Cryptographic mechanisms protect the integrity of audit tools by ensuring that the data they collect is trustworthy.
What is a cryptographic mechanism and how does it protect audit tools
Most systems constantly run audit tools in the background; system activity such as user logins, file changes and network activity is monitored and recorded. These records are vital to system administrators for compliance, forensic analysis and security monitoring, so cryptographic mechanisms are needed to protect the integrity of this data.
Reliable auditing depends on the integrity of the audit tools themselves, and cryptographic mechanisms confirm that the data they collect remains unaltered and trustworthy. For example, on Red Hat systems the auditd daemon and the ausearch tool are used to record and retrieve activity for later security monitoring and analysis. These logs are vital for detecting security incidents, responding to them, and proving compliance with security standards and regulations.
Benefits of using cryptographic mechanisms
If the integrity of an audit tool is compromised by a hacker, they could alter or erase logs, hiding evidence of unauthorized access or malicious activity.
Cryptographic algorithms verify that the audit data has not been tampered with and is still accurate and trustworthy. There are multiple types of cryptographic mechanisms, ranging from basic encryption to hashing and digital signatures.
Each method provides a different level of protection by transforming the protected information so that it is unreadable (encryption) or any change to it becomes detectable (hashing, signatures) to unauthorized users, which mitigates many tampering and disclosure risks.
How to enable cryptographic mechanisms
Run the following command to determine the absolute path to the non-symlinked location of the audit tools:
# readlink -f /sbin
The output will be either /usr/sbin or /sbin. Ensure the correct path is used.
Edit /etc/aide.conf and add or update the following selection lines replacing <PATH> with the correct path returned in the command above:
# Audit Tools
<PATH>/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512
<PATH>/auditd p+i+n+u+g+s+b+acl+xattrs+sha512
<PATH>/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512
<PATH>/aureport p+i+n+u+g+s+b+acl+xattrs+sha512
<PATH>/autrace p+i+n+u+g+s+b+acl+xattrs+sha512
<PATH>/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512
Example
# printf '\n%s' "# Audit Tools" "$(readlink -f /sbin/auditctl) p+i+n+u+g+s+b+acl+xattrs+sha512" \
"$(readlink -f /sbin/auditd) p+i+n+u+g+s+b+acl+xattrs+sha512" \
"$(readlink -f /sbin/ausearch) p+i+n+u+g+s+b+acl+xattrs+sha512" \
"$(readlink -f /sbin/aureport) p+i+n+u+g+s+b+acl+xattrs+sha512" \
"$(readlink -f /sbin/autrace) p+i+n+u+g+s+b+acl+xattrs+sha512" \
"$(readlink -f /sbin/augenrules) p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide.conf
Note: If /etc/aide.conf includes a @@x_include statement, for example:
@@x_include /etc/aide.conf.d ^[a-zA-Z0-9_-]+$
- @@x_include FILE
- @@x_include DIRECTORY REGEX
- @@x_include is identical to @@include, except that if a config file is executable it is run and its output is used as config.
- If the executable file exits with status greater than zero or writes to stderr aide stops with an error.
- For security reasons DIRECTORY and each executable config file must be owned by the current user and must not be group or world-writable.
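To make concrete what the selection line above asks AIDE to record, and how a hash-based baseline exposes tampering with an audit tool binary (the integrity argument from the earlier section), here is an added example in Python. It is not AIDE's code and not part of the original page: it builds the same "# Audit Tools" selection lines by resolving the directory the way readlink -f does, then snapshots the attributes named by the letters p, i, n, u, g, s, b and sha512 (acl and xattrs are left out because they need platform-specific libraries) and reports which attributes changed. The demo() function runs entirely on constructed stand-in files in a temporary directory, so no real audit tools are touched.

```python
"""AIDE-style integrity baseline for audit tool binaries (added example, not AIDE's own code)."""
import hashlib
import os
import stat
import tempfile
from typing import Dict, List

# Attribute letters from the page's selection line that this example can derive
# from os.lstat() and the file contents (acl and xattrs are omitted).
ATTRS = ("p", "i", "n", "u", "g", "s", "b", "sha512")

# The six audit tools listed in the page's selection lines.
AUDIT_TOOLS = ("auditctl", "auditd", "ausearch", "aureport", "autrace", "augenrules")
SELECTION = "p+i+n+u+g+s+b+acl+xattrs+sha512"


def selection_lines(sbin_dir: str = "/sbin", tools=AUDIT_TOOLS) -> List[str]:
    """Build the /etc/aide.conf lines from the page, resolving symlinks like readlink -f."""
    base = os.path.realpath(sbin_dir)
    lines = ["# Audit Tools"]
    for tool in tools:
        lines.append(f"{os.path.join(base, tool)} {SELECTION}")
    return lines


def sha512_of(path: str) -> str:
    """Hex SHA-512 digest of the file contents, read in chunks."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(path: str) -> Dict[str, object]:
    """Record the attributes the selection letters refer to for one file."""
    st = os.lstat(path)
    return {
        "p": stat.S_IMODE(st.st_mode),          # permissions
        "i": st.st_ino,                         # inode number
        "n": st.st_nlink,                       # link count
        "u": st.st_uid,                         # owner uid
        "g": st.st_gid,                         # group gid
        "s": st.st_size,                        # size in bytes
        "b": getattr(st, "st_blocks", 0),       # block count (0 where unsupported)
        "sha512": sha512_of(path),              # content hash
    }


def baseline(paths) -> Dict[str, Dict[str, object]]:
    """Initial database: one snapshot per monitored path."""
    return {p: snapshot(p) for p in paths}


def check(base: Dict[str, Dict[str, object]]) -> Dict[str, List[str]]:
    """Compare current state to the baseline; return {path: [changed letters]}.
    A file that disappeared is reported as ['missing']."""
    findings: Dict[str, List[str]] = {}
    for path, expected in base.items():
        if not os.path.lexists(path):
            findings[path] = ["missing"]
            continue
        current = snapshot(path)
        changed = [a for a in ATTRS if current[a] != expected[a]]
        if changed:
            findings[path] = changed
    return findings


def demo() -> Dict[str, List[str]]:
    """Run on constructed stand-in 'tools' in a temp dir and return findings by basename."""
    d = tempfile.mkdtemp()
    paths = [os.path.join(d, t) for t in AUDIT_TOOLS]
    for p in paths:  # constructed sample binaries, not real audit tools
        with open(p, "wb") as f:
            f.write(b"#!/bin/sh\necho " + os.path.basename(p).encode() + b"\n")
        os.chmod(p, 0o755)
    base = baseline(paths)
    # Simulated changes a defender wants flagged:
    os.chmod(paths[0], 0o777)              # auditctl: permissions loosened
    with open(paths[2], "ab") as f:        # ausearch: contents altered (size and hash change)
        f.write(b"# trailing edit\n")
    os.remove(paths[5])                    # augenrules: deleted
    return {os.path.basename(p): c for p, c in check(base).items()}


if __name__ == "__main__":
    print("\n".join(selection_lines()))
    for name, changed in demo().items():
        print(f"{name}: changed {', '.join(changed)}")
```

Only a whole-file hash detects the altered ausearch binary; the permission change on auditctl is caught by the p attribute alone, which is why the page's selection line combines ownership and permission attributes with sha512 rather than relying on one of them.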
MITRE ATT&CK Mappings
Techniques / Subtechniques – T1070, T1070.002, T1083, T1083.000
Tactics – TA0007
Mitigations
Server hardening and cryptographic mechanisms
Cryptographic mechanisms are vital to server hardening: they secure data confidentiality, integrity, and authenticity, protecting against unauthorized access and tampering. Techniques like encryption, digital signatures, and hashing prevent data breaches and ensure the trustworthiness of updates. By integrating these mechanisms into server hardening, organizations strengthen access control and secure communications, which is crucial for compliance, protecting sensitive information, and defending against cyber threats.