auditd: an awesome tool for auditing

Hello Debian users, what's going on?

Today we will talk about the Linux Auditing System, or auditd, a powerful tool for auditing Linux servers. I will show a flowchart that explains how it works: how the kernel, the applications, the syscalls and the daemon fit together, and the whole flow of an event:

How does it work behind the scenes?

[Flowchart: the auditd daemon scenario and how it works. Credit: linuxfirewall.com.br]

This will help you to:

  • log everything you need for a proper hardening baseline
  • generate log entries for the system events that matter
  • use pre-configured rule sets
  • monitor processes, showing the syscall, the cwd, the user running it and more
  • log logins (failed and successful), processes, and the date and time of each event
  • associate an event with the user who caused it
  • see every modification and how it happened
  • do a better and more complete investigation/audit of the system and enforce its security

Maybe you are looking for something to harden your system and that is why you landed on this post. Today we will talk about auditd, which audits a lot of things: it traces processes, records failed and successful logins, and logs many other events, as I said before. The tool is very useful because it records almost everything an audit needs, and you can write your own rules to customise it.

auditd is part of the Linux Auditing System. I will split this post in two parts: the general auditd tools, and the aureport utilities and facilities.

Let's install it right now (the commands below were run on a CentOS 7 box; on Debian and Ubuntu the package is called auditd):

 $ yum install audit audispd-plugins audit-libs
Package audit-2.8.5-4.el7.x86_64 is already installed at its latest version
Package audispd-plugins-2.8.5-4.el7.x86_64 is already installed at its latest version
Package audit-libs-2.8.5-4.el7.x86_64 is already installed at its latest version

Now I will start the daemon and enable it to start at boot:

sudo systemctl start auditd
sudo systemctl enable auditd

From now on I can already see everything being recorded in the log:

tail -f /var/log/audit/audit.log

Binaries:

auditd – the daemon that receives events from the kernel and writes the logs
auditctl – client tool to control the audit system and load rules
aureport – produces human-readable reports from audit.log
ausearch – event viewer and search tool for audit.log
autrace – traces a binary using the kernel audit components, similar to strace
aulast – uses the audit framework to show the last logged in/out users, like last
aulastlog – very similar to lastlog
ausyscall – maps a syscall number to its name (and back)
auvirt – audit report for virtual machines

  • audit.rules: the rules file read by auditctl; the rules listed there are the ones loaded
  • auditd.conf: the main configuration file of the daemon

After installation no rules are configured, so I can check the rules I have enabled with:

$ auditctl -l
No rules

As you can see, we do not have any rules enabled.

Now I want to create a rule that monitors /etc/passwd, for example. So I will set a “watch” on this file, using its absolute path:

$ auditctl -a exit,always -F path=/etc/passwd -F perm=war

The letters in perm= are the accesses to watch for, in any order:

  • r – read
  • w – write
  • a – attribute change
  • x – execute (also accepted, not used here)

If you list the rules again you will see that it is already in production. auditctl shows the rule in its equivalent watch form, -w path -p perms, which is the shorter way to write the same thing:

root@matrix # auditctl -a exit,always -F path=/etc/passwd -F perm=war
root@matrix # auditctl -l
-w /etc/passwd -p rwa

Two caveats before going on. Rules loaded with auditctl live only in the running kernel and are gone after a reboot; to make a rule permanent, put the same line in a rules file under /etc/audit/rules.d/ so it is loaded when auditd starts. And a watch with r on /etc/passwd fires for every process that reads the file (logins, ls -l, getent, and so on), so it is noisy; giving the rule a key with -k lets you pull exactly those events out later with ausearch -k. Now, if I read or modify the file, everything that matches the rule can be read with ausearch, as you will see:

# before I read /etc/passwd, no match is found
root@matrix  # ausearch -f /etc/passwd

root@matrix  # vim /etc/passwd
# after reading /etc/passwd, let's try again
root@matrix # ausearch -f /etc/passwd
----
time->Mon Nov 30 02:07:15 2020
type=PROCTITLE msg=audit(1606712835.807:1833): proctitle=76696D002F6574632F706173737764
type=PATH msg=audit(1606712835.807:1833): item=0 name="/etc/passwd" inode=4328109 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1606712835.807:1833): cwd="/home/igora/matrix"
type=SYSCALL msg=audit(1606712835.807:1833): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7fe7fb7cd189 a2=80000 a3=0 items=1 ppid=9292 pid=427703 auid=1169758966 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="vim" exe="/usr/bin/vim.basic" key=(null)
----

In that log I can see, for example:

  • the time
  • the file being monitored
  • the cwd I was in at that time
  • uid=0, gid, etc.
  • which executable I was using: /usr/bin/vim.basic
  • the syscall number (257 is openat on x86_64, arch=c000003e; ausyscall 257 resolves it for you)
  • a lot of other information that helps at audit time
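To make those fields concrete, here is an added example (not code from the original post) that parses raw audit.log records the way ausearch groups them: the records of one event share the same audit(timestamp:serial) id, PROCTITLE is argv hex-encoded because it contains NUL separators, and the syscall number only means something together with arch (c000003e is x86_64, so 257 is openat, which is what ausyscall would tell you). The sample records are the four lines from the ausearch output above, embedded as a constructed string; the syscall table is a hand-written subset, not the full ausyscall table.

```python
"""Parse raw auditd records into events and pull out the fields an auditor looks at.

Added example for this post (not code from it). SAMPLE_LOG is constructed from the
four ausearch lines shown above; X86_64_SYSCALLS is a hand-written subset of the
table `ausyscall --dump` would print.
"""
import re
from collections import defaultdict

# Constructed sample: the four records of one event (serial 1833) as written to
# /var/log/audit/audit.log. The proctitle is hex because argv contains NUL bytes.
SAMPLE_LOG = """\
type=PROCTITLE msg=audit(1606712835.807:1833): proctitle=76696D002F6574632F706173737764
type=PATH msg=audit(1606712835.807:1833): item=0 name="/etc/passwd" inode=4328109 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=CWD msg=audit(1606712835.807:1833): cwd="/home/igora/matrix"
type=SYSCALL msg=audit(1606712835.807:1833): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7fe7fb7cd189 a2=80000 a3=0 items=1 ppid=9292 pid=427703 auid=1169758966 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="vim" exe="/usr/bin/vim.basic" key=(null)
"""

# arch=c000003e is AUDIT_ARCH_X86_64; syscall numbers are only meaningful per arch.
X86_64_SYSCALLS = {2: "open", 59: "execve", 231: "exit_group", 257: "openat"}

HEADER_RE = re.compile(r"^type=(\w+) msg=audit\((\d+)\.(\d+):(\d+)\): ?(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit.log line into (type, epoch_seconds, serial, fields).
    Field values are kept verbatim: quoted strings stay quoted, hex stays hex."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not an audit record: %r" % line)
    rtype, secs, _ms, serial, rest = m.groups()
    return rtype, int(secs), int(serial), dict(FIELD_RE.findall(rest))


def unquote(value):
    return value[1:-1] if len(value) >= 2 and value[0] == value[-1] == '"' else value


def group_events(text):
    """One syscall yields several records (SYSCALL, CWD, PATH, PROCTITLE) that share
    the audit(ts:serial) id; group them by serial the way ausearch does."""
    events = defaultdict(dict)
    for line in text.splitlines():
        if line.strip():
            rtype, secs, serial, fields = parse_record(line)
            events[serial]["time"] = secs
            events[serial].setdefault(rtype, []).append(fields)
    return dict(events)


def decode_proctitle(value):
    """proctitle is argv joined by NUL bytes. auditd hex-encodes it whenever it holds a
    NUL or other special byte; a one-word argv is written as a plain quoted string."""
    if value.startswith('"'):
        return [unquote(value)]
    return [a.decode("utf-8", "replace") for a in bytes.fromhex(value).split(b"\0") if a]


def summarize(event):
    """Pick out what the post lists: time, file, cwd, ids, executable, syscall."""
    sc = event["SYSCALL"][0]
    num = int(sc["syscall"])
    name = X86_64_SYSCALLS.get(num) if sc["arch"] == "c000003e" else None
    key = unquote(sc.get("key", "(null)"))
    return {
        "time": event["time"],
        "files": [unquote(p["name"]) for p in event.get("PATH", [])],
        "cwd": unquote(event["CWD"][0]["cwd"]) if "CWD" in event else None,
        "uid": int(sc["uid"]),
        "auid": int(sc["auid"]),          # login uid: survives su/sudo, ties the event to the person
        "exe": unquote(sc["exe"]),
        "comm": unquote(sc["comm"]),
        "syscall": name or str(num),      # fall back to the number when arch/table is unknown
        "success": sc["success"] == "yes",
        "argv": decode_proctitle(event["PROCTITLE"][0]["proctitle"]),
        "key": None if key == "(null)" else key,
    }


if __name__ == "__main__":
    for serial, event in group_events(SAMPLE_LOG).items():
        print(serial, summarize(event))
```

The auid field is the one to key an investigation on: it is set at login and does not change across su or sudo, which is why the post's record shows uid=0 but auid=1169758966, the account of the person who actually typed vim.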

Now we will talk about autrace, which traces a binary/command, very similar to strace. autrace refuses to run while audit rules are loaded, so first I need to clear the rules with:

$ auditctl -D

Now I want to trace /bin/ls, for example. autrace runs the program once and records every syscall of that execution:

autrace /bin/ls
Waiting to execute: /bin/ls
Cleaning up...
Trace complete. You can locate the records with 'ausearch -i -p 429978'

After it finishes I fetch the records with the command it printed:

ausearch -i -p 429978
type=PROCTITLE msg=audit(30/11/2020 02:24:01.902:2200) : proctitle=autrace /bin/ls 
type=SYSCALL msg=audit(30/11/2020 02:24:01.902:2200) : arch=x86_64 syscall=exit_group a0=EXIT_SUCCESS a1=0x3c a2=0x0 a3=0x6 items=0 ppid=429976 pid=429978 auid=igora uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=3 comm=ls exe=/usr/bin/ls key=(null) 
 
# Alternative that returns the same records, restricted to recent events:
ausearch --start recent -p 429978 -i
type=PROCTITLE msg=audit(30/11/2020 02:24:01.902:2200) : proctitle=autrace /bin/ls 
type=SYSCALL msg=audit(30/11/2020 02:24:01.902:2200) : arch=x86_64 syscall=exit_group a0=EXIT_SUCCESS a1=0x3c a2=0x0 a3=0x6 items=0 ppid=429976 pid=429978 auid=igora uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=3 comm=ls exe=/usr/bin/ls key=(null)

I can do the same for iptables, python or whatever binary I consider relevant.

With ausearch I can also get a summary by combining ausearch and aureport, using the PID of that last trace to see which files the ls execution touched:

ausearch --start recent -p 429978 --raw | aureport --file --summary

File Summary Report
===========================
total  file
===========================
1  /bin/ls
1  /lib64/ld-linux-x86-64.so.2
1  /etc/ld.so.preload
1  /etc/ld.so.cache
1  /lib/x86_64-linux-gnu/libselinux.so.1
1  /lib/x86_64-linux-gnu/libc.so.6
1  /lib/x86_64-linux-gnu/libpcre2-8.so.0
1  /lib/x86_64-linux-gnu/libdl.so.2
1  /lib/x86_64-linux-gnu/libpthread.so.0
1  /sys/fs/selinux
1  /selinux
1  /proc/filesystems
1  /etc/selinux/config
1  /usr/lib/locale/locale-archive
1  .

In that summary I can also see the shared libraries and the other files the binary needs in order to run.

AuReport command facilities and utilities

Another good thing is that I can get reports about everything with aureport, for example the executable report:

aureport -x
Executable Report
====================================
# date time exe term host auid event
====================================
1. 28/11/2020 23:35:03 /usr/lib/systemd/systemd ? ? -1 141
2. 28/11/2020 23:35:04 /usr/lib/systemd/systemd ? ? -1 142
3. 28/11/2020 23:35:04 /usr/lib/systemd/systemd ? ? -1 143
4. 28/11/2020 23:35:05 /usr/lib/systemd/systemd ? ? -1 144
5. 28/11/2020 23:36:49 /usr/bin/pkexec ? ? 1169758966 145
6. 28/11/2020 23:40:01 /usr/sbin/cron cron ? -1 146
7. 28/11/2020 23:40:01 /usr/sbin/cron cron ? -1 147
8. 28/11/2020 23:40:01 /usr/sbin/cron cron ? 0 149
9. 28/11/2020 23:40:01 /usr/sbin/cron cron ? 0 150
10. 28/11/2020 23:40:01 /usr/sbin/cron cron ? 0 151
11. 28/11/2020 23:40:11 /usr/lib/systemd/systemd ? ? -1 152
12. 28/11/2020 23:43:28 /usr/lib/systemd/systemd ? ? -1 153
13. 28/11/2020 23:43:38 /usr/lib/systemd/systemd ? ? -1 154
14. 28/11/2020 23:50:01 /usr/sbin/cron cron ? -1 155
15. 28/11/2020 23:50:01 /usr/sbin/cron cron ? -1 156
16. 28/11/2020 23:50:01 /usr/sbin/cron cron ? 0 158
17. 28/11/2020 23:50:01 /usr/sbin/cron cron ? 0 159
18. 28/11/2020 23:50:01 /usr/sbin/cron cron ? 0 160
19. 28/11/2020 23:50:23 /usr/lib/systemd/systemd ? ? -1 161
20. 28/11/2020 23:50:23 /usr/lib/systemd/systemd ? ? -1 162
21. 29/11/2020 00:00:01 /usr/sbin/cron cron ? -1 163
22. 29/11/2020 00:00:01 /usr/sbin/cron cron ? -1 164

Let's analyse my audit.log: when it starts and when it ends, with the exact date and time:

aureport -t

Log Time Range Report
=====================
/var/log/audit/audit.log: 28/11/2020 23:35:03.713 - 30/11/2020 02:33:08.481

Now I want to see all authentication attempts:

aureport -au

Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 30/11/2020 02:38:52 igora ? /dev/pts/1 /usr/bin/sudo no 2215
2. 30/11/2020 02:38:57 igora ? /dev/pts/1 /usr/bin/sudo no 2216
3. 30/11/2020 02:39:05 igora ? /dev/pts/1 /usr/bin/sudo yes 2218
4. 30/11/2020 02:39:05 root pts/1 /usr/bin/su yes 2223

If you only want successful or failed authentications, just add --success or --failed:

root@matrix:/igora/# aureport -au --success

Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 30/11/2020 02:39:05 igora ? /dev/pts/1 /usr/bin/sudo yes 2218
2. 30/11/2020 02:39:05 root pts/1 /usr/bin/su yes 2223

root@matrix:/igora/# aureport -au --failed

Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 30/11/2020 02:38:52 igora ? /dev/pts/1 /usr/bin/sudo no 2215
2. 30/11/2020 02:38:57 igora ? /dev/pts/1 /usr/bin/sudo no 2216

The command below shows a summary of all failed events:

root@matrix:/igora/# aureport --failed

Failed Summary Report
======================
Range of time in logs: 31/12/1969 21:00:00.000 - 30/11/2020 02:40:01.993
Selected time for report: 31/12/1969 21:00:00 - 30/11/2020 02:40:01.993
Number of changes in configuration: 0
Number of changes to accounts, groups, or roles: 0
Number of logins: 0
Number of failed logins: 0
Number of authentications: 0
Number of failed authentications: 2
Number of users: 2
Number of terminals: 4
Number of host names: 1
Number of executables: 5
Number of commands: 4
Number of files: 5
Number of AVC's: 0
Number of MAC events: 0
Number of failed syscalls: 11
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 0
Number of integrity events: 0
Number of virt events: 0
Number of keys: 0
Number of process IDs: 6
Number of events: 16

I can also restrict a report to a time window, with -ts for the start time and -te for the end time; take a look below:

aureport -ts 28/11/2020 23:55:00 -te now --summary -i

Summary Report
======================
Range of time in logs: 28/11/2020 23:35:03.713 - 30/11/2020 02:40:01.993
Selected time for report: 28/11/2020 23:55:00 - 30/11/2020 02:46:28
Number of changes in configuration: 18
Number of changes to accounts, groups, or roles: 0
Number of logins: 0
Number of failed logins: 0
Number of authentications: 2
Number of failed authentications: 2
Number of users: 3
Number of terminals: 6
Number of host names: 2
Number of executables: 9
Number of commands: 6
Number of files: 17
Number of AVC's: 0
Number of MAC events: 0
Number of failed syscalls: 11
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 0
Number of integrity events: 0
Number of virt events: 0
Number of keys: 0
Number of process IDs: 262
Number of events: 2015

As you can see, I can use ‘now’ to say that the end time is the current date and time.
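As an added example (not from the original post) of what aureport -au and the -ts/-te window do under the hood, the code below builds the authentication report from raw USER_AUTH records and then goes one step further than aureport: it flags accounts with repeated failures inside a short window, which is the detection a practitioner wants to alert on rather than read after the fact. The records are constructed to match the four rows of the authentication report above (serials 2215, 2216, 2218 and 2223); the pid, uid and grantors values in them are made up, and the window bounds are epoch seconds, where aureport takes local dates.

```python
"""Build the authentication report from raw USER_AUTH records and flag repeated failures.

Added example for this post (not code from it). AUTH_LOG is constructed to match the
four rows of `aureport -au` shown above; pid/uid/grantors values in it are made up.
"""
import re
from collections import defaultdict

# Constructed sample records. PAM writes its own fields inside msg='...'.
AUTH_LOG = """\
type=USER_AUTH msg=audit(1606714732.401:2215): pid=431001 uid=1000 auid=1169758966 ses=3 msg='op=PAM:authentication grantors=? acct="igora" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=failed'
type=USER_AUTH msg=audit(1606714737.118:2216): pid=431001 uid=1000 auid=1169758966 ses=3 msg='op=PAM:authentication grantors=? acct="igora" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=failed'
type=USER_AUTH msg=audit(1606714745.502:2218): pid=431001 uid=1000 auid=1169758966 ses=3 msg='op=PAM:authentication grantors=pam_unix acct="igora" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
type=USER_AUTH msg=audit(1606714745.790:2223): pid=431010 uid=0 auid=1169758966 ses=3 msg='op=PAM:authentication grantors=pam_rootok acct="root" exe="/usr/bin/su" hostname=? addr=? terminal=pts/1 res=success'
type=USER_START msg=audit(1606714745.900:2224): pid=431010 uid=0 auid=1169758966 ses=3 msg='op=PAM:session_open grantors=pam_unix acct="root" exe="/usr/bin/su" hostname=? addr=? terminal=pts/1 res=success'
"""

HEADER_RE = re.compile(r"^type=(\w+) msg=audit\((\d+)\.\d+:(\d+)\): ?(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_user_record(line):
    """USER_* records nest PAM's fields in msg='...'; unwrap so they parse like the rest."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not an audit record: %r" % line)
    rtype, secs, serial, rest = m.groups()
    rest = re.sub(r"msg='(.*)'\s*$", r"\1", rest)
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    return rtype, int(secs), int(serial), fields


def auth_report(text, start=None, end=None, status=None):
    """Rows of `aureport -au`: one per USER_AUTH record, optionally restricted to an
    epoch window (what -ts/-te do) and to --success (True) / --failed (False)."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rtype, secs, serial, f = parse_user_record(line)
        if rtype != "USER_AUTH":
            continue                      # USER_START etc. are session events, not auths
        if (start is not None and secs < start) or (end is not None and secs > end):
            continue
        ok = f.get("res") == "success"
        if status is not None and ok != status:
            continue
        rows.append({"time": secs, "event": serial, "acct": f["acct"],
                     "term": f.get("terminal"), "exe": f.get("exe"), "success": ok})
    return rows


def failed_auth_bursts(rows, threshold=2, window=60):
    """Detection on top of the report: accounts with at least `threshold` failed
    authentications inside any `window` seconds. Returns {acct: largest burst size}."""
    by_acct = defaultdict(list)
    for r in rows:
        if not r["success"]:
            by_acct[r["acct"]].append(r["time"])
    hits = {}
    for acct, times in by_acct.items():
        times.sort()
        for i, t0 in enumerate(times):
            size = sum(1 for t in times[i:] if t - t0 <= window)
            if size >= threshold:
                hits[acct] = max(hits.get(acct, 0), size)
    return hits


if __name__ == "__main__":
    rows = auth_report(AUTH_LOG)
    for r in rows:
        print(r["event"], r["acct"], r["term"], r["exe"], "yes" if r["success"] else "no")
    print("bursts:", failed_auth_bursts(rows))
```

Only USER_AUTH records count as authentications; the USER_START record in the sample is the session that su opened afterwards and is skipped, which is the same distinction aureport makes between -au and its login/session reports.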

For more options and features, see the man page of aureport and of the other tools mentioned here:

man aureport

Thanks, and see you in the next post 😀

igorandrade

An IT & infosec expert, regex pro player, with devops skills to make everything happen fast.