Introduction
AuditD is a userspace component of the Linux Auditing System, responsible for writing audit records to the disk. These audit records provide system administrators with valuable information to determine if unauthorized access or other security incidents are occurring. Installing and configuring AuditD on AlmaLinux 9 is essential for maintaining a secure and monitored system.
Install AuditD
Configure system auditing with Auditd. It can monitor system calls, security events, file accesses, command execution and so on.
Step [1] The audit package is installed by default even on a minimal installation of AlmaLinux 9; if it is not, install it as follows.
[root@auditd ~]# dnf -y install audit
[root@auditd ~]# systemctl enable --now auditd
Step [2] Some Auditd settings can be changed in auditd.conf.
[root@auditd ~]# vi /etc/audit/auditd.conf
# line 7 : specify logfile
log_file = /var/log/audit/audit.log
# line 12 : maximum size of a logfile (MegaBytes)
max_log_file = 8
# line 13 : number of logfiles if specified [max_log_file_action=ROTATE]
num_logs = 5
# line 15: hostname in logfiles
# valid value : NONE, HOSTNAME, FQD, NUMERIC, USER
name_format = NONE
# line 16: hostname you like if specified [name_format=USER]
##name = mydomain
# line 17: specify action if the size of a logfile is over the limit
# valid value : IGNORE, SYSLOG, SUSPEND, ROTATE, KEEP_LOGS
max_log_file_action = ROTATE
Transfer Logs to a Remote Host
Configure Auditd to transfer logs to a remote host. This example is based on the following environment.
+-----------------------+          |          +-------------------------+
|   [ Auditd Server ]   |10.0.0.30 | 10.0.0.51|   [ Auditd Client ]     |
|  auditd.bizantum.lab  +----------+----------+  client01.bizantum.lab  |
|                       |                     |                         |
+-----------------------+                     +-------------------------+
Step [1] Configure the Auditd host that receives audit logs from remote hosts.
[root@auditd ~]# vi /etc/audit/auditd.conf
# line 27 : uncomment and specify listening port
tcp_listen_port = 60
[root@auditd ~]# service auditd restart
# restarting with [systemctl restart] fails because of the unit's dependency settings, so use [service] here
Step [2] If Firewalld is running on the audit receiver host, allow the audit service.
[root@auditd ~]# firewall-cmd --add-service=audit
success
[root@auditd ~]# firewall-cmd --runtime-to-permanent
success
Step [3] Configure the Auditd client host that sends audit logs.
[root@client01 ~]# dnf -y install audispd-plugins
[root@client01 ~]# vi /etc/audit/plugins.d/au-remote.conf
# line 6 : change
active = yes
[root@client01 ~]# vi /etc/audit/audisp-remote.conf
# line 6 : remote host to send logs
remote_server = auditd.bizantum.lab
# line 7 : specify port
# ⇒ the port the remote server is listening on
port = 60
[root@client01 ~]# vi /etc/audit/auditd.conf
# line 9 : change
# ⇒ do not record logs on the local filesystem
log_format = NOLOG
[root@client01 ~]# service auditd restart
Step [4] That's all. Audit logs from the remote host are recorded on the server as follows.
[root@auditd ~]# grep client01 /var/log/audit/audit.log
type=SOFTWARE_UPDATE msg=audit(1646975987.725:149): pid=1561 uid=0 auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=install sw="apr-1.7.0-11.el9.x86_64" sw_type=rpm key_enforce=0 gpg_res=1 root_dir="/" comm="dnf" exe="/usr/bin/python3.9" hostname=client01.bizantum.lab addr=? terminal=ttyS0 res=success'
type=SOFTWARE_UPDATE msg=audit(1646975987.725:150): pid=1561 uid=0 auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=install sw="apr-util-bdb-1.6.1-20.el9.x86_64" sw_type=rpm key_enforce=0 gpg_res=1 root_dir="/" comm="dnf" exe="/usr/bin/python3.9" hostname=client01.bizantum.lab addr=? terminal=ttyS0 res=success'
type=SOFTWARE_UPDATE msg=audit(1646975987.725:151): pid=1561 uid=0 auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=install sw="apr-util-openssl-1.6.1-20.el9.x86_64" sw_type=rpm key_enforce=0 gpg_res=1 root_dir="/" comm="dnf" exe="/usr/bin/python3.9" hostname=client01.bizantum.lab addr=? terminal=ttyS0 res=success'
.....
.....
Search Logs with Ausearch
Some events are audited by default, such as system logins, modifications of user accounts, sudo actions and so on; their logs are recorded in [/var/log/audit/audit.log].
Step [1] The logs are in text format, so you can read them directly.
[root@auditd ~]# tail -5 /var/log/audit/audit.log
type=SERVICE_STOP msg=audit(1646976126.110:375): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=user@1000 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_STOP msg=audit(1646976126.124:376): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=user-runtime-dir@1000 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_STOP msg=audit(1646976150.679:377): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-hostnamed comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=BPF msg=audit(1646976150.712:378): prog-id=79 op=UNLOAD
type=BPF msg=audit(1646976150.712:379): prog-id=78 op=UNLOAD
Step [2] Many records are written to [audit.log] and they are hard to read, so the audit package provides the [ausearch] command to search for specific logs.
# search USER_LOGIN related logs
[root@auditd ~]# ausearch --message USER_LOGIN --interpret
----
type=USER_LOGIN msg=audit(11/25/2021 18:26:50.936:87) : pid=884 uid=root auid=root ses=1 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=login id=root exe=/usr/bin/login hostname=localhost.localdomain addr=? terminal=ttyS0 res=success'
----
type=USER_LOGIN msg=audit(11/26/2021 01:22:54.878:79) : pid=854 uid=root auid=root ses=1 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=login id=root exe=/usr/bin/login hostname=localhost.localdomain addr=? terminal=ttyS0 res=success'
----
type=USER_LOGIN msg=audit(12/07/2021 22:31:29.947:82) : pid=861 uid=root auid=root ses=1 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=login id=root exe=/usr/bin/login hostname=localhost.localdomain addr=? terminal=ttyS0 res=success'
----
type=USER_LOGIN msg=audit(12/07/2021 22:36:31.962:68) : pid=849 uid=root auid=root ses=1 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=login id=root exe=/usr/bin/login hostname=localhost.localdomain addr=? terminal=ttyS0 res=success'
.....
.....
# search sudo actions by userID 1000
[root@auditd ~]# ausearch -x sudo -ua 1000
----
time->Thu Mar 10 23:21:54 2022
type=USER_AUTH msg=audit(1646976114.048:341): pid=3246 uid=1000 auid=1000 ses=8 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_usertype,pam_localuser,pam_unix acct="alma" exe="/usr/bin/sudo" hostname=auditd.bizantum.lab addr=? terminal=/dev/ttyS0 res=success'
----
time->Thu Mar 10 23:21:54 2022
type=USER_ACCT msg=audit(1646976114.081:342): pid=3246 uid=1000 auid=1000 ses=8 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="alma" exe="/usr/bin/sudo" hostname=auditd.bizantum.lab addr=? terminal=/dev/ttyS0 res=success'
----
time->Thu Mar 10 23:21:54 2022
type=USER_CMD msg=audit(1646976114.081:343): pid=3246 uid=1000 auid=1000 ses=8 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='cwd="/home/alma" cmd=636174202F6574632F736861646F77 exe="/usr/bin/sudo" terminal=ttyS0 res=success'
.....
.....
# search failure events on [auditd.bizantum.lab]
[root@auditd ~]# ausearch --host auditd.bizantum.lab --success no
----
time->Thu Mar 10 23:25:15 2022
type=USER_AUTH msg=audit(1646976315.473:406): pid=3329 uid=1000 auid=1000 ses=12 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=? acct="root" exe="/usr/bin/su" hostname=auditd.bizantum.lab addr=? terminal=/dev/ttyS0 res=failed'
----
time->Thu Mar 10 23:25:26 2022
type=USER_AUTH msg=audit(1646976326.418:410): pid=3333 uid=1000 auid=1000 ses=12 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=? acct="alma" exe="/usr/bin/sudo" hostname=auditd.bizantum.lab addr=? terminal=/dev/ttyS0 res=failed'
----
time->Thu Mar 10 23:25:30 2022
type=USER_AUTH msg=audit(1646976330.290:411): pid=3333 uid=1000 auid=1000 ses=12 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=? acct="alma" exe="/usr/bin/sudo" hostname=auditd.bizantum.lab addr=? terminal=/dev/ttyS0 res=failed'
.....
.....
# search logs of the user whose login user ID is 1000, from 2022/3/10 to 2022/3/11
[root@auditd ~]# ausearch --start 03/10/2022 --end 03/11/2022 -ul 1000
----
time->Thu Mar 10 23:25:36 2022
type=CRED_DISP msg=audit(1646976336.981:414): pid=3293 uid=0 auid=1000 ses=12 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_localuser,pam_unix acct="alma" exe="/usr/bin/login" hostname=auditd.bizantum.lab addr=? terminal=/dev/ttyS0 res=success'
----
time->Thu Mar 10 23:25:36 2022
type=USER_END msg=audit(1646976336.983:415): pid=3293 uid=0 auid=1000 ses=12 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_selinux,pam_loginuid,pam_selinux,pam_namespace,pam_keyinit,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_umask,pam_lastlog acct="alma" exe="/usr/bin/login" hostname=auditd.bizantum.lab addr=? terminal=/dev/ttyS0 res=success'
.....
.....
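The raw records above follow one layout: a type, an audit(timestamp:serial) header, a list of key=value fields, and a nested msg='...' list whose untrusted strings (the cmd in the USER_CMD record, for instance) are hex-encoded when they contain spaces or quotes, which is what [ausearch --interpret] decodes. As an added example, not code from the original page, here is a small parser for that format run over constructed sample lines, with a summary equivalent to what [aureport -au --failed --summary] shows; the sample values are illustrative.

```python
import re
from collections import Counter

# Constructed sample lines in the raw audit.log format shown on this page
# (same record types and field layout as above; values are illustrative).
SAMPLE_LOG = """\
type=USER_AUTH msg=audit(1646976114.048:341): pid=3246 uid=1000 auid=1000 ses=8 msg='op=PAM:authentication grantors=pam_unix acct="alma" exe="/usr/bin/sudo" hostname=auditd.bizantum.lab addr=? terminal=/dev/ttyS0 res=success'
type=USER_CMD msg=audit(1646976114.081:343): pid=3246 uid=1000 auid=1000 ses=8 msg='cwd="/home/alma" cmd=636174202F6574632F736861646F77 exe="/usr/bin/sudo" terminal=ttyS0 res=success'
type=USER_AUTH msg=audit(1646976315.473:406): pid=3329 uid=1000 auid=1000 ses=12 msg='op=PAM:authentication grantors=? acct="root" exe="/usr/bin/su" hostname=auditd.bizantum.lab addr=? terminal=/dev/ttyS0 res=failed'
type=USER_AUTH msg=audit(1646976326.418:410): pid=3333 uid=1000 auid=1000 ses=12 msg='op=PAM:authentication grantors=? acct="alma" exe="/usr/bin/sudo" hostname=auditd.bizantum.lab addr=? terminal=/dev/ttyS0 res=failed'
type=USER_AUTH msg=audit(1646976330.290:411): pid=3333 uid=1000 auid=1000 ses=12 msg='op=PAM:authentication grantors=? acct="alma" exe="/usr/bin/sudo" hostname=auditd.bizantum.lab addr=? terminal=/dev/ttyS0 res=failed'
type=BPF msg=audit(1646976150.712:378): prog-id=79 op=UNLOAD
"""

HEADER_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
# A value is double-quoted, single-quoted (the nested msg='...' block) or bare.
KV_RE = re.compile(r"""(\S+?)=("[^"]*"|'[^']*'|\S*)""")
# Fields auditd writes unquoted and hex-encoded when they hold spaces, quotes
# or control characters; `ausearch --interpret` decodes them the same way.
HEX_FIELDS = {"cmd", "proctitle", "acct", "comm", "exe", "cwd", "name"}

def decode_hex(value):
    """Turn an unquoted hex string such as cmd=636174... back into text."""
    try:
        return bytes.fromhex(value).decode("utf-8", "replace")
    except ValueError:
        return value          # not hex: a bare value such as "?" or a path

def parse_fields(text):
    """Flatten the outer key=value list and the nested msg='...' list into one dict."""
    out = {}
    for key, val in KV_RE.findall(text):
        if key == "msg" and val.startswith("'") and val.endswith("'"):
            out.update(parse_fields(val[1:-1]))      # recurse into the inner list
        elif val.startswith('"') and val.endswith('"'):
            out[key] = val[1:-1]                     # quoted: literal text
        else:
            out[key] = decode_hex(val) if key in HEX_FIELDS else val
    return out

def parse_record(line):
    """Return one record as a dict, or None if the line is not an audit record."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group(1), "time": float(m.group(2)), "serial": int(m.group(3))}
    rec.update(parse_fields(m.group(4)))
    return rec

def parse_log(text):
    return [r for r in map(parse_record, text.splitlines()) if r]

def failed_auth_by_acct(records):
    """Same view as `aureport -au --failed --summary`: failed authentications per account."""
    return dict(Counter(r.get("acct", "?") for r in records
                        if r["type"] == "USER_AUTH" and r.get("res") == "failed"))

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(failed_auth_by_acct(recs), [r["cmd"] for r in recs if r["type"] == "USER_CMD"])
```

Records with a closing UID="root" AUID="unset" suffix (as in the tail output earlier) parse the same way, since the suffix is just more outer fields after the quoted msg block.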
Display Summary Logs with Aureport
Audit logs can be displayed as summaries with the [aureport] command, which is included in the audit package.
Step [1] This is how to use the [aureport] command.
# display whole summary without arguments
[root@auditd ~]# aureport
Summary Report
======================
Range of time in logs: 11/25/2021 18:25:45.522 - 03/10/2022 23:26:12.211
Selected time for report: 11/25/2021 18:25:45 - 03/10/2022 23:26:12.211
Number of changes in configuration: 225
Number of changes to accounts, groups, or roles: 6
Number of logins: 23
Number of failed logins: 0
Number of authentications: 25
Number of failed authentications: 4
Number of users: 3
Number of terminals: 4
Number of host names: 5
Number of executables: 18
Number of commands: 14
Number of files: 1
Number of AVC's: 11
Number of MAC events: 64
Number of failed syscalls: 11
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 22
Number of integrity events: 0
Number of virt events: 0
Number of keys: 0
Number of process IDs: 171
Number of events: 3755
# display authentication logs
[root@auditd ~]# aureport -au
Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 11/25/2021 18:26:50 root localhost.localdomain /dev/ttyS0 /usr/bin/login yes 69
2. 11/26/2021 01:22:54 root localhost.localdomain /dev/ttyS0 /usr/bin/login yes 61
3. 12/07/2021 22:31:29 root localhost.localdomain /dev/ttyS0 /usr/bin/login yes 64
4. 12/07/2021 22:36:31 root localhost.localdomain /dev/ttyS0 /usr/bin/login yes 50
5. 12/20/2021 18:55:21 root localhost.localdomain /dev/ttyS0 /usr/bin/login yes 64
.....
.....
25. 03/10/2022 23:25:15 root auditd.bizantum.lab /dev/ttyS0 /usr/bin/su no 406
26. 03/10/2022 23:25:26 alma auditd.bizantum.lab /dev/ttyS0 /usr/bin/sudo no 410
27. 03/10/2022 23:25:30 alma auditd.bizantum.lab /dev/ttyS0 /usr/bin/sudo no 411
28. 03/10/2022 23:25:33 alma auditd.bizantum.lab /dev/ttyS0 /usr/bin/sudo no 412
29. 03/10/2022 23:25:41 root auditd.bizantum.lab /dev/ttyS0 /usr/bin/login yes 422
# display a summary of failed authentication logs
[root@auditd ~]# aureport -au --failed --summary
Failed Authentication Summary Report
=============================
total acct
=============================
3 alma
1 root
# display account modification logs
[root@auditd ~]# aureport -m -i
Account Modifications Report
=================================================
# date time auid addr term exe acct success event
=================================================
1. 03/10/2022 22:04:12 root ? ? /usr/sbin/groupadd ? yes 146
2. 03/10/2022 22:04:12 root ? ? /usr/sbin/groupadd ? yes 147
3. 03/10/2022 22:04:12 root ? ? /usr/sbin/useradd apache yes 148
4. 03/10/2022 23:19:46 root ? ? /usr/sbin/groupadd ? yes 125
5. 03/10/2022 23:19:46 root ? ? /usr/sbin/groupadd ? yes 126
6. 03/10/2022 23:19:46 root ? ? /usr/sbin/useradd apache yes 127
# display account modification logs since the start of this month
[root@auditd ~]# aureport -m -i --start this-month
Account Modifications Report
=================================================
# date time auid addr term exe acct success event
=================================================
1. 03/10/2022 22:04:12 root ? ? /usr/sbin/groupadd ? yes 146
2. 03/10/2022 22:04:12 root ? ? /usr/sbin/groupadd ? yes 147
3. 03/10/2022 22:04:12 root ? ? /usr/sbin/useradd apache yes 148
4. 03/10/2022 23:19:46 root ? ? /usr/sbin/groupadd ? yes 125
5. 03/10/2022 23:19:46 root ? ? /usr/sbin/groupadd ? yes 126
6. 03/10/2022 23:19:46 root ? ? /usr/sbin/useradd apache yes 127
# display executable logs
[root@auditd ~]# aureport -x -i
Executable Report
====================================
# date time exe term host auid event
====================================
1. 11/25/2021 18:25:45 /usr/sbin/auditctl (none) ? unset 5
2. 11/25/2021 18:25:45 /usr/sbin/auditctl (none) ? unset 6
3. 11/25/2021 18:25:45 /usr/sbin/auditctl (none) ? unset 7
4. 11/25/2021 18:25:45 /usr/lib/systemd/systemd ? ? unset 8
5. 11/25/2021 18:25:45 /usr/lib/systemd/systemd-update-utmp ? ? unset 9
.....
.....
2694. 03/10/2022 23:25:47 /usr/lib/systemd/systemd ? ? unset 441
2695. 03/10/2022 23:25:47 /usr/lib/systemd/systemd ? ? unset 442
2696. 03/10/2022 23:26:04 /usr/lib/systemd/systemd ? ? unset 162
2697. 03/10/2022 23:26:04 /usr/lib/systemd/systemd ? ? unset 163
2698. 03/10/2022 23:26:12 /usr/lib/systemd/systemd ? ? unset 443
# display executable logs from 2022/3/10 to 2022/3/11
[root@auditd ~]# aureport -x -i --start 03/10/2022 --end 03/11/2022
Executable Report
====================================
# date time exe term host auid event
====================================
1. 03/10/2022 18:59:36 /usr/sbin/auditctl (none) ? unset 5
2. 03/10/2022 18:59:36 /usr/sbin/auditctl (none) ? unset 6
3. 03/10/2022 18:59:36 /usr/sbin/auditctl (none) ? unset 7
4. 03/10/2022 18:59:36 /usr/lib/systemd/systemd ? ? unset 8
5. 03/10/2022 18:59:36 /usr/lib/systemd/systemd-update-utmp ? ? unset 9
.....
.....
903. 03/10/2022 23:25:47 /usr/lib/systemd/systemd ? ? unset 441
904. 03/10/2022 23:25:47 /usr/lib/systemd/systemd ? ? unset 442
905. 03/10/2022 23:26:04 /usr/lib/systemd/systemd ? ? unset 162
906. 03/10/2022 23:26:04 /usr/lib/systemd/systemd ? ? unset 163
907. 03/10/2022 23:26:12 /usr/lib/systemd/systemd ? ? unset 443
Step [2] Combine [ausearch] and [aureport] to search and display logs as follows.
# search and display sudo logs by user ID 1000
[root@auditd ~]# ausearch -x sudo -ua 1000 | aureport -au
Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 03/10/2022 23:21:54 alma auditd.bizantum.lab /dev/ttyS0 /usr/bin/sudo yes 341
2. 03/10/2022 23:25:26 alma auditd.bizantum.lab /dev/ttyS0 /usr/bin/sudo no 410
3. 03/10/2022 23:25:30 alma auditd.bizantum.lab /dev/ttyS0 /usr/bin/sudo no 411
4. 03/10/2022 23:25:33 alma auditd.bizantum.lab /dev/ttyS0 /usr/bin/sudo no 412
# search and display executable logs by user ID 1000
[root@auditd ~]# ausearch -ui 1000 | aureport -x -i
Executable Report
====================================
# date time exe term host auid event
====================================
1. 03/10/2022 23:21:19 /usr/bin/su /dev/ttyS0 auditd.bizantum.lab alma 280
2. 03/10/2022 23:21:19 /usr/bin/su /dev/ttyS0 auditd.bizantum.lab alma 281
3. 03/10/2022 23:21:19 /usr/bin/su /dev/ttyS0 auditd.bizantum.lab alma 282
4. 03/10/2022 23:21:19 /usr/bin/su /dev/ttyS0 auditd.bizantum.lab alma 283
5. 03/10/2022 23:21:32 /usr/bin/su /dev/ttyS0 auditd.bizantum.lab alma 284
.....
.....
15. 03/10/2022 23:25:26 /usr/bin/sudo /dev/ttyS0 auditd.bizantum.lab alma 410
16. 03/10/2022 23:25:30 /usr/bin/sudo /dev/ttyS0 auditd.bizantum.lab alma 411
17. 03/10/2022 23:25:33 /usr/bin/sudo /dev/ttyS0 auditd.bizantum.lab alma 412
18. 03/10/2022 23:25:35 /usr/bin/sudo ttyS0 ? alma 413
Add Audit Rules
You can add your own audit rules as follows.
Step [1] For example, configure an audit rule that records writes and attribute changes to [/etc/hosts].
# display current rules (there are none by default, as shown)
[root@auditd ~]# auditctl -l
No rules
# -p [r|w|x|a] : specify target action for Audit
# r=read, w=write, x=execute, a=attributes
# -k [words] : set keys for searching logs
[root@auditd ~]# auditctl -w /etc/hosts -p wa -k hosts_change
[root@auditd ~]# auditctl -l
-w /etc/hosts -p wa -k hosts_change
Step [2] When an action matching the new audit rule is detected, audit logs are recorded as follows.
[root@auditd ~]# ausearch -k hosts_change | aureport -f -i
File Report
===============================================
# date time file syscall success exe auid event
===============================================
1. 03/10/2022 23:36:38 /etc/hosts~ rename yes /usr/bin/vim root 447
2. 03/10/2022 23:36:38 /etc/hosts openat yes /usr/bin/vim root 448
3. 03/10/2022 23:36:38 /etc/hosts setxattr yes /usr/bin/vim root 449
4. 03/10/2022 23:36:38 (null) fchmod yes /usr/bin/vim root 450
5. 03/10/2022 23:36:38 /etc/hosts setxattr yes /usr/bin/vim root 451
Step [3] Rules added with the [auditctl] command are not kept after a system restart, so add them to a file under [/etc/audit/rules.d] if you want them to persist. Any file name under [/etc/audit/rules.d] is fine, but the extension must be [.rules].
# output current rules to [additional.rules]
[root@auditd ~]# auditctl -l >> /etc/audit/rules.d/additional.rules
Step [4] If you set a directory as the audit target, all files under the directory are targeted recursively.
# set an audit rule (reads) on [/home/testdir/]
[root@auditd ~]# auditctl -w /home/testdir/ -p r -k testdir_audit
[root@auditd ~]# auditctl -l
-w /home/testdir -p r -k testdir_audit
# logs are recorded like follows
[root@auditd ~]# ausearch -k testdir_audit | aureport -f -i
File Report
===============================================
# date time file syscall success exe auid event
===============================================
1. 03/10/2022 23:42:15 /home/testdir sendto yes /usr/sbin/auditctl root 93
2. 03/10/2022 23:42:44 /home/ sendto yes /usr/sbin/auditctl unset 8
3. 03/10/2022 23:48:14 /home/ sendto yes /usr/sbin/auditctl unset 8
Step [5] For example, set an audit rule that monitors files removed by users whose UID is 1000 or higher. For the [-S] option below, you can list all system calls with [man syscalls], after installing the man pages with [dnf install man-pages] if needed.
[root@auditd ~]# auditctl -a always,exit -F arch=b64 -S unlink,unlinkat -F 'auid>=1000' -F 'auid!=-1' -F key=delete_audit
[root@auditd ~]# auditctl -l
-w /home/testdir -p r -k testdir_audit
-a always,exit -F arch=b64 -S unlink,unlinkat -F auid>=1000 -F auid!=-1 -F key=delete_audit
# logs are recorded like follows
[root@auditd ~]# ausearch -k delete_audit | aureport -f -i
File Report
===============================================
# date time file syscall success exe auid event
===============================================
1. 03/10/2022 23:55:07 /run/user/1000/systemd/ unlink no /usr/lib/systemd/systemd alma 165
2. 03/10/2022 23:55:07 /run/user/1000/systemd/ unlink no /usr/lib/systemd/systemd alma 166
3. 03/10/2022 23:55:18 /home/testdir/test.txt unlinkat yes /usr/bin/rm alma 177