Wednesday, August 29, 2012

Auditing in Linux

There are cases where an admin needs to identify the operations performed on a file, or the commands a particular user has executed. Linux provides auditing facilities for exactly this. The 2.6.x kernel contains the audit subsystem, which generates the records; the user-space audit daemon (auditd) receives them from the kernel and writes them to disk, much as syslog records a line when a specific thing happens.

To find whether audit is already installed, we can check using

[root@vx111a etc]# whereis auditctl
auditctl: /sbin/auditctl /usr/share/man/man8/auditctl.8.gz

[root@vx111a etc]# which auditctl

Or, if audit is not yet installed, you can install it like

[root@localhost ] ~ # yum install audit*
Running auditd on boot
[root@localhost ] ~ # chkconfig auditd on
[root@localhost ] ~ # ntsysv

Note: ntsysv is a simple text-mode (ncurses) interface for choosing which services start in each run level. It has the same effect as 'chkconfig'.

After installing the audit daemon, we can start it using

service auditd restart

Now, in order to use the auditing facilities, we have the following commands available.

auditctl: a command to assist in controlling the kernel audit system. Adding, deleting and listing the audit rules loaded in the kernel is done with this command. If we need to set a watch on a particular file, we use this command.

ausearch: queries the audit daemon logs for events matching the given search criteria.

aureport: produces summary reports from the audit system logs.

autrace: adds audit rules to trace a single process, similar to strace.

rcauditd: controls the audit init script (SUSE systems; on Red Hat-style systems use service auditd).

Auditd has two configuration files and one log file you need to care about:

/etc/audit/auditd.conf - configuration file for the audit daemon (log location, rotation, what to do when the disk fills up).
/etc/audit/audit.rules - audit rules loaded at startup. Rules added at the command line with auditctl live only in the kernel and are lost on reboot unless they are also written here.
/var/log/audit/audit.log - the audit log file.

Let’s configure a watch on the /etc/passwd file like,

[root@vx111a test]# auditctl -w /etc/passwd -p war -k password-file

In the above command, we have configured a watch on the file /etc/passwd.

-w /etc/passwd: tells the kernel to watch the file named /etc/passwd.

-p war: the kinds of access to watch for: w for write, a for attribute change (owner, mode, timestamps), r for read and x for execute. Here we are asking for writes, attribute changes and reads of /etc/passwd. Be aware that almost every process reads /etc/passwd (logins, ls -l, any user-name lookup), so r on this file makes a very noisy log; for a production rule, -p wa is the usual choice.

-k password-file: a filter key attached to every audit record this rule produces. It tags the records so that you can pull them out later with ausearch -k password-file; several rules may share one key if you want to search them together.

Once the watch is created, we can list the audit rules currently loaded in the kernel.

[root@vx111a audit]# auditctl -l
LIST_RULES: exit,always watch=/etc/passwd perm=rwa key=password-file
LIST_RULES: exit,always watch=/root/test/sample perm=rwa key=shad
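An added example (not from the original post) of how a practitioner persists and verifies these watches: rules added with a bare auditctl -w disappear at reboot, so the lasting copy belongs in /etc/audit/audit.rules. The rule set, the identity and privilege keys, the RULES_FILE override and the function names are assumptions of this example; install_rules needs root and a working auditd, while rule_loaded only parses an auditctl -l listing and runs anywhere.

```shell
#!/bin/sh
# Added example, not the original post's code. Makes the /etc/passwd watch
# (and its neighbours) persistent and checks that the kernel took it.
# Assumes auditd is installed and install_rules runs as root.
# RULES_FILE is a hypothetical override so the file can be written elsewhere.
RULES_FILE=${RULES_FILE:-/etc/audit/audit.rules}

# The rule set. -p wa rather than -p war: every login and every `ls -l`
# reads /etc/passwd, so auditing reads drowns the writes we care about.
audit_rules() {
    cat <<'EOF'
-D
-b 8192
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/sudoers -p wa -k privilege
EOF
}

# Read an `auditctl -l` listing on stdin and succeed (exit 0) if it contains
# a watch on $1 carrying key $2. Accepts both the old "watch=... key=..."
# format shown above and the newer "-w ... -k ..." format.
rule_loaded() {
    grep -E "(watch=|-w )$1[[:space:]]" |
        grep -qE "(key=|-k )$2(\$|[[:space:]])"
}

# Write the file, load it into the kernel, and confirm the watch is present.
install_rules() {
    audit_rules > "$RULES_FILE"
    auditctl -R "$RULES_FILE"
    auditctl -l | rule_loaded /etc/passwd identity
}

if [ "${1:-}" = install ]; then
    install_rules
fi
```

Run it as `sh persist-watches.sh install` on the audited host; on its own the script only defines the functions, so rule_loaded can be reused from other scripts to check that a rule survived a reboot.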

Now let's modify or read the contents of the file, for example

[root@vx111a test]# grep 'root' /etc/passwd

Now that we have read the file, an audit record has been generated. We can see the audit records for /etc/passwd like

[root@vx111a test]# ausearch -f /etc/passwd
time->Tue Aug 28 14:46:05 2012
type=PATH msg=audit(1346145365.002:299): item=0 name="/etc/passwd" inode=1705681 dev=08:08 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1346145365.002:299): cwd="/root/test"
type=SYSCALL msg=audit(1346145365.002:299): arch=40000003 syscall=5 success=yes exit=3 a0=bfdfda16 a1=8000 a2=0 a3=8000 items=1 ppid=3339 pid=4558 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="grep" exe="/bin/grep" key="password-file"

The three records share one serial number (299) and together describe one event. The SYSCALL record is the interesting one: arch=40000003 is i386 and syscall=5 is open(); success=yes with exit=3 means the open succeeded and returned file descriptor 3; auid=0 is the login UID of the session, which survives su and sudo and so tells you who really did it; comm and exe identify the program; and key ties the record back to our rule. The PATH and CWD records supply the file that was opened and the working directory.

Some of the ausearch commands:

ausearch -a audit_event_id: view all records carrying a particular audit event ID. Each audit event message is logged with a message ID consisting of a UNIX epoch time stamp and a unique event serial number separated by a colon; -a takes the serial number after the colon.

ausearch -ul login_id: view records associated with a particular login user ID (the auid field).

ausearch -k key: find records that contain a certain key assigned in the audit rule set. For example, use ausearch -k CFG_etc to display any records containing the CFG_etc key.

ausearch -m message_type: find records of a particular message type, such as SYSCALL or PATH.

ausearch -f filename: find records containing a certain filename. For example, run ausearch -f /foo/bar for all records related to the /foo/bar file.

ausearch -p process_id: search for records related to a certain process ID. For example, use ausearch -p 13368 to search for all records related to this process ID.
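As an added example that is not part of the original post, here is a small shell function that does offline what ausearch -k does on a live system: it joins the PATH, CWD and SYSCALL records of each event by the serial in msg=audit(...) and reports who touched the watched file and whether the access succeeded. The audit.log sample it reads is constructed for this example (the first event is the grep record above; the other two, a root edit with vi and a denied append by uid 500, are made up), and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not the original post's code: summarise raw audit.log
# records for one filter key without needing auditd or ausearch installed.

# Constructed sample log. Event 299 is the grep record from the post; 300
# and 301 are invented (root editing the file, and uid 500 being denied an
# append: success=no exit=-13 is EACCES). Record order within an event
# varies between kernels, so the parser must not assume PATH comes first.
sample_log() {
    cat <<'EOF'
type=PATH msg=audit(1346145365.002:299): item=0 name="/etc/passwd" inode=1705681 dev=08:08 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1346145365.002:299): cwd="/root/test"
type=SYSCALL msg=audit(1346145365.002:299): arch=40000003 syscall=5 success=yes exit=3 a0=bfdfda16 a1=8000 a2=0 a3=8000 items=1 ppid=3339 pid=4558 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="grep" exe="/bin/grep" key="password-file"
type=SYSCALL msg=audit(1346145400.113:300): arch=40000003 syscall=5 success=yes exit=4 a0=9fa1c20 a1=8241 a2=1a4 a3=0 items=1 ppid=3339 pid=4602 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="vi" exe="/bin/vi" key="password-file"
type=CWD msg=audit(1346145400.113:300): cwd="/root"
type=PATH msg=audit(1346145400.113:300): item=0 name="/etc/passwd" inode=1705681 dev=08:08 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1346145450.521:301): arch=40000003 syscall=5 success=no exit=-13 a0=9c02f08 a1=8441 a2=1b6 a3=0 items=1 ppid=4700 pid=4711 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts2 ses=3 comm="sh" exe="/bin/bash" key="password-file"
type=CWD msg=audit(1346145450.521:301): cwd="/home/bob"
type=PATH msg=audit(1346145450.521:301): item=0 name="/etc/passwd" inode=1705681 dev=08:08 mode=0100644 ouid=0 ogid=0 rdev=00:00
EOF
}

# events_for_key KEY < audit.log
# Prints one line per event whose SYSCALL record carries key="KEY":
#   event=<epoch:serial> path=... auid=... uid=... comm=... exe=... success=...
events_for_key() {
    awk -v key="$1" '
    # value of the " k=..." field of s, with surrounding quotes stripped;
    # the leading space keeps "uid=" from matching inside "auid=" or "euid="
    function field(s, k,   m) {
        if (match(s, " " k "=[^ ]+")) {
            m = substr(s, RSTART + length(k) + 2, RLENGTH - length(k) - 2)
            gsub(/"/, "", m)
            return m
        }
        return "?"
    }
    # every record carries msg=audit(epoch.ms:serial); that string joins
    # the PATH, CWD and SYSCALL records of one event
    match($0, /audit\([0-9.]+:[0-9]+\)/) {
        id = substr($0, RSTART + 6, RLENGTH - 7)
    }
    /^type=PATH / { path[id] = field($0, "name") }
    /^type=SYSCALL / && field($0, "key") == key {
        order[++n] = id
        who[id] = "auid=" field($0, "auid") " uid=" field($0, "uid") \
                  " comm=" field($0, "comm") " exe=" field($0, "exe") \
                  " success=" field($0, "success")
    }
    # print at the end so a PATH record arriving after its SYSCALL is seen
    END {
        for (i = 1; i <= n; i++) {
            id = order[i]
            print "event=" id " path=" path[id] " " who[id]
        }
    }'
}

# Failed accesses are recorded too and are usually the ones worth an alert.
denied_for_key() {
    events_for_key "$1" | grep 'success=no'
}
```

Usage on a real host is `events_for_key password-file < /var/log/audit/audit.log`; the sample_log function exists only so the example runs offline. auid is what you want to pivot on: it is the UID of the original login session and stays the same across su and sudo, whereas uid shows the effective account at the time of the call.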

Happy Learning, More To Come