Auditing Linux
auditd is the Linux Audit Daemon responsible for writing audit records to disk, logging security-relevant events like user activity, system changes, and access to files or directories, helping with system monitoring and security compliance.
1. Install auditd on Ubuntu:
auditd on Ubuntu:Update the package list:
bashCopysudo apt updateInstall the
auditdpackage:bashCopysudo apt install auditdVerify installation:
bashCopyauditctl -vIf everything is installed correctly, it will show the version of the audit daemon.
2. Start and Enable auditd Service:
auditd Service:Once installed, you need to start the auditd service and enable it to start on boot.
Start the
auditdservice:bashCopysudo systemctl start auditdEnable the
auditdservice to start on boot:bashCopysudo systemctl enable auditdCheck the status of
auditd:bashCopysudo systemctl status auditdThis should show
active (running)if it's working properly.
Configuring Auditd
The configuration files responsible for auditd is loacated on the following path :
/etc/audit/auditd.conf ## Config File
/etc/audit/audit.rules ## Rules FileNow we we set same basic configs under the config file :
$> sudo nano /etc/audit/auditd.conf 
From here we can set & change some basic configurations of the auditd modules and restart the service to apply the changes.
$> sudo systemctl restart auditdUse Cases
Here are some common use cases for auditd and auditctl in Linux environments. These examples will help you understand how to configure the audit system for security monitoring, compliance, and auditing of key activities on the system.
1. Track File Access or Changes (File Integrity Monitoring)
Use Case: Monitor when critical system files or configuration files are accessed, modified, or deleted.
Example: Monitor changes to /etc/passwd (which contains user account information).
sudo auditctl -w /etc/passwd -p wa -k passwd_changesExplanation: This rule watches the
/etc/passwdfile for write (w) and attribute change (a) permissions. If any changes occur, it will log the event with the keypasswd_changes.
Use Case Application:
Useful for detecting unauthorized changes to user account files or sensitive configuration files, a common attack vector for attackers attempting to add themselves to the system.
2. Monitor Executable Command Usage
Use Case: Track when a user runs certain commands or programs, especially privileged ones.
Example: Monitor all executions of the sudo command.
sudo auditctl -a always,exit -F arch=b64 -S execve -F exe=/usr/bin/sudo -k sudo_usageExplanation: This rule tracks the execution (
execve) of the/usr/bin/sudocommand on a 64-bit system. Any time a user runssudo, it will be logged with the keysudo_usage.
Use Case Application:
Useful for detecting privilege escalation or unauthorized attempts to run commands with elevated privileges.
3. Monitor System Calls for Specific Activities
Use Case: Capture specific system calls made by applications or users, such as changes to the system or interaction with the kernel.
Example: Track file creation and deletion (via open and unlink syscalls).
sudo auditctl -a always,exit -F arch=b64 -S open -S unlink -k file_operationsExplanation: This rule monitors the
openandunlinksyscalls, which are used to open and delete files. Logs are tagged with the keyfile_operations.
Use Case Application:
This can help in tracking suspicious activities like file deletion or unauthorized file access in real time.
4. Monitor User Logins and Logouts
Use Case: Track user logins and logouts to detect unauthorized access attempts.
Example: Monitor user login attempts through sshd (SSH).
sudo auditctl -w /var/log/auth.log -p r -k user_loginsExplanation: This rule watches the
/var/log/auth.logfile for read (r) permissions, capturing any logins or authentication attempts.
Use Case Application:
Helps in identifying brute-force login attempts or unauthorized logins to the system via SSH.
5. Monitor Privileged Command Executions
Use Case: Track when users with administrative privileges perform critical actions on the system.
Example: Monitor when a user runs a command that requires root access, such as chmod or chown.
sudo auditctl -a always,exit -F arch=b64 -S chmod -S chown -k privileged_commandsExplanation: This rule tracks the
chmodandchownsyscalls, which are commonly used to change file permissions or ownership. Any use of these commands will be logged with the keyprivileged_commands.
Use Case Application:
Detects improper or unauthorized changes to file permissions or ownership, which could indicate an attempt to escalate privileges.
6. Monitor Network Configuration Changes
Use Case: Track changes to networking settings to prevent unauthorized modifications.
Example: Monitor changes to the network interfaces file (/etc/network/interfaces).
sudo auditctl -w /etc/network/interfaces -p wa -k network_changesExplanation: This rule watches for write (
w) or attribute changes (a) to the/etc/network/interfacesfile, which typically contains network configuration information.
