Understand the Linux audit system Audit

Introduction

This article describes Audit, the Linux auditing system.

Audit lets you define audit rules and writes the security-related events that occur on the system to a log file.

By monitoring the records written to that log file, you can detect security-related events.

The following kinds of audit rules can be set in Audit.

- Control rules
- System call rules
- File system rules

Audit overview

Audit runs as the auditd daemon, which receives audit records from the kernel and writes them to a log file.

General settings are set in the /etc/audit/auditd.conf file.

#
# This file controls the configuration of the audit daemon
#

local_events = yes
write_logs = yes
log_file = /var/log/audit/audit.log
log_group = root
log_format = RAW
flush = INCREMENTAL_ASYNC
freq = 50
max_log_file = 8
num_logs = 5
priority_boost = 4
disp_qos = lossy
dispatcher = /sbin/audispd
name_format = NONE
##name = mydomain
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
verify_email = yes
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
use_libwrap = yes
##tcp_listen_port = 60
tcp_listen_queue = 5
tcp_max_per_addr = 1
##tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
enable_krb5 = no
krb5_principal = auditd
##krb5_key_file = /etc/audit/audit.key
distribute_network = no
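The settings in this file decide what happens when the log fills up or the disk runs out: with max_log_file_action = ROTATE the oldest of the num_logs files is discarded, and SUSPEND stops writing records to disk, so the configuration above can lose audit trail under pressure. As an added example that is not part of the article, here is a small Python checker that parses an auditd.conf and compares the log-retention settings against a baseline. The baseline values are my own assumption, modelled on common hardening guides, and the config text is a constructed copy of the file shown above.

```python
from typing import Dict, Tuple

# Constructed copy of the auditd.conf shown in the article (comments trimmed).
SAMPLE_CONF = """\
local_events = yes
write_logs = yes
log_file = /var/log/audit/audit.log
log_format = RAW
max_log_file = 8
num_logs = 5
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
"""

# Assumed baseline (my choice, modelled on common hardening guides): values that
# keep the audit trail intact instead of discarding it or silently stopping.
BASELINE: Dict[str, set] = {
    "max_log_file_action": {"keep_logs"},
    "space_left_action": {"email", "exec", "single", "halt"},
    "admin_space_left_action": {"single", "halt"},
    "disk_full_action": {"single", "halt"},
    "disk_error_action": {"syslog", "single", "halt"},
}


def parse_auditd_conf(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines; '#' starts a comment, keys are case-insensitive."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        conf[key.lower()] = value
    return conf


def check_conf(conf: Dict[str, str]) -> Dict[str, Tuple[str, list]]:
    """Return {setting: (current value, allowed values)} for every baseline miss."""
    findings = {}
    for key, allowed in BASELINE.items():
        current = conf.get(key, "<missing>").lower()
        if current not in allowed:
            findings[key] = (current, sorted(allowed))
    return findings


if __name__ == "__main__":
    for key, (current, allowed) in check_conf(parse_auditd_conf(SAMPLE_CONF)).items():
        print(f"{key}: {current} (expected one of {', '.join(allowed)})")
```

Run against the article's configuration it reports all five retention settings; point it at a real /etc/audit/auditd.conf and it reports only the ones that differ from the baseline you choose.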

The basic commands for operating Audit are as follows.

Command    Description
auditctl   Configure Audit operation and define audit rules
ausearch   Search the Audit log file for audit records
aureport   Generate a report of audit results from the Audit log file

Audit rules are set by running the `auditctl` command, or written to the `/etc/audit/rules.d/audit.rules` file to make them persistent.

auditctl

The usage of the `auditctl` command is explained below for each kind of rule.

Control rule

Make settings related to Audit operation.

- Set the Audit state: disabled (0), enabled (1), or locked (2, enabled and the configuration can no longer be changed). The following enables auditing.

  # auditctl -e 1

- Display the current status and option settings

  # auditctl -s

- Delete all Audit rules

  # auditctl -D

System call rules

Set rules for system calls.

Format: auditctl -a <list>,<action> -F <field>=<value> -S <syscall> -k <key>

- Define a system call rule (the following records every exit from adjtimex and settimeofday made by 64-bit programs, under the key time-change)

  # auditctl -a always,exit -F arch=b64 -S adjtimex,settimeofday -k time-change

- Check the system call rules

  # auditctl -l
  -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=time-change

You can look up the system call names and numbers to specify with -S in the /usr/include/asm/unistd_64.h file or with the `ausyscall` command.

- Search the header file for system call names containing "open"

  # cat /usr/include/asm/unistd_64.h | grep open

#define __NR_open 2
#define __NR_mq_open 240
#define __NR_openat 257
#define __NR_perf_event_open 298
#define __NR_open_by_handle_at 304

- Search with the `ausyscall` command for system call names containing "open"

  # ausyscall open

open               2
mq_open            240
openat             257
perf_event_open    298
open_by_handle_at  304

File system rules

Set rules for the file system. With the rule below, a record is written to the log whenever the file is written to or its attributes are changed.

Format: auditctl -w <path> -p <permissions> -k <key>

- Define a file system rule

  # auditctl -w /etc/passwd -p wa -k identity

- Check the file system rules

  # auditctl -l
  -w /etc/passwd -p wa -k identity

As an example, if you change the password of the test account, the password change record is written to the /var/log/audit/audit.log file as shown below.

type=USER_CHAUTHTOK msg=audit(1582528251.037:19125): pid=32026 uid=0 auid=0 ses=2508 subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 msg='op=PAM:chauthtok grantors=pam_pwquality,pam_unix acct="test" exe="/usr/bin/passwd" hostname=localhost.localdomain addr=? terminal=pts/1 res=success'

ausearch

The `ausearch` command searches the audit log for records that match the key and outputs them according to the specified conditions. The log file specified by `log_file` in the `/etc/audit/auditd.conf` file is searched.

- Search the Audit log file by key (hereafter, -i interprets numeric fields such as the timestamp and uid as readable text, and -k specifies the key)

  # ausearch -i -k time-change

----
type=CONFIG_CHANGE msg=audit(February 24, 2020 15:00:55.539:17800) : auid=root ses=2118 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op=add_rule key=time-change list=exit res=yes 
----
type=CONFIG_CHANGE msg=audit(February 24, 2020 15:01:17.592:17824) : auid=root ses=2118 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op=remove_rule key=time-change list=exit res=yes 
----
type=CONFIG_CHANGE msg=audit(February 24, 2020 15:08:59.057:17944) : auid=root ses=2118 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op=add_rule key=time-change list=exit res=yes 

- Search for records of the specified message type (below, -m selects login records and --start today limits the search to today)

  # ausearch -m USER_LOGIN --start today

----
time->Thu Apr 30 21:25:25 2020
type=USER_LOGIN msg=audit(1588249525.137:125): pid=1341 uid=0 auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=192.168.10.10 addr=192.168.10.10 terminal=/dev/pts/0 res=success'
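The records above show the two shapes an audit.log line can take: kernel records with flat key=value fields (CONFIG_CHANGE, and the SYSCALL/PATH records that the `-w /etc/passwd -p wa -k identity` watch rule itself emits, which `ausearch -k identity` returns), and user-space records such as USER_CHAUTHTOK and USER_LOGIN, where PAM puts its fields inside a quoted msg='...' payload. The USER_CHAUTHTOK record shown in the file system section comes from passwd via PAM and is written whether or not the watch rule exists. The raw log also stores numeric values (auid=0, res=1, syscall=2); `ausearch -i` is what turned them into root, yes and names in the output above. As an added example that is not part of the article, here is a Python parser that handles both record shapes, resolves syscall numbers with a table built from the `#define __NR_` lines of unistd_64.h shown earlier, and flags the events a defender would want to see: removal of an audit rule, password changes, failed logins, and writes to the watched identity file. The CONFIG_CHANGE and USER_LOGIN sample lines are constructed raw-form versions of the article's records (the login is changed to res=failed to exercise that check), and the SYSCALL line is my assumed example of what the watch rule produces.

```python
import re
from typing import Dict, List, Tuple

# Constructed copy of the grep output shown in the article (unistd_64.h lines).
UNISTD_SNIPPET = """\
#define __NR_open 2
#define __NR_mq_open 240
#define __NR_openat 257
#define __NR_perf_event_open 298
#define __NR_open_by_handle_at 304
"""

# Constructed sample records in raw (uninterpreted) form. The CONFIG_CHANGE,
# USER_CHAUTHTOK and USER_LOGIN lines follow the article's records (login
# altered to res=failed); the SYSCALL line is an assumed example of what the
# "-w /etc/passwd -p wa -k identity" watch rule emits.
SAMPLE_LOG = """\
type=CONFIG_CHANGE msg=audit(1582523855.539:17800): auid=0 ses=2118 op=add_rule key="time-change" list=4 res=1
type=CONFIG_CHANGE msg=audit(1582523877.592:17824): auid=0 ses=2118 op=remove_rule key="time-change" list=4 res=1
type=SYSCALL msg=audit(1582528251.030:19124): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd1 a1=241 a2=1b6 a3=0 items=2 ppid=32000 pid=32026 auid=0 uid=0 gid=0 euid=0 tty=pts1 ses=2508 comm="passwd" exe="/usr/bin/passwd" key="identity"
type=USER_CHAUTHTOK msg=audit(1582528251.037:19125): pid=32026 uid=0 auid=0 ses=2508 subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 msg='op=PAM:chauthtok grantors=pam_pwquality,pam_unix acct="test" exe="/usr/bin/passwd" hostname=localhost.localdomain addr=? terminal=pts/1 res=success'
type=USER_LOGIN msg=audit(1588249525.137:125): pid=1341 uid=0 auid=0 ses=1 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=192.168.10.10 addr=192.168.10.10 terminal=/dev/pts/0 res=failed'
"""

HEADER_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): ?(.*)$")
# key=value where value is "double-quoted", 'single-quoted' (nested payload) or bare.
FIELD_RE = re.compile(r"""(\w+)=("(?:[^"\\]|\\.)*"|'[^']*'|\S*)""")


def syscall_table(header_text: str) -> Dict[int, str]:
    """Build {number: name} from '#define __NR_<name> <number>' lines."""
    return {int(m.group(2)): m.group(1)
            for m in re.finditer(r"^#define __NR_(\w+)\s+(\d+)", header_text, re.M)}


def parse_fields(text: str) -> Dict[str, str]:
    fields = {}
    for key, raw in FIELD_RE.findall(text):
        if raw.startswith("'") and raw.endswith("'"):
            # PAM records carry their own key=value list inside msg='...'
            fields.update(parse_fields(raw[1:-1]))
        elif len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            fields[key] = raw[1:-1]
        else:
            fields[key] = raw
    return fields


def parse_record(line: str, syscalls: Dict[int, str]) -> Dict[str, str]:
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an audit record: {line[:40]!r}")
    rec = {"type": m.group(1), "time": m.group(2), "serial": m.group(3)}
    rec.update(parse_fields(m.group(4)))
    if rec["type"] == "SYSCALL" and "syscall" in rec:
        rec["syscall_name"] = syscalls.get(int(rec["syscall"]), "unknown")
    return rec


def findings(log_text: str, syscalls: Dict[int, str]) -> List[Tuple[str, str]]:
    """Return (serial, description) for each record worth a closer look."""
    out = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        r = parse_record(line, syscalls)
        t = r["type"]
        if t == "CONFIG_CHANGE" and r.get("op") == "remove_rule":
            out.append((r["serial"], f"audit rule removed: key={r.get('key')} auid={r.get('auid')}"))
        elif t == "USER_CHAUTHTOK":
            out.append((r["serial"], f"password change acct={r.get('acct')} exe={r.get('exe')} res={r.get('res')}"))
        elif t == "USER_LOGIN" and r.get("res") != "success":
            out.append((r["serial"], f"failed login addr={r.get('addr')} exe={r.get('exe')}"))
        elif t == "SYSCALL" and r.get("key") == "identity":
            out.append((r["serial"], f"{r.get('syscall_name')} on identity file comm={r.get('comm')} auid={r.get('auid')}"))
    return out


if __name__ == "__main__":
    for serial, text in findings(SAMPLE_LOG, syscall_table(UNISTD_SNIPPET)):
        print(serial, text)
```

The remove_rule check is the one worth keeping in any alerting pipeline: a rule disappearing from the running set is exactly the kind of change that `auditctl -e 2` exists to prevent, and it shows up in the log as a CONFIG_CHANGE record whether it was done by an administrator or by someone covering their tracks.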

- One-liner to list the message types that can be specified with -m

  # ausearch -m help 2>&1 | awk -v RS=' ' '/^[A-Z]{2}/{ print}' | sort

aureport

The `aureport` command outputs a report from the audit log according to the specified conditions.

- Generate an audit report (the following is a login report: -l selects login records, -i interprets numeric fields as readable text, and -ts and -te give the start and end of the search range)

  # aureport -l -i -ts yesterday -te now

Login Report
============================================
# date time auid host term exe success event
============================================
1. February 23, 2020 21:12:44 root <IP address> /dev/pts/0 /usr/sbin/sshd yes 132
2. February 24, 2020 12:52:29 root <IP address> ssh /usr/sbin/sshd no 16883
3. February 24, 2020 12:52:35 root <IP address> /dev/pts/0 /usr/sbin/sshd yes 16901
4. February 24, 2020 15:45:37 root <IP address> /dev/pts/1 /usr/sbin/sshd yes 18626
5. February 24, 2020 18:27:12 root <IP address> /dev/pts/0 /usr/sbin/sshd yes 21660

- Generate a summary report

  # aureport --summary

Summary Report
======================
Range of time in logs: January 01, 1970 09:00:00.000 - February 24, 2020 16:07:17.070
Selected time for report: January 01, 1970 09:00:00 - February 24, 2020 16:07:17.070
Number of changes in configuration: 220
Number of changes to accounts, groups, or roles: 5
Number of logins: 7
Number of failed logins: 1
Number of authentications: 14
Number of failed authentications: 12
Number of users: 2
Number of terminals: 9
Number of host names: 3
Number of executables: 24
Number of commands: 28
Number of files: 48
Number of AVC's: 3716
Number of MAC events: 9
Number of failed syscalls: 25835
Number of anomaly events: 10
Number of responses to anomaly events: 0
Number of crypto events: 89
Number of integrity events: 0
Number of virt events: 0
Number of keys: 3
Number of process IDs: 13855
Number of events: 90789

Auditing keyboard input

Once keystroke auditing is enabled with the pam_tty_audit PAM module, you can use the `aureport` command to view the commands entered in the terminal.

To audit keyboard input, add the following line to the PAM configuration (the following records the keystrokes of the test user only).

session required pam_tty_audit.so disable=* enable=test

To check the operation, switch to the test user with the following command.

- Switch user

  # su -l test

As an example, run a few commands such as the following, then log out with Ctrl+D.

  $ date
  $ echo "test"
  $ top

You can check the command executed by the test user in the terminal by executing the following command.

# aureport --tty --start today

TTY Report
===============================================
# date time event auid term sess comm data
===============================================
1.April 30, 2020 21:58:09 184 0 ? 1 bash "date",<ret>,"echo \"test\"",<ret>,"top",<ret>,<^L>,<^D>
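The data column of the TTY report is a comma-separated list of quoted text chunks and <key> tokens, with <ret> marking Enter and control keys such as <^L> and <^D> shown by name. As an added Python example that is not part of the article, here is a parser that turns that column into the list of commands the user actually ran, which is what a reviewer wants to scan rather than the raw keystroke encoding. The data string is a constructed copy of the report above; the treatment of backslash escapes inside quotes and of control-key tokens is my reading of the format shown, not a documented grammar.

```python
from typing import List, Tuple

# Constructed copy of the "data" column from the article's TTY report.
SAMPLE_TTY_DATA = r'"date",<ret>,"echo \"test\"",<ret>,"top",<ret>,<^L>,<^D>'


def tty_tokens(data: str) -> List[Tuple[str, str]]:
    """Split a pam_tty_audit data field into ("text", chunk) and ("key", name) tokens."""
    tokens, i = [], 0
    while i < len(data):
        c = data[i]
        if c == '"':
            j, buf = i + 1, []
            while j < len(data) and data[j] != '"':
                if data[j] == "\\" and j + 1 < len(data):
                    j += 1                  # escaped character (e.g. \") is kept literally
                buf.append(data[j])
                j += 1
            tokens.append(("text", "".join(buf)))
            i = j + 1                       # skip the closing quote
        elif c == "<":
            j = data.index(">", i)
            tokens.append(("key", data[i + 1:j]))
            i = j + 1
        else:
            i += 1                          # commas between tokens carry no data
    return tokens


def typed_commands(data: str) -> List[str]:
    """Reassemble typed text into one command per <ret>; stop at <^D> (end of session)."""
    commands, current = [], []
    for kind, value in tty_tokens(data):
        if kind == "text":
            current.append(value)
        elif value == "ret":
            line = "".join(current).strip()
            if line:
                commands.append(line)
            current = []
        elif value == "^D":
            break
        # other control keys (<^L> clears the screen, cursor keys, ...) are ignored
    return commands


if __name__ == "__main__":
    for cmd in typed_commands(SAMPLE_TTY_DATA):
        print(cmd)
```

Keystrokes are recorded as typed, so a command edited with Backspace or the arrow keys will not reassemble cleanly with this simple approach; for those sessions the raw data column remains the authoritative record.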

/etc/audit/rules.d/audit.rules

Persistent settings are written to the /etc/audit/rules.d/audit.rules file. After changing the file, restart auditd so that the settings take effect.

Conclusion

Audit is essential knowledge for a system administrator.

Audit is designed to meet the requirements of the OS security standard Controlled Access Protection Profile (CAPP), the standard level for open systems.

Reference

- Chapter 6 System Audit
- 6.5. Definition of AUDIT rules
