System auditing is a very important task that should be a part of every server. It allows us to audit minute details related to what exactly is happening within the system. Most system administrators might be aware of basic auditing functionalities such as looking into /var/log/secure file for login attempts, but when it comes to low-level auditing, this is where the work needs to be done.
Some of the cases when system auditing helps are:
- Watching for file access: We want to have a report on which files or directories within your server have been accessed or modified and at what time and by which user. This is an important aspect specifically if we want to detect the access to important files within our servers or want to find out who did the change that impacted the production environment.
- Monitoring system calls: Every command that we type in the back makes a system call to the kernel.
Monitoring /etc/shadow and /etc/passwd for changes
1. To monitor the files /etc/shadow and /etc/passwd, add below 2 rules into the auditd rules file /etc/audit/rules.d/audit.rule.
# vi /etc/audit/rules.d/audit.rule -w /etc/shadow -p wa -k shadow -w /etc/passwd -p wa -k passwd
The command above represents the following:
-w path-to-file -p permissions -k keyname
where the permission are any one of the following:
r – read of the file
w – write to the file
x – execute the file
a – change in the file’s attribute (ownership/permissions)
2. Restart the auditd service after defining the above 2 rules.
# service auditd restart
3. Use the “auditctl -l” command to verify the rules you have set.
# auditctl -l -w /etc/shadow -p wa -k shadow -w /etc/passwd -p wa -k passwd
Verify
The log file /var/log/audit/audit.log logs all the auditd related log messages. You can check this log file to see if the shadow and passwd files are changed by someone. This file can be long and system can generate a lot of logs in this file. To filter out the rules we are interested in, we can use the “ausearch” command with the key we specified while defining the rules. For example:
# ausearch -k shadow ---- time->Sat Jun 16 06:23:07 2018 type=PROCTITLE msg=audit(1529130187.897:595): proctitle=7061737377640074657374 type=PATH msg=audit(1529130187.897:595): item=4 name="/etc/shadow" inode=551699 dev=ca:01 mode=0100664 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shadow_t:s0 objtype=CREATE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1529130187.897:595): item=3 name="/etc/shadow" inode=636309 dev=ca:01 mode=0100664 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shadow_t:s0 objtype=DELETE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1529130187.897:595): item=2 name="/etc/nshadow" inode=551699 dev=ca:01 mode=0100664 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shadow_t:s0 objtype=DELETE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1529130187.897:595): item=1 name="/etc/" inode=132 dev=ca:01 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 objtype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1529130187.897:595): item=0 name="/etc/" inode=132 dev=ca:01 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 objtype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=CWD msg=audit(1529130187.897:595): cwd="/root" type=SYSCALL msg=audit(1529130187.897:595): arch=c000003e syscall=82 success=yes exit=0 a0=7f443258a332 a1=7f443258a2bc a2=7f443a3517b8 a3=0 items=5 ppid=4320 pid=4486 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="passwd" exe="/usr/bin/passwd" subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key="shadow"
Similarly, for the /etc/passwd file, we can filter out the logs using:
# ausearch -k passwd time->Sat Jun 16 06:22:56 2018 type=PROCTITLE msg=audit(1529130176.633:589): proctitle=757365726164640074657374 type=PATH msg=audit(1529130176.633:589): item=4 name="/etc/passwd" inode=638208 dev=ca:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:passwd_file_t:s0 objtype=CREATE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1529130176.633:589): item=3 name="/etc/passwd" inode=636309 dev=ca:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:passwd_file_t:s0 objtype=DELETE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1529130176.633:589): item=2 name="/etc/passwd+" inode=638208 dev=ca:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:passwd_file_t:s0 objtype=DELETE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1529130176.633:589): item=1 name="/etc/" inode=132 dev=ca:01 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 objtype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1529130176.633:589): item=0 name="/etc/" inode=132 dev=ca:01 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 objtype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=CWD msg=audit(1529130176.633:589): cwd="/root" type=SYSCALL msg=audit(1529130176.633:589): arch=c000003e syscall=82 success=yes exit=0 a0=7ffc0729ae70 a1=55f815c79ce0 a2=7ffc0729ade0 a3=55f815ce21a0 items=5 ppid=4320 pid=4481 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="useradd" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="passwd"