Audit policy

As part of a security concept for the integration of a device into a network, it should be specified which level of security audit is suitable for detecting potential attacks. Security audit means that an industrial PC creates audit logs of events as soon as an interaction with the device takes place. For example, file and folder accesses can be logged each time a user accesses the selected files or folders.

These logs are intended for review to detect deviations from normal use that could indicate an attack, or for forensic purposes to reconstruct the details of an attack. The review can be carried out immediately or at regular intervals, either by automated mechanisms or manually. Which deviations are relevant depends on the environment and the application. Therefore, the rules that describe which actions are logged are usually configured using audit policies.

However, configuring too many rules can lead to a kind of blindness. The logs become overloaded with irrelevant entries, and the relevant entries are easily overlooked by humans or not processed quickly enough by automatic monitoring mechanisms. It is often good practice to forward logs to a central location for automatic review and/or archiving, among other things to avoid exhausting the limited log capacity of the device.

File and folder accesses as well as user entries can be logged in TwinCAT/BSD. Each time a user performs a specific action, the event is logged. These event logs are especially important for monitoring the system, detecting unauthorized access, and for subsequent analysis after a security incident.

Have the audit daemon start automatically after each system start:

doas ee /etc/rc.conf
auditd_enable="YES"

Start the audit daemon for the current session:

doas service auditd start

In /etc/security you will find the configuration files of the audit daemon, which can be used to fine-tune the audit. Two files in particular are important here:

/etc/security/audit_control: General, system-wide audit settings.

In the default settings, the audit logs are stored in /var/audit, a warning message appears when 5% of the storage space is used for audit files, and the audit logs are removed after 10 months.

With zroot/var/audit there is already a separate ZFS dataset for the audit logs. It is advisable to set a quota, i.e. a storage limit, for this dataset. Even with the standard audit configuration, large amounts of data can be generated - even when taking into account the automatic deletion of the audit logs after 10 months. To cap the storage space of this dataset and thus keep free storage available for the other, more important datasets, the following command limits the storage space for audit logs to, for example, 2 GB:

doas zfs set quota=2G zroot/var/audit

Alternatively, or in addition to this measure, the period after which the audit logs are deleted can be shortened in /etc/security/audit_control, for example by changing expire-after from 10M to 2M:

doas ee /etc/security/audit_control
expire-after:10M    # default setting
expire-after:2M     # shortened setting
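As an added example (not part of the TwinCAT/BSD documentation), the following POSIX shell functions check the settings discussed above: that rc.conf enables auditd at boot, that audit_control sets a log directory, a minfree threshold and an expire-after value, that the flags line does not select every event class (the audit blindness described earlier), and that the zroot/var/audit quota is bounded. The file paths are passed as parameters and the sample inputs are constructed; the thresholds are assumptions.

```shell
#!/bin/sh
# Added example, not from the TwinCAT/BSD documentation. Each function takes the
# file (or value) to inspect as a parameter so it can be run against copies.

# audit_setting FILE KEY: print the value of a "key:value" line, skipping comments.
audit_setting() {
    sed -n -e '/^[[:space:]]*#/d' -e "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1
}

# auditd_enabled FILE: exit 0 if rc.conf starts the audit daemon at boot.
auditd_enabled() {
    grep -Eq '^[[:space:]]*auditd_enable="?YES"?' "$1"
}

# check_audit_control FILE: print one finding per line; the exit status is the
# number of findings (0 means the file passes all checks).
check_audit_control() {
    n=0
    dir=$(audit_setting "$1" dir)
    [ -n "$dir" ] || { echo "dir: no audit log directory configured"; n=$((n+1)); }
    minfree=$(audit_setting "$1" minfree)
    [ -n "$minfree" ] || { echo "minfree: no free-space warning threshold set"; n=$((n+1)); }
    expire=$(audit_setting "$1" expire-after)
    [ -n "$expire" ] || { echo "expire-after: audit trails are never removed"; n=$((n+1)); }
    flags=$(audit_setting "$1" flags)
    # "all" is the only event class whose name contains the string "all"
    case "$flags" in
        *all*) echo "flags: 'all' logs every event class and invites audit blindness"; n=$((n+1)) ;;
    esac
    return $n
}

# quota_is_bounded VALUE: exit 0 unless the ZFS quota is "none" (unlimited).
# VALUE is the output of: zfs get -H -o value quota zroot/var/audit
quota_is_bounded() {
    [ -n "$1" ] && [ "$1" != "none" ]
}
```

Run on the device as, for example, `check_audit_control /etc/security/audit_control` and `quota_is_bounded "$(zfs get -H -o value quota zroot/var/audit)"`.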

/etc/security/audit_user: Audit settings for individual users.

Here, separate audit rules can be defined for individual users. A detailed description of audit rules and a list of options for defining audit rules for users can be found in the FreeBSD Handbook: https://docs.freebsd.org/en/books/handbook/audit/