Getting started with auditd

Since 2.6 Linux has had an audit framework available. It allows you to monitor system calls and filesystem access which can be a very useful additional layer of security.

Installation

The main components which make up the audit framework are the kernel level code and a daemon process called auditd. Under CentOS 7 all you need to do to get auditd up and running is install the audit package:

yum install -y audit

Once the audit package is installed the auditd daemon should be running:

$ systemctl status auditd
* auditd.service - Security Auditing Service
   Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
   Active: active (running) since Sat 2017-02-04 16:20:35 GMT; 21h ago
     Docs: man:auditd(8)
           https://people.redhat.com/sgrubb/audit/
  Process: 1159 ExecReload=/bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)
  Process: 1188 ExecStartPost=/sbin/augenrules --load (code=exited, status=0/SUCCESS)
 Main PID: 1187 (auditd)
   CGroup: /system.slice/auditd.service
           +-1187 /sbin/auditd -n

Feb 04 16:20:35 localhost.localdomain systemd[1]: Starting Security Auditing Service...
Feb 04 16:20:35 localhost.localdomain auditd[1187]: Started dispatcher: /sbin/audispd pid: 1191
Feb 04 16:20:35 localhost.localdomain auditd[1187]: Init complete, auditd 2.6.5 listening for events (startup state enable)
Feb 04 16:20:35 localhost.localdomain systemd[1]: Started Security Auditing Service.

Note: by default auditd will log events to /var/log/audit/audit.log. Although the max_log_file and num_logs options in /etc/audit/auditd.conf will limit how much space can be used by logs, it's normally a good idea to make /var/log/audit a separate filesystem.

Default rules

Without any additional configuration auditd will log several standard events. The aureport and ausearch commands can be used to query the events. For example if you want to see recent authentication events you can use the --auth option:

$ aureport  --auth

Authentication Report
============================================ 
# date time acct host term exe success event 
============================================ 
1. 16/01/17 21:17:24 root ? tty1 /usr/bin/login yes 39
2. 16/01/17 21:23:01 root 10.0.2.2 ssh /usr/sbin/sshd no 56
3. 16/01/17 21:23:03 root gateway ssh /usr/sbin/sshd yes 57
4. 16/01/17 21:23:03 root 10.0.2.2 ssh /usr/sbin/sshd yes 60
5. 04/02/17 15:52:57 root 10.0.2.2 ssh /usr/sbin/sshd no 43
6. 04/02/17 15:53:01 root gateway ssh /usr/sbin/sshd yes 45
7. 04/02/17 15:53:01 root 10.0.2.2 ssh /usr/sbin/sshd yes 48
8. 05/02/17 14:30:02 root 10.0.2.2 ssh /usr/sbin/sshd no 295
9. 05/02/17 14:30:04 root gateway ssh /usr/sbin/sshd yes 296

Or if you want to find out when a tool like tcpdump was used to perform a packet capture, you can search for ANOM_PROMISCUOUS events:

$ ausearch --message ANOM_PROMISCUOUS
---- 
time->Sun Feb  5 14:45:00 2017
type=ANOM_PROMISCUOUS msg=audit(1486305900.162:474): dev=enp0s3 prom=0 old_prom=256 auid=0 uid=72 gid=72 ses=25
---- 
time->Sun Feb  5 14:44:59 2017
type=SYSCALL msg=audit(1486305899.049:473): arch=c000003e syscall=54 success=yes exit=0 a0=3 a1=107 a2=1 a3=7ffcdd1ff030 items=0 ppid=11488 pid=11491 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=25 comm="tcpdump" exe="/usr/sbin/tcpdump" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

Adding rules

Auditd can also be given custom rules to record addition events. Audit rules can be controlled using the auditctl command, however to get persistent rules you need to write them to a configuration file. Rules are normally stored under /etc/audit/rules.d/, and should normally only be accessible by the root user:

$ ls -l /etc/audit/rules.d/somerules.rules
-rw-------. 1 root root 39 Feb  5 14:12 /etc/audit/rules.d/somerules.rules

auditd needs to reload it's configuration before it starts using any new rules:

$ augenrules --load

Note: RefuseManualStop=yes is set in the systemd unit file so running systemctl restart auditd.service will fail.

Monitoring file access

Configuring auditd to monitor filesystem access is relatively straightforward. For example if you want to monitor files under /etc/ being changed you could use a rule similar to the following:

-w /etc/ -p wa -k system_configuration

This rule will produce an audit message if any files under /etc/ are written to (w) or have any attributes changed (a). For example updating /etc/motd will produce log entries similar to the following:

23 key="system_configuration"
type=CWD msg=audit(1486305706.792:409):  cwd="/root"
type=PATH msg=audit(1486305706.792:409): item=0 name="/etc/" inode=4194369 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 objtype=PARENT
type=PATH msg=audit(1486305706.792:409): item=1 name="/etc/motd" inode=4195234 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 objtype=NORMAL

Monitoring system calls

auditd can also monitor arbitrary system calls. For example if you want to monitor when the hostname of a server is changed, you could audit the sethostname system call:

-a always,exit -F arch=b64 -S sethostname -k set-hostname

Note: -F arch=b64 is set to limit the rule to 64 bit system calls.

This will produce log messages similar to the following if commands like hostname are called:

$ ausearch --key set-hostname
---- 
time->Tue Feb  7 23:34:03 2017
type=CONFIG_CHANGE msg=audit(1486510443.032:59): auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op="add_rule" key="set-hostname" list=4 res=1
---- 
time->Tue Feb  7 23:34:08 2017
type=SYSCALL msg=audit(1486510448.375:60): arch=c000003e syscall=170 success=yes exit=0 a0=1196010 a1=6 a2=6 a3=7fff5d76c730 items=0 ppid=979 pid=1364 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="hostname" exe="/usr/bin/hostname" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="set-hostname"