Auditd as IPFire Addon

Hi,

I have a question regarding auditing IPFire. One of the tools I use on other systems is auditd. Is there an alternative in IPFire or a plan to integrate it?

Thanks in advance for any answers.

Hi Martin,

Normally I would point you to the wiki section for building your own addons.

For this case that won’t work. auditd is the userspace component but it requires access to the kernel for information.
The kernel module AUDIT is required to work with auditd and CONFIG_AUDIT is not set in the IPFire x86_64 & i586 systems. This means that the module is not installed and is not available to be loaded for use.
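
To check the CONFIG_AUDIT point on an installed system, here is an added example (not code from the thread or the IPFire project) that parses the running kernel's build configuration and reports the audit options. It assumes the config is readable from /proc/config.gz (only present when the kernel was built with CONFIG_IKCONFIG_PROC) or from /boot/config-<release>; when neither exists it falls back to the constructed SAMPLE_CONFIG text in the block, which mirrors the "not set" situation described above and is not copied from a real IPFire build.

```python
"""Report whether the running kernel was built with the audit subsystem.

Added example, not code from the thread or the IPFire project.  auditd is only
the userspace half: without CONFIG_AUDIT=y in the kernel there is no audit
netlink socket for it to read from, so installing the daemon alone achieves nothing.
Assumptions: the kernel config is readable from /proc/config.gz (needs
CONFIG_IKCONFIG_PROC) or /boot/config-<release>; SAMPLE_CONFIG is constructed.
"""
import gzip
import os
import platform
from typing import Dict, Optional

# Options that matter for auditd: the core subsystem and syscall auditing.
AUDIT_OPTIONS = ("CONFIG_AUDIT", "CONFIG_AUDITSYSCALL")

# Constructed sample in the shape of a kernel .config, mirroring the situation
# described in the thread (audit not set).  Not copied from a real IPFire build.
SAMPLE_CONFIG = """\
# Linux/x86 Kernel Configuration (constructed sample)
CONFIG_LOCALVERSION="-ipfire"
CONFIG_IKCONFIG=y
# CONFIG_IKCONFIG_PROC is not set
# CONFIG_AUDIT is not set
# CONFIG_AUDITSYSCALL is not set
"""


def parse_kernel_config(text: str) -> Dict[str, Optional[str]]:
    """Parse Kconfig output into {option: value}.

    'CONFIG_X=y' maps to 'y' (quotes on string values are stripped);
    '# CONFIG_X is not set' maps to None; any other line is ignored.
    """
    opts: Dict[str, Optional[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# ") and line.endswith(" is not set"):
            name = line[2:-len(" is not set")].strip()
            if name.startswith("CONFIG_"):
                opts[name] = None
        elif line.startswith("CONFIG_") and "=" in line:
            name, _, value = line.partition("=")
            opts[name.strip()] = value.strip().strip('"')
    return opts


def audit_state(opts: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Human-readable state of each audit option: 'y', 'm', 'not set' or 'absent'."""
    state = {}
    for name in AUDIT_OPTIONS:
        if name not in opts:
            state[name] = "absent"       # option never mentioned: treat like not set
        elif opts[name] is None:
            state[name] = "not set"
        else:
            state[name] = opts[name]
    return state


def auditd_usable(opts: Dict[str, Optional[str]]) -> bool:
    """auditd needs the audit core compiled in; CONFIG_AUDIT is a bool, so only 'y' counts."""
    return opts.get("CONFIG_AUDIT") == "y"


def load_running_config() -> Optional[str]:
    """Return the running kernel's config text, or None if neither source exists."""
    proc_cfg = "/proc/config.gz"
    if os.path.exists(proc_cfg):
        with gzip.open(proc_cfg, "rt") as fh:
            return fh.read()
    boot_cfg = f"/boot/config-{platform.release()}"
    if os.path.exists(boot_cfg):
        with open(boot_cfg) as fh:
            return fh.read()
    return None


if __name__ == "__main__":
    text = load_running_config()
    if text is None:
        print("no kernel config found on this host; showing the constructed sample instead")
        text = SAMPLE_CONFIG
    opts = parse_kernel_config(text)
    for name, value in audit_state(opts).items():
        print(f"{name}: {value}")
    print("auditd usable on this kernel:", auditd_usable(opts))
```

Run it on the firewall itself; if CONFIG_AUDIT comes back "not set" or "absent", no amount of userspace packaging will make auditd work, which is the point made in the reply above.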

Hi Adolf,

Thank you for your answer. So this sounds more like something that needs to go into the core, right? Is this something you would consider? And if not what are the alternatives of getting a quick audit of my system?

Thanks for any help.

Hi Martin,

That is a question for one of the core devs to answer really. Having read that the Linux Audit System is quite resource hungry, I am not sure that they will look favourably on implementing it in the core.

Reading about it seems to indicate that it is more of a tool for finding out what has gone wrong, but not doing anything to stop it, just recording it.

The Suricata capability that is already in IPFire gives both an Intrusion Detection System (IDS) and Intrusion Prevention System (IPS). This looks to identify if abnormal events etc. are occurring, but you can also enable the IPS option so it prevents those actions taking place, rather than just detecting them.

1 Like

Hi Adolf,

Thank you for your thoughts. Yes, auditd is indeed a tool to notify administrators without stopping it.

I have the IPS running. However, I don’t really see an option to notify me in case anything goes wrong. Did I miss that?

Maybe installing the nagios-plugin will also give a lot of the information that auditd would give. Haven’t tried this yet though.
And this script: wiki.ipfire.org - System Status via eMail also seems to be a good start.

Just trying to figure out which setup, hardening, optimization is the best. Thanks for any help.

Hi Martin,

For notifying, the IPS does not do that. It just logs the activities it has blocked.

The Nagios NRPE addon is one of several monitoring addons that can be used to monitor a variety of functions and record and analyse the data in a remote system.

Another option is to set up remote logging so your logs are provided to another system on your local network, where you can then analyse the data and make whatever decisions or communications you want to.

For hardening/security, changing the default outgoing policy from allowed to blocked and creating firewall rules for any accesses required from your PCs to the outside world is definitely something to consider if not yet done.

This link to an IPFire blog article on this subject is well worth reading.
https://blog.ipfire.org/post/firewall-configuration-recommendations-for-ipfire-users

That blog article is one of a series. The following link is for the last one in that series which also includes links in it for each of the other articles.
https://blog.ipfire.org/post/beyond-the-far-side-thoughts-on-secure-and-private-machines-behind-ipfire

Hope this helps.

2 Likes
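
The reply above says the IPS only logs what it blocked and suggests shipping the logs to another host for analysis and notification. Here is an added example (not code from the thread or the IPFire project) of what that analysis can look like on the log host: it parses Suricata fast.log lines, counts dropped events per source address, and builds a plain-text notification when a source crosses a threshold. Assumptions: lines arrive either straight from fast.log or via syslog with a "<date> <host> suricata[pid]:" prefix (both are tolerated); only IPv4 addresses are handled; the SAMPLE_LINES are constructed, with illustrative sids and rule names, not captured from a real system.

```python
"""Analyse Suricata fast.log lines on a remote log host and flag noisy sources.

Added example; not code from the thread or the IPFire project.  Assumptions:
- lines arrive either straight from fast.log or via syslog with a
  "<date> <host> suricata[pid]:" prefix (the parser tolerates both);
- IPv4 addresses only, which is all the constructed sample below uses.
"""
import re
import sys
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Suricata fast.log layout (one event per line):
#   <mm/dd/yyyy-HH:MM:SS.usec>  [Drop] [**] [gid:sid:rev] <msg> [**]
#   [Classification: <text>] [Priority: <n>] {<proto>} <src>:<sport> -> <dst>:<dport>
# "[Drop]" appears only when the IPS actually dropped the packet; "[wDrop]" marks
# a drop rule that fired while running in IDS (alert-only) mode.  The regex is
# not anchored at the start so a syslog prefix in front of the timestamp is skipped.
FAST_LOG_RE = re.compile(
    r"(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?:\[(?P<action>Drop|wDrop)\]\s+)?\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)\s*$"
)

# Constructed sample, not captured from a real system; sids and rule names are illustrative.
SAMPLE_LINES = [
    "03/14/2024-10:21:07.123456  [Drop] [**] [1:2010935:3] ET SCAN Suspicious inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.23:51234 -> 203.0.113.5:1433",
    "03/14/2024-10:21:08.223456  [Drop] [**] [1:2010935:3] ET SCAN Suspicious inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.23:51235 -> 203.0.113.5:1433",
    "03/14/2024-10:21:09.323456  [Drop] [**] [1:2010937:3] ET SCAN Suspicious inbound to mySQL port 3306 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.23:51236 -> 203.0.113.5:3306",
    "03/14/2024-10:22:40.000001  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.77:80 -> 10.0.0.12:49812",
    "03/14/2024-10:23:01.000002  [wDrop] [**] [1:2400000:1] ET DROP Spamhaus DROP Listed Traffic Inbound group 1 [**] [Classification: Misc Attack] [Priority: 2] {UDP} 198.51.100.9:53 -> 203.0.113.5:49999",
    "Mar 14 10:24:00 ipfire kernel: some unrelated syslog line",
    "Mar 14 10:25:00 ipfire suricata[1234]: 03/14/2024-10:25:00.000003  [Drop] [**] [1:2010935:3] ET SCAN Suspicious inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.23:51240 -> 203.0.113.5:1433",
]


def parse_fast_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one dict per recognised Suricata event; unrelated lines are skipped."""
    events = []
    for line in lines:
        m = FAST_LOG_RE.search(line.rstrip("\n"))
        if not m:
            continue
        ev = m.groupdict()
        ev["action"] = ev["action"] or "alert"   # no marker means detection only
        events.append(ev)
    return events


def drops_per_source(events: List[Dict[str, str]]) -> Counter:
    """Count events the IPS actually dropped, keyed by source address."""
    return Counter(ev["src"] for ev in events if ev["action"] == "Drop")


def noisy_sources(events: List[Dict[str, str]], threshold: int) -> List[Tuple[str, int]]:
    """Sources with at least `threshold` drops, busiest first, then by address."""
    counts = drops_per_source(events)
    return sorted(((src, n) for src, n in counts.items() if n >= threshold),
                  key=lambda item: (-item[1], item[0]))


def build_notification(events: List[Dict[str, str]], threshold: int) -> str:
    """Plain-text summary the log host can mail or post; empty string if nothing to report."""
    noisy = noisy_sources(events, threshold)
    if not noisy:
        return ""
    out = [f"IPS dropped traffic from {len(noisy)} source(s) at or above {threshold} events:"]
    for src, n in noisy:
        sids = Counter(ev["sid"] for ev in events if ev["src"] == src and ev["action"] == "Drop")
        top = ", ".join(f"sid {sid} x{c}" for sid, c in sids.most_common(3))
        out.append(f"  {src}: {n} drops ({top})")
    return "\n".join(out)


if __name__ == "__main__":
    if len(sys.argv) > 1:            # e.g. a fast.log copied or forwarded from IPFire
        with open(sys.argv[1]) as fh:
            evs = parse_fast_log(fh)
    else:
        evs = parse_fast_log(SAMPLE_LINES)
    print(f"parsed {len(evs)} events; drops per source: {dict(drops_per_source(evs))}")
    print(build_notification(evs, threshold=3) or "nothing above threshold")
```

The notification text is only built, not sent; hooking it to mail, a chat webhook or a monitoring system is the "communications" part left to the log host. Alert-only and would-drop events are kept in the parsed list but deliberately excluded from the drop counts, so the threshold reflects what the IPS actually blocked.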

Hi Adolf,

Thank you so much for posting these great articles.

I will look into the other options you proposed as well.

Thanks again