# Auditing Linux
`auditd` is the Linux Audit Daemon responsible for writing audit records to disk, logging security-relevant events like user activity, system changes, and access to files or directories, helping with system monitoring and security compliance.
#### **1. Install `auditd` on Ubuntu:**
1. Update the package list:
```bash
bashCopysudo apt update
```
2. Install the `auditd` package:
```bash
bashCopysudo apt install auditd
```
3. Verify installation:
```bash
bashCopyauditctl -v
```
If everything is installed correctly, it will show the version of the audit daemon.
#### **2. Start and Enable `auditd` Service:**
Once installed, you need to start the `auditd` service and enable it to start on boot.
1. Start the `auditd` service:
```bash
bashCopysudo systemctl start auditd
```
2. Enable the `auditd` service to start on boot:
```bash
bashCopysudo systemctl enable auditd
```
3. Check the status of `auditd`:
```bash
bashCopysudo systemctl status auditd
```
This should show `active (running)` if it's working properly.
***
#### Configuring Auditd
The configuration files responsible for auditd is loacated on the following path :
```bash
/etc/audit/auditd.conf ## Config File
/etc/audit/audit.rules ## Rules File
```
Now we we set same basic configs under the config file :
```bash
$> sudo nano /etc/audit/auditd.conf
```
From here we can set & change some basic configurations of the auditd modules and restart the service to apply the changes.
{% code overflow="wrap" %}
```bash
$> sudo systemctl restart auditd
```
{% endcode %}
***
## Use Cases
Here are some common **use cases** for `auditd` and `auditctl` in Linux environments. These examples will help you understand how to configure the audit system for security monitoring, compliance, and auditing of key activities on the system.
#### **1. Track File Access or Changes (File Integrity Monitoring)**
**Use Case**: Monitor when critical system files or configuration files are accessed, modified, or deleted.
**Example: Monitor changes to `/etc/passwd` (which contains user account information).**
{% code overflow="wrap" %}
```bash
sudo auditctl -w /etc/passwd -p wa -k passwd_changes
```
{% endcode %}
* **Explanation**: This rule watches the `/etc/passwd` file for **write** (`w`) and **attribute change** (`a`) permissions. If any changes occur, it will log the event with the key `passwd_changes`.
**Use Case Application**:
* Useful for detecting unauthorized changes to user account files or sensitive configuration files, a common attack vector for attackers attempting to add themselves to the system.
***
#### **2. Monitor Executable Command Usage**
**Use Case**: Track when a user runs certain commands or programs, especially privileged ones.
**Example: Monitor all executions of the `sudo` command.**
{% code overflow="wrap" %}
```bash
sudo auditctl -a always,exit -F arch=b64 -S execve -F exe=/usr/bin/sudo -k sudo_usage
```
{% endcode %}
* **Explanation**: This rule tracks the execution (`execve`) of the `/usr/bin/sudo` command on a 64-bit system. Any time a user runs `sudo`, it will be logged with the key `sudo_usage`.
**Use Case Application**:
* Useful for detecting privilege escalation or unauthorized attempts to run commands with elevated privileges.
***
#### **3. Monitor System Calls for Specific Activities**
**Use Case**: Capture specific system calls made by applications or users, such as changes to the system or interaction with the kernel.
**Example: Track file creation and deletion (via `open` and `unlink` syscalls).**
{% code overflow="wrap" %}
```bash
sudo auditctl -a always,exit -F arch=b64 -S open -S unlink -k file_operations
```
{% endcode %}
* **Explanation**: This rule monitors the `open` and `unlink` syscalls, which are used to open and delete files. Logs are tagged with the key `file_operations`.
**Use Case Application**:
* This can help in tracking suspicious activities like file deletion or unauthorized file access in real time.
***
#### **4. Monitor User Logins and Logouts**
**Use Case**: Track user logins and logouts to detect unauthorized access attempts.
**Example: Monitor user login attempts through `sshd` (SSH).**
{% code overflow="wrap" %}
```bash
sudo auditctl -w /var/log/auth.log -p r -k user_logins
```
{% endcode %}
* **Explanation**: This rule watches the `/var/log/auth.log` file for read (`r`) permissions, capturing any logins or authentication attempts.
**Use Case Application**:
* Helps in identifying brute-force login attempts or unauthorized logins to the system via SSH.
***
#### **5. Monitor Privileged Command Executions**
**Use Case**: Track when users with administrative privileges perform critical actions on the system.
**Example: Monitor when a user runs a command that requires root access, such as `chmod` or `chown`.**
{% code overflow="wrap" %}
```bash
sudo auditctl -a always,exit -F arch=b64 -S chmod -S chown -k privileged_commands
```
{% endcode %}
* **Explanation**: This rule tracks the `chmod` and `chown` syscalls, which are commonly used to change file permissions or ownership. Any use of these commands will be logged with the key `privileged_commands`.
**Use Case Application**:
* Detects improper or unauthorized changes to file permissions or ownership, which could indicate an attempt to escalate privileges.
***
#### **6. Monitor Network Configuration Changes**
**Use Case**: Track changes to networking settings to prevent unauthorized modifications.
**Example: Monitor changes to the network interfaces file (`/etc/network/interfaces`).**
{% code overflow="wrap" %}
```bash
sudo auditctl -w /etc/network/interfaces -p wa -k network_changes
```
{% endcode %}
* **Explanation**: This rule watches for **write** (`w`) or **attribute changes** (`a`) to the `/etc/network/interfaces` file, which typically contains network configuration information.
