Auditing Linux

auditd is the Linux Audit Daemon responsible for writing audit records to disk, logging security-relevant events like user activity, system changes, and access to files or directories, helping with system monitoring and security compliance.

1. Install `auditd` on Ubuntu:

Update the package list:
```
bashCopysudo apt update
```
Install the auditd package:
```
bashCopysudo apt install auditd
```
Verify installation:
```
bashCopyauditctl -v
```
If everything is installed correctly, it will show the version of the audit daemon.

2. Start and Enable `auditd` Service:

Once installed, you need to start the auditd service and enable it to start on boot.

Start the auditd service:
```
bashCopysudo systemctl start auditd
```
Enable the auditd service to start on boot:
```
bashCopysudo systemctl enable auditd
```
Check the status of auditd:
```
bashCopysudo systemctl status auditd
```
This should show active (running) if it's working properly.

Configuring Auditd

The configuration files responsible for auditd is loacated on the following path :

/etc/audit/auditd.conf ## Config File
/etc/audit/audit.rules ## Rules File

Now we we set same basic configs under the config file :

$> sudo nano /etc/audit/auditd.conf

From here we can set & change some basic configurations of the auditd modules and restart the service to apply the changes.

$> sudo systemctl restart auditd

Use Cases

Here are some common use cases for auditd and auditctl in Linux environments. These examples will help you understand how to configure the audit system for security monitoring, compliance, and auditing of key activities on the system.

1. Track File Access or Changes (File Integrity Monitoring)

Use Case: Monitor when critical system files or configuration files are accessed, modified, or deleted.

Example: Monitor changes to /etc/passwd (which contains user account information).

sudo auditctl -w /etc/passwd -p wa -k passwd_changes

Explanation: This rule watches the /etc/passwd file for write (w) and attribute change (a) permissions. If any changes occur, it will log the event with the key passwd_changes.

Use Case Application:

Useful for detecting unauthorized changes to user account files or sensitive configuration files, a common attack vector for attackers attempting to add themselves to the system.

2. Monitor Executable Command Usage

Use Case: Track when a user runs certain commands or programs, especially privileged ones.

Example: Monitor all executions of the sudo command.

sudo auditctl -a always,exit -F arch=b64 -S execve -F exe=/usr/bin/sudo -k sudo_usage

Explanation: This rule tracks the execution (execve) of the /usr/bin/sudo command on a 64-bit system. Any time a user runs sudo, it will be logged with the key sudo_usage.

Use Case Application:

Useful for detecting privilege escalation or unauthorized attempts to run commands with elevated privileges.

3. Monitor System Calls for Specific Activities

Use Case: Capture specific system calls made by applications or users, such as changes to the system or interaction with the kernel.

Example: Track file creation and deletion (via open and unlink syscalls).

sudo auditctl -a always,exit -F arch=b64 -S open -S unlink -k file_operations

Explanation: This rule monitors the open and unlink syscalls, which are used to open and delete files. Logs are tagged with the key file_operations.

Use Case Application:

This can help in tracking suspicious activities like file deletion or unauthorized file access in real time.

4. Monitor User Logins and Logouts

Use Case: Track user logins and logouts to detect unauthorized access attempts.

Example: Monitor user login attempts through sshd (SSH).

sudo auditctl -w /var/log/auth.log -p r -k user_logins

Explanation: This rule watches the /var/log/auth.log file for read (r) permissions, capturing any logins or authentication attempts.

Use Case Application:

Helps in identifying brute-force login attempts or unauthorized logins to the system via SSH.

5. Monitor Privileged Command Executions

Use Case: Track when users with administrative privileges perform critical actions on the system.

Example: Monitor when a user runs a command that requires root access, such as chmod or chown.

sudo auditctl -a always,exit -F arch=b64 -S chmod -S chown -k privileged_commands

Explanation: This rule tracks the chmod and chown syscalls, which are commonly used to change file permissions or ownership. Any use of these commands will be logged with the key privileged_commands.

