Audit framework - ArchWiki (2024)

The Linux audit framework provides a CAPP-compliant (Controlled Access Protection Profile) auditing system that reliably collects information about any security-relevant (or non-security-relevant) event on a system. It can help you track actions performed on a system.

Linux audit helps make your system more secure by providing you with means to analyze what is happening on your system in great detail. It does not, however, provide additional security itself—it does not protect your system from code malfunctions or any kind of exploits. Instead, Audit is useful for tracking these issues and helps you take additional security measures to prevent them.

The audit framework works by listening to the events reported by the kernel and logging them to a log file.

Note: Audit framework compatibility with containers was fixed in Linux 3.15, see [1]; however, interpreting audit records may be difficult as support for namespace IDs is still work in progress, see [2].

Installation

In-kernel audit support is available in all officially supported kernels. For custom kernels CONFIG_AUDIT should be enabled. Userspace support is provided by the audit package that is already installed as a dependency of base packages.

Audit can be enabled at boot-time by setting audit=1 as kernel parameter. This will ensure that all processes that run before the audit daemon starts are marked as auditable by the kernel. Not doing that will make a few processes impossible to properly audit. See auditd(8).

Note: In order to disable audit completely and suppress audit messages from appearing in journal you may set audit=0 as kernel parameter and/or mask systemd-journald-audit.socket.

The audit framework is built around the auditd daemon, which is responsible for writing the audit messages generated through the kernel audit interface in response to application and system activity. Start/enable auditd.service to activate the daemon.

This daemon can be controlled by several commands and files:

  • auditctl(8): controls the behavior of the daemon on the fly, adding rules etc.
  • /etc/audit/audit.rules: contains the rules and various parameters of the auditd daemon. See audit.rules(7) for details.
  • aureport(8): generates reports of the activity on a system.
  • ausearch(8): searches for various events.
  • audispd: the dispatcher daemon, which can be used to relay event notifications to other applications instead of writing them to disk in the audit log.
  • autrace: traces a process, in a similar way to strace.
  • /etc/audit/auditd.conf: configuration file for the logging. See auditd.conf(5) for details.

Adding rules

Before adding rules, be aware that the audit framework can be very verbose and that each rule must be carefully tested before it is actually deployed. Indeed, a single rule can flood all your logs within a few minutes.

Audit files and directories access

The most basic use of the audit framework is to log access to the files you want. To do this, you use a watch (-w) on a file or a directory. The most basic rule to set up is to track accesses to the passwd file:

# auditctl -w /etc/passwd -p rwxa

You can track access to a folder with:

# auditctl -w /etc/security/

The first rule keeps track of every read (r), write (w), execution (x) and attribute change (a) of the file /etc/passwd. The second one keeps track of any access to the /etc/security/ folder.

You can list all active rules with:

# auditctl -l

You can delete all rules with:

# auditctl -D

Once you validate the rules, you can append them to the /etc/audit/audit.rules file:

-w /etc/passwd -p rwxa
-w /etc/security/

Audit syscalls

The audit framework allows you to audit the syscalls performed with the -a option.

A security related rule is to track the chmod(2) syscall, to detect file ownership changes:

# auditctl -a exit,always -S chmod

For a list of all syscalls, see syscalls(2).

A lot of rules and possibilities are available, see auditctl(8) and audit.rules(7).

Filter unwanted messages

In order to prevent noisy audit messages from flooding system logs you may add rules to exclude some of them:

/etc/audit/rules.d/quiet.rules
-A exclude,always -F msgtype=SERVICE_START
-A exclude,always -F msgtype=SERVICE_STOP
-A exclude,always -F msgtype=BPF
-A exclude,always -F exe=/usr/bin/sudo

Remember to verify changes (fix as necessary) and regenerate /etc/audit/audit.rules as follows:

# augenrules --check
# augenrules --load

Search the logs

The audit framework provides some tools that make it easier to search for and analyze the events happening on a system.

Using pid

You can search events related to a particular pid using ausearch:

# ausearch -p 1

This command will show you all the events logged according to your rules related to PID 1 (i.e. systemd).

Using keys

One of the great features of the audit framework is its ability to use keys to tag and manage events; using them is recommended.

You can use the -k option in your rules to be able to find related events easily:

# auditctl -w /etc/passwd -p rwxa -k KEY_pwd

Then, if you search for events with the key KEY_pwd, ausearch will display only the events related to the file /etc/passwd:

# ausearch -k KEY_pwd
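As an added example (not code from the ArchWiki page or from the audit project), the following Python script parses raw auditd records, groups them into events by serial number, and filters them by key or pid the way ausearch -k and ausearch -p do; it also counts events per key, which is a quick way to find the rule that is flooding the log, as warned about under Adding rules. The sample records are constructed, and the syscall numbers are x86_64 values.

```python
import re
from collections import Counter, defaultdict

# Constructed sample records in raw auditd log format (not real log data);
# on x86_64, syscall 257 is openat and syscall 90 is chmod.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.100:101): arch=c000003e syscall=257 success=yes exit=3 ppid=1 pid=1234 auid=1000 uid=0 comm="cat" exe="/usr/bin/cat" key="KEY_pwd"
type=PATH msg=audit(1700000000.100:101): item=0 name="/etc/passwd" inode=42 mode=0100644 ouid=0 ogid=0
type=SYSCALL msg=audit(1700000000.200:102): arch=c000003e syscall=90 success=yes exit=0 ppid=0 pid=1 auid=4294967295 uid=0 comm="systemd" exe="/usr/lib/systemd/systemd" key="KEY_chmod"
type=PATH msg=audit(1700000000.200:102): item=0 name="/run/lock" inode=7 mode=040755 ouid=0 ogid=0
type=SYSCALL msg=audit(1700000000.300:103): arch=c000003e syscall=257 success=yes exit=4 ppid=1234 pid=1300 auid=1000 uid=1000 comm="vim" exe="/usr/bin/vim" key="KEY_pwd"
type=PATH msg=audit(1700000000.300:103): item=0 name="/etc/passwd" inode=42 mode=0100644 ouid=0 ogid=0
"""

# Record header: type=<TYPE> msg=audit(<seconds.millis>:<serial>): <fields>
HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): ?(.*)$')
# key=value pairs; values are either double-quoted or bare tokens
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_events(text):
    """Group raw audit records into events keyed by their audit serial number."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # skip anything that is not an audit record
        rtype, ts, serial, body = m.groups()
        fields = {"type": rtype, "time": float(ts)}
        for f in FIELD.finditer(body):
            fields[f.group(1)] = f.group(2) if f.group(2) is not None else f.group(3)
        events[int(serial)].append(fields)
    return events


def search(events, key=None, pid=None):
    """Return serials of events matching a rule key and/or a pid (like ausearch -k / -p)."""
    hits = []
    for serial, records in sorted(events.items()):
        if key is not None and not any(r.get("key") == key for r in records):
            continue
        if pid is not None and not any(r.get("pid") == str(pid) for r in records):
            continue
        hits.append(serial)
    return hits


def noise_by_key(events):
    """Count events per rule key, to find the rule that is flooding the log."""
    counts = Counter()
    for records in events.values():
        counts.update({r["key"] for r in records if "key" in r})
    return counts
```

To run it against a real system, read /var/log/audit/audit.log (or the output of ausearch --raw) instead of SAMPLE_LOG.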

Look for abnormalities

The aureport tool can be used to quickly report any abnormal event that occurred on the system; this includes network interfaces put into promiscuous mode, processes or threads crashing or exiting with an ENOMEM error, etc.

The easiest way to use aureport is:

# aureport -n

aureport can be used to generate custom reports, see aureport(8).

Which files or syscalls are worth auditing?

Keep in mind that each audit rule added will generate logs, so you must be ready to process this amount of information. Basically, each security-related event/file must be monitored, such as IDS, IPS, anti-rootkits etc. On the other hand, it is totally useless to track every write syscall: the smallest compilation will fill your logs with this event.

More complex sets of rules can be set up to perform auditing on a very fine-grained basis. If you want to do so, see auditctl(8).

Gather logs from different hosts

The audit framework has a plugin system which provides the possibility to send local logfiles to a remote auditd.

Send logfiles

To send your logfiles to a remote host you need the audisp-remote plugin, which comes automatically with the audit package. Activate the plugin:

/etc/audisp/plugins.d/au-remote.conf
active = yes
direction = out
path = /usr/bin/audisp-remote
type = always
format = string

and set the remote host where the logs should be sent to:

/etc/audisp/audisp-remote.conf
remote_server = domain.name.or.ip
port = 60
##local_port = optional
transport = tcp

Receive logfiles

To make auditd listen for remote audispds you just need to set the tcp options:

/etc/audit/auditd.conf
tcp_listen_port = 60
tcp_listen_queue = 5
tcp_max_per_addr = 1
##tcp_client_ports = 1024-65535 #optional
tcp_client_max_idle = 0

Now you can view the logs of all configured hosts in the logfiles of the receiving auditd.

Rotate the logs

Send SIGUSR1 to the audit daemon:

# pkill -USR1 -x auditd

Troubleshooting

Audit logs flooding into virtual console

For users who have not enabled auditd, using a kernel debug level higher than loglevel=4 can result in audit flooding the virtual terminal with security notices.

These messages can be silenced by enabling auditd.service.

Alternative solutions are:

  • lowering your loglevel,
  • disabling audit logs with the kernel parameter audit=0.

See the systemd issue 15324 on GitHub for the details.
