7.5. Defining Audit Rules | Red Hat Product Documentation (2024)


The Audit system operates on a set of rules that define what is to be captured in the log files. The following types of Audit rules can be specified:

Control rules

Allow the Audit system's behavior and some of its configuration to be modified.

File system rules

Also known as file watches, allow the auditing of access to a particular file or a directory.

System call rules

Allow logging of system calls that any specified program makes.

Audit rules can be set:

  • on the command line using the auditctl utility. Note that these rules are not persistent across reboots. For details, see Section 7.5.1, “Defining Audit Rules with auditctl”

  • in the /etc/audit/audit.rules file. For details, see Section 7.5.3, “Defining Persistent Audit Rules and Controls in the /etc/audit/audit.rules File”

7.5.1. Defining Audit Rules with auditctl

The auditctl command allows you to control the basic functionality of the Audit system and to define rules that decide which Audit events are logged.

Note

All commands which interact with the Audit service and the Audit log files require root privileges. Ensure you execute these commands as the root user. Additionally, the CAP_AUDIT_CONTROL capability is required to set up audit services and the CAP_AUDIT_WRITE capability is required to log user messages.

Defining Control Rules

The following are some of the control rules that allow you to modify the behavior of the Audit system:

-b

sets the maximum number of outstanding Audit buffers (the backlog limit) the kernel keeps while messages wait to be delivered to auditd, for example:

~]# auditctl -b 8192

-f

sets the action that is performed when a critical error is detected: 0 is silent, 1 prints a kernel message (printk), and 2 panics the kernel, for example:

~]# auditctl -f 2

The above configuration triggers a kernel panic in case of a critical error.

-e

enables (1) or disables (0) the Audit system, or locks its configuration (2), for example:

~]# auditctl -e 2

The above command locks the Audit configuration: no further rule or control changes are accepted until the system is rebooted.

-r

sets the maximum rate of generated messages per second; when a non-zero limit is exceeded, the kernel applies the failure action set with -f, for example:

~]# auditctl -r 0

The above configuration sets no rate limit on generated messages.

-s

reports the status of the Audit system, for example:

~]# auditctl -s
AUDIT_STATUS: enabled=1 flag=2 pid=0 rate_limit=0 backlog_limit=8192 lost=259 backlog=0

-l

lists all currently loaded Audit rules, for example:

~]# auditctl -l
-w /etc/passwd -p wa -k passwd_changes
-w /etc/selinux -p wa -k selinux_changes
-w /sbin/insmod -p x -k module_insertion
⋮

-D

deletes all currently loaded Audit rules, for example:

~]# auditctl -D
No rules

Defining File System Rules

To define a file system rule, use the following syntax:

auditctl -w path_to_file -p permissions -k key_name

where:

  • path_to_file is the file or directory that is audited.

  • permissions are the permissions that are logged:

    • r — read access to a file or a directory.

    • w — write access to a file or a directory.

    • x — execute access to a file or a directory.

    • a — change in the file's or directory's attribute.

  • key_name is an optional string that helps you identify which rule or a set of rules generated a particular log entry.

Example 7.1. File System Rules

To define a rule that logs all write access to, and every attribute change of, the /etc/passwd file, execute the following command:

~]# auditctl -w /etc/passwd -p wa -k passwd_changes

Note that the string following the -k option is arbitrary; choose one you can search for later with ausearch -k.

To define a rule that logs all write access to, and every attribute change of, all the files in the /etc/selinux/ directory, execute the following command:

~]# auditctl -w /etc/selinux/ -p wa -k selinux_changes

A watch placed on a directory covers the directory tree below it, including files created after the rule was loaded.

To define a rule that logs the execution of the /sbin/insmod command, which inserts a module into the Linux kernel, execute the following command:

~]# auditctl -w /sbin/insmod -p x -k module_insertion

Defining System Call Rules

To define a system call rule, use the following syntax:

auditctl -a action,filter -S system_call -F field=value -k key_name

where:

  • action and filter specify when a certain event is logged. action can be either always or never. filter specifies which kernel rule-matching filter is applied to the event. The rule-matching filter can be one of the following: task, exit, user, and exclude. For more information about these filters, see the beginning of Section 7.1, “Audit System Architecture”.

  • system_call specifies the system call by its name. A list of all system calls can be found in the /usr/include/asm/unistd_64.h file, or printed with the ausyscall --dump command from the audit package. Several system calls can be grouped into one rule, each specified after its own -S option.

  • field=value specifies additional options that further modify the rule to match events based on a specified architecture, group ID, process ID, and others. For a full listing of all available field types and their values, see the auditctl(8) man page.

  • key_name is an optional string that helps you identify which rule or a set of rules generated a particular log entry.

Example 7.2. System Call Rules

To define a rule that creates a log entry every time the adjtimex or settimeofday system calls are used by a program, and the system uses the 64-bit architecture, use the following command:

~]# auditctl -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time_change

The -F arch=b64 field restricts the rule to the 64-bit system call table. A 32-bit program running on the same 64-bit system enters the kernel through the 32-bit table and is not matched; to cover it, load a second copy of the rule with -F arch=b32, which is what the pre-configured rules files shipped with the audit package do.

To define a rule that creates a log entry every time a file is deleted or renamed by a user whose login UID is 1000 or larger, use the following command:

~]# auditctl -a always,exit -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete

Note that the -F auid!=4294967295 option is used to exclude processes whose login UID is not set, such as daemons started at boot: their login UID is 4294967295 (-1 as an unsigned integer), which would otherwise satisfy auid>=1000. Because this rule does not specify an architecture, auditctl warns about a possible 32/64-bit system call mismatch; add -F arch=b64 (and a b32 twin) to make the match unambiguous.

It is also possible to define a file system rule using the system call rule syntax. The following command creates a rule for system calls that is analogous to the -w /etc/shadow -p wa file system rule:

~]# auditctl -a always,exit -F path=/etc/shadow -F perm=wa

7.5.2. Defining Executable File Rules

To define an executable file rule, use the following syntax:

auditctl -a action,filter [ -F arch=cpu -S system_call] -F exe=path_to_executable_file -k key_name

where:

  • action and filter specify when a certain event is logged. action can be either always or never. filter specifies which kernel rule-matching filter is applied to the event. The rule-matching filter can be one of the following: task, exit, user, and exclude. For more information about these filters, see the beginning of Section 7.1, “Audit System Architecture”.

  • system_call specifies the system call by its name. A list of all system calls can be found in the /usr/include/asm/unistd_64.h file. Several system calls can be grouped into one rule, each specified after its own -S option.

  • path_to_executable_file is the absolute path to the executable file that is audited.

  • key_name is an optional string that helps you identify which rule or a set of rules generated a particular log entry.

Example 7.3. Executable File Rules

To define a rule that logs all execution of the /bin/id program, execute the following command:

~]# auditctl -a always,exit -F exe=/bin/id -F arch=b64 -S execve -k execution_bin_id
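The following Python script is an added example; it is not code from the Red Hat documentation or the audit package. It generates rule lines in the three syntaxes shown in Examples 7.1 to 7.3 and goes beyond them in two ways: every system call rule is emitted for both arch=b32 and arch=b64, and a file watch is rewritten into the equivalent -F path= / -F dir= system call rule, the translation auditctl applies internally. The syscall names, paths and keys are sample input, the function names and AUID_UNSET are this script's own, and the rwxa default for a watch given without -p follows what auditctl -l reports for such a watch.

```python
"""Generate auditctl rule lines for the file-watch, syscall and exe rule styles.

Added example: not code from the Red Hat documentation or the audit package.
The syscall lists, paths and keys used below are sample input.
"""
import shlex

# Login UID of processes that never passed through a login (cron, daemons,
# boot-time processes); the page expresses it as -F auid!=4294967295.
AUID_UNSET = 4294967295
VALID_PERMS = set("rwxa")


def build_syscall_rules(syscalls, key, arches=("b32", "b64"), auid_min=None,
                        extra_fields=()):
    """Return one '-a always,exit' line per architecture.

    A rule with -F arch=b64 only matches the 64-bit syscall table; 32-bit
    binaries on the same host use a separate table, so the shipped rules
    files carry every syscall rule once per arch.  extra_fields takes further
    -F pairs such as 'exe=/bin/id'.
    """
    lines = []
    for arch in arches:
        parts = ["-a", "always,exit", "-F", f"arch={arch}"]
        for name in syscalls:
            parts += ["-S", name]
        if auid_min is not None:
            # auid>=N selects logged-in users; auid!=unset drops processes
            # whose login UID was never set (their auid, 4294967295, is >= N).
            parts += ["-F", f"auid>={auid_min}", "-F", f"auid!={AUID_UNSET}"]
        for field in extra_fields:
            parts += ["-F", field]
        parts += ["-k", key]
        lines.append(" ".join(parts))
    return lines


def watch_to_syscall_rule(watch_rule, is_dir=False):
    """Rewrite '-w PATH -p PERMS -k KEY' as the equivalent -a always,exit rule.

    Follows the translation auditctl applies itself: a watch on a file becomes
    -F path=, a watch on a directory becomes -F dir= (recursive), and -p
    becomes -F perm=.  is_dir must be passed explicitly because this script
    does not stat the path.
    """
    tokens = shlex.split(watch_rule)
    path = perms = key = None
    i = 0
    while i < len(tokens):
        opt = tokens[i]
        if opt not in ("-w", "-p", "-k") or i + 1 >= len(tokens):
            raise ValueError(f"not a file-watch option: {opt}")
        value = tokens[i + 1]
        if opt == "-w":
            path = value
        elif opt == "-p":
            perms = value
        else:
            key = value
        i += 2
    if path is None:
        raise ValueError("file-watch rule needs -w PATH")
    if perms is None:
        perms = "rwxa"  # what auditctl -l reports for a watch added without -p
    bad = set(perms) - VALID_PERMS
    if bad:
        raise ValueError(f"invalid permission letter(s): {''.join(sorted(bad))}")
    field = "dir" if is_dir else "path"
    parts = ["-a", "always,exit", "-F", f"{field}={path}", "-F", f"perm={perms}"]
    if key is not None:
        parts += ["-k", key]
    return " ".join(parts)


if __name__ == "__main__":
    # Sample rule set in the spirit of Examples 7.1 to 7.3 (constructed input).
    rules = []
    rules += build_syscall_rules(["adjtimex", "settimeofday"], "time_change")
    rules += build_syscall_rules(["unlink", "unlinkat", "rename", "renameat"],
                                 "delete", auid_min=1000)
    rules += build_syscall_rules(["execve"], "execution_bin_id",
                                 extra_fields=("exe=/bin/id",))
    rules.append(watch_to_syscall_rule("-w /etc/shadow -p wa -k shadow_changes"))
    rules.append(watch_to_syscall_rule("-w /etc/selinux/ -p wa -k selinux_changes",
                                       is_dir=True))
    print("\n".join(rules))
```

Nothing in the script talks to the kernel, so it can be run on any host; redirect its output into a file under /etc/audit/rules.d/ or pass that file to auditctl -R on the target system.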

7.5.3. Defining Persistent Audit Rules and Controls in the /etc/audit/audit.rules File

To define Audit rules that are persistent across reboots, you must either directly include them in the /etc/audit/audit.rules file or use the augenrules program that reads rules located in the /etc/audit/rules.d/ directory. Note that when augenrules is in use, it regenerates /etc/audit/audit.rules from the rules.d files each time it runs, so edits made directly to audit.rules are overwritten; keep your rules in one place or the other. The /etc/audit/audit.rules file uses the same auditctl command line syntax to specify the rules. Empty lines and text following a hash sign (#) are ignored.

The auditctl command can also be used to read rules from a specified file using the -R option, for example:

~]# auditctl -R /usr/share/doc/audit/rules/30-stig.rules

Defining Control Rules

A file can contain only the following control rules that modify the behavior of the Audit system: -b, -D, -e, -f, -r, --loginuid-immutable, and --backlog_wait_time. For more information on these options, see the section called “Defining Control Rules”.

Example 7.4. Control Rules in audit.rules

# Delete all previous rules
-D

# Set buffer size
-b 8192

# Panic when a failure occurs
-f 2

# Generate at most 100 audit messages per second
-r 100

# Make login UID immutable once it is set (may break containers)
--loginuid-immutable 1

# Make the configuration immutable -- reboot is required to change audit rules.
# This must be the last line: once the configuration is locked, no later
# control or rule line in the file can be applied.
-e 2

Defining File System and System Call Rules

File system and system call rules are defined using the auditctl syntax. The examples in Section 7.5.1, “Defining Audit Rules with auditctl” can be represented with the following rules file:

Example 7.5. File System and System Call Rules in audit.rules

-w /etc/passwd -p wa -k passwd_changes
-w /etc/selinux/ -p wa -k selinux_changes
-w /sbin/insmod -p x -k module_insertion
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time_change
-a always,exit -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete

Preconfigured Rules Files

In the /usr/share/doc/audit/rules/ directory, the audit package provides a set of pre-configured rules files according to various certification standards:

  • 30-nispom.rules — Audit rule configuration that meets the requirements specified in the Information System Security chapter of the National Industrial Security Program Operating Manual.

  • 30-pci-dss-v31.rules — Audit rule configuration that meets the requirements set by Payment Card Industry Data Security Standard (PCI DSS) v3.1.

  • 30-stig.rules — Audit rule configuration that meets the requirements set by Security Technical Implementation Guides (STIG).

To use these configuration files, create a backup of your original /etc/audit/audit.rules file and copy the configuration file of your choice over the /etc/audit/audit.rules file:

~]# cp /etc/audit/audit.rules /etc/audit/audit.rules_backup
~]# cp /usr/share/doc/audit/rules/30-stig.rules /etc/audit/audit.rules

Note

The Audit rules have a numbering scheme that allows them to be ordered. To learn more about the naming scheme, see the /usr/share/doc/audit/rules/README-rules file.

Using augenrules to Define Persistent Rules

The augenrules script reads rules located in the /etc/audit/rules.d/ directory and compiles them into an audit.rules file. This script processes all files that end in .rules, in a specific order based on their natural sort order. The files in this directory are organized into groups with the following meanings:

  • 10 - Kernel and auditctl configuration

  • 20 - Rules that could match general rules but you want a different match

  • 30 - Main rules

  • 40 - Optional rules

  • 50 - Server-specific rules

  • 70 - System local rules

  • 90 - Finalize (immutable)

The rules are not meant to be used all at once. They are pieces of a policy that should be thought out and individual files copied to /etc/audit/rules.d/. For example, to set a system up in the STIG configuration, copy rules 10-base-config, 30-stig, 31-privileged, and 99-finalize.

Once you have the rules in the /etc/audit/rules.d/ directory, load them by running the augenrules script with the --load directive:

~]# augenrules --load
augenrules --load No rules
enabled 1
failure 1
pid 634
rate_limit 0
backlog_limit 8192
lost 0
backlog 0
enabled 1
failure 1
pid 634
rate_limit 0
backlog_limit 8192
lost 0
backlog 1
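The following Python script is an added example, not part of the Red Hat documentation or the augenrules script. It rebuilds a rules.d directory into one rule list the way augenrules orders it (files sorted by name, comments and blank lines dropped) and then lints the result for the load-order mistakes the numbering scheme is meant to prevent: a -D that lands after rules, a -e 2 that is not the last line, a system call rule without -F arch=, and an auid>= filter without the unset-login-UID exclusion. The sample rules.d it writes to a temporary directory is constructed input containing one deliberately flawed rule; the function names are this script's own.

```python
"""Assemble rules.d/*.rules in augenrules order and lint the result.

Added example: not code from the Red Hat documentation or the audit package.
It approximates what augenrules does (concatenate *.rules in sort order,
dropping comments and blank lines) and then checks for the ordering mistakes
that make a generated audit.rules load partially or not at all.
"""
import os
import shlex
import tempfile

AUID_UNSET = "4294967295"


def assemble_rules(rules_dir):
    """Return the effective rule lines of rules_dir in the order augenrules uses."""
    names = sorted(n for n in os.listdir(rules_dir) if n.endswith(".rules"))
    lines = []
    for name in names:
        with open(os.path.join(rules_dir, name)) as fh:
            for raw in fh:
                line = raw.split("#", 1)[0].strip()  # text after '#' is ignored
                if line:
                    lines.append(line)
    return lines


def lint_rules(lines):
    """Return findings (strings) about load-order and filter mistakes."""
    findings = []
    rule_idx = [i for i, l in enumerate(lines) if l.startswith(("-a ", "-w "))]
    # -D wipes whatever is loaded at that point, so it must precede every rule.
    if "-D" in lines and rule_idx and lines.index("-D") > rule_idx[0]:
        findings.append("-D appears after a rule; rules before it are deleted at load time")
    # -e 2 locks the configuration; nothing after it can be loaded until reboot.
    for i, l in enumerate(lines):
        if l == "-e 2" and i != len(lines) - 1:
            findings.append(f"-e 2 at line {i + 1} is not last; "
                            f"{len(lines) - i - 1} later line(s) cannot load")
    for i, l in enumerate(lines):
        toks = shlex.split(l)
        if toks[0] != "-a":
            continue
        fields = [toks[j + 1] for j, t in enumerate(toks[:-1]) if t == "-F"]
        if "-S" in toks and not any(f.startswith("arch=") for f in fields):
            findings.append(f"line {i + 1}: syscall rule without -F arch=, "
                            "so the 32-bit and 64-bit syscall tables are ambiguous")
        if (any(f.startswith("auid>=") for f in fields)
                and f"auid!={AUID_UNSET}" not in fields
                and "auid!=unset" not in fields):
            findings.append(f"line {i + 1}: auid>= without auid!={AUID_UNSET}; "
                            "processes with an unset login UID also match")
    return findings


def build_sample_rules_dir():
    """Create a throwaway rules.d with one deliberately flawed rule (constructed input)."""
    d = tempfile.mkdtemp(prefix="rules.d-")
    files = {
        "10-base-config.rules": "# constructed sample\n-D\n-b 8192\n-f 1\n",
        "30-custom.rules": ("-w /etc/passwd -p wa -k passwd_changes\n"
                            "-a always,exit -S unlink -F auid>=1000 -k delete"
                            "  # no arch, no unset filter\n"),
        "99-finalize.rules": "-e 2\n",
    }
    for name, body in files.items():
        with open(os.path.join(d, name), "w") as fh:
            fh.write(body)
    return d


if __name__ == "__main__":
    rules_dir = build_sample_rules_dir()
    lines = assemble_rules(rules_dir)
    print("\n".join(lines))
    for finding in lint_rules(lines):
        print("WARNING:", finding)
```

Point assemble_rules at a real /etc/audit/rules.d/ to review a deployment before running augenrules --load; because the script only reads files, it needs no root privileges and never touches the kernel's rule set.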

For more information on the Audit rules and the augenrules script, see the audit.rules(8) and augenrules(8) man pages.
