The audit package ties into the Linux kernel audit subsystem. The audit system audits system calls and other kernel level events, not user-space events, so we need to audit the execve() system call which is what starts executing new programs. For the example in this post, we have taken the CentOS/RHEL system, but the steps remain more or less the same for other *NIX distributions as well.
For CentOS/RHEL 7
Apply audit rules into the system
1. To keep the rules persistent after reboot or service restart, add the following rules to file /etc/audit/rules.d/audit.rules:
# vi /etc/audit/rules.d/audit.rules -a exit,always -F arch=b32 -S execve -k auditcmd -a exit,always -F arch=b64 -S execve -k auditcmd
2. Run “augenrules” command to recreate /etc/audit/audit.rules from all configuration files in /etc/audit/rules.d/audit.rules and restart auditd.
3. If you only want to apply the rules temporarily, run following commands as root:
# auditctl -a exit,always -F arch=b32 -S execve -k auditcmd # auditctl -a exit,always -F arch=b64 -S execve -k auditcmd
Verify Current rules
To verify the current rules, run:
# auditctl -l
Verify audit logs
To verify audit logs for a specific keyword, run:
# ausearch -k auditcmd
For CentOS/RHEL 6
To log all commands
1. First, auditd needs to be running. It should be running by default, but if it’s not, start it with:
# chkconfig auditd on # service auditd start
2. If it is a 64 bit architecture then you need to add two rules to catch both 32-bit and 64-bit system calls. As root, run:
# auditctl -a exit,always -F arch=b32 -S execve # auditctl -a exit,always -F arch=b64 -S execve
3. Run ls /tmp, these 3 events appears in /var/log/audit/audit.log. Lines are wrapped to make it easier to read here, but it’s normally a single long line in the real file.
# tail -f /var/log/audit/audit.log
type=SYSCALL msg=audit(1296773801.756:35241): arch=c000003e syscall=59
success=yes exit=0 a0=cf2d10 a1=9da530 a2=cd4e20 a3=8 items=2
ppid=4146 pid=11827 auid=500 uid=500 gid=500 euid=500
suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts7
ses=3 comm="ls" exe="/bin/ls"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=EXECVE msg=audit(1296773801.756:35241): argc=3 a0="ls"
a1="--color=auto" a2="/tmp" type=CWD msg=audit(1296773801.756:35241):
cwd="/home/username"
type=PATH msg=audit(1296773801.756:35241): item=0 name="/bin/ls"
inode=14418043 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:bin_t:s0 type=PATH
msg=audit(1296773801.756:35241): item=1 name=(null) inode=20447259
dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:ld_so_t:s0
The audit logs are quite verbose, but they contain the full command, including the fact that ls was aliased by the shell to ls –color=auto. The first number in parentheses is a timestamp in seconds after the epoch. This can be converted to a human-readable time with Perl:
$ perl -e 'print scalar(localtime(1296773801.756)) . "\n";' Thu Feb 3 16:56:41 2011
The exit=0 in the SYSCALL line above is regarding the execve() system call, not the overall program.
To log all commands for specific user
1. Start auditd service:
# chkconfig auditd on # service auditd start
2. Add audit rule:
For 64-bit architecture:
# auditctl -a exit,always -F arch=b64 -F uid=500 -S execve -k auditcmd
For 32-bit architecture:
# auditctl -a exit,always -F arch=b32 -F uid=500 -S execve -k auditcmd
Here, uid is of the user for whom auditing is enabled of all commands. Run the auditctl command as root user to add the rules.
3. Verify the logs are being generated by checking /var/log/audit/audit.log file. Once user starts executing commands the logs will appear as below:
# tail -f /var/log/audit/audit.log type=SYSCALL msg=audit(1393407885.099:8614): arch=c000003e syscall=59 success=yes exit=0 a0=158c9b0 a1=1588f10 a2=15a7ae0 a3=18 items=2 ppid=3123 pid=3307 auid=0 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 ses=1 comm="ls" exe="/bin/ls" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) type=EXECVE msg=audit(1393407885.099:8614): argc=2 a0="ls" a1="--color=auto" type=CWD msg=audit(1393407885.099:8614): cwd="/home/sadaf" type=PATH msg=audit(1393407885.099:8614): item=0 name="/bin/ls" inode=408600 dev=fc:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:bin_t:s0 type=PATH msg=audit(1393407885.099:8614): item=1 name=(null) inode=429303 dev=fc:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 type=SYSCALL msg=audit(1393407910.242:8615): arch=c000003e syscall=59 success=yes exit=0 a0=15971e0 a1=158c9b0 a2=15a7ae0 a3=18 items=2 ppid=3123 pid=3310 auid=0 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 ses=1 comm="rmdir" exe="/bin/rmdir" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) type=EXECVE msg=audit(1393407910.242:8615): argc=2 a0="rmdir" a1="data"
How to use auditd to monitor a specific SYSCALL
How to monitor the Mounting/Umounting of Mount Points Using Auditd on CentOS/RHEL 6,7
How to monitor time changes using auditd in CentOS/RHEL
Audit rules for monitoring Copy, move, delete and kill Commands In Linux