Thursday, February 1, 2024

How to Enable Microsoft 365 Unified Audit Log

  The Unified Audit Log, as the name implies, is a single log in which activities performed in and through Microsoft 365 are recorded.

Listing every record type would take up too much space. In short, the log covers, among other things, user and admin activity in Exchange Online, SharePoint Online, OneDrive for Business, Power BI, Microsoft Teams, Stream, Power Apps and the other Microsoft 365 workloads.

The log contains a lot of information that is useful for security operations. It can be used to:

  1. Monitor user behaviour and detect suspicious activity
  2. Perform forensic investigations into the actions related to an incident
  3. Feed detections for specific use cases through platforms such as Microsoft 365 Defender, Microsoft Defender for Cloud Apps, Azure Monitor and Microsoft Sentinel

To enable it through the portal, open the Microsoft Purview compliance portal and navigate to Audit. If audit log search is off, a banner offers to turn it on; turning it on is as easy as clicking Turn on auditing. It can take up to 60 minutes after enabling before events appear in searches, and nothing is recorded retroactively, so enable it before you need it. Auditing has been on by default for enterprise tenants since 2019, but verify it rather than assuming.

Alternatively, connect to Exchange Online PowerShell (Connect-ExchangeOnline from the ExchangeOnlineManagement module, using an account that holds the Audit Logs role in Exchange Online) and run the following script. It checks whether ingestion into the log is already enabled and, if it isn't, enables it.


# Run after Connect-ExchangeOnline; requires the ExchangeOnlineManagement module.
# UnifiedAuditLogIngestionEnabled is a boolean, so test it directly rather than against the string "True".
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Write-Host "Enabling the Unified Audit Log."
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
} else {
    Write-Host "The Unified Audit Log was already enabled."
}




Monday, October 30, 2023

Manage containers in Linux(Part-10)

In Part 9 of the Learning Linux blog series, we learned the basics of managing security on Linux systems.

In the final part 10, we will construct basic commands and understand containers using Podman and Docker on the Linux operating system.


  • Manage and configure containers
    • docker search nginx (search for images on the docker.io registry),
    • docker pull nginx:1.20.2 (pull the image locally; pin a tag or a digest rather than relying on latest, so you know what you are running),
    • docker rmi nginx:1.20.2 (remove an image), docker images (list local images),
    • docker run -d -p 8080:80 --name newwebserver nginx (create a container named newwebserver in detached mode, mapping port 8080 on the host to port 80 in the container),
    • docker ps --all (list all containers, running or not) or docker container list, docker stop <container name or id> (stop a container),
    • nc -zv localhost 8080 or curl -I http://localhost:8080 (confirm that the container is reachable on the host port),
  • Perform container management using commands such as podman and skopeo
    • Installing skopeo: sudo yum install skopeo
    • Inspect an image in a remote registry without pulling it: skopeo inspect docker://registry.fedoraproject.org/fedora:latest
    • Copying images: skopeo copy docker://quay.io/buildah/stable docker://registry.kodekloud.com/buildah, skopeo copy oci:busybox_ocilayout:latest dir:myemptydirectory
    • Deleting an image from a registry: skopeo delete docker://localhost:5000/imagename:latest
    • Syncing registries: skopeo sync --src docker --dest dir registry.kodekloud.com/busybox /media/usb
    • man skopeo (manual page)
  • Configure a container to start automatically as a systemd service and attach persistent storage (rootless, as the current user)

  1. mkdir -p ~/.config/systemd/user (create the directory that holds the user's service unit files),
  2. podman run -d --name container_service -p 1025:8080 -v ~/container_storage:/var/www/html:Z registry.access.redhat.com/rhscl/httpd-24-rhel7 (attach a local folder to the container; the :Z suffix relabels it with a private SELinux context so that only this container can access it. A rootless container cannot publish host ports below 1024 unless net.ipv4.ip_unprivileged_port_start is lowered, which is why 1025 is used),
  3. cd ~/.config/systemd/user && podman generate systemd --name container_service --files --new (generate the systemd unit file for the container; --files writes it into the current directory, so change into the unit directory first),
  4. loginctl enable-linger <username> (allow the user's services to start at boot and keep running without an interactive login),
  5. export XDG_RUNTIME_DIR=/run/user/$(id -u) (needed when running systemctl --user from a non-login session, for example over ssh user@host command),
  6. systemctl --user daemon-reload,
  7. systemctl --user enable --now container-container_service.service (start the container now and on every boot; since Podman 4.4, podman generate systemd is deprecated in favour of Quadlet unit files under ~/.config/containers/systemd/, but the generated units still work),
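As an added example (not from the post), here are the seven steps above as one script with the checks a practitioner wants before running it: whether the host port is usable by an unprivileged user, the name of the unit that podman generate systemd will emit, and the :Z relabel on the bind mount. The container name, image and storage directory are the post's; the helper functions and the "deploy" argument are this example's own, and the podman/systemctl calls only run when that argument is given.

```shell
#!/bin/sh
# Added example: deploy a rootless container as a systemd --user service,
# with pre-flight checks. Names follow the post; helpers are this script's own.

# Lowest port an unprivileged process may bind. Rootless podman is bound by
# this too, which is why the post publishes on 1025 rather than 80.
unprivileged_port_start() {
    if [ -r /proc/sys/net/ipv4/ip_unprivileged_port_start ]; then
        cat /proc/sys/net/ipv4/ip_unprivileged_port_start
    else
        echo 1024   # kernel default when the sysctl is not readable
    fi
}

# check_host_port PORT [START]: succeed if a rootless container may publish
# PORT; fail for privileged ports (below START) or non-numeric input.
check_host_port() {
    port=$1
    start=${2:-$(unprivileged_port_start)}
    case "$port" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$port" -ge "$start" ] && [ "$port" -le 65535 ]
}

# unit_name NAME: the unit file that `podman generate systemd --name NAME` writes.
unit_name() {
    printf 'container-%s.service\n' "$1"
}

# volume_arg HOSTDIR CTRDIR: bind mount with the :Z (private) SELinux relabel,
# so the container can reach this directory and nothing else on the host.
volume_arg() {
    printf '%s:%s:Z\n' "$1" "$2"
}

# deploy NAME HOST_PORT IMAGE: the post's steps 1-7 in order.
deploy() {
    name=$1; host_port=$2; image=$3
    storage="$HOME/container_storage"
    unit_dir="$HOME/.config/systemd/user"
    check_host_port "$host_port" || {
        echo "port $host_port is privileged for a rootless user" >&2; return 1; }
    mkdir -p "$unit_dir" "$storage"
    podman run -d --name "$name" -p "$host_port:8080" \
        -v "$(volume_arg "$storage" /var/www/html)" "$image"
    # --files writes the unit into the current directory, so generate it in place.
    ( cd "$unit_dir" && podman generate systemd --name "$name" --files --new )
    loginctl enable-linger "$(id -un)"
    export XDG_RUNTIME_DIR="/run/user/$(id -u)"
    systemctl --user daemon-reload
    systemctl --user enable --now "$(unit_name "$name")"
}

# Only deploy when invoked as "sh this.sh deploy"; sourcing is side-effect free.
if [ "${1:-}" = "deploy" ]; then
    deploy container_service 1025 registry.access.redhat.com/rhscl/httpd-24-rhel7
fi
```

Run it as `sh deploy.sh deploy` on the target host; the port check reads the live sysctl, so a host where an administrator lowered net.ipv4.ip_unprivileged_port_start will accept lower ports automatically.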


Wednesday, August 30, 2023

Manage Security in Linux(Part-9)

   In Part 8 of the Learning Linux blog series, we learned how to configure and manage users and groups on Linux systems.

In part 9, we will construct basic commands and understand security on the Linux operating system.


  • Configure key-based authentication for SSH
    • ssh-keygen -t ed25519 (generates a private/public key pair, id_ed25519 and id_ed25519.pub; without -t the default on RHEL is RSA, id_rsa and id_rsa.pub. Protect the private key with a passphrase and keep it at mode 0600)
    • ssh-copy-id aaron@10.11.12.9 (copies the public key to the target host into ~/.ssh/authorized_keys; alternatively log in to the target and append the public key to ~/.ssh/authorized_keys manually)
    • SSH server config file: /etc/ssh/sshd_config (with drop-ins under /etc/ssh/sshd_config.d/ on RHEL 9), SSH client config file: /etc/ssh/ssh_config, client drop-in directory: /etc/ssh/ssh_config.d/
    • Once key login works, set PasswordAuthentication no (and PermitRootLogin no or prohibit-password) in sshd_config, validate with sudo sshd -t and apply with sudo systemctl restart sshd; keep an existing session open while you test the new configuration
  • List and identify the SELinux file and process contexts
    • getenforce (view the SELinux mode: Enforcing, Permissive or Disabled),
    • ls -Z (see the SELinux context of files/folders), for example unconfined_u:object_r:user_home_t:s0 (user:role:type:level),
    • ps -eZ (see the context of running processes), id -Z (see the context of the current login session),
    • sudo semanage login -l (view the mapping of Linux logins to SELinux users),
    • sudo semanage user -l (view the roles assigned to each SELinux user),
  • Change kernel runtime parameters, persistent and non-persistent
    • sudo sysctl -a (list kernel runtime parameters),
    • sudo sysctl -w parameter=value (non-persistent change, lost at reboot),
    • sudo vi /etc/sysctl.d/swap-less.conf (persistent change; files in this directory are applied at boot),
    • sudo sysctl -p /etc/sysctl.d/swap-less.conf (apply the file now without a reboot; sudo sysctl --system applies every configured file),
    • sudo chcon -t httpd_sys_content_t /var/index.html (set a file's SELinux context type directly; this does not survive a relabel, use semanage fcontext for a permanent rule)
  • Restore default file contexts
    • enforcing=0 (GRUB kernel parameter to boot Linux into permissive mode: violations are logged but not blocked),
    • selinux=0 (kernel parameter that disables SELinux entirely; files created while it is disabled are left unlabelled, so a full relabel is required when SELinux is enabled again),
    • autorelabel=1 (kernel parameter, equivalent to touch /.autorelabel, that relabels every file at the next boot and then reboots)
  • Diagnose and troubleshoot SELinux policy violations:
    • Scenario 1: httpd fails to start after its listening port was changed,
      • sudo semanage port -l | grep http_port_t (check which ports httpd may bind), sudo semanage port -a -t http_port_t -p tcp <new port> (the right fix: label the new port for httpd),
      • sudo ausearch -c 'httpd' --raw | audit2allow -M my-httpd (alternatively, generate a custom policy module from the denials),
      • sudo semodule -i my-httpd.pp (install the module; read my-httpd.te first, because audit2allow allows exactly what was denied, including anything an attacker may have attempted, and a label or boolean fix is usually the better answer)
    • Scenario 2: changing the httpd document root path
      • sudo ausearch -m AVC -ts recent (list recent denials; grep 'httpd' /var/log/messages also shows the setroubleshoot summaries),
      • sudo semanage fcontext -a -t httpd_sys_content_t "/Directory(/.*)?" (add a persistent rule giving the directory tree the type that httpd may read)
      • sudo restorecon -Rv /Directory/ (apply the rule by resetting the contexts of the directory tree)
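Both scenarios above end in a denial in the audit log, and the decision that matters is whether to relabel, label a port, flip a boolean, or really write policy. As an added example that is not part of the post, this script reads audit.log-style AVC records (the sample lines are constructed, not captured from a host) and sorts each denial into one of those verdicts, which is the review step that piping straight into audit2allow skips. The type lists used by the classifier are this example's own heuristic for "generic label that should have been something else", not an official list.

```shell
#!/bin/sh
# Added example: triage SELinux AVC denials before reaching for audit2allow.
# Input is audit.log format; `ausearch --raw` emits the same records.

# Constructed sample records for a mis-configured httpd; not from a real host.
sample_log() {
    cat <<'EOF'
type=AVC msg=audit(1698660000.101:301): avc:  denied  { name_bind } for  pid=1201 comm="httpd" src=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1698660001.102:302): avc:  denied  { read } for  pid=1202 comm="httpd" name="index.html" dev="vda1" ino=4711 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1698660002.103:303): avc:  denied  { getattr } for  pid=1202 comm="httpd" path="/srv/www" dev="vda1" ino=4700 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1698660003.104:304): avc:  denied  { name_connect } for  pid=1202 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1698660003.104:304): arch=c000003e syscall=42 success=no exit=-13 comm="httpd"
EOF
}

# triage_avc: read AVC records on stdin; print "comm perm tclass target_type verdict"
# per denial. Verdicts: relabel (file carries a generic or home label: fix with
# semanage fcontext + restorecon), port (semanage port), boolean (check
# getsebool -a, e.g. httpd_can_network_connect_db), review (only then consider
# audit2allow, after reading the generated .te file).
triage_avc() {
    awk '
    /^type=AVC / && / denied / {
        comm = ""; tclass = ""; ttype = ""
        match($0, /\{ [^}]* \}/)                  # permission set between { }
        perm = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "comm")     { comm = kv[2]; gsub(/"/, "", comm) }
            if (kv[1] == "tclass")   tclass = kv[2]
            if (kv[1] == "tcontext") { split(kv[2], c, ":"); ttype = c[3] }
        }
        verdict = "review"
        if (tclass ~ /^(file|dir|lnk_file|sock_file|fifo_file)$/ && ttype ~ /^(user_home_t|admin_home_t|default_t|var_t|tmp_t|unlabeled_t)$/) verdict = "relabel"
        else if (tclass == "tcp_socket" && perm == "name_bind") verdict = "port"
        else if (tclass == "tcp_socket" && perm == "name_connect") verdict = "boolean"
        print comm, perm, tclass, ttype, verdict
    }'
}

# count_verdicts: summarise triage output as sorted "verdict count" lines.
count_verdicts() {
    awk '{ n[$5]++ } END { for (v in n) print v, n[v] }' | sort
}

# On a live host: sudo ausearch -m AVC -ts recent --raw | triage_avc
if [ "${1:-}" = "demo" ]; then
    sample_log | triage_avc
    sample_log | triage_avc | count_verdicts
fi
```

On the sample, the port denial maps to semanage port, the two file denials to a relabel (the document root was moved out of /var/www, exactly scenario 2), and the name_connect to a boolean; none of them should become an audit2allow module.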
#> echo "Thank you :)"

Thursday, July 27, 2023

Manage Users and Groups(Part-8)

  In Part 7 of the Learning Linux blog series, we learned how to configure and manage basic networking on Linux systems.

In part 8, we will construct basic commands to manage users and groups on the Linux operating system.

  • Create, delete, and modify local user accounts
    • Create user:
      • sudo useradd john (create user john with a primary group of the same name; on RHEL-family systems this also creates /home/john and sets /bin/bash as the login shell),
      • sudo passwd john (set the password),
      • sudo userdel john (delete user john without removing the home directory or mail spool; add -r/--remove to delete them too),
      • sudo useradd --shell /bin/othershell --home-dir /home/otherdir john (create the user with a custom shell and home directory),
      • sudo useradd -s /bin/othershell john (create the user with just a different default shell),
      • sudo useradd --system systemacc (add a service/system account: it gets a low UID and no home directory; give it a non-login shell with -s /sbin/nologin)
    • Local user accounts:
      • cat /etc/passwd (this file stores the user account details; password hashes live in /etc/shadow, readable only by root),
      • who or w (list the users who are signed in), id (show your UID, GID and group memberships),
      • whoami (show your current login user name),
    • Modify users:
      • sudo usermod --home /home/otherdir --move-home john (change and move the home directory),
      • sudo usermod --login jane john (rename user john to jane),
      • sudo usermod --shell /bin/othershell jane (change the default shell),
      • sudo usermod --lock jane or sudo usermod -L jane (lock the account's password without deleting the account; a password lock does not block SSH key logins, use --expiredate 1 to block all logins),
      • sudo usermod --unlock jane or sudo usermod -U jane (unlock the account),
      • sudo usermod --expiredate 2021-12-10 jane (set an expiry date for the account),
      • sudo chage --lastday 0 jane (force a password change at the next login), sudo chage --maxdays 90 jane (password expires after 90 days; -1 means it never expires),
      • sudo chage --list jane (show the account's password and account expiry settings),
    • Delete user/group:
      • sudo userdel -r jane (delete the user and the home directory), sudo groupdel john (delete the group)
  • Create, delete, and modify local groups and group memberships
    • Local group and membership:
      • sudo groupadd developers (create a group),
      • sudo gpasswd --add john developers (add john to the developers group as a secondary/supplementary group),
      • groups john (list the group memberships of user john),
      • sudo gpasswd --delete john developers (remove the user from the group),
      • sudo usermod --gid developers john (change the primary group of user john to developers),
    • Modify group:
      • sudo groupmod --new-name programmers developers (rename group developers to programmers),
      • sudo groupdel programmers (delete the group),
  • Manage access to the root account
      • sudo --login or sudo -i (open a root shell if sudoers allows you to; the actions are logged under your own account),
      • su --login or su -l (become root with the root password when you are not a sudo user),
      • sudo passwd --lock root (lock the root password; sudo passwd --unlock root reverses it. A locked password does not stop SSH key logins as root, so also set PermitRootLogin no in sshd_config),
  • Configure PAM (Pluggable Authentication Modules)
    • man pam (overview of PAM with pointers to the module manual pages, for example man pam_faillock), man pam.conf (the configuration file format),
      • ls /etc/pam.d/ (list the per-service PAM configuration files; on RHEL use authselect rather than editing them by hand),
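As an added example (not from the post), here is a check that walks /etc/passwd and /etc/shadow and flags the account states that the commands above create or are meant to prevent: a second UID-0 account, an empty password field, an interactive account whose password never expires, and locked accounts. The sample files are constructed inline so it runs without root; point audit_accounts at the real files to use it (sudo is required to read /etc/shadow).

```shell
#!/bin/sh
# Added example: audit local accounts for the states the post's commands
# produce. Sample passwd/shadow content is constructed, not from a real host.

sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
backup:x:0:1001:Backup operator:/home/backup:/bin/bash
john:x:1001:1001:John:/home/john:/bin/bash
jane:x:1002:1002:Jane:/home/jane:/bin/bash
svc:x:1003:1003:Service account:/var/lib/svc:/sbin/nologin
EOF
}

sample_shadow() {
    cat <<'EOF'
root:$6$salt$fakehash:19600:0:99999:7:::
bin:*:19600:0:99999:7:::
backup::19600:0:99999:7:::
john:$6$salt$fakehash:19600:0:90:7:::
jane:!$6$salt$fakehash:19600:0:99999:7:::
svc:*:19600:0:99999:7:::
EOF
}

# audit_accounts PASSWD SHADOW: print "FINDING user" lines.
#   UID0      a second root-equivalent account (uid 0, name not root)
#   NOPASS    empty password field: login without any password
#   NOEXPIRE  interactive account whose password never expires (max days >= 99999)
#   LOCKED    interactive account whose password is locked (! or * prefix); a lock
#             does not stop SSH key logins, see usermod --expiredate
audit_accounts() {
    awk -F: '
    NR == FNR { hash[$1] = $2; maxdays[$1] = $5; next }   # first file: shadow
    {
        user = $1; uid = $3; shell = $7
        h = hash[user]; m = maxdays[user]
        interactive = (shell !~ /(nologin|false)$/)
        locked = (h ~ /^[!*]/)
        if (uid == 0 && user != "root") print "UID0", user
        if (h == "") print "NOPASS", user
        if (interactive && !locked && h != "" && (m == "" || m + 0 >= 99999)) print "NOEXPIRE", user
        if (interactive && locked) print "LOCKED", user
    }' "$2" "$1"
}

# demo: run the audit over the constructed samples.
demo() {
    p=$(mktemp); s=$(mktemp)
    sample_passwd > "$p"; sample_shadow > "$s"
    audit_accounts "$p" "$s"
    rm -f "$p" "$s"
}

# On a real host: sudo sh this.sh (or call audit_accounts /etc/passwd /etc/shadow)
if [ "${1:-}" = "demo" ]; then demo; fi
```

On the samples it reports root as NOEXPIRE, backup as both UID0 and NOPASS, and jane as LOCKED; john is clean because chage --maxdays 90 was applied, and the nologin service accounts are ignored.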

Note: Use the Linux manual with "man <command>" or "<command> --help" to access the command documentation for more detail.

#> echo "Thank you :)"

Saturday, June 24, 2023

Manage Basic Networking(Part-7)

 In Part 6 of the Learning Linux blog series, we learned how to configure and maintain Linux systems.

In part 7, we will understand and manage the basic networking features.

- Configure networking and hostname resolution statically or dynamically

ip link show (show the list of network interfaces),

ip address show (show the IP addresses),

ip route show (show the routing table),

cat /etc/resolv.conf (show the DNS server IP addresses; on hosts running systemd-resolved this points at the 127.0.0.53 stub, so use resolvectl status to see the real servers)

NetworkManager: NetworkManager is a daemon that sits on top of libudev and other Linux kernel interfaces and provides a high-level interface for configuring the network interfaces.

Configure a network interface:

sudo nmtui (step 1: launch the text UI of NetworkManager and modify the IP settings as you like),

sudo nmcli device reapply enp0s3 (step 2: push the modified connection profile to the live device),

sudo vi /etc/sysconfig/network-scripts/ifcfg-<adapter> (use this on CentOS 7 and earlier; RHEL 8 still reads these files, while RHEL 9 keeps profiles under /etc/NetworkManager/system-connections/)

Host resolution: hosts file

sudo vi /etc/hosts (use this file to add manual hostname entries for local resolution; the lookup order between it and DNS is set by the hosts line in /etc/nsswitch.conf)


- Configure network services to start automatically at boot

sudo systemctl status NetworkManager.service (confirm that the NetworkManager service is installed and running; sudo systemctl enable --now NetworkManager if it is not)

Starting a connection at boot time:

sudo nmcli connection modify enp0s3 autoconnect yes (set the connection profile to come up at boot),


- Start, stop, and check the status of network services

sudo systemctl start/stop/restart/status <service> (manage a network service such as sshd, httpd or chronyd)

ss and netstat: both dump socket statistics. ss comes from iproute2, reads the kernel's netlink interface and is faster and more detailed; netstat comes from the deprecated net-tools package and is mostly found on older or minimal systems. Prefer ss, and fall back to netstat only where it is the sole tool available.

sudo ss -ltunp (listening TCP and UDP sockets with numeric ports and the owning process; anything bound to 0.0.0.0, * or [::] is reachable from the network, while 127.0.0.1 and [::1] bindings are local only)
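The listening-socket list is the starting point of an exposure review, so as an added example (not from the post) here is a script that turns ss -ltunp output into a "what is reachable from the network" list with the owning process. The sample ss output is constructed to look like a typical server, not captured from a host; the scope rule (loopback versus exposed) is this example's own.

```shell
#!/bin/sh
# Added example: turn `ss -ltunp` output into an exposure list, marking each
# listener as reachable from the network ("exposed") or loopback-only.
# The sample output below is constructed, not captured from a host.

sample_ss() {
    cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128        127.0.0.1:631        0.0.0.0:*     users:(("cupsd",pid=900,fd=7))
tcp   LISTEN 0      511                *:80               *:*     users:(("httpd",pid=1201,fd=4),("httpd",pid=1202,fd=4))
tcp   LISTEN 0      128             [::]:22            [::]:*     users:(("sshd",pid=812,fd=4))
udp   UNCONN 0      0            0.0.0.0:68         0.0.0.0:*     users:(("dhclient",pid=700,fd=6))
udp   UNCONN 0      0          127.0.0.1:323        0.0.0.0:*     users:(("chronyd",pid=750,fd=5))
EOF
}

# listeners: read ss -ltunp output on stdin; print "proto port address process scope".
listeners() {
    awk 'NR > 1 {
        n = split($5, a, ":")                      # port is after the last colon
        port = a[n]
        addr = substr($5, 1, length($5) - length(port) - 1)
        proc = "-"
        if (match($0, /users:\(\("[^"]+"/)) proc = substr($0, RSTART + 9, RLENGTH - 10)
        scope = "exposed"
        if (addr ~ /^127\./ || addr == "[::1]") scope = "loopback"
        print $1, port, addr, proc, scope
    }'
}

# exposed_only: keep just the network-reachable listeners.
exposed_only() {
    awk '$5 == "exposed"'
}

# On a live host: sudo ss -ltunp | listeners | exposed_only
if [ "${1:-}" = "demo" ]; then
    sample_ss | listeners | exposed_only
fi
```

Everything the exposed list shows should be either intended and covered by a firewalld rule (next section) or rebound to 127.0.0.1; on the sample that leaves sshd, httpd and the DHCP client.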


- Implement packet filtering

firewall-cmd --get-default-zone (show the default zone)

firewall-cmd --list-all (list the services, ports and sources allowed in the default zone),

sudo firewall-cmd --info-service=cockpit (show the ports behind a named service),

sudo firewall-cmd --remove-service=http (remove a service),

sudo firewall-cmd --remove-port=80/tcp (remove a port),

sudo firewall-cmd --add-source=10.11.12.0/24 --zone=trusted (add a source network to the trusted zone, which allows everything from it), sudo firewall-cmd --remove-source=10.11.12.0/24 --zone=trusted (remove it again),

sudo firewall-cmd --get-active-zones (list all active zones and the interfaces bound to them)

Make the firewall changes permanent:

1st: sudo firewall-cmd --add-port=80/tcp (allow port 80 in the runtime configuration only, until the next reload or reboot; the port is written as number/protocol, or use --add-service=http),

sudo firewall-cmd --runtime-to-permanent (save the runtime configuration permanently),

2nd: sudo firewall-cmd --add-port=80/tcp --permanent (write to the permanent configuration only; run sudo firewall-cmd --reload to make it active in the current session)


- Statically route IP traffic

sudo ip route add 192.168.0.0/24 via 10.0.0.100 (add a route sending traffic for the target network via the gateway),

sudo ip route add 192.168.0.0/24 via 10.0.0.100 dev enp0s3 (the same, but pinned to device enp0s3),

sudo ip route del 192.168.0.0/24 (delete the route),

sudo ip route add default via 10.0.0.100 (set the default gateway for all other traffic),

Routes added with ip route are lost at reboot. Add a route permanently using NetworkManager:

nmcli connection show (show the NetworkManager connection profiles),

sudo nmcli connection modify enp0s3 +ipv4.routes "192.168.0.0/24 10.0.0.100" (step 1: add the route to the profile)

sudo nmcli device reapply enp0s3 (step 2: apply the profile to the live device)

sudo ip route show (confirm the change in the routing table)

Remove an IP route:

sudo nmcli connection modify enp0s3 -ipv4.routes "192.168.0.0/24 10.0.0.100" (step 1: remove the route from the profile)

sudo nmcli device reapply enp0s3 (step 2: re-apply the profile)

Text UI method: sudo nmtui (edit the routes of the connection), then sudo nmcli device reapply enp0s3 (re-apply the profile)


- Configure time service clients

chronyd (daemon that keeps the clock synchronised with NTP servers), timedatectl (query and set the system clock and time zone)

Set up the time zone:

sudo timedatectl list-timezones (show all zones),

sudo timedatectl set-timezone America/New_York (set the time zone to America/New_York)

• Configure the chronyd service:

sudo yum install chrony (step 1: install the chrony daemon if it is not present)

sudo systemctl enable --now chronyd.service (step 2: start the chrony daemon now and at every boot)

sudo timedatectl set-ntp true (enable NTP synchronisation)

chronyc sources -v (verify which servers the clock is synchronised to; accurate time matters for TLS certificate validation, Kerberos and correlating logs across hosts)


Note: Use the Linux manual with "man <command>" or "<command> --help" to access the command documentation for more detail.


#> echo "Thank you :)"


Tuesday, May 2, 2023

Deploy, Configure, and Maintain Systems(Part-6)

 In Part 5 of the Learning Linux blog series, we learned how to create and configure Linux file systems such as ext4, vfat and xfs.

In part 6, we will learn and construct the commands required to configure, manage and maintain Linux systems.


- Schedule tasks to run at a set date and time

    Cron utility: for scheduling repetitive jobs that run every minute, hour, day, etc.

    Scheduling a job with cron: prefer per-user crontabs (crontab -e) over editing the system-wide /etc/crontab. The layout below is the /etc/crontab and /etc/cron.d format; per-user crontabs use the same five time fields but have no user-name column, because the job runs as the crontab's owner.

    # Example of job definition:
    # .---------------- minute (0 - 59)
    # |  .------------- hour (0 - 23)
    # |  |  .---------- day of month (1 - 31)
    # |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr
    # |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
    # |  |  |  |  |
    # *  *  *  *  * user-name  command to be executed

    crontab -l (list the cron jobs of the logged-in user),

    sudo crontab -e -u aaron (modify the crontab of user aaron),

    crontab -r (remove your own crontab; there is no confirmation prompt),

    Or place an executable script (without an extension such as .sh) in one of these directories under /etc/:

    cron.hourly/
    cron.daily/
    cron.weekly/
    cron.monthly/

    Scheduling a job with anacron: the smallest unit anacron works with is a day, so it runs tasks daily, weekly, monthly, etc. Cron misses a job if the system is off at the scheduled time; anacron runs it after the next power-on.

    sudo vim /etc/anacrontab (edit the anacron jobs),

    anacron -T (test the syntax of the anacrontab file),

    sudo anacron -n -f (force anacron to run all jobs now, ignoring delays and timestamps)

    Scheduling a job with at: for one-time tasks.

    at 15:00, press Enter, type the command(s), then Ctrl+D to submit,

    atq (list the queued jobs),

    at -c <job id> (view the job details, including the command and its environment),

    atrm <job id> (remove a job),

    Examples:

    at 'august 20 2022',
    at '2:30 august 20 2022',
    at 'now + 30 minutes',
    at 'now + 3 hours' (also days, weeks or months)


- Verify completion of scheduled jobs

    sudo cat /var/log/cron (read the cron log on RHEL-family systems; elsewhere use journalctl -u crond or grep CRON /var/log/syslog),

    sudo anacron -n (run today's scheduled jobs now),

    sudo grep 'anacron' /var/log/cron (search the cron log for anacron runs; you may also search for the job name),

    sudo grep atd /var/log/cron (search for at jobs)

    <job command> | systemd-cat --identifier=job1 (send the job's output to the journal under the identifier job1), journalctl -t job1 (look up that job's entries in the journal)


- Manage the startup process and services

    Startup processes and services: systemctl cat sshd.service (look at the sshd service unit file),

    sudo systemctl is-enabled sshd.service (check whether the service starts at boot),

    sudo systemctl enable --now sshd.service (enable and start the service), sudo systemctl disable --now sshd.service (disable and stop it),

    sudo systemctl mask atd.service (link the unit to /dev/null so that nobody, not even another unit, can start it), sudo systemctl unmask atd.service (remove the mask),

    sudo systemctl list-units --type service --all (list all service units, including inactive ones),


- Install and update software packages from Red Hat Network, a remote repository, or from the local file system

   Subscription Manager: registering a RHEL system and attaching a subscription.

    sudo subscription-manager register --username your-rh-developer-username (prompts for the password)

   Repositories: a repository can be local or hosted on the internet and serves the packages together with their metadata.

    sudo yum repolist (show the enabled repositories),

    sudo yum repolist -v (show the repositories with URLs, folders, etc.),

    sudo yum repolist all (list all repositories, including optional or disabled ones),

    sudo subscription-manager repos --enable <repo-id> / --disable <repo-id>, or sudo yum-config-manager --enable <repo-id> / --disable <repo-id>,

    Add repositories: sudo yum-config-manager --add-repo <URL of the repository or of a .repo file>

     Add a repository by adding a repo file:

sudo vi /etc/yum.repos.d/docker-ce.repo

<

[short-name]

name=My repo full name with description

baseurl=http://server1.example.com/stable

enabled=1

gpgcheck=1

gpgkey=<URL or file:// path of the repository's signing key>

>

    Keep gpgcheck=1 and import only a signing key you verified out of band; with gpgcheck=0 anyone who can tamper with the mirror, or with the plain-http connection to it, can feed you modified packages. Prefer an https baseurl for the same reason.
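Repo files are where a package supply chain is weakened quietly, so as an added example (not from the post) here is a check over the .repo format that reports a plain-http baseurl, a missing or disabled gpgcheck, and gpgcheck=1 without a pinned gpgkey. The sample file is constructed for the demo; the section names and the finding labels are this example's own.

```shell
#!/bin/sh
# Added example: audit yum/dnf .repo files for settings that weaken the
# package supply chain. The sample file is constructed, not a real repo.

sample_repo() {
    cat <<'EOF'
[example-signed]
name=Example signed repository
baseurl=https://server1.example.com/signed
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example

[myrepo]
name=My repo full name with desc
baseurl=http://server1.example.com/stable
enabled=1

# gpgcheck on but no key: installs fail, or users import whatever the mirror offers
[partial]
name=Partially configured repo
baseurl=https://server2.example.com/partial
enabled=1
gpgcheck=1
EOF
}

# audit_repo FILE: print "FINDING section" per weak setting.
#   PLAINTEXT   baseurl is http://, so metadata and packages can be altered in transit
#   NOGPGCHECK  gpgcheck missing or 0: package signatures are never verified
#   NOGPGKEY    gpgcheck=1 without gpgkey: no pinned key for this repository
audit_repo() {
    awk '
    function flush() {
        if (sec == "") return
        if (url ~ /^http:\/\//) print "PLAINTEXT", sec
        if (gpg != "1")         print "NOGPGCHECK", sec
        else if (key == "")     print "NOGPGKEY", sec
    }
    /^\[.*\]$/ { flush(); sec = substr($0, 2, length($0) - 2); url = ""; gpg = ""; key = ""; next }
    /^[ \t]*#/ { next }
    /^[ \t]*$/ { next }
    {
        eq = index($0, "="); if (eq == 0) next
        k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
        gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
        if (k == "baseurl")  url = v
        if (k == "gpgcheck") gpg = v
        if (k == "gpgkey")   key = v
    }
    END { flush() }' "$1"
}

# demo: write the sample to a temp file and audit it.
demo() {
    f=$(mktemp); sample_repo > "$f"
    audit_repo "$f"
    rm -f "$f"
}

# On a real host: for f in /etc/yum.repos.d/*.repo; do audit_repo "$f"; done
if [ "${1:-}" = "demo" ]; then demo; fi
```

A repository that trips NOGPGCHECK is the one to fix first: with signature checking off, yum trusts whatever the mirror returns.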

    Managing packages with yum:

sudo yum search 'keyword' (search package names and descriptions),

sudo yum info <package name> (more detail about the package),

sudo yum install httpd, sudo yum reinstall httpd (reinstall),

sudo yum remove httpd (remove packages).

Package groups:

sudo yum group list (show the package groups),

sudo yum group install 'Server with GUI',

sudo yum group remove 'Server with GUI'

Install an RPM file: sudo yum install ./package.rpm (install a local RPM through yum so that its dependencies are resolved; check its signature first with rpm -K ./package.rpm, because local files are not GPG-checked unless localpkg_gpgcheck=1 is set)

Updating and upgrading with yum: sudo yum check-update (list the available updates), sudo yum update (apply them)

Work with package module streams:

sudo yum module list (list all modules),

sudo yum module list nodejs (list the streams and profiles of the nodejs module),

sudo yum module install nodejs:14/development (install Node.js stream 14 with the development profile),

sudo yum module list --installed nodejs (show which stream is installed),


--> echo "Thank you :)"

Wednesday, March 22, 2023

Learning Linux - Create and Configure File Systems(Part-5)

 In Part 4 of the Learning Linux blog series, we learned how to configure local stor on Linux systems.

In part 5, we will learn and construct the everyday commands for creating and configuring Linux file systems.

- Create and configure file systems

    sudo mkfs.xfs -L "BackupVolume" /dev/sdb (format the disk with an XFS file system and a label)

    sudo mkfs.xfs -i size=512 -L "BackupVolume" /dev/sdb (the same, with a 512-byte inode size; the value must be a power of two between 256 and 2048)

    sudo mkfs.ext4 -L "BackupVolume" -N 500000 /dev/sdb2 (format the partition with ext4, a label and 500,000 inodes)

    xfs_admin (change the label or UUID of an XFS file system), tune2fs (tune an ext2/3/4 file system, for example tune2fs -l to list its parameters)


- Create, mount, unmount, and use vfat file systems

    vfat (virtual file allocation table: the FAT file system with long file names, used for data exchanged with Windows, firmware and removable media)

        sudo fdisk /dev/vdb (t to change the partition type, b for W95 FAT32)

        sudo mkfs.vfat /dev/vdb1 (mkfs.vfat picks FAT12, FAT16 or FAT32 from the partition size)

        sudo mkfs.vfat -F 32 /dev/vdb1 (force FAT32, needed for partitions of a few GB and larger)

        sudo mount /dev/vdb1 /mnt, sudo umount /mnt (mount and unmount it; vfat has no permissions or ownership, so mount it with uid=, gid= and umask= options if non-root users need it)


- Configure systems to mount file systems at or during boot

    sudo mkdir /mybackupvol (create the directory where you want to mount the new volume)

    sudo blkid /dev/vdb1 (get the file system's UUID; refer to it as UUID= in fstab, because device names such as /dev/vdb1 can change when disks are added or reordered)

    sudo vi /etc/fstab and add a line such as: UUID=<uuid from blkid>   /mybackupvol   xfs   defaults   0 0 (fields: 1 device or UUID=, 2 mount point, 3 file system type, 4 mount options, where defaults can be extended with nodev,nosuid,noexec, 5 dump flag, 0 = disabled, 6 fsck order, 1 = root file system, 2 = other file systems, 0 = never checked, which is what XFS uses),

    man fstab (for more help)

    sudo systemctl daemon-reload, sudo mount -a (mount everything listed in fstab now; a typo in fstab can leave the next boot in emergency mode, so test this way before rebooting)

    sudo systemctl reboot (final check that the volume comes up at boot)
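The fstab line above is where mount-option hardening is decided once and applied on every boot, so as an added example (not from the post) here is a check that reads an fstab and flags non-root mounts without nodev or nosuid, vfat and tmpfs mounts without noexec, and entries that reference /dev paths instead of UUID=. The sample fstab is constructed for the demo, including its UUIDs; the finding names are this example's own.

```shell
#!/bin/sh
# Added example: audit /etc/fstab for mount-option hardening and fragile
# device references. The sample fstab is constructed, not from a real host.

sample_fstab() {
    cat <<'EOF'
# <device>                                 <mount point>   <type>  <options>                       <dump> <pass>
UUID=3c1e2b7a-0000-4000-8000-000000000001  /               xfs     defaults                        0 0
/dev/vdb1                                  /mybackupvol    xfs     defaults                        0 0
UUID=ABCD-1234                             /media/usb      vfat    defaults,uid=1000,gid=1000      0 0
/dev/vdc1                                  /srv/data       ext4    defaults,nodev,nosuid           0 2
tmpfs                                      /tmp            tmpfs   defaults,nodev,nosuid,noexec    0 0
UUID=3c1e2b7a-0000-4000-8000-000000000002  none            swap    defaults                        0 0
EOF
}

# audit_fstab FILE: print "FINDING mountpoint" for every non-root, non-swap entry.
#   DEVPATH  device given as /dev/xxx; names can change when disks are added, use UUID=
#   NODEV    missing nodev: device nodes on the volume would be honoured
#   NOSUID   missing nosuid: setuid binaries on the volume would run privileged
#   NOEXEC   vfat/tmpfs without noexec: removable or world-writable space is executable
audit_fstab() {
    awk '
    /^[ \t]*#/ { next }
    /^[ \t]*$/ { next }
    $2 == "/" || $3 == "swap" { next }
    {
        mnt = $2; type = $3; opts = "," $4 ","
        if ($1 ~ /^\/dev\//)   print "DEVPATH", mnt
        if (opts !~ /,nodev,/) print "NODEV", mnt
        if (opts !~ /,nosuid,/) print "NOSUID", mnt
        if ((type == "vfat" || type == "tmpfs") && opts !~ /,noexec,/) print "NOEXEC", mnt
    }' "$1"
}

# demo: write the sample to a temp file and audit it.
demo() {
    f=$(mktemp); sample_fstab > "$f"
    audit_fstab "$f"
    rm -f "$f"
}

# On a real host: audit_fstab /etc/fstab (then sudo mount -a after editing)
if [ "${1:-}" = "demo" ]; then demo; fi
```

nodev and nosuid are safe on any data volume; noexec on /tmp can break installers that unpack and run scripts there, so treat that finding as a decision rather than a rule.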


- Configure disk compression (RHEL 8 and earlier: Python-based vdo tools)

    Enabling vdo (Virtual Data Optimizer: block-level deduplication and compression)

        sudo yum install vdo kmod-kvdo -y, sudo systemctl enable --now vdo.service

    Using vdo with storage devices

        sudo vdo create --name=vdo_storage --device=/dev/vdb --vdoLogicalSize=10G (create a VDO volume on the physical disk; the logical size may exceed the physical size because of deduplication and compression)

        sudo vdostats --human-readable (check the VDO device's usage and savings)

        sudo mkfs.xfs -K /dev/mapper/vdo_storage (format the VDO device with XFS; -K skips discarding blocks, which is slow on VDO)

    Mounting vdo devices

        fstab example: /dev/mapper/vdo_storage /mnt/myvdo xfs defaults,_netdev,x-systemd.device-timeout=0,x-systemd.requires=vdo.service 0 0

    RHEL 9: lvmvdo, the vdo tool has been merged into LVM

        1. Create a physical volume: sudo pvcreate /dev/vdb

        2. Create a volume group: sudo vgcreate vdo_volume /dev/vdb

        3. Create a VDO-enabled logical volume: sudo lvcreate --type vdo -n vdo_storage -l 100%FREE -V 10G vdo_volume/vdo_pool1 (-l 100%FREE gives the backing pool all of the physical space, -V 10G is the logical size presented to the file system)

        4. Create an XFS file system: sudo mkfs.xfs -K /dev/vdo_volume/vdo_storage

    Or create an ext4 file system: sudo mkfs.ext4 -E nodiscard /dev/vdo_volume/vdo_storage

- Manage layered storage

    Stratis: a local storage management tool for Linux that layers XFS on top of device-mapper and manages pools, thin-provisioned file systems and snapshots for you

        Enabling Stratis: sudo yum install stratisd stratis-cli, sudo systemctl enable --now stratisd

        Creating a Stratis storage pool: sudo stratis pool create my-pool /dev/vdc /dev/vdd, sudo stratis pool list (list pools), sudo stratis blockdev list (list the block devices in the pools)

        Creating a Stratis file system: sudo stratis fs create my-pool myfs1, sudo stratis fs list (list file systems),

        Mounting a Stratis file system, fstab example: /dev/stratis/my-pool/myfs1 /mnt/mystratis xfs defaults,x-systemd.requires=stratisd.service 0 0 (x-systemd.requires makes sure stratisd is up before the mount is attempted; the dump and fsck fields stay 0)

        Adding a storage device to the Stratis pool: sudo stratis pool add-data my-pool /dev/vde

        File system snapshot with Stratis: sudo stratis fs snapshot my-pool myfs1 myfs1-snapshot

        Mount a snapshot in place of the live file system (example with pool developers and file system devfs): sudo stratis fs rename developers devfs devfs-bad, sudo stratis fs rename developers devfs-snapshot devfs, sudo umount /mnt/devstorage, sudo mount /mnt/devstorage

    Taking a backup of a file system:

        sudo stratis fs snapshot my-pool myfs1 myfs1-snapshot (create a snapshot of the Stratis file system)

        sudo stratis fs rename my-pool myfs1 myfs1-old (rename the current file system)

        sudo stratis fs rename my-pool myfs1-snapshot myfs1 (next, rename the snapshot to the previous file system's name)

        sudo umount /mnt/mystratis, sudo mount /mnt/mystratis (unmount and mount again so that the renamed file system is picked up)


-> echo "Thank you :)"