How to use Auditing System in Linux – Configure, Audit Logs and Generate Reports

Updated on September 2, 2017

Before we start discussing the Auditing system, I would like to ask a few questions. How do you monitor the commands executed by a user? How do you know whether a file or a directory was accessed? How do you record security-related events? How do you monitor system calls, network access and so on, and finally, how do you generate a report out of all that? The Linux Auditing system is the answer to all of the above questions.

The Linux Auditing system allows an administrator to configure audit rules that monitor system calls, file access, network-related events and more, and to generate reports that can later be analysed and investigated for suspicious activity. The audit subsystem has been part of the kernel since version 2.6; it is paired with the user-space auditd daemon (from the audit/auditd package), which writes the events the kernel emits to disk and, when started, loads the pre-configured rules from /etc/audit/audit.rules. The administrator uses the auditctl command to control the audit system, create rules and so on. The other two important commands are:

  • ausearch – command that allows you to query the audit logs based on the given criteria.
  • aureport – command used to generate reports.

Audit configuration files are located under /etc/audit and the logs under /var/log/audit.

  • /etc/audit/audit.rules – the permanent rules, loaded when the auditd daemon starts. On systems that ship augenrules this file is regenerated from /etc/audit/rules.d/ at load time, so hand edits to it are overwritten.
  • /etc/audit/auditd.conf – configuration of the daemon itself: where the log is written, how it is rotated, and what to do when the disk runs out of space.
  • /etc/audit/rules.d/ – folder for custom rule files, merged in file-name order into audit.rules by augenrules.

What the audit system records

Below is the kind of information the audit system records (some of it only when the matching rules are loaded or the relevant subsystem, such as SELinux, is enabled):

  • Time stamp, type and outcome of the event
  • UID and GID that triggered the event, including the login UID (auid), which is set at login and survives su and sudo
  • Sensitivity labels (security contexts) of subject and object
  • Use of authentication mechanisms such as SSH, Kerberos and PAM
  • File integrity events
  • Import and export of information
  • Events included or excluded by user identity, subject and other attributes (the -F fields of a rule)
  • Attempts to change audit configuration files and logs

How to install auditd on CentOS and Ubuntu?

On CentOS:

# yum install audit

On Ubuntu:

# apt-get install auditd
Setting up auditd (1:2.4.5-1ubuntu2) ...
update-rc.d: warning: start and stop actions are no longer supported; falling back to defaults
Processing triggers for libc-bin (2.23-0ubuntu3) ...
Processing triggers for systemd (229-4ubuntu6) ...
Processing triggers for ureadahead (0.100.0-19) ...

Once the package is installed, the auditd daemon is started automatically. If it is not, start it with the command below (on a systemd-based system the init script forwards this to systemctl, as the restart output further down shows):

# /etc/init.d/auditd start

List the active audit rules:

# auditctl -l
 No rules

How to create audit rules?

Let us create a rule to monitor the file /etc/passwd

# auditctl -w /etc/passwd -p war -k audit-passwd

The above command creates a watch on the file /etc/passwd.

  • -w /etc/passwd – creates a watch for the file /etc/passwd
  • -p war – sets the permission filter: w for write, r for read, a for attribute change. The fourth available letter is x for execute (not e).
  • -k audit-passwd – audit-passwd is a key that identifies events produced by this rule in the logs (ausearch -k audit-passwd finds them).

Basically, the above command records anyone who reads, writes or changes the attributes of /etc/passwd. Be aware that r on /etc/passwd is very noisy, because every user-name lookup on the system opens that file; a production rule normally uses -p wa and enables reads only for a short investigation window.

Now the rule is created, let us login as an unprivileged user and try accessing /etc/passwd file.

$ grep henry /etc/passwd
$ vim /etc/passwd

The above two commands were run by a local user called ‘ubuntu’, and the resulting events are expected to be logged in /var/log/audit/audit.log.

How to find who changed or accessed /etc/passwd?

We will use ausearch command:

# ausearch -f /etc/passwd -i
type=PROCTITLE msg=audit(08/05/2016 11:56:10.088:72) : proctitle=grep --color=auto henry /etc/passwd
type=PATH msg=audit(08/05/2016 11:56:10.088:72) : item=0 name=/etc/passwd inode=56913 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00 nametype=NORMAL
type=CWD msg=audit(08/05/2016 11:56:10.088:72) : cwd=/home/ubuntu
type=SYSCALL msg=audit(08/05/2016 11:56:10.088:72) : arch=x86_64 syscall=openat success=yes exit=3 a0=0xffffffffffffff9c a1=0x7ffebf6cb887 a2=O_RDONLY|O_NOCTTY a3=0x0 items=1 ppid=14098 pid=14992 auid=ubuntu uid=ubuntu gid=ubuntu euid=ubuntu suid=ubuntu fsuid=ubuntu egid=ubuntu sgid=ubuntu fsgid=ubuntu tty=pts0 ses=1302 comm=grep exe=/bin/grep key=audit-passwd
type=PROCTITLE msg=audit(08/05/2016 11:56:12.028:74) : proctitle=vim /etc/passwd
type=PATH msg=audit(08/05/2016 11:56:12.028:74) : item=0 name=/etc/passwd inode=56913 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00 nametype=NORMAL
type=CWD msg=audit(08/05/2016 11:56:12.028:74) : cwd=/home/ubuntu
type=SYSCALL msg=audit(08/05/2016 11:56:12.028:74) : arch=x86_64 syscall=open success=yes exit=3 a0=0x556072132500 a1=O_RDONLY a2=0x0 a3=0x556072347f50 items=1 ppid=14098 pid=14993 auid=ubuntu uid=ubuntu gid=ubuntu euid=ubuntu suid=ubuntu fsuid=ubuntu egid=ubuntu sgid=ubuntu fsgid=ubuntu tty=pts0 ses=1302 comm=vim exe=/usr/bin/vim.basic key=audit-passwd

The above output shows that the user ubuntu opened /etc/passwd with grep and with vim (both opens are O_RDONLY; vim only opens the file for writing when you save, which an unprivileged user cannot do here). All records that belong to one event share the same msg=audit(timestamp:serial) identifier: SYSCALL says who did it and with which program (auid is the login UID, which survives su and sudo, while uid and euid are the identity the process ran with), PATH names the file, CWD gives the working directory the path was resolved from, and PROCTITLE the full command line. By default the log uses numeric UIDs and GIDs; the ‘-i‘ option maps them to user and group names and also decodes syscall numbers and open flags, as seen above.
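The record correlation described above, carried out over raw audit.log lines with awk, as an added example that is not part of the original article. The log lines are constructed in the raw on-disk format that ausearch reads before -i decodes it (numeric ids, quoted strings, msg=audit(epoch.ms:serial)); the timestamps, pids, addresses and inode numbers are made up. Beyond the page's two events it also shows a sudo'd vim (auid 1000 but uid 0), a failed append by the unprivileged user (success=no, exit=-13), a daemon read with no login session (auid 4294967295), and a PATH name that is relative to the CWD record.

```shell
#!/bin/sh
# Added example (not from the original article): correlate raw audit.log
# records into events and report who touched a watched file.
# All log lines below are constructed; the format is the raw one on disk.

# make_sample_log FILE: write the constructed sample log to FILE
make_sample_log() {
  cat > "$1" <<'EOF'
type=SYSCALL msg=audit(1470398170.088:72): arch=c000003e syscall=257 success=yes exit=3 a0=ffffffffffffff9c a1=7ffebf6cb887 a2=80000 a3=0 items=1 ppid=14098 pid=14992 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1302 comm="grep" exe="/bin/grep" key="audit-passwd"
type=CWD msg=audit(1470398170.088:72):  cwd="/home/ubuntu"
type=PATH msg=audit(1470398170.088:72): item=0 name="/etc/passwd" inode=56913 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PROCTITLE msg=audit(1470398170.088:72): proctitle=67726570002D2D636F6C6F723D6175746F0068656E7279002F6574632F706173737764
type=SYSCALL msg=audit(1470398172.028:74): arch=c000003e syscall=2 success=yes exit=3 a0=556072132500 a1=0 a2=0 a3=556072347f50 items=1 ppid=14098 pid=14993 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1302 comm="vim" exe="/usr/bin/vim.basic" key="audit-passwd"
type=CWD msg=audit(1470398172.028:74):  cwd="/home/ubuntu"
type=PATH msg=audit(1470398172.028:74): item=0 name="/etc/passwd" inode=56913 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1470398190.300:75): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=55c1a2b3c4d0 a2=441 a3=1b6 items=1 ppid=14098 pid=15004 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1302 comm="bash" exe="/bin/bash" key="audit-passwd"
type=CWD msg=audit(1470398190.300:75):  cwd="/home/ubuntu"
type=PATH msg=audit(1470398190.300:75): item=0 name="/etc/passwd" inode=56913 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1470398201.512:80): arch=c000003e syscall=257 success=yes exit=4 a0=ffffffffffffff9c a1=7f3a1c0e2d10 a2=80000 a3=0 items=1 ppid=1 pid=1337 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" key="audit-passwd"
type=CWD msg=audit(1470398201.512:80):  cwd="/"
type=PATH msg=audit(1470398201.512:80): item=0 name="/etc/passwd" inode=56913 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1470398230.001:81): arch=c000003e syscall=257 success=yes exit=3 a0=ffffffffffffff9c a1=7ffd2c1e0f3a a2=0 a3=0 items=1 ppid=14098 pid=15102 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1302 comm="cat" exe="/bin/cat" key="audit-passwd"
type=CWD msg=audit(1470398230.001:81):  cwd="/etc"
type=PATH msg=audit(1470398230.001:81): item=0 name="passwd" inode=56913 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1470398240.777:82): arch=c000003e syscall=257 success=yes exit=3 a0=ffffffffffffff9c a1=7ffd2c1e0f3a a2=0 a3=0 items=1 ppid=14098 pid=15110 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1302 comm="cat" exe="/bin/cat" key="audit-hosts"
type=CWD msg=audit(1470398240.777:82):  cwd="/home/ubuntu"
type=PATH msg=audit(1470398240.777:82): item=0 name="/etc/hosts" inode=56920 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
EOF
}

# who_touched TARGET LOGFILE
# Prints one line per event whose PATH record resolves to TARGET. Records of
# one event are grouped by the msg=audit(ts:serial) id. A relative PATH name
# is resolved against the event's CWD record. auid 4294967295 is "unset":
# the process had no login session (daemons, cron), so nobody can be blamed
# for it by auid alone.
who_touched() {
  awk -v target="$1" '
  {
    type = ""; id = ""
    for (i = 1; i <= NF; i++) {
      p = index($i, "=")
      if (p == 0) continue
      k = substr($i, 1, p - 1); v = substr($i, p + 1)
      gsub(/"/, "", v)
      if (k == "type") type = v
      else if (k == "msg" && match(v, /\([^)]*\)/)) id = substr(v, RSTART + 1, RLENGTH - 2)
      else if (type == "SYSCALL" && k ~ /^(auid|uid|comm|exe|key|success)$/) ev[id, k] = v
      else if (type == "CWD" && k == "cwd") cwd[id] = v
      else if (type == "PATH" && k == "name") paths[id, ++np[id]] = v
    }
    if (id != "" && !(id in seen)) { seen[id] = 1; order[n++] = id }
  }
  END {
    for (i = 0; i < n; i++) {
      id = order[i]; matched = 0
      for (j = 1; j <= np[id]; j++) {
        name = paths[id, j]
        if (substr(name, 1, 1) != "/") name = (cwd[id] == "/" ? "" : cwd[id]) "/" name
        if (name == target) matched = 1
      }
      if (!matched) continue
      auid = ev[id, "auid"]
      if (auid == "4294967295") auid = "unset(no-login-session)"
      printf "%s auid=%s uid=%s comm=%s exe=%s key=%s success=%s\n", id, auid, ev[id, "uid"], ev[id, "comm"], ev[id, "exe"], ev[id, "key"], ev[id, "success"]
    }
  }' "$2"
}

# Stand-alone run over the constructed log; on a real host point it at
# /var/log/audit/audit.log (readable by root only).
sample=$(mktemp)
make_sample_log "$sample"
who_touched /etc/passwd "$sample"
rm -f "$sample"
```

The output has one line per event that reached /etc/passwd, including the failed append (success=no) and the relative-name open from /etc, and nothing for the /etc/hosts event under the other key. The sudo'd vim is reported with auid=1000 and uid=0, which is why investigations key on auid rather than uid.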

How to create a watch to monitor changes by a particular user?

# auditctl -w /usr/local/test -p wa -F uid=1001 -k audit-temp

This records writes and attribute changes under /usr/local/test only when the uid of the acting process is 1001. To attribute changes to a person rather than to whatever uid a process runs as after su or sudo, filter on the login UID instead: -F auid=1001.

Search the log for events:

# ausearch -ua 1001 -i

The above command lists all events whose uid, euid or auid is 1001.

Creating permanent rules

Note: Rules created with the auditctl command live only in the running kernel and are not saved anywhere. When auditd is restarted, its start-up script reloads the rules file, and the default rules file begins with -D (delete all rules), so everything added by hand disappears. The commands below demonstrate this.

# auditctl -l
 -w /etc/passwd -p rwa -k audit-passwd
 -a always,exit -S all -F dir=/etc -F perm=wa -F uid=1001 -F key=audit-temp
 -a always,exit -S all -F dir=/usr/local/test -F perm=wa -F uid=1001 -F key=audit

The above command prints the list of active rules. Now let us try restarting auditd daemon.

# /etc/init.d/auditd restart
 [ ok ] Restarting auditd (via systemctl): auditd.service.

Check for the active rules again.

# auditctl -l
 No rules

Once auditd is restarted, all rules created with auditctl are gone (they were never written to disk). If you have been experimenting with auditctl and want to keep the result, save it either to /etc/audit/audit.rules or, on systems that use augenrules (which regenerates audit.rules from the folder), to a new file under /etc/audit/rules.d/:

# echo "-D" > /etc/audit/rules.d/new.rules
# auditctl -l >> /etc/audit/rules.d/new.rules

The first command puts a delete-all action at the top of the file, so that whatever is loaded is flushed before the saved set is applied; the second appends the rules that are currently live. Reload the rules (augenrules --load, or a restart of auditd) and confirm with auditctl -l. Keep in mind that auditctl -l prints “No rules” when the set is empty, and that line is not valid rule syntax, so do not let it end up in the file.
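The same save step wrapped in a function, as an added example that is not part of the original article. It reads auditctl -l output on stdin so it can be exercised without root or a running auditd; the file name 50-local.rules, the backlog size 8192 and the demo input are my choices.

```shell
#!/bin/sh
# Added example (not from the original article): save the rule set that is
# live in the kernel as a persistent rules.d file. On a real host:
#   auditctl -l | save_live_rules /etc/audit/rules.d/50-local.rules
# then "augenrules --load" (or restart auditd) and check "auditctl -l".

# save_live_rules OUTFILE   (auditctl -l output on stdin)
save_live_rules() {
  out="$1"
  {
    echo "## Generated from the live kernel rule set (auditctl -l)."
    echo "## Edit this file rather than audit.rules where augenrules regenerates the latter."
    printf '%s\n' '-D'       # flush loaded rules before this set is (re)applied
    printf '%s\n' '-b 8192'  # kernel backlog buffer; the built-in default is small
    # "auditctl -l" prints "No rules" for an empty set. That line is not
    # rule syntax and is rejected when the file is loaded, so drop it,
    # together with leading whitespace and blank lines.
    grep -v '^No rules$' | sed 's/^[[:space:]]*//' | grep -v '^$' || true
  } > "$out"
}

# rules_in FILE: number of watch (-w) or syscall (-a) rules in FILE
rules_in() {
  grep -c '^-[wa] ' "$1" || true
}

# Stand-alone demo with constructed input (no auditd needed); the rule text
# mirrors what the article's auditctl -l listing looks like.
demo=$(mktemp)
printf '%s\n' '-w /etc/passwd -p wa -k audit-passwd' \
  '-a always,exit -S all -F dir=/usr/local/test -F perm=wa -F auid=1001 -F key=audit-temp' \
  | save_live_rules "$demo"
cat "$demo"
rm -f "$demo"
```

Both the -k key and the -F key= spelling that older auditctl prints are accepted when the file is loaded, so the captured listing can be saved as-is.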

How to generate audit report?

Summary report:

# aureport
Summary Report
Range of time in logs: 08/05/2016 11:45:39.464 - 08/08/2016 06:14:14.328
Selected time for report: 08/05/2016 11:45:39 - 08/08/2016 06:14:14.328
Number of changes in configuration: 7
Number of changes to accounts, groups, or roles: 5
Number of logins: 1
Number of failed logins: 6
Number of authentications: 8
Number of failed authentications: 6
Number of users: 3
Number of terminals: 8
Number of host names: 2
Number of executables: 37
Number of commands: 39
Number of files: 13
Number of AVC's: 0
Number of MAC events: 0
Number of failed syscalls: 12
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 0
Number of integrity events: 0
Number of virt events: 0
Number of keys: 2
Number of process IDs: 214
Number of events: 1337

The above command will print the summary report of all recorded events.

Print a per-user summary of login events (the count includes both successful and failed logins; add --failed to restrict the report to failures):

# aureport --login --summary -i
Login Summary Report
total auid
6 henry
1 ubuntu

Generate a summary report of executable file events:

# aureport -x --summary

Generate a report of the log files that were read and the time range of the events they contain:

# aureport -t
Log Time Range Report
/var/log/audit/audit.log: 08/05/2016 11:45:39.464 - 08/08/2016 06:17:01.068

Generate a report of all events recorded within date range:

# aureport --start 08/05/2016 00:00:00 --end 08/07/2016 00:00:00

Generate a report from ausearch output (use --raw, since aureport only parses unformatted records):

# ausearch -k audit-temp --raw | aureport -f -i

How to delete all the audit rules?

# auditctl -D

Note: The above command deletes all rules active in the running kernel. The permanent rules in /etc/audit/audit.rules (and rules.d/) are loaded again whenever auditd is started.

Is that all auditd can do? No! The Linux audit system is capable of much more, and what is listed here is just a tiny part of this powerful system. Have a look at the man pages of auditd, auditctl, ausearch and aureport for more information.
