LINUX- 39 AUDIT (RHEL-7) P2
WHAT IS AUDIT AND ITS SIGNIFICANCE, HOW TO CREATE/DELETE/EDIT/DISABLE/REMOVE AUDIT LOGS:
Apart from the default auditing, we can configure rules that direct auditd to keep watch on a particular file or action.
The Audit system operates on a set of rules that define what is to be captured in the log files. There are three types of Audit rules that can be specified:
Control rules — allow the Audit system's behavior and some of its configuration to be modified.
File system rules — also known as file watches, allow the auditing of access to a particular file or a directory.
System call rules — allow logging of system calls that any specified program makes.
[root@rhel7-server ~]# cat /etc/audit/audit.rules
## This file is automatically generated from /etc/audit/rules.d
-D
-b 320
# Delete all previous rules
-D
# Set buffer size
-b 8192
# Make the configuration immutable -- reboot is required to change audit rules
-e 2
# Panic when a failure occurs
-f 2
# Generate at most 100 audit messages per second
-r 100
CONTROL RULES:
-D
Deletes any preexisting rules (to avoid clashes with the new rules).
-b
Depending on the audit load of your system, increase or decrease the number of outstanding audit buffers. If there are no more buffers left, the kernel checks the failure flag for action.
-f
The failure flag controls the kernel's reaction to critical errors. Possible values are 0 (silent), 1 (printk, print a failure message), and 2 (panic, bring the system down: no clean shutdown and risk of data loss or corruption).
[root@rhel7-server ~]# auditctl -f 2
AUDIT_STATUS: enabled=1 flag=2 pid=2656 rate_limit=0 backlog_limit=320 lost=0 backlog=1
The above configuration triggers a kernel panic in case of a critical error. Don't do this; set the flag back to 1:
[root@rhel7-server ~]# auditctl -f 1
AUDIT_STATUS: enabled=1 flag=1 pid=1011 rate_limit=0 backlog_limit=320 lost=0 backlog=1
1 is the default and is the sensible setting.
-e
If set to 1, this enables audit and audit contexts for system calls. Setting it to 2 does the same, but also locks down the configuration. Set to 0, audit is disabled. This flag is used to enable or disable audit temporarily.
-r
Sets the rate limit of generated messages per second.
[root@rhel7-server ~]# auditctl -r 0
AUDIT_STATUS: enabled=1 flag=2 pid=2656 rate_limit=0 backlog_limit=320 lost=0 backlog=1
[root@rhel7-server ~]# auditctl -r 1
AUDIT_STATUS: enabled=1 flag=2 pid=2656 rate_limit=1 backlog_limit=320 lost=0 backlog=1
-s
Reports the status of the Audit system.
[root@rhel7-server ~]# auditctl -s
AUDIT_STATUS: enabled=1 flag=1 pid=2656 rate_limit=0 backlog_limit=320 lost=0 backlog=0
-l
Lists all currently loaded Audit rules.
[root@rhel7-server ~]# auditctl -l
LIST_RULES: exit,always watch=/etc/passwd perm=rwa key=password-file
FILE SYSTEM RULES:
How to create file system rules for audit,
auditctl -w path_to_file -p permissions -k key_name
-w path_to_file : specifies the file or directory to keep a watch on; path_to_file is the absolute path of the file.
-p permissions : which kinds of access are to be logged, any combination of:
r — read access to a file or a directory.
w — write access to a file or a directory.
x — execute access to a file or a directory.
a — change in the file's or directory's attribute.
-k key_name : an optional string that helps you identify which rule or set of rules generated a particular log entry.
FOR FILES,
# auditctl -w /etc/hosts -p wrxa -k host-file-change
# auditctl -w /etc/passwd -p wrxa -k passwd-file-change
# auditctl -w /etc/ssh/sshd_config -p rwxa -k ssh-file-change
How to list the rules,
[root@rhel7-server ~]# auditctl -l
LIST_RULES: exit,always watch=/etc/hosts perm=rwxa key=host-file-change
LIST_RULES: exit,always watch=/etc/passwd perm=rwxa key=passwd-file-change
How to search the access and changes on files,
[root@rhel7-server ~]# ausearch -f /etc/passwd
FOR DIRECTORIES,
[root@rhel7-server ~]# mkdir /audit-test-dir
# auditctl -w /audit-test-dir -p rwxa -k test-dir-change
[root@rhel7-server ~]# cd /audit-test-dir
[root@rhel7-server audit-test-dir]# touch f1 f2 f3
[root@rhel7-server audit-test-dir]# chmod 777 /audit-test-dir/f1
How to list the rules,
[root@rhel7-server audit-test-dir]# auditctl -l
LIST_RULES: exit,always watch=/etc/hosts perm=rwxa key=host-file-change
LIST_RULES: exit,always watch=/etc/passwd perm=rwxa key=passwd-file-change
LIST_RULES: exit,always dir=/audit-test-dir perm=rwxa key=test-dir-change
How to search the access and changes on directories,
[root@rhel7-server audit-test-dir]# ausearch -f /audit-test-dir
----
time->Sun Aug 26 14:49:58 2018
type=PATH msg=audit(1535275198.448:2128): item=1 name="f1" inode=2068738 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:default_t:s0 objtype=CREATE
type=PATH msg=audit(1535275198.448:2128): item=0 name="/audit-test-dir" inode=2068737 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:default_t:s0 objtype=PARENT
type=CWD msg=audit(1535275198.448:2128): cwd="/audit-test-dir"
type=SYSCALL msg=audit(1535275198.448:2128): arch=c000003e syscall=2 success=yes exit=3 a0=7fff1589482a a1=941 a2=1b6 a3=7fff15892510 items=2 ppid=3378 pid=3745 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=10 comm="touch" exe="/usr/bin/touch" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="test-dir-change"
----
======================= O/P TRUNCATED ========================================
----
time->Sun Aug 26 14:50:14 2018
type=PATH msg=audit(1535275214.898:2157): item=0 name="." inode=2068737 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:default_t:s0 objtype=NORMAL
type=CWD msg=audit(1535275214.898:2157): cwd="/audit-test-dir"
type=SYSCALL msg=audit(1535275214.898:2157): arch=c000003e syscall=257 success=yes exit=3 a0=ffffffffffffff9c a1=4a9ad7 a2=90800 a3=0 items=1 ppid=3377 pid=3378 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=10 comm="bash" exe="/usr/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="test-dir-change"
----
time->Sun Aug 26 14:50:17 2018
type=PATH msg=audit(1535275217.912:2162): item=0 name="/audit-test-dir/f1" inode=2068738 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:default_t:s0 objtype=NORMAL
type=CWD msg=audit(1535275217.912:2162): cwd="/audit-test-dir"
type=SYSCALL msg=audit(1535275217.912:2162): arch=c000003e syscall=268 success=yes exit=0 a0=ffffffffffffff9c a1=13fe0f0 a2=1ff a3=7fff2a75b860 items=1 ppid=3378 pid=3755 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=10 comm="chmod" exe="/usr/bin/chmod" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="test-dir-change"
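As an added example (not part of the original post), a small Python parser for the ausearch output above: it folds each "----"-separated event's PATH, CWD and SYSCALL records into one dict, resolves relative PATH names against the event's CWD record, and names the x86_64 syscall numbers seen in this session. The sample input is constructed to follow the layout of the output above, not copied from it.

```python
import os
import re
# Constructed ausearch -f output (not copied from the original post), in the
# record layout of the session above, trimmed to the fields the summary uses.
SAMPLE = """\
----
time->Sun Aug 26 14:49:58 2018
type=PATH msg=audit(1535275198.448:2128): item=1 name="f1" inode=2068738 objtype=CREATE
type=PATH msg=audit(1535275198.448:2128): item=0 name="/audit-test-dir" inode=2068737 objtype=PARENT
type=CWD msg=audit(1535275198.448:2128): cwd="/audit-test-dir"
type=SYSCALL msg=audit(1535275198.448:2128): arch=c000003e syscall=2 success=yes exit=3 auid=0 uid=0 comm="touch" exe="/usr/bin/touch" key="test-dir-change"
----
time->Sun Aug 26 14:50:14 2018
type=PATH msg=audit(1535275214.898:2157): item=0 name="." inode=2068737 objtype=NORMAL
type=CWD msg=audit(1535275214.898:2157): cwd="/audit-test-dir"
type=SYSCALL msg=audit(1535275214.898:2157): arch=c000003e syscall=257 success=yes exit=3 auid=0 uid=0 comm="bash" exe="/usr/bin/bash" key="test-dir-change"
"""
X86_64_SYSCALLS = {2: "open", 257: "openat", 268: "fchmodat"}  # arch=c000003e is AUDIT_ARCH_X86_64
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')                  # key=value or key="quoted value"

def parse_events(text):
    """Split on '----' and fold each event's PATH/CWD/SYSCALL records into one dict."""
    events = []
    for chunk in text.split("----"):
        ev, paths = {}, []
        for line in chunk.strip().splitlines():
            if line.startswith("time->"):
                ev["time"] = line[len("time->"):]
                continue
            rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
            rtype = rec.pop("type", None)
            if rtype == "SYSCALL":
                ev.update(rec)              # auid, comm, exe, key, syscall, ...
            elif rtype == "PATH":
                paths.append((rec["name"], rec.get("objtype", "?")))
            elif rtype == "CWD":
                ev["cwd"] = rec["cwd"]
        if "syscall" not in ev:
            continue                        # empty chunk or no SYSCALL record
        # A relative PATH name (name="f1" or ".") is relative to the CWD record.
        ev["paths"] = [(os.path.normpath(os.path.join(ev.get("cwd", "/"), n)), t) for n, t in paths]
        nr = int(ev["syscall"])
        ev["syscall_name"] = X86_64_SYSCALLS.get(nr, str(nr)) if ev.get("arch") == "c000003e" else str(nr)
        events.append(ev)
    return events

def summarize(events):
    """One line per event: login user, binary, syscall, watched paths, key."""
    return ["{time}: auid={auid} {exe} {syscall_name}(success={success}) {p} key={key}".format(
            p=" ".join(f"{t}:{n}" for n, t in ev["paths"]), **ev) for ev in events]
```

Note that bash reached the directory through openat (257), not open (2), so a system call rule that lists only -S open, like the one used later in this post, records the touch but not that access.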
SYSTEM CALL RULES:
auditctl -a action,filter -S system_call -F field=value -k key_name
-a action,filter : action can be either "always" or "never" and decides whether a matching event is logged. filter specifies which kernel rule-matching filter is applied to the event; it can be one of task, exit, user, and exclude. The kernel component receives system calls from user-space applications and filters them through the defined filters.
-S system_call : the system call name.
-F field=value : specifies additional options such as architecture, PID, GID, etc. to narrow down the rule.
-k key_name : an optional string that helps you identify which rule or set of rules generated a particular log entry.
How to watch/find file/dir access/changes done by a particular user,
# auditctl -a exit,always -F arch=x86_64 -S open -F auid=0
-F arch=x86_64 : defines which architecture is used, so that the right syscall is monitored. To find the architecture,
[root@rhel7-server ~]# uname -m
x86_64
-S open : selects the "open" syscall.
-F auid=0 : the login user ID (auid) of the user to watch.
How to make the rules permanent,
[root@rhel7-server ~]# auditctl -l
No rules
[root@rhel7-server ~]# vi /etc/audit/rules.d/audit.rules
# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.
# First rule - delete all
-D
# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 320
# Feel free to add below this line. See auditctl man page
-w /etc/hosts -p wrxa -k host-file-change
-w /etc/passwd -p wrxa -k passwd-file-change
-w /etc/ssh/sshd_config -p rwxa -k ssh-file-change
-w /audit-test-dir -p rwxa -k test-dir-change
-a exit,always -F arch=x86_64 -S open -F auid=0
Add the rules manually at the end of the file (the last five lines above).
[root@rhel7-server ~]# auditctl -l
No rules
[root@rhel7-server ~]# systemctl reload auditd
[root@rhel7-server ~]# auditctl -l
No rules
[root@rhel7-server ~]# systemctl restart auditd
Failed to issue method call: Operation refused, unit auditd.service may be requested by dependency only.
[root@rhel7-server ~]# systemctl status auditd |grep -i active
Active: active (running) since Sun 2018-08-26 16:00:57 IST; 1min 21s ago
Aug 26 16:00:57 rhel7-server audispd[4690]: audispd initialized with q_depth=150 and 1 active plugins
A reload does not pick up the new rules, and a restart through systemctl is refused, so restart the daemon through the service script instead:
[root@rhel7-server ~]# service auditd restart
Stopping logging: [ OK ]
Redirecting start to /bin/systemctl start auditd.service
[root@rhel7-server ~]# systemctl status auditd |grep -i active
Active: active (running) since Sun 2018-08-26 16:00:57 IST; 1min 21s ago
Aug 26 16:00:57 rhel7-server audispd[4690]: audispd initialized with q_depth=150 and 1 active plugins
[root@rhel7-server ~]# auditctl -l
LIST_RULES: exit,always watch=/etc/hosts perm=rwxa key=host-file-change
LIST_RULES: exit,always watch=/etc/passwd perm=rwxa key=passwd-file-change
LIST_RULES: exit,always watch=/etc/ssh/sshd_config perm=rwxa key=ssh-file-change
LIST_RULES: exit,always dir=/audit-test-dir perm=rwxa key=test-dir-change
LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid=0 syscall=open
How to exclude the unwanted messages from the log report,
[root@rhel7-server ~]# vi /etc/audit/rules.d/audit.rules
# Exclude all cwd message types
-a exclude,always -F msgtype=CWD
## Ignore EOE records (End Of Event, not needed)
-a always,exclude -F msgtype=EOE
## Cron jobs fill the logs with stuff we normally don't want
-A exclude,always -F subj_type=crond_t
## Exclude service start & stop messages
-A exclude,always -F msgtype=SERVICE_START
-A exclude,always -F msgtype=SERVICE_STOP
From the man pages,
user      Add a rule to the user message filter list. This list is used by the kernel to filter events originating in user space before relaying them to the audit daemon. It should be noted that the only fields that are valid are: uid, auid, gid, pid, subj_user, subj_role, subj_type, subj_sen, subj_clr, and msgtype. All other fields will be treated as non-matching. It should be understood that any event originating from user space from a process that has CAP_AUDIT_WRITE will be recorded into the audit trail. This means that the most likely use for this filter is with rules that have an action of never since nothing has to be done to allow events to be recorded.
exclude   Add a rule to the event type exclusion filter list. This list is used to filter events that you do not want to see. For example, if you do not want to see any avc messages, you would use this list to record that. Events can be excluded by process ID, user ID, group ID, login user ID, message type or subject context. The action is ignored and uses its default of "never".
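As an added example (not the post's own code), the exclude rules above replayed in Python over a few constructed audit.log records: each record is matched on the msgtype and subj_type fields as auditctl -F names them, and a subj_type match on an event's SYSCALL record drops the event's other records too, since every record of a syscall event comes from the same task. The records and the helper names are constructed for this demo.

```python
import re

# Constructed audit.log records (not from the original post), trimmed to the
# fields the exclude rules look at; one record per line as auditd writes them.
SAMPLE_LOG = """\
type=CWD msg=audit(1535275198.448:2128): cwd="/audit-test-dir"
type=SYSCALL msg=audit(1535275198.448:2128): arch=c000003e syscall=2 auid=0 comm="touch" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="test-dir-change"
type=EOE msg=audit(1535275198.448:2128):
type=CWD msg=audit(1535275300.100:2200): cwd="/"
type=SYSCALL msg=audit(1535275300.100:2200): arch=c000003e syscall=2 auid=4294967295 comm="run-parts" subj=system_u:system_r:crond_t:s0-s0:c0.c1023 key="passwd-file-change"
type=PATH msg=audit(1535275300.100:2200): item=0 name="/etc/passwd" objtype=NORMAL
type=SERVICE_START msg=audit(1535275400.000:2300): pid=1 uid=0 subj=system_u:system_r:init_t:s0 unit=sshd res=success
"""

# The post's exclude rules as field=value pairs (fields within one rule are ANDed).
EXCLUDE_RULES = [{"msgtype": "CWD"}, {"msgtype": "EOE"}, {"subj_type": "crond_t"},
                 {"msgtype": "SERVICE_START"}, {"msgtype": "SERVICE_STOP"}]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_RE = re.compile(r"msg=audit\(([\d.]+:\d+)\)")

def record_fields(line):
    """Map a record to the names auditctl -F uses: type= becomes msgtype, subj= yields subj_type."""
    d = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    d["msgtype"] = d.pop("type", "")
    parts = d.get("subj", "").split(":")       # user:role:type[:range]
    if len(parts) >= 3:
        d["subj_type"] = parts[2]
    return d

def matches(fields, rule):
    return all(fields.get(k) == v for k, v in rule.items())

def apply_exclude(log, rules):
    """Return the records that survive the exclude filter, in input order."""
    recs = [(EVENT_RE.search(l).group(1), record_fields(l), l) for l in log.splitlines() if l]
    # subj_* fields describe the task, which is the same for every record of a
    # syscall event, so a subj match on the SYSCALL record drops the whole event.
    dropped = {ev for ev, f, _ in recs
               if any(matches(f, r) for r in rules if any(k.startswith("subj_") for k in r))}
    return [line for ev, f, line in recs
            if ev not in dropped and not any(matches(f, r) for r in rules)]
```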
How to disable auditing temporarily,
For the time being, disable, enable or lock the audit rules with:
# auditctl -e [0 1 2]
0 = disables auditing.
1 = enables auditing.
2 = locks the current audit rules: no rules can be added, edited or removed, and even the audit daemon can't be stopped.
[root@rhel7-server ~]# auditctl -e 0
AUDIT_STATUS: enabled=0 flag=1 pid=4687 rate_limit=0 backlog_limit=320 lost=0 backlog=5
[root@rhel7-server ~]# auditctl -e 1
AUDIT_STATUS: enabled=1 flag=1 pid=4687 rate_limit=0 backlog_limit=320 lost=0 backlog=0
How to remove audit rules,
Remove all rules in one go,
[root@rhel7-server ~]# auditctl -D
No rules
[root@rhel7-server ~]# auditctl -l
No rules
Though the rules are still present in "/etc/audit/rules.d/audit.rules", they are no longer in effect. Restart "auditd" to make them effective again.
[root@rhel7-server ~]# service auditd restart
Stopping logging: [ OK ]
Redirecting start to /bin/systemctl start auditd.service
[root@rhel7-server ~]# auditctl -l
LIST_RULES: exit,always watch=/etc/hosts perm=rwxa key=host-file-change
LIST_RULES: exit,always watch=/etc/passwd perm=rwxa key=passwd-file-change
LIST_RULES: exit,always watch=/etc/ssh/sshd_config perm=rwxa key=ssh-file-change
LIST_RULES: exit,always dir=/audit-test-dir perm=rwxa key=test-dir-change
LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid=0 syscall=open
Removing file system rules temporarily,
Use -W instead of -w.
[root@rhel7-server ~]# auditctl -l |grep -i host
LIST_RULES: exit,always watch=/etc/hosts perm=rwxa key=host-file-change
[root@rhel7-server ~]# auditctl -W /etc/hosts -p wrxa -k host-file-change
[root@rhel7-server ~]# auditctl -l |grep -i host
[root@rhel7-server ~]# cat /etc/audit/rules.d/audit.rules |grep -i host
-w /etc/hosts -p wrxa -k host-file-change
The rule is still present in the config file, but no longer active. Just restart the service and it will be active again.
[root@rhel7-server ~]# service auditd restart
Stopping logging: [ OK ]
Redirecting start to /bin/systemctl start auditd.service
[root@rhel7-server ~]# auditctl -l |grep -i host
LIST_RULES: exit,always watch=/etc/hosts perm=rwxa key=host-file-change
To remove the rule permanently, just delete the entry from the config file.
Removing system call rules temporarily,
Use -d instead of -a/-A.
[root@rhel7-server ~]# auditctl -l |grep -i auid
LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid=0 syscall=open
# auditctl -d exit,always -F arch=x86_64 -S open -F auid=0
[root@rhel7-server ~]# auditctl -l |grep -i auid
To remove the rule permanently, just delete the entry from the config file.