Use Case Application:

Detects improper or unauthorized changes to file permissions or ownership, which could indicate an attempt to escalate privileges.

6. Monitor Network Configuration Changes

Use Case: Track changes to networking settings to prevent unauthorized modifications.

Example: Monitor changes to the network interfaces file (/etc/network/interfaces).

sudo auditctl -w /etc/network/interfaces -p wa -k network_changes

Explanation: This rule watches for write (w) or attribute changes (a) to the /etc/network/interfaces file, which typically contains network configuration information.

Use Case Application:

Useful for detecting unauthorized changes to network configurations, such as altering IP settings or adding new routes.

7. Monitor Sudo Usage for Privileged Commands

Use Case: Track any usage of sudo (which grants elevated privileges) to ensure users are only executing authorized commands.

Example: Track usage of sudo to run system commands.

sudo auditctl -a always,exit -F arch=b64 -S execve -F exe=/usr/bin/sudo -F uid!=0 -k non-root_sudo_usage

Explanation: This rule monitors for non-root users running the sudo command, and logs it with the key non-root_sudo_usage. It helps detect misuse or unusual usage of sudo by non-administrative users.

Use Case Application:

Helps track users who may be executing administrative tasks using sudo inappropriately.

8. Monitor Sensitive File Access (Read Operations)

Use Case: Monitor sensitive files or directories (e.g., /etc/passwd, /etc/shadow, or /root) for unauthorized read access.

Example: Monitor any read access to /etc/shadow (which contains password hashes).

sudo auditctl -w /etc/shadow -p r -k shadow_read

Explanation: This rule watches for read (r) access to the /etc/shadow file, where password hashes are stored. Any such access is logged with the key shadow_read.

Use Case Application:

Helps detect attempts by unauthorized users or processes to access sensitive user data, like password hashes.

9. Track System Reboots

Use Case: Detect when a system is rebooted, which may indicate potential unauthorized restarts or maintenance windows.

Example: Monitor reboot events by auditing the syslog.

sudo auditctl -w /var/log/syslog -p r -k system_reboot

Explanation: This rule watches the /var/log/syslog file for read (r) access. Any time the system is rebooted, entries will be created in syslog and captured under the key system_reboot.

Use Case Application:

Ensures visibility into when the system is restarted, which could be important for tracking incidents, outages, or suspicious behavior.

10. Detect Execution of Unauthorized Programs

Use Case: Track execution of specific programs that are not part of the approved list of applications.

Example: Track the execution of any program in the /tmp directory (which could be used for malicious programs).

sudo auditctl -w /tmp -p x -k tmp_program_execution

Explanation: This rule tracks executable programs (x permission) in the /tmp directory. Any execution of files in this directory will be logged under the key tmp_program_execution.

Use Case Application:

Useful for detecting malicious or unauthorized programs that are running from temporary directories, which are often used by attackers for malware.

Searching & Parsing Logs

1. `ausearch`

ausearch is a tool for searching the audit logs generated by auditd. It allows you to filter logs based on various criteria such as event type, user ID, key, timestamp, and more.

Common Uses of ausearch:

Search by Key:
```
bashCopysudo ausearch -k <key>
```
Example:
```
bashCopysudo ausearch -k sudo_usage
```
- Explanation: This searches for logs tagged with the key sudo_usage.
Search by Event Type (e.g., execve):
```
bashCopysudo ausearch -m execve
```
- Explanation: This searches for all execve syscalls in the audit logs.
Search by Date:
```
bashCopysudo ausearch -ts 2025-02-20
```
- Explanation: This searches for logs generated on February 20, 2025.
Search by User ID (UID):
```
bashCopysudo ausearch -ui 1000
```
- Explanation: This searches for logs associated with the user with UID 1000.

2. `aureport`

aureport generates summary reports from the audit logs. It helps in analyzing the collected audit data by aggregating logs based on various parameters such as event type, user, system call, etc.