Use Case Application:
Useful for detecting unauthorized changes to network configurations, such as altering IP settings or adding new routes.
7. Monitor Sudo Usage for Privileged Commands
Use Case: Track any usage of sudo (which grants elevated privileges) to ensure users are only executing authorized commands.
Example: Track usage of sudo to run system commands.
sudo auditctl -a always,exit -F arch=b64 -S execve -F exe=/usr/bin/sudo -F uid!=0 -k non-root_sudo_usageExplanation: This rule monitors for non-root users running the
sudocommand, and logs it with the keynon-root_sudo_usage. It helps detect misuse or unusual usage ofsudoby non-administrative users.
Use Case Application:
Helps track users who may be executing administrative tasks using
sudoinappropriately.
8. Monitor Sensitive File Access (Read Operations)
Use Case: Monitor sensitive files or directories (e.g., /etc/passwd, /etc/shadow, or /root) for unauthorized read access.
Example: Monitor any read access to /etc/shadow (which contains password hashes).
sudo auditctl -w /etc/shadow -p r -k shadow_readExplanation: This rule watches for read (
r) access to the/etc/shadowfile, where password hashes are stored. Any such access is logged with the keyshadow_read.
Use Case Application:
Helps detect attempts by unauthorized users or processes to access sensitive user data, like password hashes.
9. Track System Reboots
Use Case: Detect when a system is rebooted, which may indicate potential unauthorized restarts or maintenance windows.
Example: Monitor reboot events by auditing the syslog.
sudo auditctl -w /var/log/syslog -p r -k system_rebootExplanation: This rule watches the
/var/log/syslogfile for read (r) access. Any time the system is rebooted, entries will be created insyslogand captured under the keysystem_reboot.
Use Case Application:
Ensures visibility into when the system is restarted, which could be important for tracking incidents, outages, or suspicious behavior.
10. Detect Execution of Unauthorized Programs
Use Case: Track execution of specific programs that are not part of the approved list of applications.
Example: Track the execution of any program in the /tmp directory (which could be used for malicious programs).
sudo auditctl -w /tmp -p x -k tmp_program_executionExplanation: This rule tracks executable programs (
xpermission) in the/tmpdirectory. Any execution of files in this directory will be logged under the keytmp_program_execution.
Use Case Application:
Useful for detecting malicious or unauthorized programs that are running from temporary directories, which are often used by attackers for malware.
Searching & Parsing Logs
1. ausearch
ausearchausearch is a tool for searching the audit logs generated by auditd. It allows you to filter logs based on various criteria such as event type, user ID, key, timestamp, and more.
Common Uses of ausearch:
Search by Key:
bashCopysudo ausearch -k <key>Example:
bashCopysudo ausearch -k sudo_usageExplanation: This searches for logs tagged with the key
sudo_usage.
Search by Event Type (e.g.,
execve):bashCopysudo ausearch -m execveExplanation: This searches for all
execvesyscalls in the audit logs.
Search by Date:
bashCopysudo ausearch -ts 2025-02-20Explanation: This searches for logs generated on February 20, 2025.
Search by User ID (UID):
bashCopysudo ausearch -ui 1000Explanation: This searches for logs associated with the user with UID
1000.
2. aureport
aureportaureport generates summary reports from the audit logs. It helps in analyzing the collected audit data by aggregating logs based on various parameters such as event type, user, system call, etc.
Common Uses of aureport:
Generate a Summary of Audit Logs:
bashCopysudo aureportExplanation: Displays a general summary of the audit logs, showing the most common events and actions.
Generate a Report for a Specific Event Type (e.g., user logins):
bashCopysudo aureport -uExplanation: This generates a summary of all user login events.
Generate a Report for Syscalls:
bashCopysudo aureport -s execveExplanation: This generates a summary report of
execvesyscalls (executions of programs).
Generate a Report for All Authentication Events:
bashCopysudo aureport -aExplanation: Generates a report of authentication events, such as login attempts and sudo usage.
3. autrace
autraceautrace is a command that allows you to trace system calls and events. It uses the auditd subsystem to capture and log system calls made by a process. It’s typically used for monitoring the activity of specific programs or system processes.
Common Use of autrace:
Trace a Specific Program's System Calls:
bashCopysudo autrace <command>Example:
bashCopysudo autrace lsExplanation: This runs the
lscommand while tracing the system calls it makes and logs them withauditd.
Trace All Syscalls by a Program:
bashCopysudo autrace -p <PID>Explanation: This will trace all syscalls made by a process with the specified PID.
Last updated