Audit System Call Log

Source: Internet
Author: User

I. Audit Introduction

Audit is a subsystem of Linux that records low-level actions of users and processes, for example that a user invoked the open or exit system call.
The records are written to a log file.
Audit rules are added or removed with the auditctl command, so that the activity of a particular user or a particular process is logged. Audit consists of 2 main commands:

AUDITD Audit Service process (start or close audit process)
Auditctl Audit Rule Setup tool (add, modify, or delete audit rules)

If SELinux is enabled, auditd must be running so that the kernel's system call records (and SELinux AVC messages) are written to the audit log; without auditd the kernel only emits them through printk to the kernel log.

II. Installation of Audit

1. RPM package

GTES 10, 10.5 and 11 have the audit package installed by default and can use it directly.

2. Source code installation

Audit can also be built from source.

Source: http://people.redhat.com/sgrubb/audit/

Installation method:

# tar zxf audit-1.6.2.tgz
# cd audit-1.6.2
# aclocal && autoconf && autoheader && automake
# ./configure --sbindir=/sbin --mandir=/usr/share/man --libdir=/lib
# make
# make install
III. Audit Related Tools

1. auditd

auditd is the user-space daemon of the audit system. Its main job is to write the audit records to disk. (The kernel queues events for it in a backlog, so the backlog limit, i.e. the size of that buffer, has to be set to match the event volume; events that arrive while the backlog is full are lost.)
auditd reads 2 configuration files when it starts:

/etc/audit/auditd.conf Audit configuration file (daemon settings such as the log file)
/etc/audit/audit.rules Audit rules file (loaded through auditctl -R)

These 2 files are created when audit is installed.

auditd usage:

auditd [-f]
-f  run auditd in the foreground; used when debugging.
2. auditctl

auditctl controls the audit subsystem in the kernel: it reports the audit status and adds or deletes audit rules.

Usage:

auditctl [options]

-b <backlog>  Set the size of the kernel audit buffer (the backlog; default 64). If the buffer fills up, the kernel raises the failure flag.
-e [0|1]  Disable (0) or enable (1) auditing.
-f [0..2]  Set the failure flag level, i.e. how the kernel reacts when auditing fails: 0 = silent, 1 = report through printk, 2 = panic (the highest level). Conditions that trigger the failure flag are: transmission errors to the user-space audit daemon, the backlog limit being exceeded, the kernel running out of memory, and the rate limit being exceeded. The default is 1. In a secure environment it can be set to 2.
-h  Help.
-i  When reading rules from a file, ignore errors.
-l  List all rules.
-k <key>  Attach a filter key to an audit rule. The key is a string of up to 31 bytes and is used to filter audit records afterwards.
-m <text>  Send a text message into the audit system. Only root can use this.
-r <rate>  Set the message rate limit per second. If the actual message rate exceeds it, the failure flag is raised.
-R <file>  Read rules from a file, one rule per line. The file must be owned by root and must not be readable by other users. Lines beginning with # are comments.
-s  Report the audit status.
-a <list,action>  Append a rule to the end of a list. "list" is the list name and "action" the action of the rule. The available lists are:
    task  Add a rule to the per-task list. This list is used only when a task is created (when the parent process calls fork() or clone()).
    entry  Add a rule to the system call entry list.
    exit  Add a rule to the system call exit list.
    user  Add a filter to the user message list. The kernel uses this list to filter events coming from user space before they are passed to the audit daemon; the fields that can be used are uid, auid, gid and pid.
    exclude  Add a rule to the event type exclusion list. This list filters out messages you do not want to see; for example, to suppress all AVC messages, add a rule for them to this list.
  The available actions are:
    never  Do not produce an audit record.
    always  Allocate an audit context, attach it at system call entry, and write out a record when the system call exits.
-A <list,action>  Insert a rule at the beginning of a list.
-d <list,action>  Delete a rule from a list.
-D  Delete all rules.
-S [syscall name or number|all]  Match a system call by name or number, or all system calls. Several -S options can be given in one rule, which is more efficient than one rule per system call.
-F [n=v | n!=v | n<v | n>v | n<=v | n>=v]  Build a rule field: name, operator, value. Up to 64 fields may be given on one command line, each starting with -F; all fields of a rule are ANDed together to trigger an audit record. The operators =, !=, <, >, <= and >= are available. The fields that can be used are:
    a0, a1, a2, a3  The first four arguments of the system call, as numbers. Strings cannot be used.
    arch  The CPU architecture of the system call. The value can be taken from 'uname -m'. b32 selects the 32-bit system call table and b64 (on 64-bit systems) the 64-bit one; on a 64-bit machine that also supports 32-bit programs you can still match the 32-bit system call table with b32.
    auid  The login user ID (audit UID) of the user who logged in.
    devmajor  Device major number.
    devminor  Device minor number.
    egid  Effective group ID.
    euid  Effective user ID.
    exit  Return value of the system call.
    fsgid  File system group ID.
    fsuid  File system user ID.
    gid  Group ID.
    inode  Inode number.
    key  Set the filter key.
    msgtype  Match the message type code. Usable only in the exclude list.
    obj_user  SELinux user of the resource.
    obj_role  SELinux role of the resource.
    obj_type  SELinux type of the resource.
    obj_lev_low  SELinux low level of the resource.
    obj_lev_high  SELinux high level of the resource.
    path  Full path of the file being monitored. Usable only in the exit list.
    pers  Operating system personality number.
    pid  Process ID.
    ppid  Parent process ID.
    subj_user  SELinux user of the program.
    subj_role  SELinux role of the program.
    subj_type  SELinux type of the program.
    subj_sen  SELinux sensitivity of the program.
    subj_clr  SELinux clearance of the program.
    sgid  Saved group ID.
    success  true/yes if the return value is >= 0, otherwise false/no. When writing rules use 1 for true/yes and 0 for false/no.
    suid  Saved user ID.
    uid  User ID.
-w <path>  Insert a watch on the given path. A watch on the top-level directory is refused by the kernel, and wildcards cannot be used. A watch tracks operations on the inode. If a watch is placed on a directory, the various file events in it are logged, but only as metadata changes, so a small number of events may be missed. If every file in a directory must be monitored, place a watch on each file. Unlike system call rules, watches have little impact on performance.
-W <path>  Remove the watch from the given path.
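The option table above is easier to apply with a linter that checks rule lines before they are loaded. The following is an added example written for this page, not code from the original article or from the audit package: it parses audit.rules lines against the syntax described above (the task/entry/exit/user/exclude lists, the never/always actions, the 31-byte key, the 64-field limit, numeric-only a0..a3, msgtype only in the exclude list, path only in the exit list, and no top-level or wildcard watches). The sample rules file is constructed for the example; nothing here talks to the kernel.

```python
"""Lint auditctl rule lines against the constraints documented above.

Added example (not part of the article or the audit project). It models
the audit 1.x syntax the article describes and never calls auditctl.
"""
import re
import shlex

LISTS = {"task", "entry", "exit", "user", "exclude"}
ACTIONS = {"never", "always"}
# name, operator, value; the two-character operators are listed before
# their one-character prefixes so "uid>=5" is not split as ">" and "=5".
FIELD_RE = re.compile(r"^([a-z_0-9]+)(=|!=|<=|>=|<|>)(.+)$")
FIELDS = {"a0", "a1", "a2", "a3", "arch", "auid", "devmajor", "devminor",
          "egid", "euid", "exit", "fsgid", "fsuid", "gid", "inode", "key",
          "msgtype", "obj_user", "obj_role", "obj_type", "obj_lev_low",
          "obj_lev_high", "path", "pers", "pid", "ppid", "subj_user",
          "subj_role", "subj_type", "subj_sen", "subj_clr", "sgid",
          "success", "suid", "uid"}
MAX_KEY_LEN = 31
MAX_FIELDS = 64
NUMERIC_RE = re.compile(r"-?\d+|0x[0-9a-fA-F]+")


def lint_rule(line):
    """Return the list of problems found in one audit.rules line ([] = OK)."""
    problems = []
    line = line.strip()
    if not line or line.startswith("#"):
        return problems                      # blank line or comment
    try:
        argv = shlex.split(line)
    except ValueError as e:
        return ["unbalanced quoting: %s" % e]
    i, list_name, watch = 0, None, None
    n_fields = n_syscalls = 0
    while i < len(argv):
        opt = argv[i]
        arg = argv[i + 1] if i + 1 < len(argv) else None
        if opt in ("-a", "-A", "-d"):        # list,action selects a rule list
            if arg is None or "," not in arg:
                problems.append("%s needs list,action" % opt)
            else:
                list_name, action = arg.split(",", 1)
                if list_name not in LISTS:
                    problems.append("unknown list %r" % list_name)
                if action not in ACTIONS:
                    problems.append("unknown action %r" % action)
            i += 2
        elif opt == "-S":
            if arg is None:
                problems.append("-S needs a syscall name, number or 'all'")
            n_syscalls += 1
            i += 2
        elif opt == "-F":
            n_fields += 1
            m = FIELD_RE.match(arg or "")
            if not m:
                problems.append("bad field %r" % arg)
            else:
                name, _op, value = m.groups()
                if name not in FIELDS:
                    problems.append("unknown field %r" % name)
                if name == "msgtype" and list_name != "exclude":
                    problems.append("msgtype is only valid in the exclude list")
                if name == "path" and list_name != "exit":
                    problems.append("path is only valid in the exit list")
                if name in ("a0", "a1", "a2", "a3") and not NUMERIC_RE.fullmatch(value):
                    problems.append("%s must be numeric, strings are not allowed" % name)
                if name == "success" and value not in ("0", "1"):
                    problems.append("success takes 1 (yes) or 0 (no)")
            i += 2
        elif opt == "-k":
            if arg is None or not 0 < len(arg.encode()) <= MAX_KEY_LEN:
                problems.append("key must be 1..%d bytes" % MAX_KEY_LEN)
            i += 2
        elif opt in ("-w", "-W"):
            watch = arg
            if arg is None or not arg.startswith("/"):
                problems.append("%s needs an absolute path" % opt)
            elif arg == "/":
                problems.append("watch on the top-level directory is refused by the kernel")
            elif any(c in arg for c in "*?["):
                problems.append("wildcards are not supported in watches")
            i += 2
        elif opt in ("-D", "-l", "-s", "-h", "-i"):
            i += 1                           # flags without an argument
        elif opt in ("-b", "-e", "-f", "-r", "-R", "-m"):
            i += 2                           # options with one argument
        else:
            problems.append("unknown option %r" % opt)
            i += 1
    if n_fields > MAX_FIELDS:
        problems.append("more than %d -F fields" % MAX_FIELDS)
    if (n_fields or n_syscalls) and list_name is None and watch is None:
        problems.append("-S/-F given without -a/-A/-d list,action")
    return problems


def lint_rules(text):
    """Lint a whole rules file; returns {line_number: [problems]} for bad lines."""
    bad = {}
    for n, line in enumerate(text.splitlines(), 1):
        p = lint_rule(line)
        if p:
            bad[n] = p
    return bad


# Constructed sample rules file (not from the article): one valid rule of
# each kind, followed by rules that break the documented constraints.
SAMPLE_RULES = """\
# record uid 500's open() calls (the article's example rule), tagged with a key
-a entry,always -S open -F uid=500 -k maj-open
-a exclude,always -F msgtype=AVC
-w /etc/shadow -k shadow
-a exit,always -S open -F a0=notanumber
-a task,always -F msgtype=AVC
-w /
-w /etc/*.conf
-a exit,always -S open -k aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
"""

if __name__ == "__main__":
    for n, probs in sorted(lint_rules(SAMPLE_RULES).items()):
        print("line %d: %s" % (n, "; ".join(probs)))
```

Run it before `auditctl -R` on a rules file: lines that auditctl would reject (or silently accept with a wrong list, which is the more dangerous case for msgtype and path) are reported with the line number.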
IV. Audit Example

Check whether auditd is running; if it is not, start it manually:

# ps -ef | grep audit
# auditd

Now add an audit rule. First check the audit status:

# auditctl -s
AUDIT_STATUS: enabled=1 flag=1 pid=1585 rate_limit=0 backlog_limit=256 lost=0 backlog=0

View the existing audit rules:

# auditctl -l
No rules

Add an audit rule that records the open system calls of user maj (uid 500):

# auditctl -a entry,always -S open -F uid=500

In another terminal, log in as maj and run an ls command. Then delete the rule:

# auditctl -d entry,always -S open -F uid=500

The audit log (by default /var/log/audit/audit.log) now contains records similar to the following:

type=SYSCALL msg=audit(1192418517.442:12): arch=40000003 syscall=5 success=yes exit=3 a0=3fc3b7 a1=0 a2=ffffffff a3=0 items=1 pid=31832 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="ls" exe="/bin/ls"
type=CWD msg=audit(1192418517.442:12):  cwd="/home/maj"
type=PATH msg=audit(1192418517.442:12):  name="/etc/ld.so.cache" flags=101 inode=4674033 dev=03:05 mode=0100644 ouid=0 ogid=500 rdev=00:00 ...

The three records carry the same msg=audit(timestamp:serial) value and therefore describe one event: /bin/ls running as uid 500 in /home/maj opened /etc/ld.so.cache (arch=40000003 is i386, on which syscall 5 is open) and received file descriptor 3. Note auid=4294967295, which is (unsigned) -1: the login UID was never set for this session, so the record cannot be tied back to the account that logged in. The login UID is set by pam_loginuid at login, so that module should be part of the PAM stack of every login service.
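Reading the log by eye does not scale, so the following added example (written for this page; not code from the article or from the audit package) groups raw records into events by their msg=audit(timestamp:serial) key and decodes the fields a reviewer looks at first. The sample input is the article's three records, copied with the trailing "..." of the PATH record dropped. The arch and syscall tables contain only the values needed to decode them and are this example's assumptions (AUDIT_ARCH_I386 = 0x40000003, syscall 5 = open on i386); a real tool would load the full table for the host architecture.

```python
"""Group audit records into events and decode the article's example.

Added example, not part of the original article or the audit package.
"""
import re
from collections import defaultdict

# Constructed from the article's example log; field values are unchanged.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1192418517.442:12): arch=40000003 syscall=5 success=yes exit=3 a0=3fc3b7 a1=0 a2=ffffffff a3=0 items=1 pid=31832 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="ls" exe="/bin/ls"
type=CWD msg=audit(1192418517.442:12):  cwd="/home/maj"
type=PATH msg=audit(1192418517.442:12):  name="/etc/ld.so.cache" flags=101 inode=4674033 dev=03:05 mode=0100644 ouid=0 ogid=500 rdev=00:00
"""

MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\):")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# AUDIT_ARCH_I386 = EM_386 (3) | __AUDIT_ARCH_LE (0x40000000); arch is logged in hex.
AUDIT_ARCH_I386 = 0x40000003
ARCH_NAMES = {AUDIT_ARCH_I386: "i386", 0xC000003E: "x86_64"}
# Assumption of this example: only the syscall needed to decode the sample.
I386_SYSCALLS = {5: "open"}
UNSET_AUID = 4294967295  # (unsigned)-1: login UID never set for the session


def parse_record(line):
    """Parse one audit record line into a dict of its key=value fields."""
    m = MSG_RE.search(line)
    if not m:
        raise ValueError("not an audit record: %r" % line)
    rec = {"_ts": m.group(1), "_serial": int(m.group(2))}
    for key, val in KV_RE.findall(line):
        if key != "msg":                     # already decoded into _ts/_serial
            rec[key] = val.strip('"')
    return rec


def parse_events(text):
    """Group records by (timestamp, serial); each value is one event's records."""
    events = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            rec = parse_record(line)
            events[(rec["_ts"], rec["_serial"])].append(rec)
    return dict(events)


def summarize(event):
    """Decode one event: which program, as whom, called what on which paths."""
    by_type = {r["type"]: r for r in event}
    sc = by_type["SYSCALL"]
    arch = int(sc["arch"], 16)
    nr = int(sc["syscall"])
    if arch == AUDIT_ARCH_I386:
        name = I386_SYSCALLS.get(nr, "syscall-%d" % nr)
    else:
        name = "syscall-%d" % nr             # no table loaded for other arches
    auid = int(sc["auid"])
    return {
        "serial": sc["_serial"],
        "arch": ARCH_NAMES.get(arch, hex(arch)),
        "syscall": name,
        "success": sc["success"] == "yes",
        "exit": int(sc["exit"]),
        "uid": int(sc["uid"]),
        "auid": None if auid == UNSET_AUID else auid,
        "comm": sc["comm"],
        "exe": sc["exe"],
        "cwd": by_type.get("CWD", {}).get("cwd"),
        "paths": [r["name"] for r in event if r["type"] == "PATH"],
    }


def unattributed_events(events):
    """Serials of events whose login UID is unset (cannot be tied to an account)."""
    return [s["serial"] for s in map(summarize, events.values()) if s["auid"] is None]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for key, recs in evs.items():
        print(key, summarize(recs))
    print("unattributed:", unattributed_events(evs))
```

The `unattributed_events` check is the practical payoff: an audit trail in which every record has auid=4294967295 means the login UID is not being set, and the rule `-F uid=500` from the example will also miss anything the user does after `su` or `sudo` to another UID, whereas a rule on `auid` would follow the session.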

