The Classic Gateway supports audit logging using auditd to meet security, compliance, and forensic requirements. Audit logging enables tracking of authentication activity, configuration changes, privileged command execution, and database login activity.

Audit logging is included by default in Classic Gateway images but is disabled unless explicitly enabled.

Audited Events

When audit logging is enabled on the Classic Gateway, the following events are captured:

  • Authentication activity, as recorded in /var/log/secure or /var/log/auth.log

  • Gateway and system configuration changes

  • Execution of privileged commands

  • PostgreSQL login-related activity (Classic Gateway only)

Configure Audit Rules on Classic Gateway

1. Monitor Configuration File Modifications

Open the audit rules file for editing:

sudo vi /etc/audit/rules.d/audit.rules

Add rules to audit specific configuration directories:

-w /opt/gateway/ -p wxa -k gatewayconf
-w /etc/netplan -p wxa -k netplanconf
-w /etc/ -p wa -k etcfiles

Rule definitions:
  • -w: watches a file or directory
  • -p: permission flags to audit
      w: write
      x: execute
      a: attribute changes (ownership, permissions)
  • -k: key used to search audit logs

2. Reload Audit Rules

Apply the new rules by restarting auditd:

sudo systemctl restart auditd

3. Audit Execution of Privileged Commands

Open or create a dedicated audit rules file:

sudo vi /etc/audit/rules.d/priv-cmds.rules

Add auditing for key privileged binaries (verify paths with <cmd>):

-w /usr/bin/sudo -p x -k privexec
-w /bin/su -p x -k privexec
-w /bin/chown -p x -k privexec
-w /bin/chmod -p x -k privexec
-w /usr/bin/vi -p x -k privexec
-w /usr/bin/rm -p x -k privexec
-w /usr/bin/cp -p x -k privexec
-w /usr/bin/nano -p x -k privexec
-w /usr/bin/mv -p x -k privexec
-w /usr/bin/mkdir -p x -k privexec
-w /usr/bin/touch -p x -k privexec
-w /usr/bin/service -p x -k privexec
-w /usr/bin/systemctl -p x -k privexec
-w /usr/bin/netplan -p x -k privexec
-w /usr/bin/kill -p x -k privexec
-w /usr/bin/curl -p x -k privexec
-w /usr/bin/wget -p x -k privexec
-w /usr/bin/cat -p x -k privexec
-w /usr/bin/tar -p x -k privexec
-w /usr/bin/iptables -p x -k privexec
-w /usr/bin/ufw -p x -k privexec
-w /usr/bin/useradd -p x -k privexec
-w /usr/bin/passwd -p x -k privexec
-w /usr/bin/dpkg -p x -k privexec
-w /usr/bin/apt -p x -k privexec

  • -p x: audit command execution (exec)
  • -k privexec: use this key to easily search for all executions of these privileged commands

4. Reload the Audit Rules Again

To ensure all changes take effect:

sudo systemctl restart auditd

5. Review Audit Logs

To search for audited events by key:

sudo ausearch -k gatewayconf
sudo ausearch -k netplanconf
sudo ausearch -k etcfiles
sudo ausearch -k privexec
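To show what ausearch -k does with the records behind these keys, the following Python script is an added example (not part of the Classic Gateway documentation): it groups raw audit.log records by their audit serial, decodes the hex-encoded PROCTITLE field, and returns the events tagged with a given key. The sample records are constructed for the example, not a real capture.

```python
import re

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')      # key=value or key="quoted value"
MSG_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')   # msg=audit(<timestamp>:<serial>)

# Constructed sample records (not a real capture) shaped like /var/log/audit/audit.log:
# an audited systemctl run, a write to a watched config file, and a failed sudo exec.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.123:4501): arch=c000003e syscall=59 success=yes exit=0 ppid=2210 pid=2301 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="systemctl" exe="/usr/bin/systemctl" key="privexec"
type=EXECVE msg=audit(1700000000.123:4501): argc=3 a0="systemctl" a1="restart" a2="auditd"
type=PROCTITLE msg=audit(1700000000.123:4501): proctitle=73797374656D63746C007265737461727400617564697464
type=SYSCALL msg=audit(1700000001.500:4502): arch=c000003e syscall=257 success=yes exit=3 ppid=2210 pid=2305 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="vi" exe="/usr/bin/vi" key="gatewayconf"
type=PATH msg=audit(1700000001.500:4502): item=0 name="/opt/gateway/config.yaml" inode=1234 dev=fd:00 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1700000002.000:4503): arch=c000003e syscall=59 success=no exit=-13 ppid=3000 pid=3001 auid=1001 uid=1001 gid=1001 euid=1001 tty=pts1 ses=4 comm="sudo" exe="/usr/bin/sudo" key="privexec"
"""

def unquote(value):
    return value[1:-1] if len(value) >= 2 and value[0] == value[-1] == '"' else value

def parse_events(text):
    """Return {serial: event}; records that share an audit serial belong to one event."""
    events = {}
    for line in text.splitlines():
        raw = dict(FIELD_RE.findall(line))
        m = MSG_RE.search(raw.get("msg", ""))
        if not m:
            continue                              # blank or malformed line
        fld = {k: unquote(v) for k, v in raw.items()}
        ev = events.setdefault(m.group(2), {"serial": int(m.group(2)), "time": float(m.group(1)),
                                            "keys": set(), "args": [], "paths": []})
        if fld["type"] == "SYSCALL":              # carries the rule key and the acting identity
            ev["keys"].add(fld.get("key", "(null)"))
            ev.update(auid=fld.get("auid"), uid=fld.get("uid"), exe=fld.get("exe"),
                      comm=fld.get("comm"), success=fld.get("success") == "yes")
        elif fld["type"] == "EXECVE":             # argv of an audited exec, one a<N> field per argument
            ev["args"] = [fld[f"a{i}"] for i in range(int(fld["argc"])) if f"a{i}" in fld]
        elif fld["type"] == "PROCTITLE":          # hex-encoded whenever argv holds NULs or odd bytes
            p = raw["proctitle"]
            ev["proctitle"] = (unquote(p) if p.startswith('"') else
                               bytes.fromhex(p).replace(b"\0", b" ").decode("utf-8", "replace"))
        elif fld["type"] == "PATH":               # file touched under a -w watched path
            ev["paths"].append(fld.get("name", ""))
    return events

def search_key(text, key):
    """Like `ausearch -k KEY`: events whose SYSCALL record carries that key, oldest first."""
    return sorted((e for e in parse_events(text).values() if key in e["keys"]),
                  key=lambda e: e["serial"])
```

Calling search_key(SAMPLE_AUDIT_LOG, "privexec") returns the two exec events (serials 4501 and 4503) with their auid, uid, decoded argv and success flag, while "gatewayconf" returns the single write event with the watched file path.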

Add log rotation for the audit log. Note that auditd also rotates audit.log itself according to max_log_file and max_log_file_action in /etc/audit/auditd.conf; if logrotate is to manage rotation, set max_log_file_action to ignore so the two do not compete.

sudo vi /etc/logrotate.d/audit

Configuration:

/var/log/audit/audit.log {
    # rotate once per day; size takes precedence over daily in logrotate, so the file is
    # rotated as soon as it reaches 10M regardless of age (use maxsize to honour both)
    daily
    size 10M
    # keep ten rotated files, and none older than 30 days
    rotate 10
    maxage 30
    missingok
    notifempty
    compress
    delaycompress
    postrotate
        /etc/init.d/auditd reload > /dev/null 2>&1 || true
    endscript
}