# Chapter 35: Linux Audit System

## Comprehensive Guide to auditd

### Why This Matters in DevOps/SRE

Audit logging is required for compliance and security investigations:
**Compliance:**

- PCI-DSS → Track all access to cardholder data
- HIPAA → Audit access to PHI
- SOX → Audit financial data access
- SOC 2 → Audit trail for all system access

**Security Forensics:**

- Who accessed what → Individual accountability
- When → Timestamp of all actions
- How → Command that was executed
- Evidence → For incident investigations

**Real-time Monitoring:**

- aureport → Real-time reporting
- ausearch → Query specific events
- watchers → Automated alerting on suspicious activity

**Practical Impact:**
- Meet compliance requirements (PCI-DSS, HIPAA, SOC 2)
- Investigate security incidents with evidence
- Monitor privileged command usage
- Detect insider threats
## 35.1 Understanding Linux Audit

### What is auditd?

The Linux Audit system provides a framework for security auditing. It can track system events, file access, and user actions for compliance and security monitoring.
**Audit System Components:**

| Component | Purpose |
|---|---|
| `auditd` | Daemon that records audit events |
| `auditctl` | Command to control audit rules |
| `ausearch` | Search audit logs |
| `aureport` | Generate audit reports |
| `autrace` | Trace system calls |
| `augenrules` | Generate rules from `/etc/audit/rules.d/` |

Log location: `/var/log/audit/audit.log`
## 35.2 Installation and Configuration

```bash
# Install
sudo apt install auditd      # Debian/Ubuntu
sudo yum install audit       # RHEL/CentOS
sudo pacman -S audit         # Arch

# Start service
sudo systemctl enable --now auditd

# Configuration files
# /etc/audit/auditd.conf       # daemon settings (log file, rotation, actions on disk full)
# /etc/audit/audit.rules       # generated by augenrules from rules.d; do not edit by hand
# /etc/audit/rules.d/*.rules   # put your own rules here
```
## 35.3 Audit Rules
### File Monitoring

```
# Monitor password files
-w /etc/passwd -p wa -k password_file
-w /etc/shadow -p wa -k shadow_file
-w /etc/group -p wa -k group_file

# Monitor SSH
-w /etc/ssh/sshd_config -p wa -k sshd_config
-w /etc/ssh/ssh_config -p wa -k ssh_config

# Monitor sudo
-w /etc/sudoers -p wa -k sudoers
-w /etc/sudoers.d/ -p wa -k sudoers_d

# Monitor system binaries (x = execution)
-w /usr/bin/sudo -p x -k sudo
-w /usr/bin/passwd -p x -k passwd
-w /usr/bin/su -p x -k su

# Monitor cron
-w /etc/cron.allow -p wa -k cron_allow
-w /etc/at.allow -p wa -k at_allow

# Monitor logs
-w /var/log/secure -p wa -k secure_log
-w /var/log/messages -p wa -k messages_log
```
### System Call Monitoring

```
# Monitor execve calls for specific binaries
-a always,exit -F arch=b64 -S execve -F path=/usr/bin/curl -k exec_curl
-a always,exit -F arch=b64 -S execve -F path=/usr/bin/wget -k exec_wget

# Monitor file deletions
-a always,exit -F arch=b64 -S unlink -S unlinkat -k file_delete

# Monitor network connections
-a always,exit -F arch=b64 -S connect -k network_connect

# Monitor mount
-a always,exit -F arch=b64 -S mount -k mount

# Monitor chmod
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -k chmod
```
### User Monitoring

```
# Monitor user sessions
-w /var/run/utmp -p wa -k user_session
-w /var/log/btmp -p wa -k failed_login
-w /var/log/wtmp -p wa -k login_log

# Monitor pam
-w /etc/pam.d/ -p wa -k pam

# Monitor shell config
# Note: auditctl does not expand "~" in rules files; give an explicit path per user
# (root's home shown here, adjust for each account you need to watch)
-w /etc/profile -p wa -k profile
-w /root/.bashrc -p wa -k bashrc
-w /root/.bash_profile -p wa -k bash_profile
```
### Loading Rules

```bash
# Load rules from a file
sudo auditctl -R /etc/audit/rules.d/security.rules

# Or merge every file in /etc/audit/rules.d/ and load the result
sudo augenrules --load

# Check current rules
sudo auditctl -l

# Check audit subsystem status (enabled flag, backlog, lost events)
sudo auditctl -s
```
## 35.4 Log Analysis
### ausearch

```bash
# Search recent events
ausearch -ts recent
ausearch -ts today
ausearch -ts yesterday

# Search by key
ausearch -k password_file
ausearch -k sshd_config

# Search by user (numeric uid or user name are both accepted)
ausearch -ui 1000
ausearch -ua root

# Search by syscall
ausearch -sc execve
ausearch -sc connect

# Search by file
ausearch -f /etc/passwd

# Search failed events (-sv selects the success value of the syscall)
ausearch -sv no
ausearch -sc execve -sv no

# Combine options (-i interprets uids, syscall numbers and timestamps)
ausearch -k password_file -ts recent -i

# Export as CSV (ausearch has no JSON output; formats are raw, default, interpret, csv, text)
ausearch -k password_file --format csv
```
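The searches above operate on the raw `key=value` records in `/var/log/audit/audit.log`. The following is an added example (not part of the page or of the audit project) that parses that format and reproduces the `-k KEY -sv no` style query, grouping the SYSCALL, EXECVE and PATH records of one event by their shared serial number; the log lines are constructed samples.

```python
import re
from collections import defaultdict
# Constructed sample audit.log records (not a real capture). Records sharing one
# audit(timestamp:serial) id belong to the same event, exactly as in the real log.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.100:201): arch=c000003e syscall=59 success=yes exit=0 ppid=4100 pid=4101 auid=1000 uid=1000 euid=0 comm="sudo" exe="/usr/bin/sudo" key="sudo_exec"
type=EXECVE msg=audit(1700000000.100:201): argc=3 a0="sudo" a1="systemctl" a2="status"
type=SYSCALL msg=audit(1700000000.250:202): arch=c000003e syscall=59 success=no exit=-13 ppid=4200 pid=4201 auid=1001 uid=1001 euid=1001 comm="sudo" exe="/usr/bin/sudo" key="sudo_exec"
type=EXECVE msg=audit(1700000000.250:202): argc=3 a0="sudo" a1="cat" a2="/etc/shadow"
type=SYSCALL msg=audit(1700000000.400:203): arch=c000003e syscall=257 success=yes exit=3 auid=1000 uid=0 euid=0 comm="vi" exe="/usr/bin/vi" key="passwd_modify"
type=PATH msg=audit(1700000000.400:203): item=0 name="/etc/passwd" nametype=NORMAL
"""
HEADER_RE = re.compile(r"^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$")
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_record(line):
    """Split one raw record into a dict of fields (surrounding quotes stripped)."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(4))}
    rec.update(type=m.group(1), ts=float(m.group(2)), serial=int(m.group(3)))
    return rec

def search(lines, key, success=None):
    """Like `ausearch -k KEY [-sv yes|no]`: one summary per event carrying that key."""
    events = defaultdict(list)  # serial -> [SYSCALL, EXECVE, PATH, ...]
    for line in lines:
        rec = parse_record(line)
        if rec:
            events[rec["serial"]].append(rec)
    hits = []
    for serial, recs in sorted(events.items()):
        sc = next((r for r in recs if r["type"] == "SYSCALL"), None)
        if sc is None or sc.get("key") != key:
            continue
        if success is not None and sc.get("success") != success:
            continue
        ex = next((r for r in recs if r["type"] == "EXECVE"), None)
        argv = [ex[f"a{i}"] for i in range(int(ex["argc"]))] if ex else []
        # auid is the login uid and survives sudo/su: it names the accountable user
        hits.append({"serial": serial, "auid": sc.get("auid"), "uid": sc.get("uid"),
                     "exe": sc.get("exe"), "success": sc["success"], "exit": sc.get("exit"),
                     "argv": argv, "paths": [r["name"] for r in recs if r["type"] == "PATH"]})
    return hits

if __name__ == "__main__":
    for hit in search(SAMPLE_LOG.splitlines(), "sudo_exec", success="no"):
        print(f"auid={hit['auid']} exe={hit['exe']} exit={hit['exit']} argv={hit['argv']}")
```

Real EXECVE records hex-encode arguments that contain spaces or non-printable bytes; `ausearch -i` decodes them, this parser does not.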
### aureport

```bash
# Summary
aureport --summary

# Events
aureport --event

# Files
aureport --file

# Users
aureport --user

# Failed events
aureport --failed

# Executables
aureport --executable

# Login/logout
aureport --login

# Generate a report for today (-ts sets the start time)
aureport -ts today > /tmp/audit_report.txt
```
## 35.5 Real-time Monitoring
### aureport with watch

```bash
# Live monitoring of TTY records for privileged accounts
aureport --tty -i | grep -E "root|admin"

# Using ausearch in a loop
while true; do
  ausearch -k sudo -ts recent | tail -5
  sleep 10
done

# Add a watch rule at runtime (not persistent unless also written to rules.d)
sudo auditctl -w /etc/passwd -p wa -k password_file

# Trace every system call made by one program; the records go to the audit log
sudo autrace /bin/bash
```
## 35.6 Interview Questions
Section titled “Basic Questions”-
What is the Linux Audit system?
- Framework for security event auditing
-
What is auditd?
- Daemon that records audit events
-
What do the audit rules -w and -p flags mean?
- -w = watch file, -p = permissions (rwx)
-
What is the audit log location?
- /var/log/audit/audit.log
-
What does -k mean in audit rules?
- Key for searching logs
## Common Mistakes & Anti-Patterns
### 1. Not Configuring Audit Rules

```
# ❌ WRONG: Running auditd without custom rules
# Default rules don't track important files!

# ✅ CORRECT: Add essential audit rules
# /etc/audit/rules.d/security.rules
-w /etc/passwd -p wa -k passwd_modify
-w /etc/shadow -p wa -k shadow_modify
-w /etc/sudoers -p wa -k sudoers_modify
-w /usr/bin/sudo -p x -k sudo_exec
-a always,exit -F arch=b64 -S execve -F path=/usr/bin/wget -k wget_exec
```
### 2. Ignoring Audit Log Rotation

```
# ❌ WRONG: Not configuring log rotation
# Disk fills up, auditd stops!

# ✅ CORRECT: Configure proper rotation
# /etc/audit/auditd.conf
max_log_file = 50
max_log_file_action = ROTATE
num_logs = 5
```
### 3. Not Searching Audit Logs

```bash
# ❌ WRONG: Only looking at logs when breached
# Should regularly review for anomalies

# ✅ CORRECT: Regular log review
aureport --start this-week
# Find failed sudo attempts
ausearch -k sudo_exec -sv no
# Find file modifications
ausearch -k passwd_modify
```
### 4. Overly Verbose Rules

```
# ❌ WRONG: Auditing too much
-w / -p wa    # Logs EVERYTHING!
# System becomes extremely slow!

# ✅ CORRECT: Audit specific sensitive files only
-w /etc/passwd -p wa
-w /etc/shadow -p wa
-w /etc/sudoers -p wa
-w /var/log/ -p wa
```
## Summary

### Quick Reference

**Commands:**

| Command | Purpose |
|---|---|
| `sudo auditctl -l` | List rules |
| `sudo auditctl -R` | Reload rules |
| `ausearch -k key` | Search by key |
| `aureport --summary` | Summary report |

**Rule Flags:**

| Flag | Meaning |
|---|---|
| `-w` | Watch file or directory |
| `-p` | Permissions to watch (rwx) |
| `-k` | Key for searching |
| `-a` | Append rule |
| `-S` | Syscall |