as above, with no space after the commas.

Create a custom Log Source as UDLA – LR Config Auditing and use the following configuration.

UDLA

Save this as UDLA-LRConfig.xml, and import it into the new log source.

<?xml version="1.0"?>
<UDLAConfigParams>
  <ConnectionType>0</ConnectionType>
  <ConnectionString>Driver={SQL Server};Server=localhost;Database=logrhythmemdb;Integrated Security=SSPI;</ConnectionString>
  <QueryStatement>SELECT TOP &lt;Max_Message_Count&gt; dateadd(hour,datediff(hour,GETUTCDATE(),GETDATE()),transdate) as TransDate, dbo.AIERule_SHADOW.SystemUser, dbo.AIERule_SHADOW.TransType, dbo.aierule.AIERuleID, dbo.aierule.name FROM dbo.AIERule_SHADOW INNER JOIN AIERule on dbo.AIERule_SHADOW.AIERuleID = dbo.AIERule.AIERuleID WHERE dbo.AIERule_SHADOW.systemuser not like 'LogRhythmAIE'</QueryStatement>
  <OutputFormat>transdate=&lt;transdate&gt;,aieruleid=&lt;aieruleid&gt;,name=&lt;name&gt;,systemuser=&lt;systemuser&gt;,transtype=&lt;transtype&gt;</OutputFormat>
  <UniqueIdentifierField>TransDate</UniqueIdentifierField>
  <MessageDateField>TransDate</MessageDateField>
  <StateFieldType>Timestamp</StateFieldType>
  <StateField>TransDate</StateField>
  <StateFieldConversion>dateadd(hour,-datediff(hour,GETUTCDATE(),GETDATE()),'&lt;UDLA_State_Field&gt;')</StateFieldConversion>
  <GetUTCDateStatement>SELECT GetUTCDate()</GetUTCDateStatement>
</UDLAConfigParams>
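To see what the MPE base rule actually extracts from the lines this UDLA configuration emits, here is an added example that is not LogRhythm code: it runs the base rule regex over sample lines shaped like the OutputFormat above. LogRhythm's MPE uses .NET named-group syntax, (?<name>...), which Python's re module spells (?P<name>...), so the block rewrites only the group openers and otherwise uses the pattern verbatim. The sample lines are constructed, and the TransType values INSERT and UPDATE are assumed; check them against the values the trigger actually writes to AIERule_SHADOW.

```python
"""Run the MPE base rule regex from this section over sample UDLA output
lines and show which fields it yields.

Added example, not LogRhythm code. SAMPLE_LINES are constructed to match the
UDLA OutputFormat; the TransType values INSERT and UPDATE are assumed."""
import re

# The MPE regex exactly as written for the base rule (.NET named-group syntax).
MPE_REGEX = (r"^.*?aieruleid=(?<object>\d+),name=(?<objectname>.*?),"
             r"systemuser=(?<login>.*?),transtype=(?<vmid>.*?)$")

# Python's re module spells named groups (?P<name>...); rewrite only the
# group openers so the rest of the pattern stays byte-for-byte the same.
PY_REGEX = re.compile(re.sub(r"\(\?<(\w+)>", r"(?P<\1>", MPE_REGEX))

# How the text above reads the TransType written by the SHADOW trigger.
# Assumed spelling; check against the values actually in AIERule_SHADOW.
TRANSTYPE_MEANING = {"INSERT": "AIE rule created", "UPDATE": "AIE rule modified"}

SAMPLE_LINES = [
    # A rule name containing a comma: the literal labels still delimit it.
    "transdate=2024-01-15 10:22:31.000,aieruleid=1234,"
    "name=GPG-13: Logon Failure, Repeated,systemuser=CORP\\alice,transtype=UPDATE",
    "transdate=2024-01-15 10:25:02.000,aieruleid=1301,"
    "name=GPG-13: New Rule Test,systemuser=CORP\\bob,transtype=INSERT",
    # Non-numeric aieruleid: the rule must not match, so the log is unparsed.
    "transdate=2024-01-15 10:30:00.000,aieruleid=abc,name=Broken,systemuser=x,transtype=UPDATE",
]


def parse_udla_line(line):
    """Return the MPE fields the base rule would populate, or None if the
    line does not match (which LogRhythm would report as an unparsed log)."""
    m = PY_REGEX.match(line)
    if not m:
        return None
    transtype = m.group("vmid")
    return {
        "Object": int(m.group("object")),       # AIE Rule ID
        "ObjectName": m.group("objectname"),    # AIE Rule Name
        "Login": m.group("login"),              # who made the change
        "VMID": transtype,                      # type of change
        "Meaning": TRANSTYPE_MEANING.get(transtype.upper(), "unknown change type"),
    }


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_udla_line(sample))
```

The first sample has a comma inside the rule name; because every field is delimited by its literal label the lazy groups still split it correctly. The third has a non-numeric aieruleid and is rejected, which is what an unparsed log from this source would look like. If the OutputFormat emitted a space after any comma the literal ,name= in the regex would no longer match, so keep the two in step.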
