From 5c6c2a938218fb0c59b14122499a7ac1f39c8a7d Mon Sep 17 00:00:00 2001 From: Marko Stojanovic Date: Mon, 26 Feb 2024 16:47:08 +0100 Subject: [PATCH] Update documentation --- doc/TRUEConnector/prerequisite.md | 4 ++-- doc/advancedConfiguration/os-logs-configuration.md | 3 ++- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/doc/TRUEConnector/prerequisite.md b/doc/TRUEConnector/prerequisite.md index 032b3d6..c47a10f 100644 --- a/doc/TRUEConnector/prerequisite.md +++ b/doc/TRUEConnector/prerequisite.md 
@@ -10,9 +10,9 @@ To have secure and certification compliant environment, following prerequisites * The host OS should be audited and secure; OS should be as minimal as possible and it should be preferably used to host our Docker exclusively. There should not coexist other services like web servers or web applications so that attacker could not exploit it or lead to potential exploit (minimal threat attack surface). * Monitoring mechanism (Linux auditd service for example) should be installed and configured as prerequisite before deploying connector. This will capture if someone tries to make changes on property files used by the connector. -* make sure to create rules to monitor folders and property files of the TRUE Connector, more information available [here](../advancedConfiguration/os-logs-configuration.md#additional-monitoring-configuration) +* Make sure to create OS rules to monitor folders and property files of the TRUE Connector, more information available [here](../advancedConfiguration/os-logs-configuration.md#additional-monitoring-configuration) * Make sure to create rules for monitoring docker service (dockerd, /run/containerc, /var/lib/docker, /etc/docker, docker.service...) This might differ based on OS distribution -* Rules for auditing should be persisted, more information available [here](../advancedConfiguration/os-logs-configuration.md#additional-monitoring-configuration) +* Rules for OS auditing should be persisted, more information available [here](../advancedConfiguration/os-logs-configuration.md#additional-monitoring-configuration) * Make sure to create rules for mounted docker volumes (to be able to keep track of changes made over files present in those volumes) * Make sure to create scripts to monitor storage capacity in order to notify when the OS system is reaching storage assigned capacity. Also use CroneTab to repeat those scripts at desired time interval. 
One example of how to write script and set CronTab to automate it can be found [here](https://tecadmin.net/shell-script-to-check-disk-space-and-send-alert/) * User responsible for setting up environment where connector will run should isolate or disable other services. diff --git a/doc/advancedConfiguration/os-logs-configuration.md b/doc/advancedConfiguration/os-logs-configuration.md index 4a4223f..ae21a52 100644 --- a/doc/advancedConfiguration/os-logs-configuration.md +++ b/doc/advancedConfiguration/os-logs-configuration.md @@ -2,6 +2,7 @@ The purpose of this guide is to provide instructions for configuring access to system logs on a Linux machine. Access to system logs is crucial for monitoring system activities, troubleshooting issues, and ensuring system security on which TRUE Connector is running. The guide is intended for Administrators who are setting up TRUE Connector and managing and monitoring Linux systems. It assumes a basic understanding of Linux file system structure and permissions. +***NOTE*** OS logs should not be mistaken for TRUE Connector audit or trace logs. ### Prerequisites - Root or sudo privileges on the Linux system. - Basic understanding of Linux file system and permissions. 
@@ -37,7 +38,7 @@ The purpose of this guide is to provide instructions for configuring access to s In addition to configuring access to system logs, it's important to establish rules for monitoring folders and property files associated with the TRUE Connector. This ensures comprehensive monitoring of relevant system activities. Follow these steps to set up monitoring rules: -- **Create Monitoring Rules with auditctl**: `auditctl` is a command-line utility that allows you to interact with the Linux audit framework, enabling you to define rules for monitoring system activities. When setting up monitoring for the TRUE Connector, you can use `auditctl` to create specific rules that define which files or directories to monitor and what actions to audit. +- **Create Monitoring Rules with auditctl**: `auditctl` is a command-line utility that allows you to interact with the Linux audit framework, enabling you to define rules for monitoring system activities, for more details please refer to main page (https://manpages.ubuntu.com/manpages/xenial/en/man8/auditctl.8.html). When setting up monitoring for the TRUE Connector, you can use `auditctl` to create specific rules that define which files or directories to monitor and what actions to audit. For example, you can use the following command to create a rule for monitoring all files within the TRUE Connector directory: `auditctl -w /path/to/TRUEConnector/* -k trueconnector`
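Review bot: In the prerequisite.md hunk, both changed bullets link to the same `#additional-monitoring-configuration` anchor, including the second one about persisting OS audit rules; if os-logs-configuration.md has a section on making rules survive a reboot (rules files under /etc/audit/rules.d, loaded by augenrules), link that section instead, or confirm that the shared anchor actually covers persistence. Since this commit is already touching that list, two typos in the unchanged context should go in with it: `CroneTab` should be `crontab`, and `/run/containerc` in the docker monitoring bullet looks like a truncated `containerd` path.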
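Review bot: The added `***NOTE*** OS logs should not be mistaken for TRUE Connector audit or trace logs.` line in the first os-logs-configuration.md hunk is a useful distinction but stops short of telling the reader where the Connector's own audit and trace logs are documented. Suggest a plain `**Note:** ...` (bold-italic with no colon reads oddly in rendered markdown) and a link to the page that describes the Connector's audit/trace logging, so the reader can see which of the two log sources a given event lands in.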
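Review bot: In the second os-logs-configuration.md hunk, `main page` should read `man page`, and the comma after `monitoring system activities` turns the sentence into a run-on; split it into `... for monitoring system activities. For more details, see the auditctl man page (...)`. The link points to the Ubuntu xenial (16.04) manual, an end-of-life release; prefer the page for a currently supported release or the upstream audit project's documentation. The example in the trailing context, `auditctl -w /path/to/TRUEConnector/* -k trueconnector`, also deserves a fix while this paragraph is being edited: `-w` takes a single path and does not understand globs, so the shell expands `*` into one rule per entry that exists at that moment and files created afterwards are never watched. Watching the directory itself, `auditctl -w /path/to/TRUEConnector -p wa -k trueconnector`, covers its current and future contents, and `-p wa` limits the noise to writes and attribute changes, which is what the prerequisite page says the monitoring is for (detecting changes to property files). It is also worth stating here that rules loaded with `auditctl` are lost on reboot and must be written to a rules file under /etc/audit/rules.d to persist, matching the persistence bullet in prerequisite.md.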