audit

 

Use Cases

 

Watching file access

Monitoring system calls

Recording commands run by a user

Monitoring network access
    The iptables and ebtables utilities can be configured to trigger Audit events

 


Summary Report

 

aureport

Summary Report
======================
Range of time in logs: 02/13/2017 17:30:15.545 - 09/19/2017 17:07:16.241
Selected time for report: 02/13/2017 17:30:15 - 09/19/2017 17:07:16.241
Number of changes in configuration: 1870
Number of changes to accounts, groups, or roles: 44
Number of logins: 43
Number of failed logins: 3
Number of authentications: 89
Number of failed authentications: 32
Number of users: 2
.........

 


Program

 

audisp — the Audit dispatcher daemon interacts with the Audit daemon and sends events to other applications for further processing. The purpose of this daemon is to provide a plug-in mechanism so that real-time analytical programs can interact with Audit events.

auditctl — the Audit control utility interacts with the kernel Audit component to manage rules and to control a number of settings and parameters of the event generation process.

 


Install

 

# Installed by default on Red Hat Enterprise Linux 7

yum install audit

# Rule File

/etc/audit/audit.rules

# Configure File

/etc/audit/auditd.conf

Service

systemctl enable auditd

service auditd start

# Rotates the log files in the /var/log/audit/ directory.

service auditd rotate

Stop auditd

service auditd stop; systemctl disable auditd

 


Configure

 

local_events = yes
write_logs = yes
log_file = /var/log/audit/audit.log
log_group = root
log_format = RAW

# log

# Specifies the maximum size of a single Audit log file (Mbyte)
max_log_file = 8
num_logs = 5
max_log_file_action = ROTATE

# how many records can be sent to the disk before forcing a hard synchronization with the hard drive

flush = INCREMENTAL_ASYNC
freq = 50

More about configure

# specifies whether or not to include local events.
# "no" is when you want to aggregate events only from the network.

local_events = yes

# RAW: stored in a format exactly as the kernel sends it
# ENRICHED: will resolve all uid, gid, syscall, architecture, and socket address information before writing the event to disk.

log_format = RAW

# "ps axl | grep auditd" will then show -4 for auditd

priority_boost=4

# Dispatcher

The dispatcher is a program that is started by the audit daemon when it starts up.
It will pass a copy of all audit events to that application's stdin.

There is a 128k buffer between the audit daemon and dispatcher.
lossy: incoming events going to the dispatcher are discarded when this queue is full.
(Events are still written to disk if log_format is not nolog.)
lossless: auditd daemon will wait for the queue to have an empty spot before logging to disk.

disp_qos = lossy
dispatcher = /sbin/audispd

 


auditctl

 

auditctl -s

enabled 1
failure 1
pid 582
rate_limit 0
backlog_limit 64
lost 0
backlog 0
loginuid_immutable 0 unlocked

# List all rules

auditctl -l

No rules

# deletes all currently loaded Audit rules

auditctl -D

 

Defining File System Rules

auditctl -w path_to_file -p permissions -k key_name

    r — read access to a file or a directory.
    w — write access to a file or a directory.
    x — execute access to a file or a directory.
    a — change in the file's or directory's attribute.

e.g.

auditctl -w /etc/passwd -p wa -k passwd_changes

auditctl -w /root/login/ -p rwa -k Login_PW_File

-w path

Insert a watch for the file system object at path.

  * Wildcards are not supported

After the rule is added, a log entry appears:

type=CONFIG_CHANGE msg=audit(1505813953.234:146): auid=0 ses=2 op=add_rule key="Login_PW_File" list=4 res=1

When the watched path is accessed:

type=SYSCALL msg=audit(1505814134.528:154): 
     arch=c000003e syscall=2 success=yes exit=3 a0=7ffe4e40234c a1=0 a2=1fffffffffff0000 a3=7ffe4e401520 
     items=1 ppid=1958 pid=2013 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=2 comm="cat" exe="/usr/bin/cat" key="Login_PW_File"
type=CWD msg=audit(1505814134.528:154):  cwd="/root"
type=PATH msg=audit(1505814134.528:154): item=0 name="/root/login/seafile.txt" inode=1092069 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
type=PROCTITLE msg=audit(1505814134.528:154): proctitle=636174002F726F6F742F6C6F67696E2F73656166696C652E747874

Record Type

First Record

type=SYSCALL

This record was triggered by a system call to the kernel.

Second Record

type=CWD

This type is used to record the working directory from which the process that invoked the system call specified in the first record was executed.

Third Record

type=PATH

A PATH-type record is written for every path that is passed to the system call as an argument.
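As an added example (not part of the original notes), the parser below reads records in the RAW log_format shown above, groups them into events by serial number, decodes the hex-encoded proctitle, and reports file accesses carrying a given key. The sample log is constructed from the records above; the same per-line parser is what a dispatcher plug-in (fed a copy of every event on stdin, as described under Dispatcher) would apply to each line it receives.

```python
import re
from collections import defaultdict

# Constructed sample: the CONFIG_CHANGE record plus the four records of event 154.
SAMPLE_LOG = """\
type=CONFIG_CHANGE msg=audit(1505813953.234:146): auid=0 ses=2 op=add_rule key="Login_PW_File" list=4 res=1
type=SYSCALL msg=audit(1505814134.528:154): arch=c000003e syscall=2 success=yes exit=3 a0=7ffe4e40234c a1=0 a2=1fffffffffff0000 a3=7ffe4e401520 items=1 ppid=1958 pid=2013 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=2 comm="cat" exe="/usr/bin/cat" key="Login_PW_File"
type=CWD msg=audit(1505814134.528:154):  cwd="/root"
type=PATH msg=audit(1505814134.528:154): item=0 name="/root/login/seafile.txt" inode=1092069 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
type=PROCTITLE msg=audit(1505814134.528:154): proctitle=636174002F726F6F742F6C6F67696E2F73656166696C652E747874
"""

# type=<TYPE> msg=audit(<seconds>.<millis>:<serial>): <key=value ...>
HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Parse one RAW audit record into a dict, or return None for non-records."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    fields = {}
    for k, v in FIELD.findall(body):
        if k == "proctitle" and not v.startswith('"'):
            # Unquoted proctitle is hex-encoded argv, NUL-separated
            v = " ".join(bytes.fromhex(v).decode("utf-8", "replace").split("\0"))
        fields[k] = v.strip('"')
    return {"type": rtype, "time": float(ts), "serial": int(serial), **fields}

def group_events(log_text):
    """Records sharing a serial number belong to the same event."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["serial"]].append(rec)
    return events

def file_access_events(log_text, key):
    """Summarise each SYSCALL event tagged with `key`: who ran what, on which paths."""
    out = []
    for serial, recs in sorted(group_events(log_text).items()):
        sysc = next((r for r in recs if r["type"] == "SYSCALL"), None)
        if sysc is None or sysc.get("key") != key:
            continue  # CONFIG_CHANGE and other non-syscall events are skipped
        out.append({"serial": serial, "uid": sysc["uid"], "exe": sysc["exe"],
                    "proctitle": next((r["proctitle"] for r in recs if r["type"] == "PROCTITLE"), ""),
                    "paths": [r["name"] for r in recs if r["type"] == "PATH"]})
    return out

if __name__ == "__main__":
    for ev in file_access_events(SAMPLE_LOG, "Login_PW_File"):
        print(ev)
```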

 

Defining Executable File Rules

auditctl -a action,filter [ -F arch=cpu -S system_call] -F exe=path_to_executable_file -k key_name

-a list,action              # Append rule to the end of list with action

list:

task - Add a rule to the per task list. This rule list is used only at the time a task is created,
       when fork() or clone() are called by the parent task.

exclude - Add a rule to the event type exclusion filter list.
          (This list is used to filter events that you do not want to see)

action:

  • always
  • never

-F field=value

additional options that further modify the rule to match events based on a specified architecture, group ID, process ID, and others.

-S system_call

A list of all system calls can be found in the /usr/include/asm/unistd_64.h

e.g.

# -a always,exit and the arch filter are required for a syscall rule; without them auditctl has no rule to add
auditctl -a always,exit -F exe=/bin/id -F arch=b64 -S execve -k execution_bin_id

 


augenrules
  

/etc/audit/rules.d/* --> audit.rules

The files in this directory are organized into groups with following meanings:

    10 - Kernel and auditctl configuration
    20 - Rules that could match general rules but you want a different match
    30 - Main rules
    40 - Optional rules
    50 - Server-specific rules
    70 - System local rules
    90 - Finalize (immutable)

Once you have the rules in the rules.d directory, you can load them by running

# test if rules have changed and need updating without overwriting audit.rules

augenrules --check

# load old or newly built rules into the kernel

augenrules --load

Preconfigured Rules Files

ls -1 /usr/share/doc/audit*/rules/

10-base-config.rules
10-no-audit.rules
11-loginuid.rules
12-cont-fail.rules
12-ignore-error.rules
20-dont-audit.rules
21-no32bit.rules
22-ignore-chrony.rules
30-nispom.rules
30-pci-dss-v31.rules
30-stig.rules
31-privileged.rules
32-power-abuse.rules
40-local.rules
41-containers.rules
42-injection.rules
43-module-load.rules
70-einval.rules
71-networking.rules
99-finalize.rules
README-rules