# Auditd - The Linux Auditing System

The Linux Auditing System has been widely adopted as a way to meet auditing standards and aid forensic investigations. Combined with a host intrusion detection system, auditd can be used for more than forensics: it can help find intrusion attempts and successful attacks. This repository aims to be a collection of examples, guidance and background information to help an administrator or security engineer deploy auditd in a detection capacity.

## Configuring Auditd

### /etc/audit/auditd.conf

Settings in auditd.conf should be defined based on the importance of log integrity and how long you would like to keep records.

Here are the options that govern how records are written out and how the log files are rotated:

```
flush = INCREMENTAL
freq = 20
num_logs = 5
disp_qos = lossy
dispatcher = /sbin/audispd
name_format = NONE
##name = mydomain
max_log_file = 6
max_log_file_action = ROTATE
space_left = 75
```

The "_action" options determine how errors or disk space issues should be handled:

```
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
```

### /etc/audit/audit.rules

Example rule sets for most Linux distributions are stored in /usr/share/doc/auditd/examples.

This file contains all of the rules that are loaded when the system starts. Most audit.rules files start with the following control rules:

```
## First rule - delete all
-D

## Increase the buffers to survive stress events.
## Make this bigger for busy systems
-b 8192

## Set failure mode to panic
-f 2
```

Followed by the audit rules:

```
-a exit,always -S unlink -S rmdir
-a exit,always -S stime.*
-a exit,always -S setrlimit.*
-w /etc/group -p wa
-w /etc/passwd -p wa
-w /etc/shadow -p wa
-w /etc/sudoers -p wa
```

The audit.rules file should end with the immutability settings:

```
#Enable auditd
-e 1

#Make the configuration immutable, a reboot is required to change the configuration settings or rulesets.
-e 2
```

Rules can be stored in `/etc/audit/audit.rules`, or the ruleset can be changed while the daemon is running using the auditctl command.

## Rules

> "audit rules come in 3 varieties: control, file, and syscall"

### Options

- `-a` action,list: always log on syscall exit
- `-F` field
- `-S` syscall: execve
- `-k` logging key: programs

### Sample Rules

```
-a always,exit -F arch=b32 -F uid=33 -S execve -k programs -k www
-a always,exit -F arch=b64 -F uid=33 -S execve -k programs -k www
-a always,exit -F arch=b32 -C auid!=uid -S execve -k su_program -k programs
-a always,exit -F arch=b64 -C auid!=uid -S execve -k su_program -k programs
-a exit,always -S unlink -S rmdir
-a exit,always -S stime.*
-a exit,always -S setrlimit.*
-w /var/www -p wa
-w /etc/group -p wa
-w /etc/passwd -p wa
-w /etc/shadow -p wa
-w /etc/sudoers -p wa
```
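As an added example that is not part of this repository, the Python below parses constructed raw SYSCALL records and applies the intent of the sample rules above: it decodes the key field (auditd logs a single `-k` key as `key="name"`, but when a rule carries several keys they are joined with 0x01 and the field is hex-encoded), then flags execve by uid 33 and records where auid differs from uid. The uid value 33 and the key names come from the rules above; the log records themselves are constructed.

```python
import re

KEY_SEP = "\x01"  # auditctl joins multiple -k keys with 0x01; the kernel hex-encodes such a key field
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def decode_key(raw):
    """Rule keys on a record: key="name" for one key, hex of keys joined by 0x01 for several, (null) for none."""
    if raw.startswith('"'):
        return [raw.strip('"')]
    if raw == "(null)":
        return []
    if len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", raw):
        return bytes.fromhex(raw).decode("utf-8", "replace").split(KEY_SEP)
    return [raw]

def parse_record(line):
    """Split a raw audit record into a dict; the serial from msg=audit(ts:serial) is kept as 'serial'."""
    fields = {}
    if m := re.search(r"msg=audit\(\d+\.\d+:(\d+)\):", line):
        fields["serial"] = m.group(1)
    for name, raw, quoted in FIELD_RE.findall(line):
        if name == "key":
            fields["keys"] = decode_key(raw)
        elif name != "msg":
            fields[name] = quoted if raw.startswith('"') else raw
    return fields

def triage(lines):
    """Intent of the sample rules: 'www' marks execve by uid 33, 'su_program' or auid != uid marks an identity change."""
    findings = []
    for rec in map(parse_record, lines):
        if rec.get("type") != "SYSCALL":  # PATH, CWD, EXECVE records share the serial but carry no uid/key
            continue
        keys, auid, uid = rec.get("keys", []), rec.get("auid"), rec.get("uid")
        if "www" in keys and uid == "33":
            findings.append(f"{rec['serial']}: web user executed {rec['exe']}")
        elif "su_program" in keys or (auid not in (None, "4294967295") and auid != uid):
            findings.append(f"{rec['serial']}: auid {auid} ran {rec['exe']} as uid {uid}")
    return findings

hexkey = lambda *keys: KEY_SEP.join(keys).encode().hex().upper()  # multi-key field as the kernel logs it
SAMPLE_LOG = [  # constructed records, not captured from a real host
    'type=SYSCALL msg=audit(1438013609.101:662): arch=c000003e syscall=59 success=yes exit=0 '
    'ppid=400 pid=401 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 comm="whoami" exe="/usr/bin/whoami" key="programs"',
    'type=SYSCALL msg=audit(1438013610.202:663): arch=c000003e syscall=59 success=yes exit=0 '
    f'ppid=401 pid=402 auid=1000 uid=0 gid=0 euid=0 tty=pts0 comm="bash" exe="/bin/bash" key={hexkey("su_program", "programs")}',
    'type=SYSCALL msg=audit(1438013611.303:664): arch=c000003e syscall=59 success=yes exit=0 '
    f'ppid=900 pid=901 auid=4294967295 uid=33 gid=33 euid=33 tty=(none) comm="perl" exe="/usr/bin/perl" key={hexkey("programs", "www")}',
    'type=PATH msg=audit(1438013611.303:664): item=0 name="/usr/bin/perl" inode=1 dev=08:01 mode=0100755',
]
```

Running `triage(SAMPLE_LOG)` yields one finding for the bash run as uid 0 by login uid 1000 and one for the perl execution by the web user; the whoami record matches only the generic `programs` key and is left alone.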

## Commands

### auditd

- `auditd -f` - foreground auditd, messages go to stderr
- `SIGHUP` - reconfigure auditd, re-read configuration files

> "A boot param of audit=1 should be added to ensure that all processes that run before the audit daemon starts are marked as auditable by the kernel."

### auditctl

> "auditctl program is used to control the behavior, get status, and add or delete rules into the 2.6 kernel’s audit system."

- `auditctl -l` - list current rule set

#### Control Behavior

#### Manage Rules

### ausearch

### aureport

### ausearch and aureport together

Both ausearch and aureport are able to take raw audit logs from STDIN. Here is an example where we are looking at the executable report for a specific event:

```
sysadmin@server:~$ sudo ausearch --event 662 --raw | aureport --executable --interpret

Executable Report
====================================
# date time exe term host auid event
====================================
1. 07/27/2015 16:13:29 /usr/bin/whoami (none) ? unset 662
```

# Links

Man Pages

Intro to Auditd

Reporting and Alerting

Presentations

Upcoming

## PCI-DSS

## CIS Benchmark