Wise people learn when they can; fools learn when they must - Arthur Wellesley

Wednesday, 15 August 2018

LINUX- 38 AUDIT (RHEL-7) P1



Other Posts under audit,
Auditd P2
Auditd P3
Auditd P4

WHAT IS AUDIT AND ITS SIGNIFICANCE,

What is Audit and why is it required?

In general, an audit is an inspection of something by an independent party to confirm that it is what it claims to be.

In Linux, the Audit subsystem is the kernel's record of security-relevant activity on the server, kept so that it can be inspected afterwards. It can answer questions such as:

Security: who logged in, who authenticated, and who failed to
Stability and proper functioning of the system
Which file was accessed, by whom and when
Which application is misbehaving
Changes to the network configuration (firewall tables) and, with the right rules, socket activity
Etc…etc…

Audit is a detective control: it records what happened after the fact and blocks nothing. Its value depends entirely on the daemon staying up and the log staying readable, which is worth keeping in mind for the restart problem later in this post.

PACKAGES:
audit & audit-libs

DAEMON:
auditd

CONFIGURATION FILE:
/etc/audit/auditd.conf = configuration file for the audit daemon
/etc/audit/audit.rules = audit rules loaded at startup (on RHEL 7 this file is generated by augenrules from the fragments in /etc/audit/rules.d/*.rules each time the service starts, as the ExecStartPost line in the status output below shows; edit the fragments, not audit.rules itself)

TOOLS TO ACCESS AUDIT REPORT/LOGS:
auditctl – A utility for controlling the kernel’s audit system.
ausearch – A tool to query audit daemon logs.
aureport – A tool that produces summary reports of audit daemon logs.

The audit subsystem lives in the kernel, where it can see every system call and every process on the system; the user-space daemon "auditd" receives the events and writes them to disk.

The kernel component matches system calls and other events against the loaded rules and forwards the matching records to "auditd" over a netlink socket. "auditd" writes them to the log, by default under /var/log/audit, and hands a copy to the dispatcher "audispd" for its plugins (the sedispatch process in the status output below is one such plugin; it passes SELinux denials to setroubleshoot).

Audit keeps its own log and does not go through syslog (rsyslog/journald). The two only meet where you choose to connect them: space_left_action = SYSLOG in auditd.conf sends a warning to syslog when the disk is filling up, and the audispd syslog plugin can forward every event there if enabled.

[root@rhel7-server ~]# rpm -qa |grep -i ^audit*
audit-libs-python-2.3.3-4.el7.x86_64
audit-libs-2.3.3-4.el7.x86_64
audit-2.3.3-4.el7.x86_64

If the packages are not installed, install them:

[root@rhel7-server ~]# yum install audit

Let’s check the service state,

[root@rhel7-server ~]# systemctl status auditd
auditd.service - Security Auditing Service
   Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled)
   Active: active (running) since Sun 2018-08-12 22:20:47 IST; 2 days ago
  Process: 1035 ExecStartPost=/sbin/augenrules --load (code=exited, status=0/SUCCESS)
 Main PID: 1034 (auditd)
   CGroup: /system.slice/auditd.service
           ├─1034 /sbin/auditd -n
           ├─1058 /sbin/audispd
           └─1061 /usr/sbin/sedispatch

Aug 12 22:20:46 rhel7-server systemd[1]: Starting Security Auditing Service...
Aug 12 22:20:47 rhel7-server systemd[1]: Started Security Auditing Service.
Aug 12 22:20:49 rhel7-server augenrules[1035]: /sbin/augenrules: No change
Aug 12 22:20:47 rhel7-server auditd[1034]: Started dispatcher: /sbin/audispd pid: 1058
Aug 12 22:20:47 rhel7-server auditd[1034]: Init complete, auditd 2.3.3 listening for events (startup state enable)
Aug 12 22:20:47 rhel7-server audispd[1058]: priority_boost_parser called with: 4
Aug 12 22:20:47 rhel7-server audispd[1058]: max_restarts_parser called with: 10
Aug 12 22:20:47 rhel7-server audispd[1058]: audispd initialized with q_depth=150 and 1 active plugins
Aug 12 22:20:49 rhel7-server augenrules[1035]: No rules
Aug 12 22:20:49 rhel7-server augenrules[1035]: AUDIT_STATUS: enabled=0 flag=1 pid=0 rate_limit=0 backlog_limit=320 lost=0...klog=0
Hint: Some lines were ellipsized, use -l to show in full.

In my case it is already installed and active. If it is not active, start it and do not forget to enable it at boot, otherwise the host comes up without auditing after the next reboot:

[root@rhel7-server ~]# systemctl start auditd
[root@rhel7-server ~]# systemctl enable auditd

Configuration File,

[root@rhel7-server ~]# cat /etc/audit/auditd.conf
#
# This file controls the configuration of the audit daemon
#
log_file = /var/log/audit/audit.log
log_format = RAW
log_group = root
priority_boost = 4
flush = INCREMENTAL
freq = 20
num_logs = 5
disp_qos = lossy
dispatcher = /sbin/audispd
name_format = NONE
##name = mydomain
max_log_file = 6
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
##tcp_listen_port =
tcp_listen_queue = 5
tcp_max_per_addr = 1
##tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
enable_krb5 = no
krb5_principal = auditd
##krb5_key_file = /etc/audit/audit.key

For detailed info about specified parameters, please refer man pages.

[root@rhel7-server ~]# man auditd.conf

A few of the important ones:

log_file = /var/log/audit/audit.log # location of the log
num_logs = 5 # how many rotated log files to keep under /var/log/audit (below 2 means no rotation)
max_log_file = 6 # size of one log file in MB
max_log_file_action = ROTATE # what to do once the file reaches 6 MB (ROTATE keeps num_logs files; KEEP_LOGS rotates without ever deleting, the safer choice when the logs are your evidence)
log_format = RAW # how records are stored on disk. Current man pages list two options, RAW and ENRICHED. RAW stores the records exactly as the kernel sends them. ENRICHED resolves uid, gid, syscall number, architecture and socket address information into names before writing, so the log stays readable when it is analysed on another host or after the user has been deleted. Note that ENRICHED only exists in audit 2.6 and later; the audit 2.3.3 installed here does not know it, which is exactly what the restart below runs into.

I want to change few of the parameters,

[root@rhel7-server ~]# vi /etc/audit/auditd.conf

#I changed following values
log_format = ENRICHED
num_logs = 8
max_log_file = 15

Now I will restart the auditd service to make them effective.

[root@rhel7-server ~]# systemctl restart auditd
Failed to issue method call: Operation refused, unit auditd.service may be requested by dependency only.

This refusal is expected: the auditd.service unit on RHEL 7 is marked RefuseManualStop=yes so that auditing cannot be casually stopped except as part of shutdown. The supported way is the legacy service command, whose init script stops the daemon itself and then hands the start back to systemd.

[root@rhel7-server ~]# service auditd restart
Stopping logging:                                          [  OK  ]
Redirecting start to /bin/systemctl start auditd.service
Job for auditd.service failed. See 'systemctl status auditd.service' and 'journalctl -xn' for details.

The stop worked but the start did not, so the system is now running with no auditd at all:

[root@rhel7-server ~]# systemctl status auditd
auditd.service - Security Auditing Service
   Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled)
   Active: failed (Result: exit-code) since Wed 2018-08-15 16:12:08 IST; 21s ago
  Process: 6923 ExecStartPost=/sbin/augenrules --load (code=exited, status=0/SUCCESS)
  Process: 6922 ExecStart=/sbin/auditd -n (code=exited, status=6)
 Main PID: 6922 (code=exited, status=6)

Aug 15 16:12:08 rhel7-server systemd[1]: auditd.service: main process exited, code=exited, status=6/NOTCONFIGURED
Aug 15 16:12:08 rhel7-server augenrules[6923]: /sbin/augenrules: No change
Aug 15 16:12:08 rhel7-server augenrules[6923]: No rules
Aug 15 16:12:08 rhel7-server augenrules[6923]: AUDIT_STATUS: enabled=1 flag=1 pid=0 rate_limit=0 backlog_limit=320 lost=0...klog=0
Aug 15 16:12:08 rhel7-server systemd[1]: Failed to start Security Auditing Service.
Aug 15 16:12:08 rhel7-server systemd[1]: Unit auditd.service entered failed state.
Hint: Some lines were ellipsized, use -l to show in full.


[root@rhel7-server ~]# systemctl stop auditd.service
Failed to issue method call: Operation refused, unit auditd.service may be requested by dependency only.

The cause was not obvious from the status output, so I tried aureport to see whether the logs were at least still readable. aureport reads auditd.conf too, and its warning gives the reason away:

[root@rhel7-server ~]# aureport --tty

TTY Report
===============================================
# date time event auid term sess comm data
===============================================
Option ENRICHED not found - line 6
NOTE - using built-in logs: /var/log/audit/audit.log
1. 08/12/2018 14:01:31 4791 5004 ? 218 su "redhat",<nl>
============O/P Truncated=======================

So I changed the parameter back from “log_format = ENRICHED” to “log_format = RAW” in /etc/audit/auditd.conf and started the service:

[root@rhel7-server ~]# systemctl start auditd.service
[root@rhel7-server ~]# systemctl status auditd
auditd.service - Security Auditing Service
   Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled)
   Active: active (running) since Wed 2018-08-15 16:34:47 IST; 9min ago
  Process: 2657 ExecStartPost=/sbin/augenrules --load (code=exited, status=0/SUCCESS)
 Main PID: 2656 (auditd)
   CGroup: /system.slice/auditd.service
           ├─2656 /sbin/auditd -n
           ├─2660 /sbin/audispd
           └─2676 /usr/sbin/sedispatch

Aug 15 16:34:47 rhel7-server auditd[2656]: Started dispatcher: /sbin/audispd pid: 2660
Aug 15 16:34:47 rhel7-server augenrules[2657]: /sbin/augenrules: No change
Aug 15 16:34:47 rhel7-server auditd[2656]: Init complete, auditd 2.3.3 listening for events (startup state enable)
Aug 15 16:34:47 rhel7-server augenrules[2657]: No rules
Aug 15 16:34:47 rhel7-server augenrules[2657]: AUDIT_STATUS: enabled=1 flag=1 pid=2656 rate_limit=0 backlog_limit=320 los...klog=1
Aug 15 16:34:47 rhel7-server systemd[1]: Started Security Auditing Service.
Aug 15 16:34:47 rhel7-server audispd[2660]: priority_boost_parser called with: 4
Aug 15 16:34:47 rhel7-server audispd[2660]: max_restarts_parser called with: 10
Aug 15 16:34:47 rhel7-server audispd[2660]: audispd initialized with q_depth=150 and 1 active plugins
Hint: Some lines were ellipsized, use -l to show in full.

Searching for the message showed this is not a bug but a version mismatch: the ENRICHED log format was introduced in audit 2.6, and this host runs audit 2.3.3, whose auditd rejects the unknown value and exits with status 6 (NOTCONFIGURED). Later RHEL 7 updates ship audit 2.6 or newer, where ENRICHED works and is worth enabling. The lesson is the same either way: a bad auditd.conf does not just fail the restart, it leaves the host with no auditing until somebody notices, so check the file against the installed version before touching the service.
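To avoid repeating this on the next host, here is a preflight check for auditd.conf. It is an added example, not code from the original post or from the audit project: it parses the file, refuses a log_format the installed audit version does not know, and range-checks the keys discussed above. The sample configs are constructed from the values shown in this post; the 2.6.0 threshold is the audit release that introduced ENRICHED, and the accepted value sets cover only the keys listed in the script (any other well-formed key is assumed acceptable).

```python
"""Preflight check of /etc/audit/auditd.conf before 'service auditd restart'.

Added example, not code from the original post or the audit project. auditd exits with
status 6 (NOTCONFIGURED) on a value it does not understand, and because systemctl refuses
to stop or restart auditd.service, the restart goes through 'service auditd restart',
which stops the daemon before the bad config is noticed. Checking first keeps the host
from running with no audit logging at all.
"""
import re
import sys

# log_format values and the first audit version that understands them.
# ENRICHED appeared in audit 2.6; the post's audit 2.3.3 rejects it.
LOG_FORMAT_MIN_VERSION = {"RAW": (0, 0, 0), "NOLOG": (0, 0, 0), "ENRICHED": (2, 6, 0)}
MAX_LOG_FILE_ACTIONS = {"IGNORE", "SYSLOG", "SUSPEND", "ROTATE", "KEEP_LOGS"}
# Integer keys with their (min, max); None means no upper bound. auditd caps num_logs at 99.
INTEGER_RANGES = {"num_logs": (0, 99), "max_log_file": (1, None), "freq": (0, None), "priority_boost": (0, None)}
# Assumption: other keys are accepted as long as they are well-formed 'key = value' lines.
CONF_LINE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(\S*)$")


def parse_version(rpm_version):
    """'2.3.3-4.el7' (rpm -q --qf '%{VERSION}-%{RELEASE}' audit) -> (2, 3, 3)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", rpm_version)
    if not m:
        raise ValueError("unrecognised audit version: %r" % rpm_version)
    return tuple(int(n) for n in m.groups())


def check_conf(text, version):
    """Return the problems found in auditd.conf text; an empty list means it looks loadable."""
    problems = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # blank, comment, or a '##key' the file disables
            continue
        m = CONF_LINE.match(line)
        if not m:
            problems.append("line %d: not of the form 'key = value': %r" % (lineno, line))
            continue
        key, value = m.group(1), m.group(2)
        if key == "log_format":
            needed = LOG_FORMAT_MIN_VERSION.get(value.upper())
            if needed is None:
                problems.append("line %d: unknown log_format %r" % (lineno, value))
            elif version < needed:
                problems.append("line %d: log_format = %s needs audit >= %s, installed is %s"
                                % (lineno, value, ".".join(map(str, needed)), ".".join(map(str, version))))
        elif key == "max_log_file_action" and value.upper() not in MAX_LOG_FILE_ACTIONS:
            problems.append("line %d: unknown max_log_file_action %r" % (lineno, value))
        elif key in INTEGER_RANGES:
            lo, hi = INTEGER_RANGES[key]
            if not value.isdigit() or int(value) < lo or (hi is not None and int(value) > hi):
                problems.append("line %d: %s = %r is outside %s..%s"
                                % (lineno, key, value, lo, "unlimited" if hi is None else hi))
    return problems


# Constructed from the values shown in the post: the edit that broke auditd 2.3.3 ...
BROKEN_CONF = """\
#
# This file controls the configuration of the audit daemon
#
log_file = /var/log/audit/audit.log
log_format = ENRICHED
log_group = root
num_logs = 8
max_log_file = 15
max_log_file_action = ROTATE
enable_krb5 = no
##name = mydomain
"""
# ... and the same file with the value the post fell back to.
FIXED_CONF = BROKEN_CONF.replace("log_format = ENRICHED", "log_format = RAW")

if __name__ == "__main__":
    # Usage: python3 check_auditd_conf.py /etc/audit/auditd.conf "$(rpm -q --qf '%{VERSION}' audit)"
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as fh:
            text, version = fh.read(), parse_version(sys.argv[2])
    else:
        text, version = BROKEN_CONF, parse_version("2.3.3-4.el7")
    found = check_conf(text, version)
    for problem in found:
        print("PROBLEM:", problem)
    print("fix the file before restarting auditd" if found else "config OK, safe to run: service auditd restart")
    sys.exit(1 if found else 0)
```

Run with no arguments it checks the embedded copy of the broken config against 2.3.3 and reports the ENRICHED line; run as in the usage comment it checks the live file against the installed package, and a non-zero exit is the signal not to run service auditd restart yet.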

REPORTING,

Only root (or sudo to root) can query the audit trail: auditctl is not executable by other users, and /var/log/audit/audit.log is owned by root and readable only by the log_group set in auditd.conf (root here):

[anurag@rhel7-server ~]$ auditctl
bash: /usr/sbin/auditctl: Permission denied

[anurag@rhel7-server ~]$ aureport
Summary Report
======================
Error opening config file (Permission denied)
NOTE - using built-in logs: /var/log/audit/audit.log
Error opening /var/log/audit/audit.log (Permission denied)

[root@rhel7-server ~]# aureport

Summary Report
======================
Range of time in logs: 11/18/2017 22:53:28.063 - 08/15/2018 17:31:10.650
Selected time for report: 11/18/2017 22:53:28 - 08/15/2018 17:31:10.650
Number of changes in configuration: 33
Number of changes to accounts, groups, or roles: 130
Number of logins: 105
Number of failed logins: 17
Number of authentications: 237
Number of failed authentications: 45
Number of users: 9
Number of terminals: 37
Number of host names: 7
Number of executables: 23
Number of files: 1
Number of AVC's: 14
Number of MAC events: 137
Number of failed syscalls: 0
Number of anomaly events: 11
Number of responses to anomaly events: 0
Number of crypto events: 1601
Number of keys: 0
Number of process IDs: 12140
Number of events: 27807

Even without a single rule loaded, auditd is already recording security-relevant information: logins, PAM authentications, account and group changes, SELinux AVC denials and crypto (ssh key) events are sent to the audit log by the programs involved (sshd, login, useradd, the kernel's SELinux code) independently of the syscall rule set. Watching files or system calls is what needs rules.

Authentication Report = -au

[root@rhel7-server ~]# aureport -au

Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 11/18/2017 17:27:37 gdm ? :0 /usr/libexec/gdm-session-worker yes 351
2. 11/19/2017 17:29:16 root ? :0 /usr/libexec/gdm-session-worker yes 410
3. 11/19/2017 17:31:22 root 192.168.135.1 ssh /usr/sbin/sshd yes 438
4. 11/19/2017 17:31:22 root 192.168.135.1 ssh /usr/sbin/sshd yes 441
5. 11/25/2017 16:16:56 gdm ? :0 /usr/libexec/gdm-session-worker yes 316
6. 11/25/2017 16:19:56 root ? :0 /usr/libexec/gdm-session-worker yes 355
7. 11/25/2017 16:25:38 root 192.168.135.1 ssh /usr/sbin/sshd yes 419
8. 11/25/2017 16:25:38 root 192.168.135.1 ssh /usr/sbin/sshd yes 422
9. 12/02/2017 15:15:10 root ? :0 /usr/libexec/gdm-session-worker yes 609
10. 04/08/2018 14:50:30 root ? :0 /usr/libexec/gdm-session-worker yes 875
11. 04/21/2018 14:23:22 root 192.168.135.1 ssh /usr/sbin/sshd yes 934
12. 04/21/2018 14:23:22 root 192.168.135.1 ssh /usr/sbin/sshd yes 937
==============O/P REMOVED=============================
279. 08/15/2018 12:38:39 root 192.168.135.1 ssh /usr/sbin/sshd yes 1149
280. 08/15/2018 12:38:39 root 192.168.135.1 ssh /usr/sbin/sshd yes 1152
281. 08/15/2018 16:02:10 root 192.168.135.1 ssh /usr/sbin/sshd yes 1556
282. 08/15/2018 16:02:10 root 192.168.135.1 ssh /usr/sbin/sshd yes 1559
283. 08/15/2018 17:31:46 root 192.168.135.1 ssh /usr/sbin/sshd yes 98
284. 08/15/2018 17:31:46 root 192.168.135.1 ssh /usr/sbin/sshd yes 101
285. 08/15/2018 17:32:04 anurag ? pts/3 /usr/bin/su yes 117

[root@rhel7-server ~]# aureport -au |grep no |tail -10
245. 08/11/2018 19:23:48 (invalid user) 192.168.135.1 ssh /usr/sbin/sshd no 4600
246. 08/11/2018 19:25:27 xyz 192.168.135.1 ssh /usr/sbin/sshd no 4607
247. 08/11/2018 19:25:27 (invalid user) 192.168.135.1 ssh /usr/sbin/sshd no 4608
248. 08/11/2018 19:41:50 xyz 192.168.135.1 ssh /usr/sbin/sshd no 4627
249. 08/11/2018 19:41:50 (invalid user) 192.168.135.1 ssh /usr/sbin/sshd no 4628
254. 08/12/2018 13:56:14 xyz 192.168.135.1 ssh /usr/sbin/sshd no 4744
255. 08/12/2018 13:56:14 (invalid user) 192.168.135.1 ssh /usr/sbin/sshd no 4745
256. 08/12/2018 13:56:21 xyz 192.168.135.1 ssh /usr/sbin/sshd no 4746
257. 08/12/2018 13:56:21 (invalid user) 192.168.135.1 ssh /usr/sbin/sshd no 4747
286. 08/15/2018 17:51:05 root ? pts/4 /usr/bin/su no 162

(The grep for "no" is a quick hack; aureport -au --failed gives the same list without it. The repeated failures for xyz and "(invalid user)" from one address within seconds are exactly the pattern a password-guessing attempt leaves.)

User ID Report = -u -i (-u for user events, -i to interpret numeric values such as uid and gid as names)

[root@rhel7-server ~]# aureport -u -i
[root@rhel7-server ~]# aureport -u -i |grep "08/15/2018 17:55:42"
27915. 08/15/2018 17:55:42 anurag pts/5 ? /usr/bin/su 226

aureport --success
Run this report to get statistics of successful events on your system. This report includes the same event categories as the summary report. To get detailed information for a particular event type, run the individual report adding the --success option to filter for successful events of this type, for example,

aureport -f --success to display all successful file-related events.

aureport --failed
Run this report to get statistics of failed events on your system. This report includes the same event categories as the summary report. To get detailed information for a particular event type, run the individual report adding the --failed option to filter for failed events of this type, such as

aureport -f --failed to display all failed file-related events.

aureport -l
Run this command to generate a numbered list of all login-related events. The report includes date, time, audit ID, host and terminal used, as well as name of the executable, success or failure of the attempt, and an event ID.

aureport -p
Run this report to generate a numbered list of all process-related events. This command generates a numbered list of all process events including date, time, process ID, name of the executable, system call, audit ID, and event number.

aureport -f
Run this report to generate a numbered list of all file-related events. This command generates a numbered list of all file events including date, time, file name, system call, success or failure, name of the executable, audit ID and event number.

aureport -u
Run this report to find out which users are running what executables on your system. This command generates a numbered list of all user-related events including date, time, audit ID, terminal used, host, name of the executable, and an event ID.


LOG FILE AND REPORT ANALYSIS:

Searching the raw log for a command name (here -l only turns on line buffering; the filtering is done by grep, and ausearch -x userdel, which matches on the executable name, does the same without grep):

[root@rhel7-server ~]# ausearch -l |grep userdel
type=DEL_USER msg=audit(1524310852.987:1120): pid=37012 uid=0 auid=0 ses=54 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=deleting user entries id=1001 exe="/usr/sbin/userdel" hostname=? addr=? terminal=pts/1 res=success'
type=DEL_GROUP msg=audit(1524310852.987:1121): pid=37012 uid=0 auid=0 ses=54 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=deleting group acct="test1" exe="/usr/sbin/userdel" hostname=? addr=? terminal=pts/1 res=success'
type=DEL_GROUP msg=audit(1524310852.987:1122): pid=37012 uid=0 auid=0 ses=54 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=deleting shadow group acct="test1" exe="/usr/sbin/userdel" hostname=? addr=? terminal=pts/1 res=success'


ausearch -a audit_event_id
Run this search to view all records carrying a particular audit event ID (the serial number after the colon in msg=audit(time:serial)). All records of one event share it; that is how the SYSCALL, PATH and CWD records of a single file open are tied together.

[root@rhel7-server ~]# aureport -au |grep no |tail -10
246. 08/11/2018 19:25:27 xyz 192.168.135.1 ssh /usr/sbin/sshd no 4607
247. 08/11/2018 19:25:27 (invalid user) 192.168.135.1 ssh /usr/sbin/sshd no 4608

Here 4607 & 4608 are event Id’s.

[root@rhel7-server ~]# ausearch -a 4607
----
time->Sun Jul 15 18:52:05 2018
type=SYSCALL msg=audit(1531660925.994:4607): arch=c000003e syscall=54 success=yes exit=0 a0=4 a1=29 a2=40 a3=d99ac0 items=0 ppid=12842 pid=15604 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ip6tables" exe="/usr/sbin/xtables-multi" subj=system_u:system_r:iptables_t:s0 key=(null)
type=NETFILTER_CFG msg=audit(1531660925.994:4607): table=mangle family=10 entries=18
----
time->Sun Jul 22 15:51:53 2018
type=SYSCALL msg=audit(1532254913.687:4607): arch=c000003e syscall=54 success=yes exit=0 a0=4 a1=0 a2=40 a3=9c04b0 items=0 ppid=1032 pid=9305 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/usr/sbin/xtables-multi" subj=system_u:system_r:iptables_t:s0 key=(null)
type=NETFILTER_CFG msg=audit(1532254913.687:4607): table=filter family=2 entries=96
----
time->Sat Aug 11 19:25:27 2018
type=USER_AUTH msg=audit(1533995727.071:4607): pid=24316 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="xyz" exe="/usr/sbin/sshd" hostname=192.168.135.1 addr=192.168.135.1 terminal=ssh res=failed'

Note that -a 4607 returned three unrelated events from July and August: the serial counter restarts at every boot, so a serial is only unique together with its timestamp. Narrow the search with a time window (ausearch -a 4607 -ts 08/11/2018) or with -m USER_AUTH to get just the failed login. The other two events show something else worth knowing: NETFILTER_CFG records are written whenever iptables/ip6tables reloads a table, so firewall changes are audited even with no rules loaded.

ausearch -ul login_id
Run this search to view records associated with a particular login user ID.

[root@rhel7-server ~]# ausearch -ul anurag
----
time->Sun Apr 29 14:47:34 2018
type=LOGIN msg=audit(1524993454.401:1636): pid=41638 uid=0 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 old-auid=4294967295 auid=1000 old-ses=4294967295 ses=129 res=1
==============O/P REMOVED======================
time->Wed Aug 15 18:13:40 2018
type=USER_TTY msg=audit(1534337020.811:393): pid=3898 uid=0 auid=1000 ses=13 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 data=636174202F6574632F706173737764
----
time->Wed Aug 15 18:13:40 2018
type=TTY msg=audit(1534337020.811:392): tty pid=3898 uid=0 auid=1000 ses=13 major=136 minor=6 comm="bash" data=636174202F6574632F7061737377640D

Two things to note here. -ul searches on the login UID (auid), which is stamped on the session at login and survives su and sudo, so the records above are attributed to anurag even though uid=0 at the time; this is what makes auid the right field for "who really did this". The TTY and USER_TTY records are keystroke auditing (present only when TTY auditing is enabled for the user via pam_tty_audit); the data field is the typed text hex-encoded, and 636174202F6574632F706173737764 decodes to cat /etc/passwd (the trailing 0D in the TTY record is the Enter key).
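The -a and -ul outputs above carry two lessons: an event is identified by timestamp plus serial, not by the serial alone, and TTY payloads are hex. The following Python script, added here as an example and not part of the original post or of the audit package, parses raw records into events and applies both, and also pulls out failed PAM authentications and records tagged with a rule key. Its sample records are copied from the ausearch output shown in this post (only the two wrapped TTY lines were re-joined); nothing in the sample is invented.

```python
"""Parse raw auditd records into events and answer the questions the ausearch
output above raises. Added example, not code from the original post or the
audit package; SAMPLE is copied from the post's own ausearch output."""
import re
from collections import defaultdict

# Every record starts with type=... msg=audit(<epoch.ms>:<serial>): ; the rest is key=value pairs.
HEADER = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
FIELD = re.compile(r"""([A-Za-z_][\w-]*)=('[^']*'|"[^"]*"|\S*)""")


def parse_fields(body):
    """key=value pairs into a dict; a user-space msg='...' payload is parsed and flattened."""
    fields = {}
    for key, raw in FIELD.findall(body):
        if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "'\"":
            inner = raw[1:-1]
            if raw[0] == "'":   # PAM, sshd and useradd put their own k=v pairs inside msg='...'
                fields.update(parse_fields(inner))
            fields[key] = inner
        else:
            fields[key] = raw
    return fields


def parse_record(line):
    """One raw line -> dict, or None for ausearch decoration ('----', 'time->...')."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rec = {"type": m["type"], "ts": float(m["ts"]), "serial": int(m["serial"])}
    rec.update(parse_fields(m["body"]))
    return rec


def group_events(lines):
    """Group records by event id. The id is the (timestamp, serial) pair: the serial
    restarts at boot, so on its own it is not unique across the log."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            events[(rec["ts"], rec["serial"])].append(rec)
    return dict(events)


def events_with_serial(events, serial):
    """All event ids sharing a serial, i.e. what 'ausearch -a <serial>' matches."""
    return sorted(ev for ev in events if ev[1] == serial)


def decode_tty(hexdata):
    """TTY/USER_TTY 'data' is the keystrokes hex-encoded; 0D is the Enter key."""
    return bytes.fromhex(hexdata).decode("utf-8", "replace")


def failed_auths(events):
    """(acct, addr, exe) for every PAM authentication that failed (aureport -au --failed)."""
    hits = []
    for ev in sorted(events):
        for rec in events[ev]:
            if rec["type"] == "USER_AUTH" and rec.get("res") == "failed":
                hits.append((rec.get("acct"), rec.get("addr"), rec.get("exe")))
    return hits


def records_with_key(events, audit_key):
    """Records produced by a rule carrying -k <key>, e.g. a -w watch on /etc/passwd."""
    return [rec for ev in sorted(events) for rec in events[ev] if rec.get("key") == audit_key]


# Copied from the ausearch output shown in the post; '----' and 'time->' are ausearch decoration.
SAMPLE = """\
----
time->Sun Jul 15 18:52:05 2018
type=SYSCALL msg=audit(1531660925.994:4607): arch=c000003e syscall=54 success=yes exit=0 a0=4 a1=29 a2=40 a3=d99ac0 items=0 ppid=12842 pid=15604 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ip6tables" exe="/usr/sbin/xtables-multi" subj=system_u:system_r:iptables_t:s0 key=(null)
type=NETFILTER_CFG msg=audit(1531660925.994:4607): table=mangle family=10 entries=18
type=SYSCALL msg=audit(1532254913.687:4607): arch=c000003e syscall=54 success=yes exit=0 a0=4 a1=0 a2=40 a3=9c04b0 items=0 ppid=1032 pid=9305 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/usr/sbin/xtables-multi" subj=system_u:system_r:iptables_t:s0 key=(null)
type=NETFILTER_CFG msg=audit(1532254913.687:4607): table=filter family=2 entries=96
type=USER_AUTH msg=audit(1533995727.071:4607): pid=24316 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="xyz" exe="/usr/sbin/sshd" hostname=192.168.135.1 addr=192.168.135.1 terminal=ssh res=failed'
type=USER_TTY msg=audit(1534337020.811:393): pid=3898 uid=0 auid=1000 ses=13 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 data=636174202F6574632F706173737764
type=TTY msg=audit(1534337020.811:392): tty pid=3898 uid=0 auid=1000 ses=13 major=136 minor=6 comm="bash" data=636174202F6574632F7061737377640D
type=PATH msg=audit(1534337509.553:491): item=0 name="/etc/passwd" inode=36642095 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:passwd_file_t:s0 objtype=NORMAL
type=CWD msg=audit(1534337509.553:491):  cwd="/root"
type=SYSCALL msg=audit(1534337509.553:491): arch=c000003e syscall=2 success=yes exit=3 a0=7f87afd53d8a a1=80000 a2=1b6 a3=0 items=1 ppid=2540 pid=4215 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="vi" exe="/usr/bin/vi" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="password-file"
""".splitlines()

if __name__ == "__main__":
    import sys
    # With a file argument it reads audit.log (RAW format, needs root) or saved ausearch output.
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE
    events = group_events(lines)
    print("events sharing serial 4607:", events_with_serial(events, 4607))
    print("failed authentications:", failed_auths(events))
    for ev in sorted(events):
        for rec in events[ev]:
            if rec["type"] in ("TTY", "USER_TTY"):
                print("auid=%s typed: %r" % (rec["auid"], decode_tty(rec["data"])))
    print("records tagged password-file:", [r["type"] for r in records_with_key(events, "password-file")])
```

Without arguments it works on the embedded sample and shows the three distinct events behind serial 4607, the one failed ssh authentication for xyz, and the decoded keystrokes; pointed at /var/log/audit/audit.log it does the same over the real trail. Grouping by (timestamp, serial) is also what you want before shipping audit data to a SIEM, because the SYSCALL record alone does not tell you which file was touched; the PATH and CWD records of the same event do.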

ausearch -k key
Run this search to find records that contain a certain key assigned in the audit rule set.

ausearch -m message_type
Run this search to find records related to a particular message type.
**ausearch -m without a message type displays a list of all message types.

[root@rhel7-server ~]# ausearch -m
Argument is required for -m
Valid message types are: ALL USER LOGIN USER_AUTH USER_ACCT USER_MGMT CRED_ACQ CRED_DISP USER_START USER_END USER_AVC USER_CHAUTHTOK USER_ERR CRED_REFR USYS_CONFIG USER_LOGIN USER_LOGOUT ADD_USER DEL_USER ADD_GROUP DEL_GROUP DAC_CHECK CHGRP_ID TEST TRUSTED_APP USER_SELINUX_ERR USER_CMD USER_TTY CHUSER_ID GRP_AUTH SYSTEM_BOOT SYSTEM_SHUTDOWN SYSTEM_RUNLEVEL SERVICE_START SERVICE_STOP DAEMON_START DAEMON_END DAEMON_ABORT DAEMON_CONFIG DAEMON_ROTATE DAEMON_RESUME DAEMON_ACCEPT DAEMON_CLOSE SYSCALL PATH IPC SOCKETCALL CONFIG_CHANGE SOCKADDR CWD EXECVE IPC_SET_PERM MQ_OPEN MQ_SENDRECV MQ_NOTIFY MQ_GETSETATTR KERNEL_OTHER ==============O/P REMOVED======================

[root@rhel7-server ~]# ausearch -m ADD_USER

ausearch -f filename
Run this search to find records containing a certain filename.

[root@rhel7-server ~]# ausearch -f /etc/passwd
<no matches>

**No matches, because auditd only records file accesses that a rule asks for: a watch rule (auditctl -w, or a line in /etc/audit/rules.d/ so that it survives a restart) on /etc/passwd must be loaded first. The key name password-file in the records below is the -k key attached to that rule, which is what ausearch -k and aureport -k search on. After loading such a watch and opening the file in vi:

[root@rhel7-server ~]# ausearch -f /etc/passwd
----
time->Wed Aug 15 18:21:49 2018
type=PATH msg=audit(1534337509.553:491): item=0 name="/etc/passwd" inode=36642095 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:passwd_file_t:s0 objtype=NORMAL
type=CWD msg=audit(1534337509.553:491):  cwd="/root"
type=SYSCALL msg=audit(1534337509.553:491): arch=c000003e syscall=2 success=yes exit=3 a0=7f87afd53d8a a1=80000 a2=1b6 a3=0 items=1 ppid=2540 pid=4215 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="vi" exe="/usr/bin/vi" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="password-file"
==============O/P REMOVED======================


ausearch -p process_id
Run this to search for records related to a certain process ID.

[root@rhel7-server ~]# ausearch -p 45406
----
time->Tue May  1 16:49:43 2018
type=ADD_GROUP msg=audit(1525173583.598:2104): pid=45406 uid=0 auid=0 ses=160 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=adding group acct="raman" exe="/usr/sbin/useradd" hostname=? addr=? terminal=pts/1 res=success'
----
time->Tue May  1 16:49:43 2018
type=ADD_USER msg=audit(1525173583.670:2105): pid=45406 uid=0 auid=0 ses=160 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=adding user id=1003 exe="/usr/sbin/useradd" hostname=? addr=? terminal=pts/1 res=success'
----
time->Tue May  1 16:49:43 2018
type=ADD_USER msg=audit(1525173583.677:2106): pid=45406 uid=0 auid=0 ses=160 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=adding home directory id=1003 exe="/usr/sbin/useradd" hostname=? addr=? terminal=pts/1 res=success'



