Translate

Archives

GNU/Linux Auditing

The term auditing has multiple meanings within the domain of information security. For example, a security audit is a term used to describe the process of evaluating the security posture of an organization through penetration testing (pen testing), formal review of security policies, systems and networks.

At an individual system level, auditing refers to the logging of some or all of the actions of users and/or applications. It is passive security in that it only detects violations of security policy, but does not enforce it. It performs a similar role to that of network and host-based intrusion detection systems (IDS).

Auditing has been built into the Linux kernel since the release of the 2.6 kernel. The Linux Auditing Subsystem (LAuS) was developed by IBM and Novell/SUSE to meet CAPP (Controlled Access Protection Profile) compliance and to “make Linux more secure and to attain the Common Criteria EAL4 certificate.” Being a part of the kernel also has the advantage of lower overhead and being far more difficult to bypass except possibly with a rootkit.

At its most basic level, the auditing subsystem can monitor all system calls (events) made to the kernel. As the kernel provides the lowest-level access to system resources, every application must make more or more system calls, either directly or indirectly, when executed. The userspace audit daemon (/sbin/auditd) is responsible for writing the audit events to the audit log file which, in Fedora, is at /var/log/audit/audit.log. The audit daemon adds events to the audit log file as they occur. Audit logs can be configured to rotate. The audit daemon can also be configured to send audit events to a remote audit logging server. You must be root to manipulate audit files.

There are three types of audit rules:

  • system call auditing.
  • file and directory watch.
  • audit system configuration.

At this stage a few simple examples might help you more easily understand the role of how the auditing works. All examples are based on recent releases of Fedora and Centos. Your mileage may vary on other distributions such as Ubuntu or Suse.

Suppose you wish to monitor (audit) all access to the password file /etc/passwd. As root enter the following command:

# auditctl -w /etc/passwd -k password-file -p war


where

  • -w /etc/passwd: Insert a watch for the file system object at specified path (watch file).
  • -p war: Set a permissions filter for the watch file. (r – read, w – write, x – execute, a – append).
  • -k password-file: Set a filterkey (string , max 31 bytes) on the watch file.

The filterkey is a string of text up to 31 bytes long. It can uniquely identify the audit records produced by the watch. You will need to use filter key when searching audit logs. After this command is executed auditd is watching, i.e. monitoring, the file /etc/passwd for anything or anyone that might perform a read, write or append operation on the file. By the way, pathname globbing is not supported; a full pathname must always be specified.

If you deem it prudent to audit /etc/passwd, you also really should audit /etc/shadow. As root enter the following command:

# auditctl -w /etc/shadow -k shadow-file -p warx


The configuration file for the audit daemon (/sbin/auditd) is /etc/audit/auditd.conf. The default contents of this file on Fedora are:

log_file = /var/log/audit/audit.log
log_format = RAW
log_group = root
priority_boost = 4
flush = INCREMENTAL
freq = 20
num_logs = 4
disp_qos = lossy
dispatcher = /sbin/audispd
name_format = NONE
##name = mydomain
max_log_file = 5
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
##tcp_listen_port =
tcp_listen_queue = 5
tcp_max_per_addr = 1
##tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
enable_krb5 = no
krb5_principal = auditd
##krb5_key_file = /etc/audit/audit.key


As you can see, auditing is simply suspended in a number of cases (disk full, disk_error, and low disk space) but to reduce that possibility warnings are send to syslog when the disk space is less than 75 Mb and mailed to root when the disk space is less than 50Mb.

Here is the default contents of /etc/audit.rules:


 This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.

# First rule - delete all
-D

# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 320

# Feel free to add below this line. See auditctl man page


As you can see Fedora comes with no default rules. if you wanted to add the two rules we used above to monitor /etc/passwd and /etc/shadow to this file in order to survive a reboot, here are the appropriate lines to add:

-w /etc/passwd -k password-file -p war
-w /etc/shadow -k shadow-file -p warx


So now that auditing is enabled for the two password files of interest to us, how do we create and view a report about any auditing events that occurred on this two files? Two CLI tools are provided to parse audit log files. ausearch searches the audit log(s) based upon specified criteria and returns any audit log entries matching those criteria. aureport produces reports on events of interest. You can also develop custom tools using the Audit Event Parsing Library (libaudit) to parse audit events.

