Audit does not provide additional security to your system; rather, it can be used to discover violations of the security policies used on your system. These violations can further be prevented by additional security measures such as SELinux.

14.1. Linux Audit

The Linux Audit system provides a way to track security-relevant information on your system. Based on pre-configured rules, Audit generates log entries to record as much information about the events that are happening on your system as possible. This information is crucial for mission-critical environments to determine the violator of the security policy and the actions they performed. The following list summarizes some of the information that Audit is capable of recording in its log files:
The use of the Audit system is also a requirement for a number of security-related certifications. Audit is designed to meet or exceed the requirements of the following certifications or compliance guides:
Audit has also been:
Use cases

Watching file access
Audit can track whether a file or a directory has been accessed, modified, executed, or the file's attributes have been changed. This is useful, for example, to detect access to important files and have an Audit trail available in case one of these files is corrupted.

Monitoring system calls
Audit can be configured to generate a log entry every time a particular system call is used. This can be used, for example, to track changes to the system time by monitoring the settimeofday, clock_adjtime, and other time-related system calls.

Recording commands run by a user
Audit can track whether a file has been executed, so rules can be defined to record every execution of a particular command. For example, a rule can be defined for every executable in the /bin directory. The resulting log entries can then be searched by user ID to generate an audit trail of executed commands per user.

Recording execution of system pathnames
Aside from watching file access, which translates a path to an inode at rule invocation, Audit can now watch the execution of a path even if it does not exist at rule invocation, or if the file is replaced after rule invocation. This allows rules to continue to work after upgrading a program executable or before it is even installed.

Recording security events
The pam_faillock authentication module is capable of recording failed login attempts. Audit can be set up to record failed login attempts as well and provides additional information about the user who attempted to log in.

Searching for events
Audit provides the ausearch utility, which can be used to filter the log entries and provide a complete audit trail based on several conditions.

Running summary reports
The aureport utility can be used to generate, among other things, daily reports of recorded events. A system administrator can then analyze these reports and investigate suspicious activity further.
Monitoring network access
The nftables, iptables, and ebtables utilities can be configured to trigger Audit events, allowing system administrators to monitor network access.

System performance may be affected depending on the amount of information that is collected by Audit.

14.2. Audit system architecture

The Audit system consists of two main parts: the user-space applications and utilities, and the kernel-side system call processing. The kernel component receives system calls from user-space applications and filters them through one of the following filters: user, task, fstype, or exit. Once a system call passes the exclude filter, it is sent through one of the aforementioned filters, which, based on the Audit rule configuration, sends it to the Audit daemon for further processing. The user-space Audit daemon collects the information from the kernel and creates entries in a log file. Other Audit user-space utilities interact with the Audit daemon, the kernel Audit component, or the Audit log files:
In RHEL 8, the Audit dispatcher daemon (audisp) functionality is integrated in the Audit daemon (auditd). Configuration files of plugins for the interaction of real-time analytical programs with Audit events are located in the /etc/audit/plugins.d/ directory by default.

14.3. Configuring auditd for a secure environment

The default auditd configuration should be suitable for most environments. However, if your environment has to meet strict security policies, the following settings are suggested for the Audit daemon configuration in the /etc/audit/auditd.conf file:

log_file
The directory that holds the Audit log files (usually /var/log/audit/) should reside on a separate mount point. This prevents other processes from consuming space in this directory and provides accurate detection of the remaining space for the Audit daemon.

max_log_file
Specifies the maximum size of a single Audit log file; must be set to make full use of the available space on the partition that holds the Audit log files.

max_log_file_action
Decides what action is taken once the limit set in max_log_file is reached; should be set to keep_logs to prevent Audit log files from being overwritten.

space_left
Specifies the amount of free space left on the disk for which an action that is set in the space_left_action parameter is triggered. Must be set to a number that gives the administrator enough time to respond and free up disk space. The space_left value depends on the rate at which the Audit log files are generated.

space_left_action
It is recommended to set the space_left_action parameter to email or exec with an appropriate notification method.

admin_space_left
Specifies the absolute minimum amount of free space for which an action that is set in the admin_space_left_action parameter is triggered; must be set to a value that leaves enough space to log actions performed by the administrator.
admin_space_left_action
Should be set to single to put the system into single-user mode and allow the administrator to free up some disk space.

disk_full_action
Specifies an action that is triggered when no free space is available on the partition that holds the Audit log files; must be set to halt or single. This ensures that the system is either shut down or operating in single-user mode when Audit can no longer log events.

disk_error_action
Specifies an action that is triggered in case an error is detected on the partition that holds the Audit log files; must be set to syslog, single, or halt, depending on your local security policies regarding the handling of hardware malfunctions.

flush
Should be set to incremental_async. It works in combination with the freq parameter, which determines how many records can be sent to the disk before forcing a hard synchronization with the hard drive. The freq parameter should be set to 100. These parameters assure that Audit event data is synchronized with the log files on the disk while keeping good performance for bursts of activity.

The remaining configuration options should be set according to your local security policy.

14.4. Starting and controlling auditd

After auditd is configured, start the service to collect Audit information and store it in the log files. Use the following command as the root user to start auditd:

# service auditd start

To configure auditd to start at boot time:

# systemctl enable auditd

You can temporarily disable auditd with the # auditctl -e 0 command and re-enable it with # auditctl -e 1. A number of other actions can be performed on auditd using the service auditd action command, where action can be one of the following:

stop
Stops auditd.

restart
Restarts auditd.

reload or force-reload
Reloads the configuration of auditd from the /etc/audit/auditd.conf file.

rotate
Rotates the log files in the /var/log/audit/ directory.
resume
Resumes logging of Audit events after it has been previously suspended, for example, when there is not enough free space on the disk partition that holds the Audit log files.

condrestart or try-restart
Restarts auditd only if it is already running.

status
Displays the running status of auditd.

The service command is the only way to correctly interact with the auditd daemon. You need to use the service command so that the auid value is properly recorded. You can use the systemctl command only for two actions: enable and status.

14.5. Understanding Audit log files

By default, the Audit system stores log entries in the /var/log/audit/audit.log file; if log rotation is enabled, rotated audit.log files are stored in the same directory. Add the following Audit rule to log every attempt to read or modify the /etc/ssh/sshd_config file:

# auditctl -w /etc/ssh/sshd_config -p warx -k sshd_config

If the auditd daemon is running, then running the following command, for example, creates a new event in the Audit log file:

$ cat /etc/ssh/sshd_config

This event in the audit.log file looks as follows:

type=SYSCALL msg=audit(1364481363.243:24287): arch=c000003e syscall=2 success=no exit=-13 a0=7fffd19c5592 a1=0 a2=7fffd19c4b50 a3=a items=1 ppid=2686 pid=3538 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1 comm="cat" exe="/bin/cat" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="sshd_config"
type=CWD msg=audit(1364481363.243:24287): cwd="/home/shadowman"
type=PATH msg=audit(1364481363.243:24287): item=0 name="/etc/ssh/sshd_config" inode=409248 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1364481363.243:24287) : proctitle=636174002F6574632F7373682F737368645F636F6E666967

The above event consists of four records, which share the same time stamp and serial number.
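The following is an added example, not code from the Red Hat documentation or the audit package. It parses the event above programmatically the way a log-analysis tool would: each record is split into name=value pairs, the four records are grouped by their shared time stamp and serial number, the negative exit value is mapped to its errno name, the CWD record is used to make a relative PATH absolute, and the hex-encoded proctitle is decoded. The sample event is embedded as constructed input so the script runs without auditd.

```python
import errno
import re
from collections import defaultdict

# Constructed input: the four-record event shown above, one record per line.
SAMPLE_EVENT = """\
type=SYSCALL msg=audit(1364481363.243:24287): arch=c000003e syscall=2 success=no exit=-13 a0=7fffd19c5592 a1=0 a2=7fffd19c4b50 a3=a items=1 ppid=2686 pid=3538 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1 comm="cat" exe="/bin/cat" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="sshd_config"
type=CWD msg=audit(1364481363.243:24287): cwd="/home/shadowman"
type=PATH msg=audit(1364481363.243:24287): item=0 name="/etc/ssh/sshd_config" inode=409248 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1364481363.243:24287) : proctitle=636174002F6574632F7373682F737368645F636F6E666967
"""

MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")  # time stamp and serial number
PAIR_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')           # name=value; value may be quoted

def parse_record(line):
    """Split one record into a dict; _time and _serial come from the msg field."""
    m = MSG_RE.search(line)
    if not m:
        raise ValueError("not an audit record: %r" % line)
    fields = {"_time": float(m.group(1)), "_serial": int(m.group(2))}
    rest = line[:m.start()] + line[m.end():]  # drop msg=audit(...) before splitting pairs
    for name, value in PAIR_RE.findall(rest):
        fields[name] = value.strip('"')
    return fields

def decode_proctitle(hexstr):
    """proctitle is hex-encoded argv with NUL separators; rebuild the command line."""
    parts = bytes.fromhex(hexstr).split(b"\0")
    return " ".join(p.decode("utf-8", "replace") for p in parts if p)

def interpret_event(records):
    """Summarise one event as ausearch -i would: errno name, absolute paths, command line."""
    by_type = {r["type"]: r for r in records}
    sc = by_type["SYSCALL"]
    cwd = by_type.get("CWD", {}).get("cwd")
    code = int(sc["exit"])
    paths = []
    for r in records:
        if r["type"] == "PATH":
            name = r["name"]
            if not name.startswith("/") and cwd:  # the CWD record makes a relative path absolute
                name = cwd.rstrip("/") + "/" + name
            paths.append((int(r["item"]), name, r.get("inode")))
    title = by_type.get("PROCTITLE")
    return {
        "serial": sc["_serial"],
        "key": sc.get("key"),
        "auid": int(sc["auid"]),
        "success": sc["success"] == "yes",
        # a negative exit value is -errno: -13 is EACCES, "Permission denied"
        "exit": errno.errorcode.get(-code, str(code)) if code < 0 else code,
        "paths": sorted(paths),
        "cmdline": decode_proctitle(title["proctitle"]) if title else None,
    }

def summarize(text):
    """Group records by (time stamp, serial number) and interpret each event, oldest first."""
    events = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            rec = parse_record(line)
            events[(rec["_time"], rec["_serial"])].append(rec)
    return [interpret_event(recs) for _, recs in sorted(events.items())]
```

For the sample event, summarize() reports exit EACCES, key sshd_config, the path /etc/ssh/sshd_config with inode 409248, and the decoded command line cat /etc/ssh/sshd_config.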
Records always start with the type= keyword. Each record consists of several name=value pairs separated by a white space or a comma. A detailed analysis of the above event follows:

First record

type=SYSCALL
The type field contains the type of the record. In this example, the SYSCALL value specifies that this record was triggered by a system call to the kernel.

msg=audit(1364481363.243:24287):
The msg field records:
exit=-13
The exit field contains a value that specifies the exit code returned by the system call. This value varies for different system calls. You can interpret the value to its human-readable equivalent with the following command:

# ausearch --interpret --exit -13

Note that the previous example assumes that your Audit log contains an event that failed with exit code -13.

a0=7fffd19c5592, a1=0, a2=7fffd19c4b50, a3=a
The a0 to a3 fields record the first four arguments, encoded in hexadecimal notation, of the system call in this event. These arguments depend on the system call that is used; they can be interpreted by the ausearch utility.

items=1
The items field contains the number of PATH auxiliary records that follow the syscall record.

ppid=2686
The ppid field records the Parent Process ID (PPID). In this case, 2686 was the PPID of the parent process, such as bash.

pid=3538
The pid field records the Process ID (PID). In this case, 3538 was the PID of the cat process.

auid=1000
The auid field records the Audit user ID, that is, the loginuid. This ID is assigned to a user upon login and is inherited by every process even when the user's identity changes, for example, by switching user accounts with the su - john command.

uid=1000
The uid field records the user ID of the user who started the analyzed process. The user ID can be interpreted into user names with the following command: ausearch -i --uid UID.

gid=1000
The gid field records the group ID of the user who started the analyzed process.

euid=1000
The euid field records the effective user ID of the user who started the analyzed process.

suid=1000
The suid field records the set user ID of the user who started the analyzed process.

fsuid=1000
The fsuid field records the file system user ID of the user who started the analyzed process.

egid=1000
The egid field records the effective group ID of the user who started the analyzed process.
sgid=1000
The sgid field records the set group ID of the user who started the analyzed process.

fsgid=1000
The fsgid field records the file system group ID of the user who started the analyzed process.

tty=pts0
The tty field records the terminal from which the analyzed process was invoked.

ses=1
The ses field records the session ID of the session from which the analyzed process was invoked.

comm="cat"
The comm field records the command-line name of the command that was used to invoke the analyzed process. In this case, the cat command was used to trigger this Audit event.

exe="/bin/cat"
The exe field records the path to the executable that was used to invoke the analyzed process.

subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
The subj field records the SELinux context with which the analyzed process was labeled at the time of execution.

key="sshd_config"
The key field records the administrator-defined string associated with the rule that generated this event in the Audit log.

Second record

type=CWD
In the second record, the type field value is CWD (current working directory). This type is used to record the working directory from which the process that invoked the system call specified in the first record was executed. The purpose of this record is to record the current process's location in case a relative path winds up being captured in the associated PATH record. This way the absolute path can be reconstructed.

msg=audit(1364481363.243:24287)
The msg field holds the same time stamp and ID value as the value in the first record. The time stamp uses the Unix time format: seconds since 00:00:00 UTC on 1 January 1970.

cwd="/home/user_name"
The cwd field contains the path to the directory in which the system call was invoked.

Third record

type=PATH
In the third record, the type field value is PATH. An Audit event contains a PATH-type record for every path that is passed to the system call as an argument.
In this Audit event, only one path (/etc/ssh/sshd_config) was used as an argument.

msg=audit(1364481363.243:24287):
The msg field holds the same time stamp and ID value as the value in the first and second records.

item=0
The item field indicates which item, of the total number of items referenced in the SYSCALL type record, the current record is. This number is zero-based; a value of 0 means it is the first item.

name="/etc/ssh/sshd_config"
The name field records the path of the file or directory that was passed to the system call as an argument. In this case, it was the /etc/ssh/sshd_config file.

inode=409248
The inode field contains the inode number associated with the file or directory recorded in this event. The following command displays the file or directory that is associated with the 409248 inode number:

# find / -inum 409248 -print

Fourth record

type=PROCTITLE
The type field contains the type of the record. In this example, the PROCTITLE value specifies that this record gives the full command line that triggered this Audit event, triggered by a system call to the kernel.

proctitle=636174002F6574632F7373682F737368645F636F6E666967
The proctitle field records the full command line of the command that was used to invoke the analyzed process. The field is encoded in hexadecimal notation so that the user cannot influence the Audit log parser. The text decodes to the command that triggered this Audit event. When searching Audit records with the ausearch command, use the -i or --interpret option to automatically convert hexadecimal values into their human-readable equivalents. The 636174002F6574632F7373682F737368645F636F6E666967 value is interpreted as cat /etc/ssh/sshd_config.

14.6. Using auditctl for defining and executing Audit rules

The Audit system operates on a set of rules that define what is captured in the log files. Audit rules can be set either on the command line using the auditctl utility or in the /etc/audit/rules.d/ directory.
The auditctl command enables you to control the basic functionality of the Audit system and to define rules that decide which Audit events are logged.

File-system rules examples
System-call rules examples
Executable-file rules

To define a rule that logs all execution of the /bin/id program, execute the following command:

# auditctl -a always,exit -F exe=/bin/id -F arch=b64 -S execve -k execution_bin_id

Additional resources
14.7. Defining persistent Audit rules

To define Audit rules that are persistent across reboots, you must either directly include them in the /etc/audit/rules.d/audit.rules file or use the augenrules program that reads rules located in the /etc/audit/rules.d/ directory. Note that the /etc/audit/audit.rules file is generated whenever the auditd service starts. Files in /etc/audit/rules.d/ use the same auditctl command-line syntax to specify the rules. Empty lines and text following a hash sign (#) are ignored. Furthermore, you can use the auditctl command to read rules from a specified file using the -R option, for example:

# auditctl -R /usr/share/audit/sample-rules/30-stig.rules

14.8. Using pre-configured rules files

In the /usr/share/audit/sample-rules directory, the audit package provides a set of pre-configured rules files according to various certification standards:

30-nispom.rules
Audit rule configuration that meets the requirements specified in the Information System Security chapter of the National Industrial Security Program Operating Manual.

30-ospp-v42*.rules
Audit rule configuration that meets the requirements defined in the OSPP (Protection Profile for General Purpose Operating Systems) profile version 4.2.

30-pci-dss-v31.rules
Audit rule configuration that meets the requirements set by the Payment Card Industry Data Security Standard (PCI DSS) v3.1.

30-stig.rules
Audit rule configuration that meets the requirements set by Security Technical Implementation Guides (STIG).

To use these configuration files, copy them to the /etc/audit/rules.d/ directory and use the augenrules --load command, for example:

# cd /usr/share/audit/sample-rules/
# cp 10-base-config.rules 30-stig.rules 31-privileged.rules 99-finalize.rules /etc/audit/rules.d/
# augenrules --load

You can order Audit rules using a numbering scheme. See the /usr/share/audit/sample-rules/README-rules file for more information.

Additional resources
14.9. Using augenrules to define persistent rules

The augenrules script reads rules located in the /etc/audit/rules.d/ directory and compiles them into an audit.rules file. This script processes all files that end with .rules in a specific order based on their natural sort order. The files in this directory are organized into groups with the following meanings:
The rules are not meant to be used all at once. They are pieces of a policy that should be thought out, with the individual files copied to /etc/audit/rules.d/. For example, to set a system up in the STIG configuration, copy the rules files 10-base-config, 30-stig, 31-privileged, and 99-finalize. Once you have the rules in the /etc/audit/rules.d/ directory, load them by running the augenrules script with the --load directive:

# augenrules --load
/sbin/augenrules: No change
No rules
enabled 1
failure 1
pid 742
rate_limit 0
...

Additional resources
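An added example, not code from the audit package, that models what augenrules does with /etc/audit/rules.d/ as described in Sections 14.7 to 14.9: it selects the *.rules files, sorts them in natural order, strips comments and blank lines, and then checks the compiled list for rules that auditctl would reject or that can never take effect. The directory contents are constructed stand-ins keyed by the file names used above (the rule text is illustrative, not the shipped sample rules); a file named 2-early.rules is included to show that natural sort places it ahead of 10-base-config.rules, whose -D then deletes its rule.

```python
import re

# Constructed stand-in for /etc/audit/rules.d/ (file name -> contents). File names follow the
# section above; the rule text is illustrative, not a copy of the audit package's sample rules.
RULES_D = {
    "10-base-config.rules": "## First rule: delete all existing rules\n-D\n\n# buffer size\n-b 8192\n",
    "30-stig.rules": (
        "-w /etc/ssh/sshd_config -p warx -k sshd_config   # watch the sshd configuration\n"
        "-a always,exit -F arch=b64 -S settimeofday,clock_adjtime -k time-change\n"
    ),
    "31-privileged.rules": "-a always,exit -F arch=b64 -S execve -F exe=/bin/id -k execution_bin_id\n",
    "99-finalize.rules": "# lock the configuration until the next reboot\n-e 2\n",
    "2-early.rules": "-w /etc/passwd -p wa -k identity\n",
    "README-rules": "not a rules file; augenrules reads only *.rules\n",
}

VALID_ACTIONS = {"always", "never"}
VALID_LISTS = {"task", "exit", "user", "exclude", "filesystem"}

def natural_key(name):
    """Natural sort key: '2-early' sorts before '10-base-config' because 2 < 10."""
    return [int(t) if t.isdigit() else t for t in re.split(r"(\d+)", name)]

def compile_rules(rules_d):
    """Mimic augenrules: *.rules files in natural order, blank lines and '#' comments dropped."""
    out = []
    for name in sorted((n for n in rules_d if n.endswith(".rules")), key=natural_key):
        for line in rules_d[name].splitlines():
            line = line.split("#", 1)[0].strip()
            if line:
                out.append(line)
    return out

def validate(rules):
    """Return (rule, problem) pairs for rules auditctl would reject or that cannot take effect."""
    problems = []
    locked = False
    for idx, rule in enumerate(rules):
        args = rule.split()
        if locked:
            problems.append((rule, "follows -e 2; the configuration is already immutable"))
        elif args[0] == "-D" and any(r.startswith(("-w", "-a")) for r in rules[:idx]):
            problems.append((rule, "deletes the watch/syscall rules loaded before it"))
        elif args[0] == "-w" and "-p" in args:
            i = args.index("-p")
            perms = args[i + 1] if i + 1 < len(args) else ""
            if not perms or not set(perms) <= set("rwxa"):
                problems.append((rule, "-p permissions must be a subset of rwxa"))
        elif args[0] == "-a":
            parts = set(args[1].split(",")) if len(args) > 1 else set()
            if not (len(parts) == 2 and parts & VALID_ACTIONS and parts & VALID_LISTS):
                problems.append((rule, "-a needs an action,list pair such as always,exit"))
        elif args[0] not in ("-w", "-D", "-b", "-f", "-e", "-i", "-c"):
            problems.append((rule, "unrecognised rule"))
        if args[:2] == ["-e", "2"]:
            locked = True
    return problems
```

Running validate(compile_rules(RULES_D)) flags only the -D line, because the rule from 2-early.rules was loaded before it and is discarded; renumbering that file above 10 fixes the ordering.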
14.10. Disabling augenrules

Use the following steps to disable the augenrules utility. This switches Audit to use rules defined in the /etc/audit/audit.rules file.

Procedure
14.11. Setting up Audit to monitor software updates

In RHEL 8.6 and later versions, you can use the pre-configured rule 44-installers.rules to configure Audit to monitor the following utilities that install software:
By default, rpm already provides audit SOFTWARE_UPDATE events when it installs or updates a package. You can list them by entering ausearch -m SOFTWARE_UPDATE on the command line. In RHEL 8.5 and earlier versions, you can manually add rules to monitor utilities that install software into a .rules file within the /etc/audit/rules.d/ directory. Pre-configured rule files cannot be used on systems with the ppc64le and aarch64 architectures.

Procedure
Verification
14.12. Monitoring user login times with Audit

To monitor which users logged in at specific times, you do not need to configure Audit in any special way. You can use the ausearch or aureport tools, which provide different ways of presenting the same information.

Procedure

To display user login times, use any one of the following commands:
Additional resources