Audit Rules for Monitoring Copy, Move, Delete and Kill Commands in Linux

By admin

System auditing with auditd

System auditing should be part of every server build: it records, in fine detail, what is actually happening on the system. auditd is the userspace daemon of the Linux Audit framework. The kernel generates the audit events; auditd receives them and writes them to disk, and the rules that decide which events are generated are loaded into the kernel with auditctl.

Because the audit subsystem lives in the kernel, almost anything can be watched: system calls, file accesses, logins and more. auditd writes the events to /var/log/audit/audit.log by default, and the ausearch and aureport tools query that log.

No rules are configured by default. Rules are kept in /etc/audit/audit.rules; on systems where auditd.service runs augenrules at start (as the status output below shows), that file is generated from the *.rules files under /etc/audit/rules.d/, so persistent rules belong there. The rules are loaded into the kernel when auditd starts.

Installing Auditd

With that background, let's set up auditd for the use case in the title:

1. Install the audit packages. They are part of a default CentOS 7 installation, which we can verify with:

# rpm -qa | grep audit
audit-libs-2.6.5-3.el7_3.1.x86_64
audit-2.6.5-3.el7_3.1.x86_64
audit-libs-python-2.6.5-3.el7_3.1.x86_64

2. If the package is missing, install it:

# yum install audit

3. Make sure the audit daemon is running:

# systemctl status auditd
 auditd.service - Security Auditing Service
    Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
    Active: active (running) since Wed 2018-10-24 04:33:48 UTC; 4min 21s ago
      Docs: man:auditd(8)
            https://people.redhat.com/sgrubb/audit/
   Process: 425 ExecStartPost=/sbin/augenrules --load (code=exited, status=0/SUCCESS)
  Main PID: 424 (auditd)
    CGroup: /system.slice/auditd.service
            └─424 /sbin/auditd -n

With the audit daemon up and running, let's see how to cover the four use cases from the title (copy, move, delete and kill), plus a few related commands.

Auditd Rules for Copy, Move, Delete and Kill Commands

1. Take a backup of the existing rules file:

# cp /etc/audit/rules.d/audit.rules /etc/audit/rules.d/audit.rules.bkp

(augenrules only reads files whose names end in .rules, so the backup is never loaded.)

2. Append the following rules to /etc/audit/rules.d/audit.rules so they persist. On CentOS/RHEL 7 augenrules rebuilds /etc/audit/audit.rules from the files in rules.d every time auditd starts, so rules added directly to /etc/audit/audit.rules are overwritten. The rules below match only the 64-bit syscall ABI (arch=b64); if 32-bit programs can run on the system, add a matching arch=b32 rule for each. auditctl accepts both "-a exit,always" and the order its man page documents, "-a always,exit".

# vi /etc/audit/rules.d/audit.rules
# Audit Copy, Move, Delete & Create file commands
-a exit,always -F arch=b64 -S execve -F path=/bin/cp -k Copy
-a exit,always -F arch=b64 -S execve -F path=/bin/mv -k Move_Rename
-a exit,always -F arch=b64 -S execve -F path=/bin/rm -k Delete
-a exit,always -F arch=b64 -S execve -F path=/bin/vi -k Create_Edit_View_File

# Audit shutdown & Reboot command
-a exit,always -F arch=b64 -S execve -F path=/sbin/reboot -k Reboot
-a exit,always -F arch=b64 -S execve -F path=/sbin/init -k Reboot
-a exit,always -F arch=b64 -S execve -F path=/sbin/poweroff -k Reboot
-a exit,always -F arch=b64 -S execve -F path=/sbin/shutdown -k Reboot

# Audit mount unmount commands
-a exit,always -F arch=b64 -S execve -F path=/bin/mount -k mount_device
-a exit,always -F arch=b64 -S execve -F path=/bin/umount -k unmount_device

# Kill Process
-a exit,always -F arch=b64 -S kill -k Kill_Process

3. Load the new rules. On CentOS/RHEL 7 auditd.service refuses systemctl stop/restart (the unit is marked RefuseManualStop), so use the service command instead, which the audit package supports for this purpose:

# service auditd restart

Alternatively, augenrules --load merges the rules.d files and loads them into the kernel without restarting the daemon.

4. List the loaded rules to verify they are correct:

# auditctl -l

Then run one of the monitored commands (for example, delete a scratch file) and confirm the event was recorded with ausearch -k <key>; ausearch -i translates numeric fields such as uid and the syscall number into names.

Note: bash (and many other shells) has a built-in kill command that does not execute /usr/bin/kill. The Kill_Process rule is a syscall rule with no path filter, so it still fires, but the SYSCALL record then shows comm=bash (the process that made the kill(2) call) rather than comm=kill. You cannot force users to run the external /usr/bin/kill binary, and any program can issue the syscall directly, so comm=kill will not appear in every case. Because the rule has no filter it also records every kill(2) call on the system, including harmless ones such as "kill -0" liveness checks; narrow it with -F fields such as auid or the signal number (a1) if the volume is too high.
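As an added example (not part of the original article), the script below covers two things a practitioner wants after adding rules like these. gen_exec_rules prints the execve rules for both syscall ABIs in the documented "-a always,exit" form, ready to redirect into a file under /etc/audit/rules.d/ and load with augenrules --load. summarize_audit_log reads raw /var/log/audit/audit.log text and prints one line per event, joining the SYSCALL record (key, auid, uid, comm, exe) with the EXECVE record that carries the real argv, decoding the hex-encoded argument and syscall-argument fields that the raw log uses. The function names and the sample log lines are this example's own; the sample is constructed to look like what the Delete and Kill_Process rules above produce, and its second event is the comm=bash case described in the note.

```sh
#!/bin/sh
# Added example, not from the original article. Two helpers: one emits the execve
# rules for both syscall ABIs, the other summarises raw audit.log records.
# Function names and the sample log lines are this example's own (constructed).

# gen_exec_rules KEY=PATH ... : print one rule per ABI for each program. A 32-bit
# caller is only matched by an arch=b32 filter, so both are emitted. Redirect the
# output to /etc/audit/rules.d/<name>.rules and run `augenrules --load`.
gen_exec_rules() {
    for pair in "$@"; do
        key=${pair%%=*}
        path=${pair#*=}
        for arch in b64 b32; do
            printf '%s always,exit -F arch=%s -S execve -F path=%s -k %s\n' \
                -a "$arch" "$path" "$key"
        done
    done
}

# summarize_audit_log < audit.log : one line per event id. Records that share a
# msg=audit(TIME:ID) belong to one event; SYSCALL carries key/comm/exe/ids and
# EXECVE carries argv. Raw logs store a0-a3 and "unsafe" argv strings as hex.
summarize_audit_log() {
    awk '
    function hex2dec(h,   i, n, c) {
        n = 0; h = tolower(h)
        for (i = 1; i <= length(h); i++) {
            c = index("0123456789abcdef", substr(h, i, 1)) - 1
            if (c < 0) return -1
            n = n * 16 + c
        }
        return n
    }
    # an argv entry with spaces or control bytes is logged as an unquoted hex string
    function hexstr2str(h,   j, s) {
        s = ""
        for (j = 1; j + 1 <= length(h); j += 2) s = s sprintf("%c", hex2dec(substr(h, j, 2)))
        return s
    }
    # value of NAME=VALUE or NAME="VALUE" in LINE; "" if absent
    function fld(line, name,   m) {
        if (match(line, " " name "=\"[^\"]*\"")) {
            m = substr(line, RSTART, RLENGTH); sub(/^[^"]*"/, "", m); sub(/"$/, "", m); return m
        }
        if (match(line, " " name "=[^ ]*")) {
            m = substr(line, RSTART, RLENGTH); sub(/^[^=]*=/, "", m); return m
        }
        return ""
    }
    {
        if (!match($0, /msg=audit\([0-9.]+:[0-9]+\)/)) next
        id = substr($0, RSTART, RLENGTH)
        sub(/^msg=audit\([0-9.]+:/, "", id); sub(/\)$/, "", id)
        if ($1 == "type=SYSCALL") {
            order[++n] = id
            key[id] = fld($0, "key");   comm[id] = fld($0, "comm"); exe[id] = fld($0, "exe")
            auid[id] = fld($0, "auid"); uid[id] = fld($0, "uid");   nr[id] = fld($0, "syscall")
            a0[id] = fld($0, "a0");     a1[id] = fld($0, "a1")
        } else if ($1 == "type=EXECVE") {
            argc = fld($0, "argc") + 0; cmd = ""
            for (i = 0; i < argc; i++) {
                v = fld($0, "a" i)
                if (index($0, " a" i "=\"") == 0) v = hexstr2str(v)
                cmd = cmd (i ? " " : "") v
            }
            argv[id] = cmd
        }
    }
    END {
        for (i = 1; i <= n; i++) {
            id = order[i]
            line = sprintf("id=%s key=%s auid=%s uid=%s comm=%s exe=%s",
                           id, key[id], auid[id], uid[id], comm[id], exe[id])
            if (id in argv) line = line " cmd=\"" argv[id] "\""
            # syscall 62 is kill(2) on x86_64 (arch=c000003e): a0 = target pid, a1 = signal
            if (nr[id] == "62") line = line sprintf(" target_pid=%d signal=%d", hex2dec(a0[id]), hex2dec(a1[id]))
            print line
        }
    }'
}

# Constructed sample: an rm matched by the Delete rule (argv a2 is hex because it
# contains a space) and a kill(2) issued by the bash builtin, hence comm="bash".
SAMPLE_LOG='type=SYSCALL msg=audit(1540354000.123:456): arch=c000003e syscall=59 success=yes exit=0 a0=1b4a2c0 a1=1b4a340 a2=1b38b40 a3=7ffd2a0 items=2 ppid=1234 pid=1240 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="rm" exe="/usr/bin/rm" key="Delete"
type=EXECVE msg=audit(1540354000.123:456): argc=3 a0="rm" a1="-rf" a2=2F746D702F6D7920666F6C646572
type=CWD msg=audit(1540354000.123:456):  cwd="/root"
type=SYSCALL msg=audit(1540354010.555:457): arch=c000003e syscall=62 success=yes exit=0 a0=4d2 a1=9 a2=0 a3=0 items=0 ppid=1200 pid=1210 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=4 comm="bash" exe="/usr/bin/bash" key="Kill_Process"'

# Stand-alone usage: rules to install, then the summary of the sample log.
gen_exec_rules Copy=/bin/cp Move_Rename=/bin/mv Delete=/bin/rm
printf '%s\n' "$SAMPLE_LOG" | summarize_audit_log
```

On a real host, feed the summariser with the daemon's log (for example `ausearch -k Delete --raw | summarize_audit_log`, or the file itself) rather than the constructed sample; the join on the audit message id is the same one ausearch performs, and the decoded kill target pid and signal are what you would otherwise have to read from the hex a0/a1 fields by hand.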

Filed Under: Linux

© 2021 · The Geek Diary