Here is an example of using ausearch to check who accessed /etc/passwd:

# ausearch -f /etc/passed
time->Sat Jun 26 22:45:26 2008
type=PATH msg=audit(1277606726.480:120): item=0 name="/etc/passwd" inode=2536140 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0
type=CWD msg=audit(1277606726.480:120):  cwd="/home/mpfj"
type=SYSCALL msg=audit(1277606726.480:120): arch=c000003e syscall=2 success=yes exit=3 a0=7fff95dea57d a1=0 a2=619448 a3=1 items=1 ppid=3853 pid=3918 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="grep" exe="/bin/grep" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="password-file"
----
time->Sat Jun 26 22:45:33 2008
type=PATH msg=audit(1277606733.422:121): item=0 name="/etc/passwd" inode=2536140 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0
type=CWD msg=audit(1277606733.422:121):  cwd="/home/mpfj"
type=SYSCALL msg=audit(1277606733.422:121): arch=c000003e syscall=191 success=yes exit=27 a0=407580 a1=3847815689 a2=a27050 a3=ff items=1 ppid=3853 pid=3919 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="vipw" exe="/usr/sbin/vipw" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="password-file"


There are a number of options available for ausearch to convert output to a more readable format or to restrict the range of records. See the ausearch man page for details.

Here are examples of the output from aureport:

# aureport --summary
Summary Report
======================
Range of time in logs: 05/10/2008 11:04:35.579 - 06/27/2008 13:01:01.414
Selected time for report: 05/10/2010 11:04:35 - 06/27/2008 13:01:01.414
Number of changes in configuration: 97
Number of changes to accounts, groups, or roles: 24
Number of logins: 88
Number of failed logins: 2
Number of authentications: 426
Number of failed authentications: 9
Number of users: 3
Number of terminals: 16
Number of host names: 2
Number of executables: 31
Number of files: 2
Number of AVC's: 0
Number of MAC events: 231
Number of failed syscalls: 0
Number of anomaly events: 7
Number of responses to anomaly events: 0
Number of crypto events: 0
Number of keys: 2
Number of process IDs: 994
Number of events: 5031

# aureport -f
File Report
===============================================
# date time file syscall success exe auid event
===============================================
27. 06/26/2008 22:56:01 /etc/passwd 2 yes /usr/sbin/crond -1 146
28. 06/26/2008 22:56:01 /etc/passwd 2 yes /usr/sbin/crond -1 145
29. 06/26/2008 22:56:56 /etc/passwd 2 yes /lib64/dbus-1/dbus-daemon-launch-helper -1 148
30. 06/26/2008 22:56:56 /etc/passwd 2 yes /lib64/dbus-1/dbus-daemon-launch-helper -1 147
31. 06/26/2008 22:57:01 /etc/passwd 2 yes /usr/sbin/crond -1 150
32. 06/26/2008 22:57:01 /etc/passwd 2 yes /usr/sbin/crond -1 149
33. 06/26/2008 22:57:15 /etc/passwd 2 yes /usr/libexec/gnome-screensaver-gl-helper 500 151
34. 06/26/2008 22:58:01 /etc/passwd 2 yes /usr/sbin/crond -1 152
35. 06/26/2008 22:58:01 /etc/passwd 2 yes /usr/sbin/crond -1 153
36. 06/26/2008 22:58:03 /etc/passwd 2 yes /usr/libexec/gnome-screensaver-dialog 500 154
37. 06/26/2008 22:58:03 /etc/passwd 2 yes /usr/libexec/gnome-screensaver-dialog 500 155
38. 06/26/2008 22:58:03 /etc/passwd 2 yes /usr/libexec/gnome-screensaver-dialog 500 156
39. 06/26/2008 22:58:03 /etc/passwd 2 yes /usr/libexec/gnome-screensaver-dialog 500 157
40. 06/26/2008 22:58:03 /etc/passwd 2 yes /lib64/dbus-1/dbus-daemon-launch-helper -1 158
41. 06/26/2008 22:58:03 /etc/passwd 2 yes /lib64/dbus-1/dbus-daemon-launch-helper -1 159
42. 06/26/2008 22:58:03 /etc/passwd 2 yes /usr/libexec/gnome-screensaver-dialog 500 160
43. 06/26/2008 22:58:03 /etc/passwd 2 yes /sbin/unix_chkpwd 500 161
44. 06/26/2008 22:58:03 /etc/passwd 2 yes /sbin/unix_chkpwd 500 162
45. 06/26/2008 22:58:03 /etc/shadow 2 yes /sbin/unix_chkpwd 500 163
46. 06/26/2008 22:58:06 /etc/passwd 2 yes /sbin/unix_chkpwd 500 165
47. 06/26/2008 22:58:06 /etc/passwd 2 yes /sbin/unix_chkpwd 500 166
48. 06/26/2008 22:58:06 /etc/shadow 2 yes /sbin/unix_chkpwd 500 167
49. 06/26/2008 22:58:06 /etc/passwd 2 yes /usr/libexec/gnome-screensaver-dialog 500 169
50. 06/26/2008 22:58:06 /etc/passwd 2 yes /sbin/unix_chkpwd 500 170
51. 06/26/2008 22:58:06 /etc/passwd 2 yes /sbin/unix_chkpwd 500 171
52. 06/26/2008 22:58:06 /etc/shadow 2 yes /sbin/unix_chkpwd 500 172


