# Chapter 35: Linux Audit System

## Comprehensive Guide to auditd

## 34.1 Understanding Linux Audit

### What is auditd?
The Linux Audit system is a kernel-level framework for security auditing. It records system calls, file access and user actions, and the resulting log serves both compliance evidence and security monitoring.
Audit System Components:

| Component  | Role                                    |
|------------|-----------------------------------------|
| auditd     | Daemon that records audit events        |
| auditctl   | Command to control audit rules          |
| ausearch   | Search audit logs                       |
| aureport   | Generate audit reports                  |
| autrace    | Trace system calls                      |
| augenrules | Generate rules from /etc/audit/rules.d/ |

Log Location: /var/log/audit/audit.log

## 34.2 Installation and Configuration
```bash
# Install
sudo apt install auditd   # Debian/Ubuntu
sudo yum install audit    # RHEL/CentOS
sudo pacman -S audit      # Arch

# Start service
sudo systemctl enable --now auditd

# Configuration files
# /etc/audit/auditd.conf       daemon settings (log file, rotation, action on failure)
# /etc/audit/audit.rules       rule set loaded at startup (generated by augenrules)
# /etc/audit/rules.d/*.rules   rule fragments that augenrules merges into audit.rules
```

## 34.3 Audit Rules
### File Monitoring

Watch rules (`-w`) record access to a path; `-p` selects which accesses to log (r read, w write, x execute, a attribute change) and `-k` tags the events so they can be found with `ausearch -k`.

```text
# Monitor password files
-w /etc/passwd -p wa -k password_file
-w /etc/shadow -p wa -k shadow_file
-w /etc/group -p wa -k group_file

# Monitor SSH
-w /etc/ssh/sshd_config -p wa -k sshd_config
-w /etc/ssh/ssh_config -p wa -k ssh_config

# Monitor sudo
-w /etc/sudoers -p wa -k sudoers
-w /etc/sudoers.d/ -p wa -k sudoers_d

# Monitor system binaries
-w /usr/bin/sudo -p x -k sudo
-w /usr/bin/passwd -p x -k passwd
-w /usr/bin/su -p x -k su

# Monitor cron
-w /etc/cron.allow -p wa -k cron_allow
-w /etc/at.allow -p wa -k at_allow

# Monitor logs (these files are written constantly, so expect a high event volume)
-w /var/log/secure -p wa -k secure_log
-w /var/log/messages -p wa -k messages_log
```

### System Call Monitoring
```text
# Monitor execve calls (add a matching -F arch=b32 rule on hosts that run 32-bit binaries)
-a always,exit -F arch=b64 -S execve -F path=/usr/bin/curl -k exec_curl
-a always,exit -F arch=b64 -S execve -F path=/usr/bin/wget -k exec_wget

# Monitor file deletions
-a always,exit -F arch=b64 -S unlink -S unlinkat -k file_delete

# Monitor network connections (very noisy on busy hosts; scope it, e.g. with -F auid>=1000)
-a always,exit -F arch=b64 -S connect -k network_connect

# Monitor mount
-a always,exit -F arch=b64 -S mount -k mount

# Monitor chmod
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -k chmod
```

### User Monitoring
```text
# Monitor user sessions
-w /var/run/utmp -p wa -k user_session
-w /var/log/btmp -p wa -k failed_login
-w /var/log/wtmp -p wa -k login_log

# Monitor pam
-w /etc/pam.d/ -p wa -k pam

# Monitor shell config
# Watch paths must be absolute: auditctl does not expand ~, so one rule is needed
# per home directory (root's home is used here)
-w /etc/profile -p wa -k profile
-w /root/.bashrc -p wa -k bashrc
-w /root/.bash_profile -p wa -k bash_profile
```

### Loading Rules
```bash
# Load rules from a file
sudo auditctl -R /etc/audit/rules.d/security.rules

# Or merge every fragment in /etc/audit/rules.d/ and load the result
sudo augenrules --load

# Check current rules
sudo auditctl -l
```
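Before loading a rules file it is worth catching mistakes offline. The linter below is an added example, not part of this guide or of the audit package; `SAMPLE_RULES` is a constructed rules.d fragment that contains the errors auditctl rejects (a watch path that is not absolute, an unknown `-p` flag, a syscall rule without `-S`) plus a rule with no `-k` key, which loads but is hard to search for.

```python
ALLOWED_PERMS = set("rwxa")  # -p accepts r (read), w (write), x (execute), a (attribute change)

# Constructed sample: lines 3, 5, 6 and 7 each contain one deliberate mistake.
SAMPLE_RULES = """\
# Monitor password files
-w /etc/passwd -p wa -k password_file
-w ~/.bashrc -p wa -k bashrc
-a always,exit -F arch=b64 -S execve -F path=/usr/bin/curl -k exec_curl
-a always,exit -F arch=b64 -F path=/usr/bin/wget -k exec_wget
-w /etc/shadow -p wq -k shadow_file
-w /etc/sudoers -p wa
"""


def lint_rule(rule):
    """Return the problems found in one rule line (an empty list means it looks fine)."""
    toks = rule.split()
    problems = []
    if toks[0] == "-w":
        path = toks[1] if len(toks) > 1 else ""
        if not path.startswith("/"):
            problems.append(f"watch path {path!r} is not absolute (auditctl does not expand ~)")
        if "-p" in toks:
            perms = toks[toks.index("-p") + 1]
            bad = set(perms) - ALLOWED_PERMS
            if bad:
                problems.append(f"unknown -p flag(s) {''.join(sorted(bad))!r}; use only r, w, x, a")
    elif toks[0] == "-a":
        if "-S" not in toks:
            problems.append("syscall rule has no -S; nothing will match")
        if not any(t.startswith("arch=") for t in toks):
            problems.append("syscall rule without -F arch=; add b64/b32 so it matches the right ABI")
    if "-k" not in toks:
        problems.append("no -k key; events will not be reachable with ausearch -k")
    return problems


def lint_rules(text):
    """Lint a whole rules file; returns {line_number: [problems]} for bad lines only."""
    report = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        rule = raw.strip()
        if not rule or rule.startswith("#"):
            continue  # blank lines and comments are ignored by augenrules as well
        problems = lint_rule(rule)
        if problems:
            report[lineno] = problems
    return report
```

Run `lint_rules(open("/etc/audit/rules.d/security.rules").read())` against a real fragment before `augenrules --load`; an empty dict means no problems were found.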
```bash
# Show audit subsystem status (enabled flag, backlog, lost events); -l lists the rules themselves
sudo auditctl -s
```

## 34.4 Log Analysis
### ausearch
```bash
# Search recent events
ausearch -ts recent
ausearch -ts today
ausearch -ts yesterday

# Search by key
ausearch -k password_file
ausearch -k sshd_config

# Search by user (uid number or name; -ui matches the uid field, -ua any uid field)
ausearch -ui 1000
ausearch -ua root

# Search by syscall
ausearch -sc execve
ausearch -sc connect

# Search by file
ausearch -f /etc/passwd

# Search failed events (syscalls whose success value is "no")
ausearch -sv no

# Combine options (-i interprets uids, syscall numbers and timestamps)
ausearch -k password_file -ts recent -i
```
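The `-k` and `-sv` filters operate on whole events: every record of one event (SYSCALL, CWD, PATH, EXECVE, ...) carries the same `msg=audit(timestamp:serial)` stamp, and ausearch groups them by that serial. The parser below is an added example, not part of this guide or of the audit tools; `SAMPLE_LOG` is a constructed excerpt in the raw audit.log format, and `search()` reproduces the `-k` / `-sv` filtering over the grouped events.

```python
import re
from collections import defaultdict

# Constructed audit.log excerpt (not a real capture): two events, each made of several
# records that share the same serial in msg=audit(timestamp:serial). Rarely needed
# fields (a0-a3, fsuid, sgid, ...) are omitted to keep the sample short.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:301): arch=c000003e syscall=257 success=yes exit=3 ppid=900 pid=1234 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim" key="shadow_file"
type=CWD msg=audit(1700000000.101:301): cwd="/root"
type=PATH msg=audit(1700000000.101:301): item=0 name="/etc/" inode=2 nametype=PARENT
type=PATH msg=audit(1700000000.101:301): item=1 name="/etc/shadow" inode=42 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.205:302): arch=c000003e syscall=59 success=no exit=-13 ppid=1500 pid=1501 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts1 ses=4 comm="bash" exe="/usr/bin/bash" key="exec_curl"
type=EXECVE msg=audit(1700000000.205:302): argc=2 a0="curl" a1="http://example.invalid/"
type=PATH msg=audit(1700000000.205:302): item=0 name="/usr/bin/curl" inode=77 nametype=NORMAL
"""

HEADER = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
SYSCALL_FIELDS = ("syscall", "success", "exit", "auid", "uid", "exe", "comm", "key")


def parse_records(text):
    """Group raw audit.log lines into events keyed by serial, as ausearch does."""
    events = defaultdict(lambda: {"records": [], "paths": []})
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # not an audit record; skip it
        rtype, ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        ev = events[int(serial)]
        ev["time"] = float(ts)
        ev["records"].append(rtype)
        if rtype == "SYSCALL":
            ev.update({k: fields.get(k) for k in SYSCALL_FIELDS})
        elif rtype == "PATH":
            ev["paths"].append(fields.get("name"))
    return dict(events)


def search(events, key=None, success=None):
    """Filter like `ausearch -k KEY -sv yes|no`; returns matching serials in order."""
    hits = []
    for serial, ev in sorted(events.items()):
        if key is not None and ev.get("key") != key:
            continue
        if success is not None and ev.get("success") != success:
            continue
        hits.append(serial)
    return hits
```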
```bash
# Export to CSV (ausearch's --format has no json option; it accepts raw, default, interpret, csv and text)
ausearch -k password_file --format csv
```

### aureport
```bash
# Summary
aureport --summary

# Events
aureport --event

# Files
aureport --file

# Users
aureport --user

# Failed events
aureport --failed

# Executables
aureport --executable

# Login/logout
aureport --login

# Generate a report covering today (-ts sets the start time, -te the end time)
aureport -ts today > /tmp/audit_report.txt
```

## 34.5 Real-time Monitoring
### aureport with watch

```bash
# TTY keystroke report filtered to privileged users (needs pam_tty_audit enabled for those users)
aureport --tty -i | grep -E "root|admin"

# Poll recent sudo events with ausearch in a loop
while true; do
    ausearch -k sudo -ts recent | tail -5
    sleep 10
done

# Add a watch on the fly, then trace every syscall of one process with autrace
# (autrace refuses to run while other rules are loaded; clear them with auditctl -D first)
sudo auditctl -w /etc/passwd -p wa -k password_file
sudo autrace /bin/bash
```

## 34.6 Interview Questions
### Basic Questions

- What is the Linux Audit system?
  - Framework for security event auditing
- What is auditd?
  - Daemon that records audit events
- What do the audit rules -w and -p flags mean?
  - -w = watch file, -p = permissions (rwx)
- What is the audit log location?
  - /var/log/audit/audit.log
- What does -k mean in audit rules?
  - Key for searching logs
## Summary

Quick Reference

Commands:

| Command                  | Purpose        |
|--------------------------|----------------|
| sudo auditctl -l         | List rules     |
| sudo auditctl -R <file>  | Reload rules   |
| ausearch -k key          | Search by key  |
| aureport --summary       | Summary report |

Rule Flags:

| Flag | Meaning                    |
|------|----------------------------|
| -w   | Watch file or directory    |
| -p   | Permissions to watch (rwx) |
| -k   | Key for searching          |
| -a   | Append rule                |
| -S   | Syscall                    |