# Auditd - The Linux Auditing System
The Linux Auditing System has been widely adopted as a way to meet auditing standards and aid forensic investigations. Combined with a Host Intrusion Detection System, auditd can be used for more than forensics: it can help find intrusion attempts and successful attacks. This repository aims to be a collection of examples, guidance and background information to help an administrator or security engineer deploy auditd in a detection capacity.

## Configuring Auditd

### /etc/audit/auditd.conf

Settings in auditd.conf should be chosen based on how important log integrity is to you and how long you would like to keep records.

Here are the options that control buffering, event dispatch and log rotation. `max_log_file` and `space_left` are in megabytes. With `flush = INCREMENTAL` the log is flushed to disk every `freq` records, so up to that many records can be lost on a crash; `flush = SYNC` loses none at the cost of throughput:

```bash
flush = INCREMENTAL
freq = 20
num_logs = 5
disp_qos = lossy
dispatcher = /sbin/audispd
name_format = NONE
##name = mydomain
max_log_file = 6
max_log_file_action = ROTATE
space_left = 75
```

The "_action" options determine how errors or disk space issues should be handled. `SUSPEND` stops writing records to disk but leaves the daemon running; `SINGLE` (single-user mode) and `HALT` are stricter. `IGNORE` and `SYSLOG` keep the system running without a complete audit trail, which lets anyone who can fill the disk or break the log device evade logging:

```bash
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
```

### /etc/audit/audit.rules

Example rule sets for most Linux distributions are stored in ```/usr/share/doc/auditd/examples``` (the exact path varies by distribution and package version).

This file contains all of the rules that are loaded when the system starts; most audit.rules files start with the following control rules:

```bash
## First rule - delete all
-D

## Increase the buffers to survive stress events.
## Make this bigger for busy systems (check the "lost" counter in auditctl -s;
## a non-zero value means the backlog was too small)
-b 8192

## Set failure mode to panic. -f 2 panics the kernel when auditing fails
## (for example on backlog overflow); use -f 1 where availability matters
## more than a guaranteed audit trail.
-f 2

```

Followed by the audit rules. The `stime.*` / `setrlimit.*` glob form seen in some older examples is not valid auditctl syntax, so each syscall is named explicitly here. Every syscall rule also carries `-F arch=`: without it auditctl warns about a 32/64-bit syscall mismatch, and `stime` only exists in the 32-bit ABI:

```bash
-a always,exit -F arch=b32 -S unlink -S rmdir
-a always,exit -F arch=b64 -S unlink -S rmdir
-a always,exit -F arch=b32 -S stime
-a always,exit -F arch=b32 -S setrlimit
-a always,exit -F arch=b64 -S setrlimit
-w /etc/group -p wa
-w /etc/passwd -p wa
-w /etc/shadow -p wa
-w /etc/sudoers -p wa
```

The audit.rules file should end with the immutability settings:

```bash
#Enable auditd
-e 1

#Make the configuration immutable, a reboot is required to change the configuration settings or rulesets.
-e 2
```

`-e 2` is the setting that matters for integrity: once it is set, further rule changes through auditctl are refused until the system reboots, so a compromised root account cannot quietly turn auditing off.

Rules can be stored in `/etc/audit/audit.rules` or the ruleset can be changed while the daemon is running using the auditctl command. Changes made with auditctl alone are lost at the next restart unless they are also written to the rules file. Newer audit releases build audit.rules from the fragments in `/etc/audit/rules.d/*.rules` with `augenrules`, so on those systems edit the fragments rather than the generated file.

## Rules
“audit rules come in 3 varieties: control, file, and syscall”
* Control - “configuring the audit system”
* File - “audit access to particular files or directories”
* Syscall - “loaded into a matching engine that intercepts each syscall”

### Options
```
-a action,list   e.g. always,exit: evaluate the rule when the syscall exits and log on a match
-F field=value   filter on a field, e.g. arch=b64, uid=33, auid!=4294967295
-C field=field   compare two fields of the same event, e.g. auid!=uid
-S syscall       syscall name or number, e.g. execve
-k key           label matching events, e.g. programs; find them later with ausearch -k
```

### Sample Rules
uid 33 is `www-data` on Debian and Ubuntu. `-C auid!=uid` catches anything run after a privilege change such as `su` or `sudo`. Because `auid` is 4294967295 (unset) for processes that never passed through a login session, add `-F auid!=4294967295` (`-F auid!=unset` on newer auditctl) to keep daemons out of the `su_program` results.

```bash
-a always,exit -F arch=b32 -F uid=33 -S execve -k programs -k www
-a always,exit -F arch=b64 -F uid=33 -S execve -k programs -k www
-a always,exit -F arch=b32 -C auid!=uid -S execve -k su_program -k programs
-a always,exit -F arch=b64 -C auid!=uid -S execve -k su_program -k programs
-a always,exit -F arch=b32 -S unlink -S rmdir
-a always,exit -F arch=b64 -S unlink -S rmdir
-a always,exit -F arch=b32 -S stime
-a always,exit -F arch=b32 -S setrlimit
-a always,exit -F arch=b64 -S setrlimit
-w /var/www -p wa
-w /etc/group -p wa
-w /etc/passwd -p wa
-w /etc/shadow -p wa
-w /etc/sudoers -p wa
```

## Commands
### auditd
```auditd -f``` - foreground auditd, messages go to stderr
```SIGHUP``` - Reconfigure auditd, re-read configuration files (`kill -HUP $(pidof auditd)`)

"A boot param of audit=1 should be added to ensure that all processes that run before the audit daemon starts is marked as auditable by the kernel. "
- [Auditd Man Page](http://linux.die.net/man/8/auditd)

The parameter goes on the kernel command line in the bootloader configuration (for example the `GRUB_CMDLINE_LINUX` line in `/etc/default/grub`). Without it, processes started before auditd, including the init system and anything it spawns early, are not tracked by the kernel's audit subsystem.

### auditctl
"auditctl program is used to control the behavior, get status, and add or delete rules into the 2.6 kernel’s audit system."

```auditctl -l``` - List current rule set

#### Control Behavior
* ```auditctl -e 0``` - Temporarily disable auditing
* ```auditctl -e 1``` - Re-enable auditing
* ```auditctl -e 2``` - Lock auditing to enabled, reboot to change configuration.
* ```auditctl -f 0``` - Do not report critical errors
* ```auditctl -f 1``` - Default, printk critical errors
* ```auditctl -f 2``` - Panic on critical errors
* ```auditctl -s``` - Show status: enabled flag, failure mode, backlog limit and the count of lost records

#### Manage Rules
* ```auditctl -D``` - Clear all rules
* ```auditctl -l``` - List ruleset
* ```auditctl -w /file -p rwxa -k file_alert``` - Watch all actions on a file and label with file_alert
* ```auditctl -a always,exit -F arch=b32 -F uid=www-data -S execve -k programs -k www``` - Log all commands executed by the www-data user and label with programs and www keywords (repeat the rule with `-F arch=b64` on 64-bit systems, otherwise 64-bit binaries are missed)

### ausearch

* ```ausearch -a 104``` - Search for event id 104
* ```ausearch --uid 0 --syscall execve --success yes``` - Search for all programs executed by root that were successful
* ```ausearch -ui 0 -sc execve -sv yes``` - The same search using the short options
* ```ausearch -k www``` - Search for events labelled with the www key; this is what the `-k` labels in the rules are for
* Add ```-i``` (```--interpret```) to any search to turn uids, syscall numbers and hex-encoded fields into readable names

### aureport

* ```aureport --auth``` - Authentication Report
* ```aureport --login --failed``` - Failed Login Report
* ```aureport --file``` - File Report

### ausearch and aureport together
Both ausearch and aureport are able to read raw audit records from STDIN; here we generate the executable report for a single event:

```
sysadmin@server:~$ sudo ausearch --event 662 --raw | aureport --executable --interpret

Executable Report
====================================
# date time exe term host auid event
====================================
1. 07/27/2015 16:13:29 /usr/bin/whoami (none) ? unset 662
```


# Links

## Man Pages

* auditd: [http://linux.die.net/man/8/auditd](http://linux.die.net/man/8/auditd)
* auditctl: [http://linux.die.net/man/8/auditctl](http://linux.die.net/man/8/auditctl)
* audit.rules: [http://linux.die.net/man/7/audit.rules](http://linux.die.net/man/7/audit.rules)

## Intro to Auditd
* [http://security.blogoverflow.com/2013/01/a-brief-introduction-to-auditd/](http://security.blogoverflow.com/2013/01/a-brief-introduction-to-auditd/)
* [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/chap-system_auditing.html](https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/chap-system_auditing.html)

## Reporting and Alerting

* Splunk: [https://splunkbase.splunk.com/app/2642/](https://splunkbase.splunk.com/app/2642/)
* Logstash Example: [https://gist.github.com/artbikes/2313040](https://gist.github.com/artbikes/2313040)
* Logstash on serverfault: [http://serverfault.com/questions/609192/how-to-parse-audit-log-using-logstash](http://serverfault.com/questions/609192/how-to-parse-audit-log-using-logstash)
* auditd Bro Framework: [https://github.com/set-element/auditdBroFramework](https://github.com/set-element/auditdBroFramework)
* Ossec Decoder: [https://github.com/ossec/ossec-docs/blob/master/decoders/10_auditd_decoder.xml](https://github.com/ossec/ossec-docs/blob/master/decoders/10_auditd_decoder.xml)

## Presentations
* Audit & IDS by Steve Grubb [http://people.redhat.com/sgrubb/audit/audit-ids.pdf](http://people.redhat.com/sgrubb/audit/audit-ids.pdf)

### Upcoming
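To show how the `-k` labels from the Sample Rules and the per-event records that `ausearch --raw` prints fit together, here is an added Python example; it is not part of this repository or of the audit package. It parses a constructed audit.log excerpt (the records, uids, pids and inode numbers are made up to match the rules above, not captured from a real host), joins the SYSCALL, EXECVE, CWD and PATH records of each event by serial number, decodes the hex-encoded key field that auditd writes when a rule has more than one `-k`, and applies the detections the rules imply: execve by the `www` uid, execve with `auid != uid` (the `su_program` rule), and writes to the watched identity files, which carry no key in the rules above and so have to be matched on the PATH name. The last function reproduces the gist of `aureport --executable`.

```python
"""Detection over raw auditd records (audit.log or `ausearch --raw` output).

Added example for this README, not auditd code. SAMPLE_LOG is constructed
to match the Sample Rules above; it was not captured from a real system.
"""
import re
from collections import defaultdict

UNSET_AUID = 4294967295  # loginuid of processes that never went through a login session
WATCHED_FILES = {"/etc/group", "/etc/passwd", "/etc/shadow", "/etc/sudoers"}

# Constructed sample: 662 = www-data (uid 33) running whoami, matched by the
# "-k programs -k www" rule; 663 = auid 1000 running a root shell, matched by
# "-C auid!=uid ... -k su_program -k programs"; 664 = that shell opening
# /etc/sudoers for writing, matched by "-w /etc/sudoers -p wa" (no key).
# Several -k labels are logged as one hex string joined with 0x01.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1437993209.101:662): arch=c000003e syscall=59 success=yes exit=0 a0=7ffd1 a1=7ffd2 a2=7ffd3 a3=0 items=2 ppid=2100 pid=2101 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="whoami" exe="/usr/bin/whoami" key=70726F6772616D7301777777
type=EXECVE msg=audit(1437993209.101:662): argc=1 a0="whoami"
type=CWD msg=audit(1437993209.101:662):  cwd="/var/www"
type=PATH msg=audit(1437993209.101:662): item=0 name="/usr/bin/whoami" inode=131 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1437993209.205:663): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=0 items=2 ppid=3000 pid=3001 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=7 comm="bash" exe="/bin/bash" key=73755F70726F6772616D0170726F6772616D73
type=EXECVE msg=audit(1437993209.205:663): argc=2 a0="bash" a1="-i"
type=CWD msg=audit(1437993209.205:663):  cwd="/root"
type=PATH msg=audit(1437993209.205:663): item=0 name="/bin/bash" inode=262 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1437993209.310:664): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=5 a2=241 a3=1b6 items=2 ppid=3001 pid=3002 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=7 comm="vi" exe="/usr/bin/vi" key=(null)
type=CWD msg=audit(1437993209.310:664):  cwd="/root"
type=PATH msg=audit(1437993209.310:664): item=0 name="/etc/" inode=2 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1437993209.310:664): item=1 name="/etc/sudoers" inode=500 dev=08:01 mode=0100440 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
"""

RECORD_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def decode_key(value):
    """key="www" -> ["www"]; key=(null) -> []; key=<hex> -> the 0x01-separated labels."""
    if value == "(null)":
        return []
    if value.startswith('"'):
        return [value.strip('"')]
    try:
        return bytes.fromhex(value).decode().split("\x01")
    except ValueError:
        return [value]


def parse_fields(body):
    fields = {}
    for name, value in FIELD_RE.findall(body):
        if name == "key":
            fields["keys"] = decode_key(value)
        else:
            fields[name] = value.strip('"')
    return fields


def parse_events(raw_log):
    """Group records by serial number; PATH records repeat, so they are kept as a list."""
    events = {}
    for line in raw_log.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        ev = events.setdefault(m["serial"], {"serial": int(m["serial"]), "time": float(m["ts"]), "paths": []})
        fields = parse_fields(m["body"])
        if m["type"] == "PATH":
            ev["paths"].append(fields)
        else:
            ev[m["type"]] = fields
    return [events[s] for s in sorted(events, key=int)]


def argv(event):
    """Command line from the EXECVE record (arguments auditd splits into a1[0], a1[1] chunks are not rejoined)."""
    ex = event.get("EXECVE")
    return [ex[f"a{i}"] for i in range(int(ex["argc"]))] if ex else []


def detect(events):
    """Apply the detections the Sample Rules imply; returns (serial, label, message) tuples."""
    alerts = []
    for ev in events:
        sc = ev.get("SYSCALL")
        if not sc or sc.get("success") != "yes":
            continue
        auid, uid, keys = int(sc["auid"]), int(sc["uid"]), sc.get("keys", [])
        if "EXECVE" in ev:
            cmd = " ".join(argv(ev))
            if "www" in keys:
                alerts.append((ev["serial"], "www", f"uid {uid} ran: {cmd}"))
            if auid != UNSET_AUID and auid != uid:  # same test as the -C auid!=uid rule, minus daemons
                alerts.append((ev["serial"], "su_program", f"auid {auid} ran as uid {uid}: {cmd}"))
        else:  # -w rules above have no key, so match the file name from the PATH records
            for p in ev["paths"]:
                if p.get("nametype") != "PARENT" and p.get("name") in WATCHED_FILES:
                    alerts.append((ev["serial"], "watched_file", f"auid {auid} opened {p['name']} via {sc['exe']}"))
    return alerts


def executable_report(events):
    """Executions per (auid, exe), the gist of `aureport --executable`."""
    counts = defaultdict(int)
    for ev in events:
        if "EXECVE" in ev and "SYSCALL" in ev:
            counts[(ev["SYSCALL"]["auid"], ev["SYSCALL"]["exe"])] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for serial, label, msg in detect(evs):
        print(f"event {serial} [{label}] {msg}")
    for (auid, exe), n in executable_report(evs).items():
        print(f"auid={auid} exe={exe} count={n}")
```

Feed it a real log with `sudo ausearch --raw -ts today | python3 detect.py` after replacing `SAMPLE_LOG` with `sys.stdin.read()`. Note that the watched-file detection only works because the PATH name is matched directly; giving the `-w` rules a `-k` label (for example `-w /etc/sudoers -p wa -k identity`) makes both this script and `ausearch -k` far simpler.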
* "Looking for Ghosts in the Machine" by Scott Campbell for BroCon ‘15: [https://www.bro.org/brocon2015/brocon2015_abstracts.html#looking-for-ghosts-in-themachine](https://www.bro.org/brocon2015/brocon2015_abstracts.html#looking-for-ghosts-in-themachine)

## PCI-DSS
* [http://linux-audit.com/category/compliance/pci-dss-compliance/](http://linux-audit.com/category/compliance/pci-dss-compliance/)
* [http://networkrecipes.blogspot.com/2013/03/auditd-in-linux-for-pci-dss-compliance.html](http://networkrecipes.blogspot.com/2013/03/auditd-in-linux-for-pci-dss-compliance.html)
* Requirement 10, track and monitor all access: [http://blog.ptsecurity.com/2010/11/requirement-10-track-and-monitor-all.html](http://blog.ptsecurity.com/2010/11/requirement-10-track-and-monitor-all.html)

## CIS Benchmark
* [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.1.0.pdf](https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.1.0.pdf)