Auditing Linux Systems with Audit Daemon

by Applied Informatics

Auditing is the on-site verification activity, such as inspection or examination, of a process or quality system, to ensure compliance to requirements.  Linux audit allows you to log access to files, directories, and resources of your system, as well as trace system calls. It enables you to monitor your system for application misbehavior or code malfunctions. Using a well defined set of rules including file watchers and system call auditing, you can make sure that any violation of your security policies is noted and properly addressed.

Linux based utility, auditd is the userspace component of Linux systems that addresses the system auditing goals. It’s responsible for writing audit records to the disk. It provides handy utilities viz., ausearch or aureport,  for viewing and analyzing these system audit logs. Configuring the audit rules is done with the auditctl utility. System adminstrators can create audit rules explicitly by editing the default rules file located under /etc/audit/audit.rules. These rules are read by auditctl and loaded for introspection by audit daemon. The audit daemon itself has some configuration options that the admin may wish to customize. They are found in the auditd.conf file under same location.

Auditing goals

Setting up a powerful audit framework, the system can track many event types to monitor and audit the system.

  • Audit file access and modification
    • Users modifying a particular file
    • Detect unauthorized changes
  • Monitoring of system calls and functions
  • Processes crash reports
  • Set rules to detect system intrusions
  • Logging commands used by individual users

Installation

The package can be installed from CLI by using apt.

sudo apt-get install auditd audispd-plugins

Configuring the daemon

The configuration of the audit daemon is controlled by two files, one for the daemon itself i.e., auditd.conf file and other for the rules used by the auditctl tool i.e., audit.rules.

i) auditd.conf

The file auditd.conf configures Linux audit daemon with focus on where and how it should log events. It also defines how to deal with full disks, log rotation and the number of logs to keep. Usually the default configuration will be appropriate for most systems.

ii) audit.rules

Audit rules are used to specify which components of your system are audited. There are three basic types of audit rules:

  • Basic audit system parameters
  • File and directory watches
  • System call audits
Sample audit.rules file to explain various types of rules.
# First rule - delete all
-D
# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 320
# system_time_changes
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S clock_settime -k time_changes
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k time_changes
-w /etc/localtime -p wa -k time_changes
# audit_root_dir
-w /root -p wxa -k root_changes
# audit_account_changes
-w /etc/group -p wa -k account_changes
-w /etc/passwd -p wa -k account_changes

# network_modifications
-w /etc/hosts -p wa -k network_modifications
# Discretionary access control permission modification (unsuccessful and successful use of chown/chmod)
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
 
## Use of privileged commands (unsuccessful and successful)
-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
## Files and programs deleted by the user (successful and unsuccessful)
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /etc/sudoers -p wa -k actions

 

As with most things, use a clean start and without any loaded rules. Active rules can be determined by running auditctl with the -l parameter. Listed below is an example of how to add a rule to audit.rules file using auditctl tool. 

 auditctl -a exit,always -F path=/var/spool/cron/crontabs/root -F perm=wa

The above rule will set a watcher to detect any writes to system crontab file.The perm  parameter determines what kind of access will trigger an event. Although these look similar to file permissions, note that there is a important difference between the two. The four options are:

  • r = read
  • w = write
  • x = execute
  • a = attribute change

Generating Reports

Every audit event is recorded in the audit log, /var/log/audit/audit.log. To avoid having to read the raw audit log, configure custom audit reports with aureport and run them regularly. Use the aureport tool to create various types of reports filtering for different fields of the audit records in the log.

aureport --summary

This gives overview of the current audit statistics (events, logins, processes, etc.).

aureport --success

Returns statistics of successful events on your system. For detailed information on a particular event type, run the individual report adding the filter for successful events. For example,  aureport -f --success will display all successful file-related events.

aureport --failed

Returns statistics of failed events on your system.  For detailed information for a particular event type, run the individual report adding the filter for failed events. For example, aureport  -f --failed will display all failed file-related events.

aureport -l

Returns a numbered list of all login-related events. The report includes date, time, audit ID, host and terminal used, as well as name of the executable, success or failure of the attempt, and an event ID.

aureport -p

Returns a numbered list of all process-related events. This command generates a numbered list of all process events including date, time, process ID, name of the executable, system call, audit ID, and event number.

aureport -f

Returns numbered list of all file-related events. This command generates a numbered list of all process events including date, time, process ID, name of the executable, system call, audit ID and event number.

aureport -u

This will tell us which users are running what executables on your system. This command generates a numbered list of all user-related events including date, time, audit ID, terminal used, host, name of the executable, and an event ID.

The use of -ts and -te, start time and end time, options with any of the above commands limits your reports to a certain time frame. The -i option with any of these commands transforms numeric entities to human-readable text. The following command creates a file report for the time between 8 am and 5:30 pm on the current day and converts numeric entries to text.

aureport -ts 8:00 -te 17:30 -f -i

Analyzing Audit Log Files and Reports

While aureport helps you generate custom reports focusing on a certain area, ausearch helps you find the detailed log entry of individual events:

ausearch -a audit_event_id
Run this search to view all records carrying a particular audit event ID. Each audit event message is logged, along with a message ID consisting of a UNIX epoch time stamp plus a unique event ID, separated by a colon. All events that are logged from one application’s system call have the same event ID. For example, use ausearch -a 1234 to display all audit events carrying this audit event ID. As one application’s system call may trigger several events to be logged, you are likely to retrieve more than one record from the log.
ausearch -ul login_id
Run this search to view records associated with a particular login user ID. It displays any records related to the user login ID specified, provided that user had been able to log in successfully. For example, use ausearch -ul root to list all processes owned by the given login user ID.
ausearch -k key
Run this search to find records that contain a certain key assigned in the audit rule set. For example, use ausearch -k CFG_etc to display any records containing the CFG_etc key.
ausearch -m message_type
Run this search to find records related to a particular message type. Examples of valid message types include PATH, SYSCALL, USER_LOGIN. Invoking ausearch -m without a message type displays a list of all message types.
ausearch -f filename
Run this search to find records containing a certain filename. For example, run ausearch -f /foo/bar for all records related to the /foo/bar file. Using the filename alone would work as well, but using relative paths would not.
ausearch -p process_id
Run this to search for records related to a certain process ID. For example, use ausearch -p 13368 to search for all records related to this process ID.

Use the -ts and -te (start time and end time) options with any of these commands to limit your reports to a certain time frame. Use the -i option with any of these to transform numeric entities to human readable text. The following command searches for any file event related to audit.log that took place any time between 8 am and 5:30 pm on the current day and converts numeric entries to text.

The Linux audit daemon can provide valuable auditing data. If not available, it will advice you to install. For proper intrusion detection, integration with an Intrusion Detection System (IDS) is key to discover events when they occur and take appropriate actions.

To learn more about

Contact Us

Leave a Reply

Your email address will not be published. Required fields are marked *

Tools & Practices

Tools and Technologies we use at Applied

Contact us now

Popular Posts