System auditing with auditd
System auditing is a very important task that should be a part of every server. It allows us to audit minute details related to what exactly is happening within the system. auditd is a userspace component to the Linux auditing system. This means that system users will be able to run auditd to configure rules and alerts for auditing functionality with the Linux system.
One of the best things about auditd is that it is tightly integrated with the kernel, so it gives us the power to monitor almost everything we want, really. In order to allow users to see what is going on, auditd can record all the audit-related events to a disk and we can use various tools such as ausearch or aureport to go through the log files.
By default, there are no rules that are configured. We need to write our rules in the /etc/audit/audit.rules configuration file that will be read and the corresponding audit actions will be applied.
Now that we somewhat understand what auditd is about, let’s go ahead and get working with auditd with the preceding use case:
1. Install the auditd packages. The auditd packages are a part of the default installation CentOS 7 systems. We can verify it with the following command:
# rpm -qa | grep audit audit-libs-2.6.5-3.el7_3.1.x86_64 audit-2.6.5-3.el7_3.1.x86_64 audit-libs-python-2.6.5-3.el7_3.1.x86_64
2. If the package is not a part of our system, we can go ahead and install it:
# yum install audit
3. Make sure that the audit daemon is running. We will use the following command:
# systemctl status auditd auditd.service - Security Auditing Service Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled) Active: active (running) since Wed 2018-10-24 04:33:48 UTC; 4min 21s ago Docs: man:auditd(8) https://people.redhat.com/sgrubb/audit/ Process: 425 ExecStartPost=/sbin/augenrules --load (code=exited, status=0/SUCCESS) Main PID: 424 (auditd) CGroup: /system.slice/auditd.service └─424 /sbin/auditd -n
Since we have an audit daemon up and running, lets see how we can use auditd to achieve all 4 of the use cases.
Auditd Rules for Copy, move, delete and kill Commands
1. Take a backup of the existing configuration file (auditd rules):
# cp /etc/audit/audit.rules /etc/audit/audit.rules.bkp
2. Edit the file /etc/audit/audit.rules and append the following rules to make it persistent:
# vi /etc/audit/audit.rules # Audit Copy, Move, Delete & Create file commands -a exit,always -F arch=b64 -S execve -F path=/bin/cp -k Copy -a exit,always -F arch=b64 -S execve -F path=/bin/mv -k Move_Rename -a exit,always -F arch=b64 -S execve -F path=/bin/rm -k Delete -a exit,always -F arch=b64 -S execve -F path=/bin/vi -k Create_Edit_View_File # Audit shutdown & Reboot command -a exit,always -F arch=b64 -S execve -F path=/sbin/reboot -k Reboot -a exit,always -F arch=b64 -S execve -F path=/sbin/init -k Reboot -a exit,always -F arch=b64 -S execve -F path=/sbin/poweroff -k Reboot -a exit,always -F arch=b64 -S execve -F path=/sbin/shutdown -k Reboot # Audit mount unmount commands -a exit,always -F arch=b64 -S execve -F path=/bin/mount -k mount_device -a exit,always -F arch=b64 -S execve -F path=/bin/umount -k unmount_device # Kill Process -a exit,always -F arch=b64 -S kill -k Kill_Process
3. Restart the auditd service to apply the changes.
# service auditd restart
4. List the added rules, to verify these are correct:
# auditctl -l