Auditd-Linux server security audit tool

Source: Internet
Author: User


This article introduces the auditd audit tool. Security is the first consideration for a server: to keep others from stealing our data we need to keep an eye on it, and auditing is one part of that protection.

Linux ships an audit tool named auditd, which is installed by default on most Linux systems. So what is auditd, and how is it used? The rest of this article explains.

What is auditd?

Auditd (the audit daemon) is the user-space component of the Linux audit system; it writes the audit records to disk.

Install auditd

On Ubuntu, auditd can be installed with the wajig tool or with apt-get.

After installation, the following auditd tools and files are available:

  • auditctl: a tool for controlling the audit daemon on the fly, for example to add rules.
  • /etc/audit.rules: the file that records the audit rules.
  • aureport: a tool for viewing and generating audit reports.
  • ausearch: a tool for searching audit events.
  • audispd: forwards event notifications to other applications instead of writing them to the audit log files.
  • autrace: a command used to trace a process.
  • /etc/audit/auditd.conf: the configuration file of the auditd tool.

After you install auditd for the first time, the audit rules are empty.

You can view the current rules with the following command:

    $ sudo auditctl -l

The following describes how to add audit rules to auditd.

How to use auditd

Audit file and directory access

A basic use of an audit tool is monitoring changes to files and directories. This is configured with the auditctl commands below (note: they require root privileges).

File audit

    $ sudo auditctl -w /etc/passwd -p rwxa

Options:

  • -w path: specifies the path to watch. The command above watches the file /etc/passwd.
  • -p: specifies which kinds of access to the file or directory trigger an audit record.
  • rwxa: the trigger conditions: r for read, w for write, x for execute, a for attribute (attr) change.

Directory audit

A similar command audits a directory:

    $ sudo auditctl -w /production/

The command above records all access to the /production directory.

Now run auditctl -l again to view all configured rules.

The following describes audit logs.

View audit logs

After adding rules, we can view the auditd log with the ausearch tool.

We added a rule watching the /etc/passwd file; the following ausearch command shows its audit records:

    $ sudo ausearch -f /etc/passwd

  • -f: tells ausearch to return the audit records for the file /etc/passwd.

The output is as follows:

time->Mon Dec 22 09:39:16 2014
type=PATH msg=audit(1419215956.471:194): item=0 name="/etc/passwd" inode=142512 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=CWD msg=audit(1419215956.471:194): cwd="/home/pungki"
type=SYSCALL msg=audit(1419215956.471:194): arch=40000003 syscall=5 success=yes exit=3 a0=b779694b a1=80000 a2=1b6 a3=b8776aa8 items=1 ppid=2090 pid=2231 auid=4294967295 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=4294967295 comm="sudo" exe="/usr/bin/sudo" key=(null)

The fields of the output are explained below.

  • time: the time of the audited event.
  • name: the audited object.
  • cwd: the current working directory.
  • syscall: the related system call.
  • auid: the audit user ID.
  • uid and gid: the user ID and group ID under which the file was accessed.
  • comm: the command used to access the file.
  • exe: the path of the executable for that command.

The above audit log shows that the file has not been changed.

Here we will add a user to see how auditd records changes to the file/etc/passwd.

time->Mon Dec 22 11:25:23 2014
type=PATH msg=audit(1419222323.628:510): item=1 name="/etc/passwd.lock" inode=143992 dev=08:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 nametype=DELETE
type=PATH msg=audit(1419222323.628:510): item=0 name="/etc/" inode=131073 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=CWD msg=audit(1419222323.628:510): cwd="/root"
type=SYSCALL msg=audit(1419222323.628:510): arch=40000003 syscall=10 success=yes exit=0 a0=bfc0ceec a1=0 a2=bfc0ceec a3=897764c items=2 ppid=2978 pid=2994 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm="chfn" exe="/usr/bin/chfn" key=(null)

We can see that at the recorded time /etc/passwd was modified from the /root working directory by the root user (uid=0, gid=0), and that the file was accessed through /usr/bin/chfn.

Type man chfn to view more information about chfn.

Next we will look at another example.

We configured auditd to watch the directory /production. It is a new directory, so when we use ausearch to view its records, nothing is found.

Next, list the files under /production with the ls command as root. Running ausearch again now shows records:

time->Mon Dec 22 14:18:28 2014
type=PATH msg=audit(1419232708.344:527): item=0 name="/production/" inode=797104 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=CWD msg=audit(1419232708.344:527): cwd="/root"
type=SYSCALL msg=audit(1419232708.344:527): arch=40000003 syscall=295 success=yes exit=3 a0=ffffff9c a1=95761e8 a2=98800 a3=0 items=1 ppid=3033 pid=3444 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm="ls" exe="/bin/ls" key=(null)

As before, we can conclude that the root account used the ls command to access the /production/ directory, and that the ls executable is /bin/ls.
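As an added example (not part of the original article), the following POSIX shell script turns raw records like the three events above into one summary line per event, which is what you want when scanning a day of ausearch output rather than reading every field. It assumes only sh, awk and sed; the sample records are the article's own output, embedded here as constructed input. An event is the set of records sharing one audit(timestamp:serial) id: the SYSCALL record carries the process fields, and the PATH record whose nametype is not PARENT names the object itself. The syscall numbers are mapped for arch=40000003 (i386): 5 is open, 10 is unlink, 295 is openat.

```shell
#!/bin/sh
# Added example: summarize raw auditd/ausearch records, one line per event.
# Assumes POSIX sh, awk and sed. The sample below is constructed from the
# article's own output (an i386 host, arch=40000003).

# Constructed sample: the three events from the article, as ausearch prints them.
SAMPLE_RECORDS='time->Mon Dec 22 09:39:16 2014
type=PATH msg=audit(1419215956.471:194): item=0 name="/etc/passwd" inode=142512 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=CWD msg=audit(1419215956.471:194): cwd="/home/pungki"
type=SYSCALL msg=audit(1419215956.471:194): arch=40000003 syscall=5 success=yes exit=3 a0=b779694b a1=80000 a2=1b6 a3=b8776aa8 items=1 ppid=2090 pid=2231 auid=4294967295 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=4294967295 comm="sudo" exe="/usr/bin/sudo" key=(null)
----
time->Mon Dec 22 11:25:23 2014
type=PATH msg=audit(1419222323.628:510): item=1 name="/etc/passwd.lock" inode=143992 dev=08:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 nametype=DELETE
type=PATH msg=audit(1419222323.628:510): item=0 name="/etc/" inode=131073 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=CWD msg=audit(1419222323.628:510): cwd="/root"
type=SYSCALL msg=audit(1419222323.628:510): arch=40000003 syscall=10 success=yes exit=0 a0=bfc0ceec a1=0 a2=bfc0ceec a3=897764c items=2 ppid=2978 pid=2994 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm="chfn" exe="/usr/bin/chfn" key=(null)
----
time->Mon Dec 22 14:18:28 2014
type=PATH msg=audit(1419232708.344:527): item=0 name="/production/" inode=797104 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=CWD msg=audit(1419232708.344:527): cwd="/root"
type=SYSCALL msg=audit(1419232708.344:527): arch=40000003 syscall=295 success=yes exit=3 a0=ffffff9c a1=95761e8 a2=98800 a3=0 items=1 ppid=3033 pid=3444 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm="ls" exe="/bin/ls" key=(null)'

# audit_summarize: read records on stdin, print "serial ts uid=N comm(exe) syscall object success=..."
# for each event, in first-seen order.
audit_summarize() {
    awk '
    # field(rec, key): value of " key=value" in rec, quotes stripped, "" if absent.
    # The leading [ :] keeps "uid=" from matching inside "auid=" or "euid=".
    function field(rec, key,    m) {
        if (match(rec, "[ :]" key "=\"?[^\" ]*\"?")) {
            m = substr(rec, RSTART, RLENGTH)
            sub("^[ :]" key "=\"?", "", m)
            sub("\"$", "", m)
            return m
        }
        return ""
    }
    BEGIN {
        # i386 (arch=40000003) syscall numbers seen in the article; anything
        # else is printed as syscall_N.
        name[5] = "open"; name[10] = "unlink"; name[295] = "openat"
    }
    # ausearch also prints "time->..." and "----" lines; only type= records carry fields.
    $1 !~ /^type=/ { next }
    {
        id = $2                                   # msg=audit(ts:serial):
        sub(/^msg=audit\(/, "", id); sub(/\):$/, "", id)
        split(id, parts, ":"); serial = parts[2]
        if (!(serial in ts)) { ts[serial] = parts[1]; idx[++n] = serial }
        if ($1 == "type=SYSCALL") {
            sc = field($0, "syscall")
            sys[serial]  = (sc in name) ? name[sc] : "syscall_" sc
            uid[serial]  = field($0, "uid")
            comm[serial] = field($0, "comm")
            exe[serial]  = field($0, "exe")
            ok[serial]   = field($0, "success")
        } else if ($1 == "type=PATH" && field($0, "nametype") != "PARENT") {
            path[serial] = field($0, "name")      # the object itself, not its parent dir
        }
    }
    END {
        for (i = 1; i <= n; i++) {
            s = idx[i]
            printf "%s %s uid=%s %s(%s) %s %s success=%s\n",
                   s, ts[s], uid[s], comm[s], exe[s], sys[s], path[s], ok[s]
        }
    }'
}

# Stand-alone run: summarize the constructed sample.
printf '%s\n' "$SAMPLE_RECORDS" | audit_summarize
```

Run as-is it prints three lines, one per event. Two things the summaries make visible that the raw records bury: the second event is the unlink of the lock file /etc/passwd.lock by chfn (nametype=DELETE, syscall 10 on i386), not a write to /etc/passwd itself; and auid=4294967295 is the unsigned form of -1, meaning the login user ID was never set for that session, so none of these records can be tied back to the human who logged in. The audit user ID is set by pam_loginuid at login time (sshd, login, cron), which is why that module belongs in those PAM stacks on any host where the audit trail matters.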

View audit report

Once an audit rule is defined, it runs automatically. After a while we can see how auditd has helped us track activity.

Auditd provides another tool, aureport. As the name suggests, aureport uses the system audit logs to generate a brief report.

We configured auditd to trace the /etc/passwd file. Once auditd's parameters are set, the audit.log file is created.

We can use the aureport tool to generate audit reports. Without parameters it generates an overview of the audit activity:

    $ sudo aureport

The report contains summary information on the most important areas.

It shows three failed authorizations. With aureport we can examine this in more depth.

Run the following command to view the details of the failed authorizations:

    $ sudo aureport -au

It shows that two users failed authorization at specific times.

To view all account-modification events, use the -m parameter:

    $ sudo aureport -m

Auditd configuration file

We have added the following rules:

  • $ sudo auditctl -w /etc/passwd -p rwxa
  • $ sudo auditctl -w /production/

Once you are sure these rules work as intended, add them to /etc/audit.rules so that they remain in effect permanently.

Finally, don't forget to restart the auditd daemon:

    # /etc/init.d/auditd restart

or

    # service auditd restart
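The following script, added here as an example rather than the article's own commands, writes the article's two watches to a rules file and lints that file before it is loaded. Each rule gets a -k key so that ausearch -k and aureport -k can pull out exactly those events later, and the file opens with -D and -b and closes with -e 1, which are the usual framing lines of an auditd rules file. It assumes POSIX sh and takes the target path as its argument; the demo at the bottom writes to a scratch file from mktemp. On a host you would write to the rules file the article names (or a file under /etc/audit/rules.d/ on distributions that use augenrules) and load it with auditctl -R.

```shell
#!/bin/sh
# Added example (not the article's own commands): write the article's two
# watches to a rules file, one key per rule, and lint the file before loading.
# Assumed: POSIX sh; the target path is the first argument (a scratch file
# in the demo), never a path guessed here.

# write_audit_rules FILE -> writes a complete auditd rules file to FILE
write_audit_rules() {
    cat > "$1" <<'EOF'
# Delete every existing rule first, then raise the kernel backlog so bursts
# of events are not dropped while auditd is busy.
-D
-b 8192
# The article's two watches. -p rwxa is explicit rather than relying on the
# default, and each rule carries a -k key so that "ausearch -k passwd_changes"
# or "aureport -k" can pull out exactly these events.
-w /etc/passwd -p rwxa -k passwd_changes
-w /production/ -p rwxa -k production_access
# Enable auditing. "-e 2" would additionally lock the rules until reboot.
-e 1
EOF
}

# check_audit_rules FILE -> 0 if every non-comment line is a rule of a form
# this script knows (-w, -a, -D, -b, -e) with a sane -p value, else 1 with
# the offending lines on stdout. It is a lint, not a replacement for
# "auditctl -R FILE", which is what actually loads and validates the rules.
check_audit_rules() {
    status=0
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;
            -w\ *|-a\ *|-D|-b\ *|-e\ *) ;;
            *) printf 'unrecognized rule: %s\n' "$line"; status=1; continue ;;
        esac
        # A -p value, if present, may only be one to four of the letters r, w, x, a.
        perm=$(printf '%s\n' "$line" | sed -n 's/.*-p \([^ ]*\).*/\1/p')
        case "$perm" in
            ''|[rwxa]|[rwxa][rwxa]|[rwxa][rwxa][rwxa]|[rwxa][rwxa][rwxa][rwxa]) ;;
            *) printf 'bad -p value in: %s\n' "$line"; status=1 ;;
        esac
    done < "$1"
    return $status
}

# Stand-alone demo: write to a scratch file, lint it, print it, clean up.
# On a host you would write to the real rules file and then run: auditctl -R FILE
demo_file=$(mktemp)
write_audit_rules "$demo_file"
check_audit_rules "$demo_file" && echo "rules file OK"
cat "$demo_file"
rm -f "$demo_file"
```

The lint only catches the mistakes that are cheap to catch before touching the kernel (an unknown rule form, a stray letter in -p); auditctl -R remains the authority, and after loading, auditctl -l should show both watches with their keys.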

Summary

Auditd is the audit tool of Linux. Read the auditd documentation to learn more about auditd and its tools: for example, enter man auditd for a detailed description of auditd, or man ausearch for a detailed description of the ausearch tool.

Be careful when creating rules: too many rules will greatly inflate the log files!
