(RHEL) HOWTO configure the auditing of the system (auditd)

From DGZWiki
Latest revision as of 10:10, 10 June 2011

Introduction

The audit service provides system auditing. By default it records SELinux AVC denials and certain security-relevant events such as system logins, account modifications, and authentication events performed by programs such as sudo.

Under its default configuration, auditd has modest disk space requirements and should not noticeably impact system performance. The audit service, configured with at least its default rules, is strongly recommended for all sites, whether or not they run SELinux. Sites with high security requirements often have substantial auditing needs, and auditd can be configured to meet them, for example:

  • Ensure auditing is configured to collect certain system events
  • Information on the use of print commands (unsuccessful and successful)
  • Startup and shutdown events (unsuccessful and successful)
  • Ensure the auditing software can record the following for each audit event:
    • When the event occurred
    • Who initiated the event
    • The type of the event
    • Success or failure of the event
    • Origin of the request (for example, the terminal ID)
    • For events that introduce an object into a user's address space, and for object deletion events, the name of the object and, on MLS systems, the object's security level
  • Ensure daily review of the audit logs
  • Ensure that the audit data files have restrictive permissions (0640 or stricter)

Install the audit package

The audit package contains the user-space utilities for storing and searching the audit records generated by the audit subsystem of the Linux 2.6 kernel. Use yum to install the package:

Command: installing the audit service
# yum install audit

Enable the auditd Service

To start the auditd service automatically at boot time, enable it with chkconfig:

Command: autostarting the audit service
# chkconfig auditd on

By default, auditd logs only:

  • SELinux denials,
  • modifications to user accounts (useradd, passwd, etc),
  • login events,
  • sudo calls.

Log files are stored in /var/log/audit/audit.log. By default auditd rotates the log when it reaches 5 MB and keeps 4 files, so at most 20 MB of audit data is retained in total. When free space on the file system runs low, auditd stops writing records rather than letting audit data fill the file system and affect other services (the default admin_space_left_action is suspend). Audit records can also be lost under heavy load, when the kernel's audit backlog overflows before auditd can drain it.

Configure data retention

Amount of data to retain

First, decide how much audit data (in megabytes) to retain in each log file, then edit /etc/audit/auditd.conf:

Command: editing /etc/audit/auditd.conf
# vi /etc/audit/auditd.conf

Add or modify the following line (where SIZE is the chosen amount of audit data in megabytes):

Config File: /etc/audit/auditd.conf
...
max_log_file = SIZE
...

Dedicated partition

Use a dedicated file system for the audit logs; creating such a partition or logical volume is easiest at installation time. The file system must be larger than the maximum space auditd will use, which is the maximum size of each log file (max_log_file) multiplied by the number of log files kept (num_logs), plus the free-space headroom the space_left and admin_space_left thresholds (also in megabytes) expect: if the logs alone can fill the file system, normal rotation will trigger those actions.

Once the file system is created, add the following line to /etc/fstab (adjust it to the system configuration):

Config File: /etc/fstab
...
/dev/vg/audit   /var/log/audit   ext3    defaults,noexec,nodev,nosuid     0 0
...

Mount the file system using the following command:

Command: mounting /var/log/audit
# mount /var/log/audit
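As an added check for the sizing rule above (example code written for this page, not part of the original HOWTO or of the audit package), the following shell script reads the retention keys from an auditd.conf, computes the file-system size the configured rotation needs, flags an admin_space_left threshold that is not below space_left, and compares the requirement with a free-space figure such as one taken from df. The two configuration files it parses are constructed samples; only the key names used on this page are read.

```shell
#!/bin/sh
# Added example (not from the page): sanity-check the retention settings in an
# auditd.conf and work out how large the dedicated audit file system must be.
# Only the key names this page uses are read; keys and values are case-insensitive.

auditd_conf_get() {
    # usage: auditd_conf_get FILE KEY -> lower-cased value, empty if KEY is unset
    awk -F '=' -v key="$2" '
        /^[ \t]*#/ || !/=/ { next }
        {
            k = $1; v = $2
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == tolower(key)) { print tolower(v); exit }
        }' "$1"
}

auditd_required_mb() {
    # Smallest audit file system (MB, before file-system metadata overhead) on
    # which normal log growth never pushes free space below space_left, i.e.
    # never triggers space_left_action during routine operation.
    conf=$1
    action=$(auditd_conf_get "$conf" max_log_file_action)
    max=$(auditd_conf_get "$conf" max_log_file)
    num=$(auditd_conf_get "$conf" num_logs)
    left=$(auditd_conf_get "$conf" space_left)
    case ${action:-rotate} in              # auditd's built-in default is ROTATE
        rotate)  echo $(( ${max:-0} * ${num:-0} + ${left:-0} )) ;;  # num_logs files of max_log_file MB
        suspend) echo $(( ${max:-0} + ${left:-0} )) ;;              # writing stops after one full file
        *)       echo unbounded ;;   # keep_logs keeps every file; ignore/syslog keep appending
    esac
}

auditd_conf_check() {
    # Prints one finding per line; returns 1 when the thresholds cannot work.
    conf=$1; rc=0
    sl=$(auditd_conf_get "$conf" space_left)
    asl=$(auditd_conf_get "$conf" admin_space_left)
    if [ -n "$sl" ] && [ -n "$asl" ] && [ "$asl" -ge "$sl" ]; then
        echo "admin_space_left=$asl is not below space_left=$sl: the admin action fires before the warning"
        rc=1
    fi
    if [ "$(auditd_required_mb "$conf")" = unbounded ] &&
       [ "$(auditd_conf_get "$conf" admin_space_left_action)" = halt ]; then
        echo "log growth is unbounded and admin_space_left_action=halt: the host will halt itself once the file system fills"
    fi
    return $rc
}

auditd_fs_ok() {
    # usage: auditd_fs_ok FILE FREE_MB, with FREE_MB taken from the live system,
    # e.g. df -m /var/log/audit | awk 'NR == 2 { print $4 }'
    need=$(auditd_required_mb "$1")
    [ "$need" != unbounded ] && [ "$2" -ge "$need" ]
}

# Constructed sample configurations: the first mirrors the settings on this page,
# the second has inverted thresholds and unbounded growth.
GOOD_CONF=$(mktemp) ; BAD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
log_file = /var/log/audit/audit.log
max_log_file = 20
num_logs = 4
max_log_file_action = ROTATE
space_left = 75
space_left_action = email
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = halt
EOF
cat > "$BAD_CONF" <<'EOF'
max_log_file = 20
num_logs = 4
max_log_file_action = keep_logs
space_left = 75
admin_space_left = 100
admin_space_left_action = halt
EOF

echo "good: needs $(auditd_required_mb "$GOOD_CONF") MB"   # 20*4 + 75 = 155
auditd_conf_check "$GOOD_CONF" && echo "good: thresholds ok"
echo "bad: required size: $(auditd_required_mb "$BAD_CONF")"
auditd_conf_check "$BAD_CONF" || echo "bad: fix auditd.conf before relying on it"
```

On a live host, pass the output of df -m for /var/log/audit to auditd_fs_ok; a file system that is smaller than the number it prints will trip space_left_action from ordinary rotation, not from an incident.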

Avoid the loss of audit data

If no audit data may ever be lost, auditd can be configured to halt the system when auditing can no longer be performed, that is, when free space on the audit file system runs low.

Edit /etc/audit/auditd.conf:

Command: editing /etc/audit/auditd.conf
# vi /etc/audit/auditd.conf

Add or modify the following lines:

Config File: /etc/audit/auditd.conf
...
space_left_action = email
action_mail_acct = root
admin_space_left_action = halt
...

The default action when a log file reaches its maximum size is to rotate the logs, deleting the oldest one once num_logs is exceeded. If retaining all audit data matters more, even at the risk of filling the file system completely and triggering the action defined by admin_space_left_action, the logs can be kept indefinitely. Note that, combined with admin_space_left_action = halt, this is a deliberate availability trade-off: any process able to generate a high volume of audited events can drive the file system below admin_space_left and take the host down, so act on the space_left e-mail warnings and keep admin_space_left well below space_left. To keep all logs, add or modify the line:

Config File: /etc/audit/auditd.conf
...
max_log_file_action = keep_logs
...

Enable auditing for processes starting before the auditd service

Each process on the system carries an auditable flag that indicates whether its activity can be audited. auditd enables it for every process started after the daemon itself, but processes started earlier in the boot (init and the services it launches before auditd) would otherwise remain unaudited for their lifetime. Adding the kernel argument below enables auditing from the start of boot, so the flag is set for every process.

To ensure that all processes can be audited, add the argument audit=1 to the kernel line in /etc/grub.conf:

Config File: /etc/grub.conf
...
kernel /vmlinuz-VERSION ro vga=ext root=/dev/vg/root rhgb quiet audit=1
...

Configure comprehensive auditing rules

The auditd program can perform comprehensive monitoring of system activity. This section describes recommended configuration settings for comprehensive auditing but should not be considered as a complete guide.

The audit subsystem supports extensive collection of events, including:

  • Tracing of arbitrary system calls (identified by name or number) on entry or exit.
  • Filtering by PID, UID, call success, system call argument (with some limitations), etc.
  • Monitoring of specific files for modifications to the file’s contents or metadata.

Audit rules are defined in /etc/audit/audit.rules. Each line in that file is a set of arguments to auditctl and can be tested individually by running auditctl with the same arguments; auditctl -l lists the rules currently loaded. See the documentation in /usr/share/doc/audit-VERSION and the auditctl(8) and auditd.conf(5) man pages for details.

Recommended audit rules are provided in the template /usr/share/doc/audit-VERSION/stig.rules. To activate them, copy the template over the auditd rules file (back up the existing /etc/audit/audit.rules first, as the copy replaces it):

Command: copying recommended audit rules
# cp /usr/share/doc/audit-VERSION/stig.rules /etc/audit/audit.rules

Then edit /etc/audit/audit.rules and comment out the lines containing arch= that do not apply: on a 32-bit kernel the arch=b64 lines, while on x86_64 both the b32 and b64 lines should stay active, because 32-bit binaries enter the kernel through the 32-bit syscall table and would otherwise go unaudited. Review the remaining rules and enable those the system needs. After the review, load the rules by restarting the service (the init script loads the file with auditctl -R, so any line auditctl rejects is reported at this point):

Command: restarting the auditd service
# service auditd restart

Records events that modify time information

Add the following lines to /etc/audit/audit.rules, replacing ARCH with b32 or b64 to match the system (on x86_64 add each syscall rule twice, once per architecture). Note that stime exists only in the 32-bit syscall table: auditctl rejects -S stime together with arch=b64, so drop it from the b64 copy.

Config File: /etc/audit/audit.rules
...
-a always,exit -F arch=ARCH -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=ARCH -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change
...

Record events that modify account information

Add the following to /etc/audit/audit.rules to audit events that modify account changes:

Config File: /etc/audit/audit.rules
...
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
...

Record events that modify the network configuration

Add the following to /etc/audit/audit.rules, replacing ARCH with b32 or b64 to match the system:

Config File: /etc/audit/audit.rules
...
-a exit,always -F arch=ARCH -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/sysconfig/network -p wa -k system-locale
...

Record events that modify the SElinux configuration

Add the following to /etc/audit/audit.rules:

Config File: /etc/audit/audit.rules
...
-w /etc/selinux/ -p wa -k MAC-policy
...

Record logon and logout Events

The audit system should collect login info for all users and root. Add the following to /etc/audit/audit.rules:

Config File: /etc/audit/audit.rules
...
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
...

Record process and session initiation information

The audit system should collect process information for all users and root. Add the following to /etc/audit/audit.rules:

Config File: /etc/audit/audit.rules
...
-w /var/run/utmp -p wa -k session
-w /var/log/btmp -p wa -k session
-w /var/log/wtmp -p wa -k session
...

Record discretionary access control permission modification events

The audit system should collect file permission changes for all users and root. Add the following to /etc/audit/audit.rules, replacing ARCH with b32 or b64 to match the system. The -F auid>=500 filter restricts the rule to login sessions of regular users (500 is the first regular UID on RHEL 5 and 6, see UID_MIN in /etc/login.defs; adjust it if the system uses another value), and -F auid!=4294967295 excludes processes that have no login UID at all, such as daemons started at boot (4294967295 is the unsigned representation of -1, the unset value):

Config File: /etc/audit/audit.rules
...
-a always,exit -F arch=ARCH -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=ARCH -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=ARCH -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
...

Record unauthorized access attempts to files (unsuccessful)

The audit system should collect unauthorized file accesses for all users and root. Add the following to /etc/audit/audit.rules, replacing ARCH with b32 or b64 to match the system (the exit filters match the EACCES and EPERM errno values returned by the failed call):

Config File: /etc/audit/audit.rules
...
-a always,exit -F arch=ARCH -S creat -S open -S openat -S truncate -S ftruncate \
-F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=ARCH -S creat -S open -S openat -S truncate -S ftruncate \
-F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
...

Record the use of privileged commands

The audit system should record the execution of privileged commands for all users and root. This requires adding an audit rule to watch execution of each setuid or setgid program.

Run the following command for each local file system (replace FS with its mount point) to generate one rule per setuid or setgid program. The awk expression prints the whole line ($0), so paths containing spaces are kept intact:

Command: finding files with setuid or setgid
# find FS -xdev \( -perm -4000 -o -perm -2000 \) -type f | awk '{print "-a always,exit -F path=" $0 " -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged" }'

Next, add those lines to /etc/audit/audit.rules. The set of setuid and setgid programs changes as packages are installed or updated, so regenerate the list after package changes.

Record information on exporting to Media (successful)

The audit system should collect media exportation events for all users and root. Add the following to /etc/audit/audit.rules, replacing ARCH with b32 or b64 to match the system:

Config File: /etc/audit/audit.rules
...
-a always,exit -F arch=ARCH -S mount -F auid>=500 -F auid!=4294967295 -k export
...

Record files deletion events by User (successful and unsuccessful)

The audit system should collect file deletion events for all users and root. Add the following to /etc/audit/audit.rules, replacing ARCH with b32 or b64 to match the system:

Config File: /etc/audit/audit.rules
...
-a always,exit -F arch=ARCH -S unlink -S unlinkat -S rename -S renameat -F auid>=500 \
-F auid!=4294967295 -k delete
...

Record system administrator actions

The audit system should collect system administrator actions for all users and root. Add the following to /etc/audit/audit.rules:

Config File: /etc/audit/audit.rules
...
-w /etc/sudoers -p wa -k actions
...

Record information on kernel module loading and unloading

Add the following to /etc/audit/audit.rules to capture kernel module loading and unloading events. The last rule carries no arch= filter; on a 64-bit kernel auditctl warns about a 32/64-bit syscall mismatch and builds the rule against the native syscall table only, so add -F arch=ARCH (both architectures on x86_64) as in the other syscall rules:

Config File: /etc/audit/audit.rules
...
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -S init_module -S delete_module -k modules
...

Make the auditd Configuration Immutable

Add the following as the very last line of /etc/audit/audit.rules to make the configuration immutable (once this line is processed, any rule that follows it is rejected):

Config File: /etc/audit/audit.rules
...
-e 2
...

After this rule is set, not even root can add, delete or change rules with auditctl, and a reboot is required to change any of the audit rules.
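The following script is an added example, not part of the page or of the audit package, that mechanises the rule-building steps above. expand_arch_rules turns the ARCH placeholder into both a b32 and a b64 rule (dropping the 32-bit-only stime syscall from the b64 copy, which auditctl would otherwise reject) and joins the backslash continuation lines shown on this page into one line per rule; privileged_rules generates the setuid/setgid watches with GNU find's -printf instead of awk's $1, so paths with spaces survive; assemble_rules puts -D first and -e 2 last. The template and the scratch file-system tree are constructed inputs, and the -F auid>=500 filter is carried over from the page unchanged.

```shell
#!/bin/sh
# Added example (not from the page): expand the ARCH-templated rules above into
# the rule set a 64-bit RHEL host needs and generate the privileged-command
# watches, then assemble a complete audit.rules with -e 2 as the last line.
# Assumes GNU find (-printf), as shipped with RHEL.

expand_arch_rules() {
    # stdin:  rules using the ARCH placeholder; backslash continuations as shown
    #         on this page are joined into one physical line per rule
    # stdout: every ARCH rule once for b32 and once for b64; the b64 copy loses
    #         -S stime, a 32-bit-only syscall that auditctl rejects with arch=b64.
    #         Lines without ARCH (watches, comments, -D, -e) pass through unchanged.
    awk '
        /\\[ \t]*$/ { sub(/[ \t]*\\[ \t]*$/, " "); buf = buf $0; next }
        {
            line = buf $0; buf = ""
            if (line !~ /arch=ARCH/) { print line; next }
            l32 = line; sub(/arch=ARCH/, "arch=b32", l32); print l32
            l64 = line; sub(/arch=ARCH/, "arch=b64", l64); sub(/ -S stime/, "", l64); print l64
        }'
}

privileged_rules() {
    # One -F path= rule per setuid/setgid regular file on the file system that
    # contains $1; -xdev stops find at mount points. -printf writes the whole
    # path, so a name with spaces is not truncated as it would be by awk's $1.
    find "$1" -xdev \( -perm -4000 -o -perm -2000 \) -type f \
        -printf '-a always,exit -F path=%p -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged\n' |
        LC_ALL=C sort
}

assemble_rules() {
    # usage: assemble_rules TEMPLATE FS...  -> complete audit.rules on stdout
    # -D first empties the loaded rule set; -e 2 last locks it, since any rule
    # that follows -e 2 is rejected by the now-immutable kernel configuration.
    tmpl=$1; shift
    echo "-D"
    expand_arch_rules < "$tmpl"
    for fs in "$@"; do privileged_rules "$fs"; done
    echo "-e 2"
}

# Constructed inputs: a template with rules from this page (one of them using a
# continuation line) and a scratch tree standing in for a local file system.
TEMPLATE=$(mktemp)
cat > "$TEMPLATE" <<'EOF'
-a always,exit -F arch=ARCH -S adjtimex -S settimeofday -S stime -k time-change
-w /etc/localtime -p wa -k time-change
-a always,exit -F arch=ARCH -S creat -S open -S openat -S truncate -S ftruncate \
-F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
EOF
FS=$(mktemp -d)
mkdir -p "$FS/bin" "$FS/usr/bin"
: > "$FS/bin/su";        chmod 4755 "$FS/bin/su"          # setuid lookalike
: > "$FS/usr/bin/wall";  chmod 2755 "$FS/usr/bin/wall"    # setgid lookalike
: > "$FS/bin/plain";     chmod 0755 "$FS/bin/plain"       # must not be listed

assemble_rules "$TEMPLATE" "$FS"
```

Redirect the output of assemble_rules to /etc/audit/audit.rules (after backing up the current file), then restart auditd as described above; because every rule is on one line, nothing depends on auditctl's handling of continuation lines.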

Using aureport

Use aureport to build a short set of reporting commands for exploring the audit logs on a regular basis. They can be run daily from cron by placing an appropriately named script in /etc/cron.daily.

For example, to generate a daily report of every user to login to the machine, the following command could be run from cron:

Command: displaying a report of every user to login to the machine
# aureport -l -i -ts yesterday -te today

To review all audited activity for unusual behavior, a good place to start is to see a summary of which audit rules have been triggering:

Command: reviewing all audited activity for unusual behavior
# aureport --key --summary

If access violations stand out, review them with:

Command: reviewing access violations
# ausearch --key access --raw | aureport --file --summary

To review what executables are doing:

Command: reviewing what executables are doing
# ausearch --key access --raw | aureport -x --summary

If access violations have been occurring on a particular file (such as /etc/shadow), use the following command to determine which user is doing this:

Command: reviewing access violations on /etc/shadow
# ausearch --key access --file /etc/shadow --raw | aureport --user --summary -i

Check for anomalous activity (such as a network device changing to promiscuous mode, processes ending abnormally, or login failure limits being reached) using:

Command: reviewing anomalous activity
# aureport --anomaly
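As an added example (not from the page and not the audit tools' own code), the following script answers the same two questions, which rules are firing and who keeps failing on /etc/shadow, straight from raw audit.log records, using a small constructed sample log with the subj= SELinux fields omitted. It shows the record layout aureport and ausearch work from: the key on the SYSCALL record, the file name on the PATH record of the same event, the event id that joins the two, and the exit value carrying the errno (-13 is EACCES, which the -F exit=-EACCES rule matches).

```shell
#!/bin/sh
# Added example (not from the page): reproduce the two review questions of this
# section directly from raw audit.log records, the way aureport/ausearch read
# them, on a constructed and simplified (no subj= fields) sample log.

AUDIT_SAMPLE=$(mktemp)
cat > "$AUDIT_SAMPLE" <<'EOF'
type=SYSCALL msg=audit(1307700000.101:201): arch=c000003e syscall=2 success=no exit=-13 a0=7fffd1e0 a1=0 a2=1b6 a3=0 items=1 ppid=2100 pid=2150 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=2 comm="cat" exe="/bin/cat" key="access"
type=CWD msg=audit(1307700000.101:201):  cwd="/home/alice"
type=PATH msg=audit(1307700000.101:201): item=0 name="/etc/shadow" inode=262220 dev=fd:00 mode=0100000 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1307700031.550:202): arch=c000003e syscall=2 success=yes exit=3 a0=7fff0010 a1=241 a2=1a4 a3=0 items=1 ppid=2200 pid=2231 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="useradd" exe="/usr/sbin/useradd" key="identity"
type=CWD msg=audit(1307700031.550:202):  cwd="/root"
type=PATH msg=audit(1307700031.550:202): item=0 name="/etc/passwd" inode=262180 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1307700090.002:203): arch=c000003e syscall=2 success=no exit=-13 a0=7fff2a40 a1=0 a2=0 a3=0 items=1 ppid=2300 pid=2318 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=pts2 ses=4 comm="vim" exe="/usr/bin/vim" key="access"
type=CWD msg=audit(1307700090.002:203):  cwd="/home/bob"
type=PATH msg=audit(1307700090.002:203): item=0 name="/etc/shadow" inode=262220 dev=fd:00 mode=0100000 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1307700120.777:204): arch=c000003e syscall=170 success=yes exit=0 a0=7fff3000 a1=9 a2=0 a3=0 items=0 ppid=1 pid=2400 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="hostname" exe="/bin/hostname" key="system-locale"
EOF

audit_key_summary() {
    # Events per rule key, like `aureport --key --summary`. The key is carried on
    # the SYSCALL record, one per event, so counting those counts events.
    awk '
        /^type=SYSCALL / && match($0, /key="[^"]*"/) {
            n[substr($0, RSTART + 5, RLENGTH - 6)]++
        }
        END { for (k in n) print n[k], k }' "$1" | sort -rn
}

audit_who_failed_on() {
    # usage: audit_who_failed_on LOG PATH -> "auid comm exit" for every failed
    # syscall whose PATH record names PATH, i.e. the question answered by
    # ausearch --key access --file PATH --raw | aureport --user --summary -i.
    # SYSCALL and PATH records of one event share the id in msg=audit(TIME:ID),
    # which is the join key. Raw logs hex-encode names containing unusual
    # characters (unquoted); those are not decoded here.
    awk -v target="$2" '
        function field(s, name) {    # value of a name=... field, quoted or bare
            if (match(s, " " name "=\"[^\"]*\""))
                return substr(s, RSTART + length(name) + 3, RLENGTH - length(name) - 4)
            if (match(s, " " name "=[^ ]*"))
                return substr(s, RSTART + length(name) + 2, RLENGTH - length(name) - 2)
            return ""
        }
        function eid(s) { match(s, /audit\([0-9.]+:[0-9]+\)/); return substr(s, RSTART, RLENGTH) }
        /^type=SYSCALL / && field($0, "success") == "no" {
            id = eid($0)
            auid[id] = field($0, "auid"); comm[id] = field($0, "comm"); err[id] = field($0, "exit")
        }
        /^type=PATH / {
            id = eid($0)
            if (field($0, "name") == target && (id in auid)) hit[id] = 1
        }
        END { for (id in hit) print auid[id], comm[id], err[id] }' "$1" | sort
}

echo "== events per key"
audit_key_summary "$AUDIT_SAMPLE"
echo "== failed accesses to /etc/shadow (auid comm exit; -13 is EACCES)"
audit_who_failed_on "$AUDIT_SAMPLE" /etc/shadow
```

The auid column is the login UID set at authentication time and kept across su and sudo, which is why the review commands above summarise by user rather than by uid: the 4294967295 value on the last sample event marks a process with no login session at all.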

Links

  • Red Hat Audit Documentation: http://www.redhat.com/mailman/listinfo/linux-audit
  • nixCraft Audit HOWTO: http://www.cyberciti.biz/tips/linux-audit-files-to-see-who-made-changes-to-a-file.html