Common Uses of aureport:

Generate a Summary of Audit Logs:
```
bashCopysudo aureport
```
- Explanation: Displays a general summary of the audit logs, showing the most common events and actions.
Generate a Report for a Specific Event Type (e.g., user logins):
```
bashCopysudo aureport -u
```
- Explanation: This generates a summary of all user login events.
Generate a Report for Syscalls:
```
bashCopysudo aureport -s execve
```
- Explanation: This generates a summary report of execve syscalls (executions of programs).
Generate a Report for All Authentication Events:
```
bashCopysudo aureport -a
```
- Explanation: Generates a report of authentication events, such as login attempts and sudo usage.

3. `autrace`

autrace is a command that allows you to trace system calls and events. It uses the auditd subsystem to capture and log system calls made by a process. It’s typically used for monitoring the activity of specific programs or system processes.

Common Use of autrace:

Trace a Specific Program's System Calls:
```
bashCopysudo autrace <command>
```
Example:
```
bashCopysudo autrace ls
```
- Explanation: This runs the ls command while tracing the system calls it makes and logs them with auditd.
Trace All Syscalls by a Program:
```
bashCopysudo autrace -p <PID>
```
- Explanation: This will trace all syscalls made by a process with the specified PID.

PreviousPassword Complexiety NextSamba - SMB

Last updated 2 months ago

Auditing Linux

1. Install `auditd` on Ubuntu:

Update the package list:
```
bashCopysudo apt update
```
Install the auditd package:
```
bashCopysudo apt install auditd
```
Verify installation:
```
bashCopyauditctl -v
```
If everything is installed correctly, it will show the version of the audit daemon.

2. Start and Enable `auditd` Service:

Once installed, you need to start the auditd service and enable it to start on boot.

Start the auditd service:
```
bashCopysudo systemctl start auditd
```
Enable the auditd service to start on boot:
```
bashCopysudo systemctl enable auditd
```
Check the status of auditd:
```
bashCopysudo systemctl status auditd
```
This should show active (running) if it's working properly.

Configuring Auditd

The configuration files responsible for auditd is loacated on the following path :

/etc/audit/auditd.conf ## Config File
/etc/audit/audit.rules ## Rules File

Now we we set same basic configs under the config file :

$> sudo nano /etc/audit/auditd.conf

From here we can set & change some basic configurations of the auditd modules and restart the service to apply the changes.

$> sudo systemctl restart auditd

Use Cases

1. Track File Access or Changes (File Integrity Monitoring)

Use Case: Monitor when critical system files or configuration files are accessed, modified, or deleted.

Example: Monitor changes to /etc/passwd (which contains user account information).

sudo auditctl -w /etc/passwd -p wa -k passwd_changes

Explanation: This rule watches the /etc/passwd file for write (w) and attribute change (a) permissions. If any changes occur, it will log the event with the key passwd_changes.

Use Case Application:

Useful for detecting unauthorized changes to user account files or sensitive configuration files, a common attack vector for attackers attempting to add themselves to the system.

2. Monitor Executable Command Usage

Use Case: Track when a user runs certain commands or programs, especially privileged ones.

Example: Monitor all executions of the sudo command.

sudo auditctl -a always,exit -F arch=b64 -S execve -F exe=/usr/bin/sudo -k sudo_usage

Explanation: This rule tracks the execution (execve) of the /usr/bin/sudo command on a 64-bit system. Any time a user runs sudo, it will be logged with the key sudo_usage.

Use Case Application:

Useful for detecting privilege escalation or unauthorized attempts to run commands with elevated privileges.

3. Monitor System Calls for Specific Activities

Use Case: Capture specific system calls made by applications or users, such as changes to the system or interaction with the kernel.

