SYSTEM AUDITING WITH AUDIT DAEMON (AUDITD)
- Layout for this exercise:

1 - Introduction to AuditD
- The Linux Audit Daemon (auditd) is a framework for auditing security-relevant events on a Linux system: it keeps a record of system events and also provides reporting capabilities.
- auditd can track many event types to monitor and audit the system. For instance:
- audit file access and modification
- see who changed a particular file
- detect unauthorized changes
- monitor system calls and functions
- detect anomalies like crashing processes
- set tripwires for intrusion detection purposes
- record commands used by individual users
- auditd is the userspace component of the Linux Auditing System. It is responsible for writing audit records to disk.
- Viewing the logs is done with the ausearch or aureport utilities. The event related to an access to a given file can be traced quickly with the ausearch tool.
- The audit daemon itself has some configuration options that the admin may wish to customize. They are found in the auditd.conf file.
- Configuring the audit rules is done with the auditctl utility. During startup, the rules in /etc/audit/audit.rules are read by auditctl.
- Command-line options of the audit daemon itself (auditd, not auditctl):
-f: leave the audit daemon in the foreground for debugging. Messages also go to stderr rather than the audit log.
-l: allow the audit daemon to follow symlinks for config files.
-n: no fork. This is useful for running from inittab.
-s=ENABLE_STATE: specify at startup whether auditd should change the current value of the kernel enabled flag. Valid values for ENABLE_STATE are "disable", "enable" or "nochange".
- With the path option (-w) we tell the audit framework which directory or file to watch.
- The permissions (-p) determine what kind of access triggers an event. Although these look similar to file permissions, there is an important difference: they select which accesses are audited, not which accesses are allowed.
- The four options are:
r = read
w = write
x = execute
a = attribute change
2 - Installing and configuring auditd
- Installing auditd and related plugins and dependencies:

- Manual for auditd:


- Checking that the auditd service is active:

- At this initial moment there is no rule added to auditd:

3 - Adding a rule for /etc folder configuration
- Adding the rule (-w sets the path to watch, /etc, and -p the accesses that trigger an event: read, write, execute, attribute change):

- Listing the rule:

- Now, let's modify the /etc folder by creating a new text file:

- ausearch is a tool that queries the auditd logs for events. Here the parameter -f /etc/ searches for events by the given filename (-f):


- The user ID corresponds to root:

4 - Making rules permanent after restarting auditd service
- One issue with auditctl is that rule changes are not permanent and are lost whenever the audit service is restarted.
- To avoid this, the file /etc/audit/rules.d/audit.rules must be edited.
- Restarting the service:

- Now the rule is gone after the restart:

- Editing the audit.rules configuration file by adding a rule:


- Restarting the service auditd:

- Now the rule is still there after the restart:

5 - Adding a rule for the SSH service
- Adding a new rule for the SSH service:

- Listing the current rules:

- Editing the SSH configuration file; the current PermitRootLogin value is "yes":


- Changing the PermitRootLogin directive value to "no":

- Searching with ausearch, the nano command used on the sshd configuration file is found:


- As expected, the user ID corresponds to root:

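- The rules from sections 3 to 5 in their persistent rules.d form, plus a parser for the raw records ausearch returns, as an added example that is not part of the original exercise. The key names (etc-watch, sshd-config) and the sample records are constructed; -k and --raw are standard ausearch options.

```shell
#!/usr/bin/env bash
# Added example for this exercise (not part of the original lab): the /etc and
# sshd_config watches in the persistent rules.d syntax, and a parser that pulls
# the "who/what/which rule" fields out of the raw records ausearch prints.
# The key names (etc-watch, sshd-config) and the sample records are constructed.

# Persistent form of the lab's rules, one per line, as written to
# /etc/audit/rules.d/audit.rules so they survive a service restart (section 4).
# -w = path to watch, -p = which accesses are audited, -k = search key.
persistent_rules() {
    cat <<'EOF'
-w /etc/ -p rwxa -k etc-watch
-w /etc/ssh/sshd_config -p wa -k sshd-config
EOF
}

# Constructed sample of `ausearch -k <key> --raw` output: the nano edit from
# section 5 and the new file under /etc from section 3 (fields abbreviated).
SAMPLE_RECORDS='type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=257 success=yes exit=3 ppid=1200 pid=1234 auid=1000 uid=0 gid=0 euid=0 comm="nano" exe="/usr/bin/nano" key="sshd-config"
type=PATH msg=audit(1700000000.123:456): item=1 name="/etc/ssh/sshd_config" inode=1234 mode=0100644
type=SYSCALL msg=audit(1700000000.200:457): arch=c000003e syscall=257 success=yes exit=3 ppid=1200 pid=1240 auid=1000 uid=0 gid=0 euid=0 comm="touch" exe="/usr/bin/touch" key="etc-watch"
type=PATH msg=audit(1700000000.200:457): item=1 name="/etc/test.txt" inode=5678 mode=0100644'

# Print "event_id auid uid comm key" for each SYSCALL record carrying the given
# key. uid=0 only says the action ran as root; auid is the login uid, which is
# kept across su/sudo and therefore names the person behind the root shell.
summarize_key() {
    local key="$1"
    printf '%s\n' "$SAMPLE_RECORDS" | awk -v want="$key" '
        $1 == "type=SYSCALL" {
            for (k in f) delete f[k]
            for (i = 1; i <= NF; i++) {          # field=value pairs
                split($i, kv, "=")
                f[kv[1]] = kv[2]
            }
            gsub(/"/, "", f["key"]); gsub(/"/, "", f["comm"])
            if (f["key"] == want) {
                split(f["msg"], m, ":")          # audit(ts:serial):
                id = m[2]; sub(/\)$/, "", id)
                print id, f["auid"], f["uid"], f["comm"], f["key"]
            }
        }'
}

summarize_key sshd-config   # prints: 456 1000 0 nano sshd-config
```

On a live system the same parser reads from `ausearch -k sshd-config --raw` instead of the embedded sample, and the auid column is what to compare against the root uid shown in the lab screenshots.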