There are cases where an admin needs to identify the various operations performed on a file, or the number of commands a particular user has executed. Linux provides auditing facilities for these sorts of operations. The Linux kernel (2.6.x) comes with an audit daemon. It is responsible for writing audit records to disk, much like a log records information when a specific thing happens.
To find whether audit is already installed or not, we can check using
[root@vx111a etc]# whereis auditctl
auditctl: /sbin/auditctl /usr/share/man/man8/auditctl.8.gz
[root@vx111a etc]# which auditctl
/sbin/auditctl
Or, if audit is not installed yet, you can install it like
[root@localhost ] ~ # yum install audit*
Running auditd on boot
[root@localhost ] ~ # chkconfig auditd on
[root@localhost ] ~ # ntsysv
Note: ntsysv is a simple graphical interface for configuring run levels. This has the same effect as 'chkconfig'.
After installing the audit daemon, we can start it using
service auditd restart
Now, in order to use the auditing facilities, we have 3 main commands available (plus two helpers):
auditctl: a command to assist in controlling the kernel audit system. Adding, deleting and checking the status of the audit rules in the kernel is done by this command. If we need to set a watch on a particular file, we can use this command.
ausearch: this command is used to query the audit daemon logs for events based on the search criteria.
aureport: a command which produces summary reports of the audit system logs.
autrace: adds audit rules to trace a process. Similar to strace.
rcauditd: controls the audit init script.
Auditd has 2 configuration files you need to care about, plus the log file:
/etc/audit/auditd.conf - configuration file for the audit daemon.
/etc/audit/audit.rules - audit rules to be loaded at startup.
/var/log/audit/audit.log - the audit log file.
Let's configure a watch on the /etc/passwd file like,
[root@vx111a test]# auditctl -w /etc/passwd -p war -k password-file
In the above command, we have configured a watch on the file /etc/passwd.
-w /etc/passwd: informs the kernel to watch a file named /etc/passwd.
-p war: sets the permissions for the file watch: w - watch, a - append, r - read and x - execute. This also indicates that we need to watch for these actions on /etc/passwd.
-k password-file: this is a filter key for the file to be watched. It can uniquely identify the audit records produced by the watch. You need to use the password-file string or phrase while searching the audit logs.
Once the watch is created on a file, we can see the audit rules that are available.
[root@vx111a audit]# auditctl -l
LIST_RULES: exit,always watch=/etc/passwd perm=rwa key=password-file
LIST_RULES: exit,always watch=/root/test/sample perm=rwa key=shad
Now let's modify or check the contents of the file like,
[root@vx111a test]# grep 'root' /etc/passwd
root:x:0:0:root:/root:/bin/bash
operator:x:11:0:operator:/root:/sbin/nologin
Now that we have read the file, we can see that an alert was generated. We can see the audit records for the /etc/passwd file like
[root@vx111a test]# ausearch -f /etc/passwd
----
time->Tue Aug 28 14:46:05 2012
type=PATH msg=audit(1346145365.002:299): item=0 name="/etc/passwd" inode=1705681 dev=08:08 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1346145365.002:299): cwd="/root/test"
type=SYSCALL msg=audit(1346145365.002:299): arch=40000003 syscall=5 success=yes exit=3 a0=bfdfda16 a1=8000 a2=0 a3=8000 items=1 ppid=3339 pid=4558 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="grep" exe="/bin/grep" key="password-file"
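The three records above share one event id (the 1346145365.002:299 part of msg=audit), so a responder has to join them to answer "who touched which file, from where, with which command". As an added example that is not part of the original post, this small parser does that join over the records shown above (embedded as a constructed sample); the field names are the standard audit.log ones, and the summary layout is this example's own choice.

```python
import re
from collections import defaultdict

# Constructed sample: the PATH/CWD/SYSCALL records ausearch printed for one event.
SAMPLE_RECORDS = """\
type=PATH msg=audit(1346145365.002:299): item=0 name="/etc/passwd" inode=1705681 dev=08:08 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1346145365.002:299): cwd="/root/test"
type=SYSCALL msg=audit(1346145365.002:299): arch=40000003 syscall=5 success=yes exit=3 a0=bfdfda16 a1=8000 a2=0 a3=8000 items=1 ppid=3339 pid=4558 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="grep" exe="/bin/grep" key="password-file"
"""

# "type=X msg=audit(<epoch>.<ms>:<serial>): <key=value fields...>"
HEADER_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one audit record into (type, timestamp, serial, {field: value})."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    return rtype, float(ts), int(serial), fields

def group_events(text):
    """Collect all records that share one event serial (the audit event id)."""
    events = defaultdict(list)
    for line in text.splitlines():
        parsed = parse_record(line)
        if parsed:
            events[parsed[2]].append(parsed)
    return dict(events)

def summarize(records):
    """Reduce one event's records to the fields a responder looks at first."""
    by_type = defaultdict(list)
    for rtype, _ts, _serial, fields in records:
        by_type[rtype].append(fields)
    sc = by_type['SYSCALL'][0] if by_type['SYSCALL'] else {}
    return {
        'time': records[0][1],
        'key': sc.get('key'),                 # the -k filter key from the rule
        'auid': sc.get('auid'),               # login uid survives su/sudo
        'uid': sc.get('uid'),
        'comm': sc.get('comm'), 'exe': sc.get('exe'),
        'success': sc.get('success') == 'yes',
        'paths': [p.get('name') for p in by_type['PATH']],   # may be several items
        'cwd': by_type['CWD'][0].get('cwd') if by_type['CWD'] else None,
    }

if __name__ == '__main__':
    for serial, recs in group_events(SAMPLE_RECORDS).items():
        print(serial, summarize(recs))
```

Filtering the summaries on 'key' gives the same view as ausearch -k password-file, and 'auid' is the field to trust for "which user", since uid changes after su.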
Some of the ausearch commands,
ausearch -a audit_event_id: run this search to view all records carrying a particular audit event ID. Each audit event message is logged along with a message ID consisting of a UNIX epoch time stamp plus a unique event ID, separated by a colon.
ausearch -ul login_id: run this search to view records associated with a particular login user ID.
ausearch -k key: run this search to find records that contain a certain key assigned in the audit rule set. For example, use ausearch -k CFG_etc to display any records containing the CFG_etc key.
ausearch -m message_type: run this search to find records related to a particular message type.
ausearch -f filename: run this search to find records containing a certain filename. For example, run ausearch -f /foo/bar for all records related to the /foo/bar file.
ausearch -p process_id: run this to search for records related to a certain process ID. For example, use ausearch -p 13368 to search for all records related to this process ID.
Happy Learning, More To Come