Example: Track file creation and deletion (via open and unlink syscalls).

sudo auditctl -a always,exit -F arch=b64 -S open -S unlink -k file_operations

Explanation: This rule monitors the open and unlink syscalls, which are used to open and delete files. Logs are tagged with the key file_operations.

Use Case Application:

This can help in tracking suspicious activities like file deletion or unauthorized file access in real time.

4. Monitor User Logins and Logouts

Use Case: Track user logins and logouts to detect unauthorized access attempts.

Example: Monitor user login attempts through sshd (SSH).

sudo auditctl -w /var/log/auth.log -p r -k user_logins

Explanation: This rule watches the /var/log/auth.log file for read (r) permissions, capturing any logins or authentication attempts.

Use Case Application:

Helps in identifying brute-force login attempts or unauthorized logins to the system via SSH.

5. Monitor Privileged Command Executions

Use Case: Track when users with administrative privileges perform critical actions on the system.

Example: Monitor when a user runs a command that requires root access, such as chmod or chown.

sudo auditctl -a always,exit -F arch=b64 -S chmod -S chown -k privileged_commands

Explanation: This rule tracks the chmod and chown syscalls, which are commonly used to change file permissions or ownership. Any use of these commands will be logged with the key privileged_commands.

Use Case Application:

Detects improper or unauthorized changes to file permissions or ownership, which could indicate an attempt to escalate privileges.

6. Monitor Network Configuration Changes

Use Case: Track changes to networking settings to prevent unauthorized modifications.

Example: Monitor changes to the network interfaces file (/etc/network/interfaces).

sudo auditctl -w /etc/network/interfaces -p wa -k network_changes

Explanation: This rule watches for write (w) or attribute changes (a) to the /etc/network/interfaces file, which typically contains network configuration information.

Use Case Application:

Useful for detecting unauthorized changes to network configurations, such as altering IP settings or adding new routes.

7. Monitor Sudo Usage for Privileged Commands

Use Case: Track any usage of sudo (which grants elevated privileges) to ensure users are only executing authorized commands.

Example: Track usage of sudo to run system commands.

sudo auditctl -a always,exit -F arch=b64 -S execve -F exe=/usr/bin/sudo -F uid!=0 -k non-root_sudo_usage

Explanation: This rule monitors for non-root users running the sudo command, and logs it with the key non-root_sudo_usage. It helps detect misuse or unusual usage of sudo by non-administrative users.

Use Case Application:

Helps track users who may be executing administrative tasks using sudo inappropriately.

8. Monitor Sensitive File Access (Read Operations)

Use Case: Monitor sensitive files or directories (e.g., /etc/passwd, /etc/shadow, or /root) for unauthorized read access.

Example: Monitor any read access to /etc/shadow (which contains password hashes).

sudo auditctl -w /etc/shadow -p r -k shadow_read

Explanation: This rule watches for read (r) access to the /etc/shadow file, where password hashes are stored. Any such access is logged with the key shadow_read.

Use Case Application:

Helps detect attempts by unauthorized users or processes to access sensitive user data, like password hashes.

9. Track System Reboots

Use Case: Detect when a system is rebooted, which may indicate potential unauthorized restarts or maintenance windows.

Example: Monitor reboot events by auditing the syslog.

sudo auditctl -w /var/log/syslog -p r -k system_reboot

Explanation: This rule watches the /var/log/syslog file for read (r) access. Any time the system is rebooted, entries will be created in syslog and captured under the key system_reboot.

Use Case Application:

Ensures visibility into when the system is restarted, which could be important for tracking incidents, outages, or suspicious behavior.

10. Detect Execution of Unauthorized Programs

Use Case: Track execution of specific programs that are not part of the approved list of applications.

Example: Track the execution of any program in the /tmp directory (which could be used for malicious programs).

sudo auditctl -w /tmp -p x -k tmp_program_execution

Explanation: This rule tracks executable programs (x permission) in the /tmp directory. Any execution of files in this directory will be logged under the key tmp_program_execution.

