Monitoring file audit logging with rsyslog and SELinux

Files and directories within the file audit logging fileset can inherit Security-Enhanced Linux® (SELinux) security contexts from their parent directories.

When the security context is set on the audit log fileset, any newly created subdirectories and audit log files inherit the security context from the parent directory. This allows rsyslog to read the file audit logs when SELinux is enabled. This rsyslog mechanism can then be used by IBM® Security QRadar® to ingest file audit logs.

The steps in the procedure assume that your filesystem is fs0 and that your file audit logging fileset is named and linked as the .audit_log directory within /ibm/fs0.

Note:
  • The filesystem name and audit log fileset can be different from the ones that are mentioned in the steps. Change them to match your own settings.
  • You can find the name of your audit log fileset by issuing the mmaudit <fsName> list command and looking at the Audit Fileset Name column.
  • SELinux must be enabled. For more information, see Security-Enhanced Linux support.

Follow the steps to set the security context on all existing files and folders:

  1. Define a rule in the /etc/selinux/targeted/contexts/files/file_contexts.local file by issuing the following command:
    semanage fcontext -a -t var_log_t "/ibm/fs0/.audit_log(/.*)?"
    Note: The semanage command is available in the policycoreutils-python-utils rpm.
  2. Set the security context of the existing files and folders that match the rule from the previous step by issuing the following command:
    restorecon -Rv /ibm/fs0/.audit_log
  3. List the security context of the audit log fileset to verify whether it is set correctly by issuing the following command:
    ls -laZ /ibm/fs0
    where the output might look like this:
    drwx------. root root system_u:object_r:var_log_t:s0 .audit_log
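Step 3 only shows the top-level fileset directory. Because rsyslog reads the individual audit log files, the check a practitioner wants is that every entry below /ibm/fs0/.audit_log, including files that existed before restorecon ran, carries the var_log_t type. The following shell script is an added example, not part of this documentation or of the product; it parses ls -Z style output and reports entries whose SELinux type is not var_log_t. The fileset path is the one assumed by this procedure, and the listing embedded in the script is constructed sample data (the entry names and the unlabeled_t type are invented for illustration), so it runs without SELinux or the product installed.

```shell
#!/bin/sh
# Added example (not from the documentation): verify that every entry of the
# audit log fileset carries the expected SELinux type after restorecon.
# Works on both the short "mode user group context name" format shown above
# and the full long listing newer coreutils prints for `ls -laZ`, because the
# context field is located by its user:role:type:level shape rather than by
# position. Entry names containing spaces are not handled.

EXPECTED_TYPE="var_log_t"
AUDIT_DIR="/ibm/fs0/.audit_log"   # path assumed by the procedure

# check_contexts: reads ls -Z style lines on stdin, prints one MISMATCH line
# per entry whose type differs from EXPECTED_TYPE, exits 1 if any were found.
check_contexts() {
    awk -v expected="$EXPECTED_TYPE" '
        /^total /      { next }                 # skip the "total N" header
        {
            ctx = ""
            name = $NF
            for (i = 1; i <= NF; i++) {
                # user:role:type:level (the level may itself contain colons)
                if ($i ~ /^[^:]+:[^:]+:[^:]+:/) { ctx = $i; break }
            }
            if (ctx == "" || name == "." || name == "..") next
            split(ctx, f, ":")
            if (f[3] != expected) {
                printf "MISMATCH %s has type %s (expected %s)\n", name, f[3], expected
                bad++
            }
        }
        END { exit (bad > 0) }
    '
}

# count_mismatches: same input, prints only the number of mismatching entries.
count_mismatches() {
    check_contexts | wc -l | tr -d ' '
}

# Constructed sample listing, as `ls -laZ "$AUDIT_DIR"` might print on a system
# where one file was created before the relabel and still has a stale type.
SAMPLE_LISTING='drwx------. root root system_u:object_r:var_log_t:s0 .
drwxr-xr-x. root root system_u:object_r:var_log_t:s0 ..
drwx------. root root system_u:object_r:var_log_t:s0 subdir1
-rw-------. root root system_u:object_r:var_log_t:s0 audit_log_0001
-rw-------. root root system_u:object_r:unlabeled_t:s0 stale_file'

# Demo run on the constructed listing; on a real node use:
#   ls -laZ "$AUDIT_DIR" | check_contexts
if printf '%s\n' "$SAMPLE_LISTING" | check_contexts; then
    echo "all entries carry $EXPECTED_TYPE"
else
    echo "some entries need relabeling: rerun restorecon -Rv $AUDIT_DIR"
fi
```

Source the script and pipe a live listing into it (ls -laZ /ibm/fs0/.audit_log | check_contexts). Any entry it reports was not relabeled, which usually means it predates the restorecon step or was created outside the fileset and moved in; rsyslog may still be denied access to such a file until restorecon -Rv is rerun. Because new files inherit the parent's context, a clean run immediately after step 2 normally stays clean.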