Another interesting auditing tool which you should become familiar with is autrace.

# autrace /usr/bin/less /etc/yum.conf
Waiting to execute: /usr/bin/less
Cleaning up...
Trace complete. You can locate the records with 'ausearch -i -p 2916'
# ausearch -i -p 2916
type=SYSCALL msg=audit(06/27/2008 13:28:14.133:26003) : arch=x86_64 syscall=close success=yes exit=0 a0=3 a1=7fff0c7a8db0 a2=1 a3=fffffff3 items=0 ppid=2914 pid=2916 auid=fpm uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=autrace exe=/sbin/autrace subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
----
type=PATH msg=audit(06/27/2008 13:28:14.133:26004) : item=1 name=(null) inode=1179655 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0
type=PATH msg=audit(06/27/2008 13:28:14.133:26004) : item=0 name=/usr/bin/less inode=2530563 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0
type=CWD msg=audit(06/27/2008 13:28:14.133:26004) :  cwd=/etc/audit
type=EXECVE msg=audit(06/27/2008 13:28:14.133:26004) : argc=(null) a0=/usr/bin/less a1=/etc/yum.conf
type=SYSCALL msg=audit(06/27/2008 13:28:14.133:26004) : arch=x86_64 syscall=execve success=yes exit=0 a0=7fff0c7a9552 a1=7fff0c7a8ee0 a2=7fff0c7a8ef8 a3=fffffff3 items=2 ppid=2914 pid=2916 auid=fpm uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=less exe=/usr/bin/less subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
----
type=SYSCALL msg=audit(06/27/2008 13:28:14.133:26005) : arch=x86_64 syscall=brk success=yes exit=38514688 a0=0 a1=401a20 a2=0 a3=64 items=0 ppid=2914 pid=2916 auid=fpm uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=less exe=/usr/bin/less subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
----
type=SYSCALL msg=audit(06/27/2008 13:28:14.133:26006) : arch=x86_64 syscall=mmap success=yes exit=-1193029632(Unknown error 1193029632) a0=0 a1=1000 a2=3 a3=22 items=0 ppid=2914 pid=2916 auid=fpm uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=less exe=/usr/bin/less subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
----

# Note to readers. I removed many of the entries to reduce size of post.

type=SYSCALL msg=audit(06/27/2008 13:28:21.435:26426) : arch=x86_64 syscall=read success=yes exit=1 a0=3 a1=7fffaab81edf a2=1 a3=0 items=0 ppid=2914 pid=2916 auid=fpm uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=less exe=/usr/bin/less subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
----
type=SYSCALL msg=audit(06/27/2008 13:28:23.651:26427) : arch=x86_64 syscall=close success=yes exit=0 a0=4 a1=24c0720 a2=0 a3=623180 items=0 ppid=2914 pid=2916 auid=fpm uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=less exe=/usr/bin/less subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
#


Well, that is about all there is to auditing. As you can see it is a very powerful mechanism for tracing events on a GNU/Linux system. The only major limitation that I can see is the fact that it cannot log individual shell commands. That can only be handled by adding auditing capabilities to individual shells. ksh93 already has good auditing capabilities but unfortunately bash has no such capabilities.
 

Comments are closed.