Linux Audit Audit (5)--audit rule configuration

Audit can configure rules, this rule is mainly issued to the kernel module, the kernel Audit module will follow this rule to obtain audit information, sent to AUDITD to record logs.

The rule types can be divided into:

1, control rules : Control the audit system rules;

2, File system rules : can also be considered as file monitoring, you can monitor a specific file or a path.

3. System call Rule : You can log system calls for a specific program.

Audit rules can be entered in the command line via AUDITCTL, the rules for these settings are temporary and do not exist when the system restarts. You can configure the/etc/audit/audit.rules file to load rules from this file every time the audit service starts.

auditctl, this command configures audit rules, audit according to these rules to determine which events are logged. The auditctl program was used to control the behavior, get status, and add or delete rules into the 2.6 kernel ' s a Udit System.

Control rules:

-B Sets the maximum value of audit buffer space in the kernel.

-F This option determines how the kernel handles critical erros:0=silent 1=PRINTK 2=panic. The default value is 1.

-e set Enable flag, set to 0, to turn off the audit, set to 1, then turn on audit; When set to 2 o'clock, it is usually set to last after setting up other rules, prevent others from modifying the rules, any behavior that modifies the rule is rejected, and the audit log is logged only when the system is restarted. The Enable flag can only be modified.

-S query audit kernel state. Such as:

Linux-xdyuna:/var/log/audit # Auditctl-1127106  0  81921069785880

-l lists all currently configured rules.

-D deletes all currently loaded rules.

Define file System rules:

Auditctl-w path_to_file-p permissions-k key_name

Path_to_file is the document or path to be audited;

Permissions is the permission to log: read-write execution of therwx file or path, anda modify the properties of the file or path.

file or a directory. W Write file   fileinfile's or directory's Attribute.

Key_name is an optional string that clarifies which rules are generated by these logs. Can be used when filtering.

Examples are as follows:

Define the rules, record all writes to the/etc/passwd file, and attribute modifications, and you can enter the following command:

~]# Auditctl-w /etc/passwd -P wa-k passwd_changes

Log all writes to the/etc/selinux/directory and property modifications, and you can enter the following command:

~]# Auditctl-w /etc/selinux/-P wa-k selinux_changes

Record all executed/sbin/insmod commands, insert the module into the kernel behavior, enter the following command:

~]# Auditctl-w /sbin/insmod -P x-k module_insertion

To define a system call rule:

Auditctl-a action,filter-s system_call-f field=value-k key_name

Action and filter specify that an event is logged. Action can explicitly match the filter for always or never,filter, filter can be: Task,exit,user,exclude.

System_call explicitly the name of the system call, several system calls can be written in a rule, such as-s xxx-s xxx. The name of the system call can be found in the/usr/include/asm/unistd_64.h file.

Field=value as an additional option, modify the rules to match events of a particular schema, groupid,processid, and so on. What are the specific fields, you can refer to man Linux Https://linux.die.net/man/8/auditctl

For example:

Define a rule that, when you use the system to call Adjtimex or Settimeofday, and record the audit log for a 64-bit schema, the command can be entered as follows:

~]# auditctl-a always,exit-f arch=b64-s adjtimex-s settimeofday-k time_change

A file is deleted by the user ID of 1000 or greater, or renamed, logged audit, the command is as follows:

unlink -S unlinkat-s rename-s renameat-f auid>= $-F auid!=4294967295 -k Delete

Note that the-F auid!=4294967295 This is to exclude users who are not set by the login UID.

You can also define file system rules through system call rules, such as the following system call rules, equivalent to the file system rules of-w/etc/shadow-p WA:

~]# auditctl-a always,exit-f path=/etc/shadow-f Perm=wa

Linux Audit Audit (5)--audit rule configuration