**Use Case Application**:
* Useful for detecting unauthorized changes to network configurations, such as altering IP settings or adding new routes.
***
#### **7. Monitor Sudo Usage for Privileged Commands**
**Use Case**: Track any usage of `sudo` (which grants elevated privileges) to ensure users are only executing authorized commands.
**Example: Track usage of `sudo` to run system commands.**
{% code overflow="wrap" %}
```bash
sudo auditctl -a always,exit -F arch=b64 -S execve -F exe=/usr/bin/sudo -F uid!=0 -k non-root_sudo_usage
```
{% endcode %}
* **Explanation**: This rule monitors for non-root users running the `sudo` command, and logs it with the key `non-root_sudo_usage`. It helps detect misuse or unusual usage of `sudo` by non-administrative users.
**Use Case Application**:
* Helps track users who may be executing administrative tasks using `sudo` inappropriately.
***
#### **8. Monitor Sensitive File Access (Read Operations)**
**Use Case**: Monitor sensitive files or directories (e.g., `/etc/passwd`, `/etc/shadow`, or `/root`) for unauthorized read access.
**Example: Monitor any read access to `/etc/shadow` (which contains password hashes).**
{% code overflow="wrap" %}
```bash
sudo auditctl -w /etc/shadow -p r -k shadow_read
```
{% endcode %}
* **Explanation**: This rule watches for **read** (`r`) access to the `/etc/shadow` file, where password hashes are stored. Any such access is logged with the key `shadow_read`.
**Use Case Application**:
* Helps detect attempts by unauthorized users or processes to access sensitive user data, like password hashes.
***
#### **9. Track System Reboots**
**Use Case**: Detect when a system is rebooted, which may indicate potential unauthorized restarts or maintenance windows.
**Example: Monitor `reboot` events by auditing the `syslog`.**
{% code overflow="wrap" %}
```bash
sudo auditctl -w /var/log/syslog -p r -k system_reboot
```
{% endcode %}
* **Explanation**: This rule watches the `/var/log/syslog` file for read (`r`) access. Any time the system is rebooted, entries will be created in `syslog` and captured under the key `system_reboot`.
**Use Case Application**:
* Ensures visibility into when the system is restarted, which could be important for tracking incidents, outages, or suspicious behavior.
***
#### **10. Detect Execution of Unauthorized Programs**
**Use Case**: Track execution of specific programs that are not part of the approved list of applications.
**Example: Track the execution of any program in the `/tmp` directory (which could be used for malicious programs).**
{% code overflow="wrap" %}
```bash
sudo auditctl -w /tmp -p x -k tmp_program_execution
```
{% endcode %}
* **Explanation**: This rule tracks executable programs (`x` permission) in the `/tmp` directory. Any execution of files in this directory will be logged under the key `tmp_program_execution`.
**Use Case Application**:
* Useful for detecting malicious or unauthorized programs that are running from temporary directories, which are often used by attackers for malware.
***
## Searching & Parsing Logs
#### **1. `ausearch`**
`ausearch` is a tool for searching the audit logs generated by `auditd`. It allows you to filter logs based on various criteria such as event type, user ID, key, timestamp, and more.
**Common Uses of `ausearch`:**
* **Search by Key**:
```bash
bashCopysudo ausearch -k
```
**Example**:
```bash
bashCopysudo ausearch -k sudo_usage
```
* **Explanation**: This searches for logs tagged with the key `sudo_usage`.
* **Search by Event Type** (e.g., `execve`):
```bash
bashCopysudo ausearch -m execve
```
* **Explanation**: This searches for all `execve` syscalls in the audit logs.
* **Search by Date**:
```bash
bashCopysudo ausearch -ts 2025-02-20
```
* **Explanation**: This searches for logs generated on February 20, 2025.
* **Search by User ID (UID)**:
```bash
bashCopysudo ausearch -ui 1000
```
* **Explanation**: This searches for logs associated with the user with UID `1000`.
***
#### **2. `aureport`**
`aureport` generates summary reports from the audit logs. It helps in analyzing the collected audit data by aggregating logs based on various parameters such as event type, user, system call, etc.
**Common Uses of `aureport`:**
* **Generate a Summary of Audit Logs**:
```bash
bashCopysudo aureport
```
* **Explanation**: Displays a general summary of the audit logs, showing the most common events and actions.
* **Generate a Report for a Specific Event Type** (e.g., user logins):
```bash
bashCopysudo aureport -u
```
* **Explanation**: This generates a summary of all user login events.
* **Generate a Report for Syscalls**:
```bash
bashCopysudo aureport -s execve
```
* **Explanation**: This generates a summary report of `execve` syscalls (executions of programs).
* **Generate a Report for All Authentication Events**:
```bash
bashCopysudo aureport -a
```
* **Explanation**: Generates a report of authentication events, such as login attempts and sudo usage.
***
#### **3. `autrace`**
`autrace` is a command that allows you to trace system calls and events. It uses the `auditd` subsystem to capture and log system calls made by a process. It’s typically used for monitoring the activity of specific programs or system processes.
**Common Use of `autrace`:**
* **Trace a Specific Program's System Calls**:
```bash
bashCopysudo autrace
```
**Example**:
```bash
bashCopysudo autrace ls
```
* **Explanation**: This runs the `ls` command while tracing the system calls it makes and logs them with `auditd`.
* **Trace All Syscalls by a Program**:
```bash
bashCopysudo autrace -p
```
* **Explanation**: This will trace all syscalls made by a process with the specified PID.
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://ghoulsec.gitbook.io/ghoulsec-vault/server-are-fun/securing-linux/auditing-linux.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.