Use Case Application:

Useful for detecting malicious or unauthorized programs that are running from temporary directories, which are often used by attackers for malware.

Searching & Parsing Logs

1. `ausearch`

ausearch is a tool for searching the audit logs generated by auditd. It allows you to filter logs based on various criteria such as event type, user ID, key, timestamp, and more.

Common Uses of ausearch:

Search by Key:
```
bashCopysudo ausearch -k <key>
```
Example:
```
bashCopysudo ausearch -k sudo_usage
```
- Explanation: This searches for logs tagged with the key sudo_usage.
Search by Event Type (e.g., execve):
```
bashCopysudo ausearch -m execve
```
- Explanation: This searches for all execve syscalls in the audit logs.
Search by Date:
```
bashCopysudo ausearch -ts 2025-02-20
```
- Explanation: This searches for logs generated on February 20, 2025.
Search by User ID (UID):
```
bashCopysudo ausearch -ui 1000
```
- Explanation: This searches for logs associated with the user with UID 1000.

2. `aureport`

aureport generates summary reports from the audit logs. It helps in analyzing the collected audit data by aggregating logs based on various parameters such as event type, user, system call, etc.

Common Uses of aureport:

Generate a Summary of Audit Logs:
```
bashCopysudo aureport
```
- Explanation: Displays a general summary of the audit logs, showing the most common events and actions.
Generate a Report for a Specific Event Type (e.g., user logins):
```
bashCopysudo aureport -u
```
- Explanation: This generates a summary of all user login events.
Generate a Report for Syscalls:
```
bashCopysudo aureport -s execve
```
- Explanation: This generates a summary report of execve syscalls (executions of programs).
Generate a Report for All Authentication Events:
```
bashCopysudo aureport -a
```
- Explanation: Generates a report of authentication events, such as login attempts and sudo usage.

3. `autrace`

Common Use of autrace:

Trace a Specific Program's System Calls:
```
bashCopysudo autrace <command>
```
Example:
```
bashCopysudo autrace ls
```
- Explanation: This runs the ls command while tracing the system calls it makes and logs them with auditd.
Trace All Syscalls by a Program:
```
bashCopysudo autrace -p <PID>
```
- Explanation: This will trace all syscalls made by a process with the specified PID.

PreviousPassword Complexiety NextSamba - SMB

Last updated 2 months ago

1. Install auditd on Ubuntu:

2. Start and Enable auditd Service:

Configuring Auditd

Use Cases

1. Track File Access or Changes (File Integrity Monitoring)

2. Monitor Executable Command Usage

3. Monitor System Calls for Specific Activities

4. Monitor User Logins and Logouts

5. Monitor Privileged Command Executions

6. Monitor Network Configuration Changes

7. Monitor Sudo Usage for Privileged Commands

8. Monitor Sensitive File Access (Read Operations)

9. Track System Reboots

10. Detect Execution of Unauthorized Programs

Searching & Parsing Logs

1. ausearch

2. aureport

3. autrace

1. Install auditd on Ubuntu:

2. Start and Enable auditd Service:

Configuring Auditd

Use Cases

1. Track File Access or Changes (File Integrity Monitoring)

2. Monitor Executable Command Usage

3. Monitor System Calls for Specific Activities

4. Monitor User Logins and Logouts

5. Monitor Privileged Command Executions

6. Monitor Network Configuration Changes

7. Monitor Sudo Usage for Privileged Commands

8. Monitor Sensitive File Access (Read Operations)

9. Track System Reboots

10. Detect Execution of Unauthorized Programs

Searching & Parsing Logs

1. ausearch

2. aureport

3. autrace

1. Install `auditd` on Ubuntu:

2. Start and Enable `auditd` Service:

1. `ausearch`

2. `aureport`

3. `autrace`

1. Install `auditd` on Ubuntu:

2. Start and Enable `auditd` Service:

1. `ausearch`

2. `aureport`

3. `autrace`