Before we start discussing about the Auditing system, I would like to ask few questions. How do you monitor the commands executed by the user? How do you monitor whether a file or a directory was accessed? How do you record various security related events? How do you monitor system calls, network access etc…and finally how do you generate a report out of it? Well, the Linux Auditing system is the answer for all the above questions.
The Linux Auditing system allows an administrator to configure audit rules to monitor the system calls, network access, files etc…and generate a summary report – which can be later analyzed and investigated for suspicious activity. Starting from version 2.6, Linux kernel comes with auditd daemon and when started, it reads the pre-configured rules from /etc/audit/audit.rules. The administrator can use auditctl command to control the audit system, create rules etc… The other two important commands are:
- ausearch – command that allows you to query the audit logs based on the given criteria.
- aureport – command used to generate reports.
Audit configuration files are located at /etc/audit and logs at /var/log/audit.
- /etc/audit/audit.rules – file where the permanent rules are created and loaded when auditd daemon is started.
- /etc/audit/audit.conf – audit configuration file
- /etc/audit/rules.d/ – folder that contain custom rule files.
Below are the list of information that audit will record:
- Time stamp, type and outcome of the event
- UID, GID that triggered the event
- Sensitivity labels of subject and object
- Access to all authentication system such as SSH, Kerberos etc…
- File integrity checks
- Import and export of information.
- Include or exclude events based on the user identity, subject and other attributes.
- Attempts to change audit configuration files and logs.
How to configure auditd in CentOS and Ubuntu?
# yum install audit
# apt-get install auditd :::::::::: Setting up auditd (1:2.4.5-1ubuntu2) ... update-rc.d: warning: start and stop actions are no longer supported; falling ba ck to defaults Processing triggers for libc-bin (2.23-0ubuntu3) ... Processing triggers for systemd (229-4ubuntu6) ... Processing triggers for ureadahead (0.100.0-19) ...
Once the package is installed, the auditd daemon will be started automatically. If not, you can start it using the below commands:
# /etc/init.d/auditd start
List the active audit rules:
# auditctl -l No rules
How to create audit rules?
Let us create a rule to monitor the file /etc/passwd
# auditctl -w /etc/passwd -p war -k audit-passwd
The above command creates a watch on file /etc/passwd.
- –w /etc/passwd – creates a watch for the file /etc/passwd
- -p war – sets permission filter – w for write, r for read, a for attribute change and e for execute.
- –k audit-passwd – here audit-passwd is a key to identify the rule uniquely from the logs.
Basically, the above command tracks /etc/passwd for anyone who attempts to write, read or change attributes of the file.
Now the rule is created, let us login as an unprivileged user and try accessing /etc/passwd file.
$ grep "someinformation" /etc/passwd
$ vim /etc/passwd
The above two commands were performed by a local user called ‘ubuntu’ and those events are expected to be logged in /var/log/audit/audit.log file.
How to find who changed or accessed /etc/passwd?
We will use ausearch command:
# ausearch -f /etc/passwd -i
type=PROCTITLE msg=audit(08/05/2016 11:56:10.088:72) : proctitle=grep --color=auto henry /etc/passwd type=PATH msg=audit(08/05/2016 11:56:10.088:72) : item=0 name=/etc/passwd inode=56913 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00 nametype=NORMAL type=CWD msg=audit(08/05/2016 11:56:10.088:72) : cwd=/home/ubuntu type=SYSCALL msg=audit(08/05/2016 11:56:10.088:72) : arch=x86_64 syscall=openat success=yes exit=3 a0=0xffffffffffffff9c a1=0x7ffebf6cb887 a2=O_RDONLY|O_NOCT TY a3=0x0 items=1 ppid=14098 pid=14992 auid=ubuntu uid=ubuntu gid=ubuntu euid=ubuntu suid=ubuntu fsuid=ubuntu egid=ubuntu sgid=ubuntu fsgid=ubuntu tty=pts0 s es=1302 comm=grep exe=/bin/grep key=audit-passwd ---- type=PROCTITLE msg=audit(08/05/2016 11:56:12.028:74) : proctitle=vim /etc/passwd type=PATH msg=audit(08/05/2016 11:56:12.028:74) : item=0 name=/etc/passwd inode=56913 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00 nametype=NORMAL type=CWD msg=audit(08/05/2016 11:56:12.028:74) : cwd=/home/ubuntu type=SYSCALL msg=audit(08/05/2016 11:56:12.028:74) : arch=x86_64 syscall=open success=yes exit=3 a0=0x556072132500 a1=O_RDONLY a2=0x0 a3=0x556072347f50 items =1 ppid=14098 pid=14993 auid=ubuntu uid=ubuntu gid=ubuntu euid=ubuntu suid=ubuntu fsuid=ubuntu egid=ubuntu sgid=ubuntu fsgid=ubuntu tty=pts0 ses=1302 comm=vi m exe=/usr/bin/vim.basic key=audit-passwd
The above log output indicates that the user called ubuntu had accessed the file /etc/passwd using commands grep and vim. By default, the log output will use UID and GID, but the option ‘-i‘ will map the uid and gid to the corresponding names (human readable user name and group name).
