• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar
  • Skip to footer navigation

The Geek Diary

  • OS
    • Linux
    • CentOS/RHEL
    • Solaris
    • Oracle Linux
    • VCS
  • Interview Questions
  • Database
    • oracle
    • oracle 12c
    • ASM
    • mysql
    • MariaDB
  • DevOps
    • Docker
    • Shell Scripting
  • Big Data
    • Hadoop
    • Cloudera
    • Hortonworks HDP

Audit rules for monitoring Copy, move, delete and kill Commands In Linux

by admin

System auditing with auditd

System auditing is a very important task that should be a part of every server. It allows us to audit minute details related to what exactly is happening within the system. auditd is a userspace component to the Linux auditing system. This means that system users will be able to run auditd to configure rules and alerts for auditing functionality with the Linux system.

One of the best things about auditd is that it is tightly integrated with the kernel, so it gives us the power to monitor almost everything we want, really. In order to allow users to see what is going on, auditd can record all the audit-related events to a disk and we can use various tools such as ausearch or aureport to go through the log files.

By default, there are no rules that are configured. We need to write our rules in the /etc/audit/audit.rules configuration file that will be read and the corresponding audit actions will be applied.

Installing Auditd

Now that we somewhat understand what auditd is about, let’s go ahead and get working with auditd with the preceding use case:

1. Install the auditd packages. The auditd packages are a part of the default installation CentOS 7 systems. We can verify it with the following command:

# rpm -qa | grep audit
audit-libs-2.6.5-3.el7_3.1.x86_64
audit-2.6.5-3.el7_3.1.x86_64
audit-libs-python-2.6.5-3.el7_3.1.x86_64

2. If the package is not a part of our system, we can go ahead and install it:

# yum install audit

3. Make sure that the audit daemon is running. We will use the following command:

# systemctl status auditd
 auditd.service - Security Auditing Service
    Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled;
 vendor preset: enabled)
    Active: active (running) since Wed 2018-10-24 04:33:48 UTC; 4min
 21s ago
    Docs: man:auditd(8)
          https://people.redhat.com/sgrubb/audit/
    Process: 425 ExecStartPost=/sbin/augenrules --load (code=exited,
  status=0/SUCCESS)
 Main PID: 424 (auditd)
     CGroup: /system.slice/auditd.service
            └─424 /sbin/auditd -n

Since we have an audit daemon up and running, lets see how we can use auditd to achieve all 4 of the use cases.

Auditd Rules for Copy, move, delete and kill Commands

1. Take a backup of the existing configuration file (auditd rules):

# cp /etc/audit/audit.rules /etc/audit/audit.rules.bkp

2. Edit the file /etc/audit/audit.rules and append the following rules to make it persistent:

# vi /etc/audit/audit.rules
# Audit Copy, Move, Delete & Create file commands
-a exit,always -F arch=b64 -S execve -F path=/bin/cp -k Copy
-a exit,always -F arch=b64 -S execve -F path=/bin/mv -k Move_Rename
-a exit,always -F arch=b64 -S execve -F path=/bin/rm -k Delete
-a exit,always -F arch=b64 -S execve -F path=/bin/vi -k Create_Edit_View_File

# Audit shutdown & Reboot command
-a exit,always -F arch=b64 -S execve -F path=/sbin/reboot -k Reboot
-a exit,always -F arch=b64 -S execve -F path=/sbin/init -k Reboot
-a exit,always -F arch=b64 -S execve -F path=/sbin/poweroff -k Reboot
-a exit,always -F arch=b64 -S execve -F path=/sbin/shutdown -k Reboot

# Audit mount unmount commands
-a exit,always -F arch=b64 -S execve -F path=/bin/mount -k mount_device
-a exit,always -F arch=b64 -S execve -F path=/bin/umount -k unmount_device

# Kill Process
-a exit,always -F arch=b64 -S kill -k Kill_Process

3. Restart the auditd service to apply the changes.

# service auditd restart

4. List the added rules, to verify these are correct:

# auditctl -l
Note: bash (and many other shells) has a built-in “kill” command which doesn’t actually run /usr/bin/kill. So if the built-in command is run instead, comm=bash is correct. There is no way to force the system to use the /usr/bin/kill external program. comm=kill is not going to happen in all cases, because shells can call the syscall directly without running the external program named “kill”

Filed Under: Linux

Some more articles you might also be interested in …

  1. pihole Command Examples in Linux
  2. datamash: command not found
  3. debugfs Command Examples in Linux
  4. nping: command not found
  5. hwclock Command Examples in Linux
  6. How to Compress and Extract Files and Directories in Linux Using gzip and bzip2
  7. dunstify: command not found
  8. How to Add or Remove Ports when firewalld is Disabled
  9. lspcmcia Command Examples in Linux
  10. How to allow or deny telnet login to specific users only in CentOS/RHEL

You May Also Like

Primary Sidebar

Recent Posts

  • aws ec2: CLI for AWS EC2 (Command Examples)
  • aws cur – Create, query, and delete AWS usage report definitions (Command Examples)
  • aws configure – Manage configuration for the AWS CLI (Command Examples)
  • aws cognito-idp: Manage Amazon Cognito user pool and its users and groups using the CLI

© 2023 · The Geek Diary

  • Archives
  • Contact Us
  • Copyright