From 5a24fe3e5ada230a57d4b4b7985f6038b3b695b6 Mon Sep 17 00:00:00 2001 From: Marko Stojanovic Date: Mon, 26 Feb 2024 16:34:40 +0100 Subject: [PATCH] Update documentation --- doc/TRUEConnector/prerequisite.md | 4 ++-- .../os-logs-configuration.md | 23 ++++++++++++++++++- 2 files changed, 24 insertions(+), 3 deletions(-) diff --git a/doc/TRUEConnector/prerequisite.md b/doc/TRUEConnector/prerequisite.md index 767d526..032b3d6 100644 --- a/doc/TRUEConnector/prerequisite.md +++ b/doc/TRUEConnector/prerequisite.md 
@@ -10,9 +10,9 @@ To have secure and certification compliant environment, following prerequisites * The host OS should be audited and secure; OS should be as minimal as possible and it should be preferably used to host our Docker exclusively. There should not coexist other services like web servers or web applications so that attacker could not exploit it or lead to potential exploit (minimal threat attack surface). * Monitoring mechanism (Linux auditd service for example) should be installed and configured as prerequisite before deploying connector. This will capture if someone tries to make changes on property files used by the connector. -* make sure to create rules to monitor folders and property files of the TRUE Connector (for example auditctl -w /xxxx/TRUEConnector/* -k trueconnector, depending on the location where TRUE Connector is deployed) +* make sure to create rules to monitor folders and property files of the TRUE Connector, more information available [here](../advancedConfiguration/os-logs-configuration.md#additional-monitoring-configuration) * Make sure to create rules for monitoring docker service (dockerd, /run/containerc, /var/lib/docker, /etc/docker, docker.service...) This might differ based on OS distribution -* Rules for auditing should be persisted (/etc/audit/audit.d/rules/audit.rules file, depending on the OS distribution, location might differ) +* Rules for auditing should be persisted, more information available [here](../advancedConfiguration/os-logs-configuration.md#additional-monitoring-configuration) * Make sure to create rules for mounted docker volumes (to be able to keep track of changes made over files present in those volumes) * Make sure to create scripts to monitor storage capacity in order to notify when the OS system is reaching storage assigned capacity. Also use CroneTab to repeat those scripts at desired time interval. 
One example of how to write script and set CronTab to automate it can be found [here](https://tecadmin.net/shell-script-to-check-disk-space-and-send-alert/) * User responsible for setting up environment where connector will run should isolate or disable other services. diff --git a/doc/advancedConfiguration/os-logs-configuration.md b/doc/advancedConfiguration/os-logs-configuration.md index ac9407c..4a4223f 100644 --- a/doc/advancedConfiguration/os-logs-configuration.md +++ b/doc/advancedConfiguration/os-logs-configuration.md @@ -1,6 +1,6 @@ - # OS Log Access Configuration Guide +The purpose of this guide is to provide instructions for configuring access to system logs on a Linux machine. Access to system logs is crucial for monitoring system activities, troubleshooting issues, and ensuring system security on which TRUE Connector is running. The guide is intended for Administrators who are setting up TRUE Connector and managing and monitoring Linux systems. It assumes a basic understanding of Linux file system structure and permissions. ### Prerequisites - Root or sudo privileges on the Linux system. 
@@ -32,3 +32,24 @@ 5. **Review and Confirm** - Ensure the user can read the necessary logs without issues. + +### Additional Monitoring Configuration + +In addition to configuring access to system logs, it's important to establish rules for monitoring folders and property files associated with the TRUE Connector. This ensures comprehensive monitoring of relevant system activities. Follow these steps to set up monitoring rules: + +- **Create Monitoring Rules with auditctl**: `auditctl` is a command-line utility that allows you to interact with the Linux audit framework, enabling you to define rules for monitoring system activities. When setting up monitoring for the TRUE Connector, you can use `auditctl` to create specific rules that define which files or directories to monitor and what actions to audit. + + For example, you can use the following command to create a rule for monitoring all files within the TRUE Connector directory: `auditctl -w /path/to/TRUEConnector/* -k trueconnector` + + + In this command: + - `-w /path/to/TRUEConnector/*` specifies the path to the TRUE Connector directory and the asterisk (`*`) wildcard to monitor all files within it. + - `-k trueconnector` assigns a unique key (`trueconnector`) to the rule for easier identification in audit logs. + +***NOTE:*** Make sure to replace `/path/to/TRUEConnector/` with the actual location where the TRUE Connector is deployed. + +- **Persist Rules**: It's crucial to persist the auditing rules so that they are applied upon system restarts. Depending on the distribution of your operating system, you may need to add these rules to the `/etc/audit/audit.rules` file. Be mindful that the location may differ based on the OS distribution. Ensure these rules are correctly placed for effective monitoring. + +By using `auditctl` to set up monitoring rules, you gain visibility into system activities related to the TRUE Connector, enabling proactive detection of any suspicious or unauthorized actions. + +
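Review bot: for the `@@ -10,9 +10,9 @@` hunk in `doc/TRUEConnector/prerequisite.md`, the two rewritten bullets now both link with the bare text "here" to the same anchor, so the reader gets no hint that one covers rule creation and the other persistence; suggest descriptive link text such as "see the additional monitoring configuration" and, while touching the line, capitalise "make sure" to match the sibling bullets. Both links depend on the exact heading `### Additional Monitoring Configuration` added in the other file of this patch; renaming either side silently breaks the anchor, so keep them in step.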
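Review bot: in the `@@ -1,6 +1,6 @@` hunk of `doc/advancedConfiguration/os-logs-configuration.md`, the added sentence "ensuring system security on which TRUE Connector is running" reads awkwardly; suggest "ensuring the security of the system on which TRUE Connector is running". Dropping the stray blank line above the heading is fine.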
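Review bot: in the `@@ -32,3 +32,24 @@` hunk, the documented command `auditctl -w /path/to/TRUEConnector/* -k trueconnector` does not do what the explanatory bullet claims: `-w` takes a single path and does not support wildcards, and the unquoted `*` is expanded by the shell first, so auditctl receives several arguments (or a literal `*` if nothing matches) and the rule fails. A watch on a directory is already recursive, so suggest `auditctl -w /path/to/TRUEConnector/ -p wa -k trueconnector` and rewording the `-w` bullet to say that a directory watch covers the files below it; `-p wa` restricts the watch to writes and attribute changes, which is what matters for configuration files and keeps the log volume down. For the persistence bullet, on distributions shipping audit 3.x `/etc/audit/audit.rules` is regenerated by `augenrules` from `/etc/audit/rules.d/*.rules`, so point readers at a file such as `/etc/audit/rules.d/trueconnector.rules` followed by `augenrules --load`, and add a verification step (`auditctl -l` to list loaded rules, then `ausearch -k trueconnector` after modifying a watched file). Formatting: the `***NOTE:***` paragraph sits at column 0 between the two list items and breaks the list; indent it under the first bullet, and drop the duplicated blank lines after the example command.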