How to create a watch to monitor changes by a particular user?
#auditctl -w /usr/local/test -p wa -F uid=1001 -k audit-temp
Search the log for events:
#ausearch -ua 1001 -i
The above command will list all the events triggered by the user id 1001.
Creating permanent rules
Note: The rules created using auditctl command are temporary and they will be active until the auditd daemon is restarted. The below commands explains this scenario.
# auditctl -l -w /etc/passwd -p rwa -k audit-passwd -a always,exit -S all -F dir=/etc -F perm=wa -F uid=1001 -F key=audit-temp -a always,exit -S all -F dir=/usr/local/test -F perm=wa -F uid=1001 -F key=audit
The above command prints the list of active rules. Now let us try restarting auditd daemon.
# /etc/init.d/auditd restart [ ok ] Restarting auditd (via systemctl): auditd.service.
Check for the active rules again.
# auditctl -l No rules
Once the auditd daemon is restarted, all the rules that were created using auditctl command will be removed (because they were temporary). If you have been experimenting using auditctl command and want to create those rules permanently, then you can either edit /etc/audit/audit.rules file or create a new rule file under /etc/audit/rules.d/ folder.
# echo "-D" > /etc/audit/rules.d/new.rules # auditctl -l >> /etc/audit/rules.d/new.rules
The first command adds delete rule action before adding the new set of rules.
How to generate audit report?
# aureport Summary Report ====================== Range of time in logs: 08/05/2016 11:45:39.464 - 08/08/2016 06:14:14.328 Selected time for report: 08/05/2016 11:45:39 - 08/08/2016 06:14:14.328 Number of changes in configuration: 7 Number of changes to accounts, groups, or roles: 5 Number of logins: 1 Number of failed logins: 6 Number of authentications: 8 Number of failed authentications: 6 Number of users: 3 Number of terminals: 8 Number of host names: 2 Number of executables: 37 Number of commands: 39 Number of files: 13 Number of AVC's: 0 Number of MAC events: 0 Number of failed syscalls: 12 Number of anomaly events: 0 Number of responses to anomaly events: 0 Number of crypto events: 0 Number of integrity events: 0 Number of virt events: 0 Number of keys: 2 Number of process IDs: 214 Number of events: 1337
The above command will print the summary report of all recorded events.
Print a summary report of all failed login attempts
# aureport --login --summary -i Login Summary Report ============================ total auid ============================ 6 henry 1 ubuntu
Generate a summary report of executable file events:
# aureport -x --summary
Generate a report of all audit files that are queried and time range of events they include
# aureport -t Log Time Range Report ===================== /var/log/audit/audit.log: 08/05/2016 11:45:39.464 - 08/08/2016 06:17:01.068
Generate a report of all events recorded within date range:
# aureport --start 08/05/2016 00:00:00 --end 08/07/2016 00:00:00
Generate report from ausearch output
# ausearch -k audit-temp | aureport -f -i
How to delete all the audit rules?
# auditctl -D
Note: The above command will delete all the active rules in the running auditd daemon. However, the permanent rules in /etc/audit/audit.rules file will be loaded whenever the auditd is started.
Is that all auditd can do? Nopes! The Linux audit system is capable of doing more and what listed here is just a tiny part of this powerful system. Have a look at the man pages of auditd, auditctl, ausearch and aureport for more information.