auditd: an awesome tool for auditing
Hello Debian-Users, what's going on?
Today we will talk about the Linux Auditing System, or auditd, a powerful tool for auditing Linux servers. I will show a flowchart that explains how it works, how it interacts with the kernel, applications and syscalls, and its overall behaviour:
How does it work behind the scenes?
[Flowchart: the auditd daemon scenario and how it works. Credits for this flowchart: linuxfirewall.com.br]
This will help you to:
- log everything, which you will need for better hardening
- generate log entries for the system events that are helpful to you
- use pre-configured rule sets
- monitor processes, showing the syscall, the cwd, the user running it and more
- log a lot of things: logins, processes, failed and successful logins, and the date and time of each event
- associate an event with the user who performed it, among other things
- see all modifications and how they happened, logins and much more
- make a better and more complete investigation/audit of the system and strengthen its security
Maybe you are looking for something to harden your system, and that is why you are reading this post now. Today we will talk about auditd, a tool for auditing a lot of things: tracing processes, failed or successful logins, and logging much else, as I said before. The tool is very useful because it records almost everything that is needed for an audit, and you can write your own rules to customise it for your needs.
auditd is part of the Linux Auditing System. I will split this post in two parts: the general auditd tools, and the aureport utilities/facilities.
Let's install it right now:
$ yum install audit audispd-plugins audit-libs
Package audit-2.8.5-4.el7.x86_64 is already installed, latest version
Package audispd-plugins-2.8.5-4.el7.x86_64 is already installed, latest version
Package audit-libs-2.8.5-4.el7.x86_64 is already installed, latest version
Now I will start the daemon and enable it to start at boot:
sudo systemctl start auditd
sudo systemctl enable auditd
At this point I can already see everything being recorded in the log:
tail -f /var/log/audit/audit.log
Binaries:
auditd – the daemon that catches events and stores the logs
auditctl – client tool to control the audit system (load, list and delete rules, check status)
aureport – makes audit.log more human-readable by producing summary reports
ausearch – event viewer/search tool for audit.log
autrace – uses the kernel audit components to trace a binary
aulast – uses the audit framework to show the last logged-in and logged-out users
aulastlog – very similar to lastlog
ausyscall – maps a syscall name to its number and back
auvirt – audit report for VMs
Configuration files:
- audit.rules: the rules file auditctl loads at startup (/etc/audit/audit.rules, composed from the files under /etc/audit/rules.d/ by augenrules on recent versions)
- auditd.conf: main configuration file of the daemon (/etc/audit/auditd.conf)
After installation no rules are configured, so when I list the rules that are enabled:
$ auditctl -l
No rules
As you can see, we don't have any rules enabled.
Now I want to create a rule that monitors /etc/passwd, for example, so I will set a "watch" on this file using its absolute path:
$ auditctl -a exit,always -F path=/etc/passwd -F perm=war
The perm flags are:
- r – read
- w – write
- x – execute
- a – attribute change
If you list the rules again, the new one is already active. Note that auditctl -l prints it in the equivalent -w/-p watch syntax, which you can also use to add it. A rule added on the command line like this is lost at reboot; to keep it, put the -w line in a file under /etc/audit/rules.d/ (or in /etc/audit/audit.rules on older setups), and consider adding -k <name> so the matching events can be found later with ausearch -k <name>.
root@matrix # auditctl -a exit,always -F path=/etc/passwd -F perm=war
root@matrix # auditctl -l
-w /etc/passwd -p rwa
Now if I read or change anything in a way that matches this rule, I can retrieve the whole event with ausearch:
# before I read /etc/passwd, no match is found
root@matrix # ausearch -f /etc/passwd
root@matrix # vim /etc/passwd
# after reading /etc/passwd, let's try again
root@matrix # ausearch -f /etc/passwd
----
time->Mon Nov 30 02:07:15 2020
type=PROCTITLE msg=audit(1606712835.807:1833): proctitle=76696D002F6574632F706173737764
type=PATH msg=audit(1606712835.807:1833): item=0 name="/etc/passwd" inode=4328109 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1606712835.807:1833): cwd="/home/igora/matrix"
type=SYSCALL msg=audit(1606712835.807:1833): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7fe7fb7cd189 a2=80000 a3=0 items=1 ppid=9292 pid=427703 auid=1169758966 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="vim" exe="/usr/bin/vim.basic" key=(null)
----
In that log I can see, for example:
- the time
- the file that is being monitored
- the cwd I was in at that time
- uid=0, gid and the other credential fields; auid=1169758966 is the login UID, which is set at login and survives su/sudo, so it is the field that ties the action to the real user even when uid=0
- which executable/binary I was using: /usr/bin/vim.basic
- the syscall number (257 is openat on x86_64; ausyscall 257 translates it) and the proctitle, which auditd hex-encodes when the command line contains spaces (76696D002F6574632F706173737764 decodes to "vim /etc/passwd")
- key=(null), because the rule was added without -k
- a lot of other information that helps at audit time
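As an added example (my own code, not from the post or from the audit project), here is a small Python 3 script that does by hand what ausearch does for you: it groups raw audit.log records by their msg=audit(epoch:serial) id, decodes the hex-encoded proctitle, names the syscall, and flags events where a logged-in user acted with uid=0. The first event in SAMPLE_LOG is the /etc/passwd read shown above; the second is a constructed, invented event (a failed read of /etc/shadow by a web worker, logged by a rule with -k identity) added to exercise the success=no and key fields. It handles the raw log format only, not the interpreted output of ausearch -i.

```python
"""Correlate raw /var/log/audit/audit.log records into events and pull out the
forensic essentials (who, what, which file, as which user).

Added example for this post; not part of the audit package. Parsing follows the
raw log format shown above. SAMPLE_LOG is constructed: event 1833 is the post's
/etc/passwd read, event 1840 is an invented failed read of /etc/shadow.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
type=PROCTITLE msg=audit(1606712835.807:1833): proctitle=76696D002F6574632F706173737764
type=PATH msg=audit(1606712835.807:1833): item=0 name="/etc/passwd" inode=4328109 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1606712835.807:1833): cwd="/home/igora/matrix"
type=SYSCALL msg=audit(1606712835.807:1833): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7fe7fb7cd189 a2=80000 a3=0 items=1 ppid=9292 pid=427703 auid=1169758966 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="vim" exe="/usr/bin/vim.basic" key=(null)
type=SYSCALL msg=audit(1606712900.123:1840): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55d1c0a0 a2=0 a3=0 items=1 ppid=1 pid=430001 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="php-fpm7.3" exe="/usr/sbin/php-fpm7.3" key="identity"
type=CWD msg=audit(1606712900.123:1840): cwd="/"
type=PATH msg=audit(1606712900.123:1840): item=0 name="/etc/shadow" inode=4328110 dev=fd:01 mode=0100640 ouid=0 ogid=42 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PROCTITLE msg=audit(1606712900.123:1840): proctitle=7068702D66706D3A20706F6F6C20777777
"""

# Every record of one event shares the same msg=audit(<epoch>.<ms>:<serial>) id.
MSG_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# String fields auditd hex-encodes (unquoted) when they contain spaces, quotes
# or control characters; when safe they are printed quoted instead.
STRING_FIELDS = {"proctitle", "name", "cwd", "comm", "exe", "key"}
UNSET_AUID = 4294967295  # -1 as u32: the process has no login session
# Only the x86_64 (arch=c000003e) numbers this post needs; ausyscall has the rest.
SYSCALL_X86_64 = {2: "open", 257: "openat", 231: "exit_group"}


def decode_value(key, raw):
    """Unquote a quoted value; hex-decode an unquoted string field."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if key in STRING_FIELDS and len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", raw):
        # argv entries inside proctitle are NUL-separated
        return bytes.fromhex(raw).decode("utf-8", "replace").rstrip("\0").replace("\0", " ")
    return raw


def parse_records(text):
    """Yield (type, epoch, serial, fields) for every well-formed record line."""
    for line in text.splitlines():
        m = MSG_RE.match(line)
        if not m:
            continue
        rtype, epoch, serial, rest = m.groups()
        fields = {k: decode_value(k, v) for k, v in KV_RE.findall(rest)}
        yield rtype, float(epoch), int(serial), fields


def group_events(text):
    """Group records by serial, as ausearch does: {serial: {type: [fields, ...]}}."""
    events = defaultdict(lambda: defaultdict(list))
    for rtype, _epoch, serial, fields in parse_records(text):
        events[serial][rtype].append(fields)
    return {s: dict(recs) for s, recs in events.items()}


def summarize(serial, recs):
    """Reduce one event to the fields the bullet list above calls out."""
    sc = recs.get("SYSCALL", [{}])[0]
    auid = int(sc.get("auid", UNSET_AUID))
    uid = int(sc.get("uid", -1))
    nr = int(sc.get("syscall", -1))
    key = sc.get("key")
    return {
        "serial": serial,
        "syscall": SYSCALL_X86_64.get(nr, str(nr)) if sc.get("arch") == "c000003e" else str(nr),
        "success": sc.get("success") == "yes",
        "auid": None if auid == UNSET_AUID else auid,  # login uid; None for daemons
        "uid": uid,
        "exe": sc.get("exe"),
        "cwd": recs.get("CWD", [{}])[0].get("cwd"),
        "paths": [p["name"] for p in recs.get("PATH", []) if "name" in p],
        "cmdline": recs.get("PROCTITLE", [{}])[0].get("proctitle"),
        "key": None if key in (None, "(null)") else key,
        # A logged-in, non-root human acting with uid=0 went through su/sudo;
        # auid is what still names that human.
        "escalated": auid not in (UNSET_AUID, 0) and uid == 0,
    }


def report(text):
    """Summaries for every event in the log text, in serial order."""
    return [summarize(s, recs) for s, recs in sorted(group_events(text).items(), key=lambda kv: kv[0])]


if __name__ == "__main__":
    for ev in report(SAMPLE_LOG):
        who = ev["auid"] if ev["auid"] is not None else "daemon"
        flag = " [escalated]" if ev["escalated"] else ""
        print(f"{ev['serial']}: auid={who} uid={ev['uid']}{flag} {ev['syscall']} "
              f"{'ok' if ev['success'] else 'FAILED'} {ev['paths']} via {ev['exe']} "
              f"cmd={ev['cmdline']!r} key={ev['key']}")
```

Run it against a copy of a real audit.log by replacing SAMPLE_LOG with the file contents; the escalated flag is the programmatic form of the auid observation above, and the key field is why adding -k to your rules pays off later.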
Now let's talk about autrace, which traces a binary/command in a way very similar to strace, but records the syscalls through the audit subsystem. autrace refuses to run while rules are loaded, so first I need to clear them with:
$ auditctl -D
Now I want to trace /bin/ls, for example. autrace runs the binary once with temporary rules that record every syscall it makes, and removes those rules again when the process exits:
autrace /bin/ls
Waiting to execute: /bin/ls
Cleaning up...
Trace complete. You can locate the records with 'ausearch -i -p 429978'
The trace already ran ls for me, so now I fetch the records for that PID with:
ausearch -i -p 429978
type=PROCTITLE msg=audit(30/11/2020 02:24:01.902:2200) : proctitle=autrace /bin/ls
type=SYSCALL msg=audit(30/11/2020 02:24:01.902:2200) : arch=x86_64 syscall=exit_group a0=EXIT_SUCCESS a1=0x3c a2=0x0 a3=0x6 items=0 ppid=429976 pid=429978 auid=igora uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=3 comm=ls exe=/usr/bin/ls key=(null)
# Alternative command that loads the same thing:
ausearch --start recent -p 429978 -i
type=PROCTITLE msg=audit(30/11/2020 02:24:01.902:2200) : proctitle=autrace /bin/ls
type=SYSCALL msg=audit(30/11/2020 02:24:01.902:2200) : arch=x86_64 syscall=exit_group a0=EXIT_SUCCESS a1=0x3c a2=0x0 a3=0x6 items=0 ppid=429976 pid=429978 auid=igora uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=3 comm=ls exe=/usr/bin/ls key=(null)
I can run autrace on /bin/ls, iptables, python or any other binary I consider relevant.
By piping ausearch into aureport, I can get a summary of every file that PID touched during the trace:
ausearch --start recent -p 429978 --raw | aureport --file --summary
File Summary Report
===========================
total  file
===========================
1  /bin/ls
1  /lib64/ld-linux-x86-64.so.2
1  /etc/ld.so.preload
1  /etc/ld.so.cache
1  /lib/x86_64-linux-gnu/libselinux.so.1
1  /lib/x86_64-linux-gnu/libc.so.6
1  /lib/x86_64-linux-gnu/libpcre2-8.so.0
1  /lib/x86_64-linux-gnu/libdl.so.2
1  /lib/x86_64-linux-gnu/libpthread.so.0
1  /sys/fs/selinux
1  /selinux
1  /proc/filesystems
1  /etc/selinux/config
1  /usr/lib/locale/locale-archive
1  .
AuReport command facilities and utilities
This also shows the shared libraries and the other files the binary has to open on its way to executing.
Another good thing is that aureport gives me ready-made reports, for example the executable report:
aureport -x
Executable Report
====================================
# date time exe term host auid event
====================================
1. 28/11/2020 23:35:03 /usr/lib/systemd/systemd ? ? -1 141
2. 28/11/2020 23:35:04 /usr/lib/systemd/systemd ? ? -1 142
3. 28/11/2020 23:35:04 /usr/lib/systemd/systemd ? ? -1 143
4. 28/11/2020 23:35:05 /usr/lib/systemd/systemd ? ? -1 144
5. 28/11/2020 23:36:49 /usr/bin/pkexec ? ? 1169758966 145
6. 28/11/2020 23:40:01 /usr/sbin/cron cron ? -1 146
7. 28/11/2020 23:40:01 /usr/sbin/cron cron ? -1 147
8. 28/11/2020 23:40:01 /usr/sbin/cron cron ? 0 149
9. 28/11/2020 23:40:01 /usr/sbin/cron cron ? 0 150
10. 28/11/2020 23:40:01 /usr/sbin/cron cron ? 0 151
11. 28/11/2020 23:40:11 /usr/lib/systemd/systemd ? ? -1 152
12. 28/11/2020 23:43:28 /usr/lib/systemd/systemd ? ? -1 153
13. 28/11/2020 23:43:38 /usr/lib/systemd/systemd ? ? -1 154
14. 28/11/2020 23:50:01 /usr/sbin/cron cron ? -1 155
15. 28/11/2020 23:50:01 /usr/sbin/cron cron ? -1 156
16. 28/11/2020 23:50:01 /usr/sbin/cron cron ? 0 158
17. 28/11/2020 23:50:01 /usr/sbin/cron cron ? 0 159
18. 28/11/2020 23:50:01 /usr/sbin/cron cron ? 0 160
19. 28/11/2020 23:50:23 /usr/lib/systemd/systemd ? ? -1 161
20. 28/11/2020 23:50:23 /usr/lib/systemd/systemd ? ? -1 162
21. 29/11/2020 00:00:01 /usr/sbin/cron cron ? -1 163
22. 29/11/2020 00:00:01 /usr/sbin/cron cron ? -1 164
Let's check the time range my audit.log covers, with the exact start and end date and time:
aureport -t
Log Time Range Report
=====================
/var/log/audit/audit.log: 28/11/2020 23:35:03.713 - 30/11/2020 02:33:08.481
Now I want to see all authentication attempts:
aureport -au
Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 30/11/2020 02:38:52 igora ? /dev/pts/1 /usr/bin/sudo no 2215
2. 30/11/2020 02:38:57 igora ? /dev/pts/1 /usr/bin/sudo no 2216
3. 30/11/2020 02:39:05 igora ? /dev/pts/1 /usr/bin/sudo yes 2218
4. 30/11/2020 02:39:05 root pts/1 /usr/bin/su yes 2223
To see only successful or only failed authentications, add --success or --failed:
root@matrix:/igora/# aureport -au --success
Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 30/11/2020 02:39:05 igora ? /dev/pts/1 /usr/bin/sudo yes 2218
2. 30/11/2020 02:39:05 root pts/1 /usr/bin/su yes 2223
root@matrix:/igora/# aureport -au --failed
Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 30/11/2020 02:38:52 igora ? /dev/pts/1 /usr/bin/sudo no 2215
2. 30/11/2020 02:38:57 igora ? /dev/pts/1 /usr/bin/sudo no 2216
The command below shows a summary of all failed events:
root@matrix:/igora/# aureport --failed
Failed Summary Report
======================
Range of time in logs: 31/12/1969 21:00:00.000 - 30/11/2020 02:40:01.993
Selected time for report: 31/12/1969 21:00:00 - 30/11/2020 02:40:01.993
Number of changes in configuration: 0
Number of changes to accounts, groups, or roles: 0
Number of logins: 0
Number of failed logins: 0
Number of authentications: 0
Number of failed authentications: 2
Number of users: 2
Number of terminals: 4
Number of host names: 1
Number of executables: 5
Number of commands: 4
Number of files: 5
Number of AVC's: 0
Number of MAC events: 0
Number of failed syscalls: 11
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 0
Number of integrity events: 0
Number of virt events: 0
Number of keys: 0
Number of process IDs: 6
Number of events: 16
I can also restrict a report to a time window with -ts (time start) and -te (time end), take a look below:
aureport -ts 28/11/2020 23:55:00 -te now --summary -i
Summary Report
======================
Range of time in logs: 28/11/2020 23:35:03.713 - 30/11/2020 02:40:01.993
Selected time for report: 28/11/2020 23:55:00 - 30/11/2020 02:46:28
Number of changes in configuration: 18
Number of changes to accounts, groups, or roles: 0
Number of logins: 0
Number of failed logins: 0
Number of authentications: 2
Number of failed authentications: 2
Number of users: 3
Number of terminals: 6
Number of host names: 2
Number of executables: 9
Number of commands: 6
Number of files: 17
Number of AVC's: 0
Number of MAC events: 0
Number of failed syscalls: 11
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 0
Number of integrity events: 0
Number of virt events: 0
Number of keys: 0
Number of process IDs: 262
Number of events: 2015
As you can see, I can use 'now' as the end time to mean the current date and time.
For more features, see the man page of aureport and of the other tools mentioned here:
man aureport
Thanks and see you in the next post 😀