2. About
● Included in RHEL 4+ and most other Linux
distros (SuSE used their own product for
SLES 9 but switched to auditd in SLES 10)
● Supports CAPP, LSPP, RSBAC, NISPOM,
FISMA, PCI-DSS, STIG and EAL4+ requirements
● Minimal overhead: the hooks sit in the Linux
kernel, the auditd daemon only writes records
● Records sudo/su etc. and is not "possible" to
bypass: the kernel logs the syscall no matter
how the user got root
● Can audit more or less everything
● Audit logs are hard to read
4. Commands
auditctl - control tool: status, add/remove
rules etc.
ausearch - search the logs
aureport - generate a report
5. Easy example
auditctl -w /etc/passwd -p rwa -k "reading
password file"
-w = file (or directory) to watch
-p = permissions to monitor: r (read),
w (write), x (execute), a (attribute change,
e.g. chmod/chown); not "append"
-k = key string attached to every record the
rule produces, so you can find them with
ausearch -k
6. Easy example II
auditctl -w /tmp -p x -k "Someone is using /tmp"
Logs every execution of a file under /tmp
(directory watches are recursive; -p only
takes r, w, x and a, there is no "e")
auditctl -a always,exit -S all -F pid=1005
Monitor every syscall PID 1005 makes. Very
noisy, PIDs get reused, and child processes
are not matched unless you also add a rule
with -F ppid=1005
auditctl -l
shows current rules
7. Searching logs
ausearch -i -f /etc/passwd
could give:
type=PATH msg=audit(07/15/2013 15:03:43.153:9090) : item=0
name=/etc/passwd inode=656631 dev=fd:01 mode=file,644 ouid=root ogid=root
rdev=00:00
type=CWD msg=audit(07/15/2013 15:03:43.153:9090) : cwd=/root
type=SYSCALL msg=audit(07/15/2013 15:03:43.153:9090) : arch=x86_64
syscall=open success=yes exit=3 a0=7fffd13addf0 a1=0 a2=619908
a3=7fffd13ad560 items=1 ppid=1255 pid=1801 auid=torstein uid=root gid=root
euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=1
comm=grep exe=/bin/grep key=reading password file
The user torstein (auid, the login uid that
survives su/sudo) ran /bin/grep from /root with
uid=root to read the file. auid is what tells you
who really did it once they have become root.
8. Other searches
ausearch -ts 01/01/13 -k password-file
ausearch -ts today -k password-file -x rm
(shows who deleted the password file today)
ausearch -ts today -k "reading password file"
-ui 0 (shows who has been using root to read
the password file)
-k must match the key given on the rule, so the
first two lines assume a rule loaded with
-k password-file; -x matches the executable
name and -ui the uid of the caller
9. More advanced
● Logs to /var/log/audit/audit.log
● /etc/audit/auditd.conf is the config for the
daemon: log rotation and what to do when the
disk is full (disk_full_action, e.g. halt)
● /etc/audit/audit.rules is the rules it loads
on startup. Ending it with -e 2 locks the rule
set so changing rules requires a reboot. See
the example files it ships with, but it could
look like this:
-w /etc/passwd -p wa -k identity
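A fuller rules file, as an added example rather than one of the files shipped with the package: it combines the watches from the earlier slides with a syscall rule restricted to real login users, and ends with the lock. Paths and keys are illustrative.

```text
## /etc/audit/audit.rules (added example; keys and paths are illustrative)
# Flush anything loaded earlier, size the kernel backlog, and say what to
# do if the kernel cannot deliver records: 0 silent, 1 printk, 2 panic
-D
-b 8192
-f 1

# File watches from the slides: identity files on write/attribute change,
# executions out of /tmp (directory watches are recursive)
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/sudoers -p wa -k sudoers
-w /tmp -p x -k tmp-exec

# Every execve by a logged-in non-root user (auid >= 1000, auid set).
# One rule per arch; 32-bit binaries on a 64-bit box use the b32 table.
-a always,exit -F arch=b64 -S execve -F auid>=1000 -F auid!=4294967295 -k exec
-a always,exit -F arch=b32 -S execve -F auid>=1000 -F auid!=4294967295 -k exec

# Lock the rules: auditctl can no longer change them until reboot
-e 2
```

Filtering on auid rather than uid is what keeps the exec rule useful after su or sudo: the login uid is set by PAM and carried through privilege changes, so the rule still matches the person, not just root.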