HOWTO configure the auditing of the system (auditd)

Introduction

The audit service is provided for system auditing. By default, this service records SELinux AVC denials and certain types of security-relevant events such as system logins, account modifications, and authentication events performed by programs such as sudo.

Under its default configuration, auditd has modest disk space requirements and should not noticeably impact system performance. The audit service, configured with at least its default rules, is strongly recommended for all sites, regardless of whether they are running SELinux. Networks with a high security level often have substantial auditing requirements, and auditd can be configured to meet them:

  • Ensure Auditing is Configured to Collect Certain System Events
  • Information on the Use of Print Command (unsuccessful and successful)
  • Startup and Shutdown Events (unsuccessful and successful)
  • Ensure the auditing software can record the following for each audit event:
    • When the event appears
    • Who initiated the event
    • Type of the event
    • Success or failure of the event
    • Origin of the request (example: terminal ID)
    • For events that introduce an object into a user’s address space, and for object deletion events, the name of the object and, in MLS systems, the object’s security level.
  • Ensure daily review of the audit logs
  • Ensure that the audit data files have restrictive permissions (at least 640).

Install the audit package

The audit package contains the user-space utilities for storing and searching the audit records generated by the audit subsystem in the Linux 2.6 kernel. Use yum to install the package:

Command: installing the audit service
# yum install audit

Enable the auditd Service

To start the auditd service automatically at boot time, use the following command:

Command: autostarting the audit service
# chkconfig auditd on

By default, auditd logs only:

  • SELinux denials,
  • modifications to user accounts (useradd, passwd, etc),
  • login events,
  • sudo calls.

Log files are stored in /var/log/audit/audit.log. auditd rotates logs when they reach 5 MB and keeps 4 files, so a maximum of 20 MB of audit data is retained in total. auditd refuses to write entries when not enough space is left on the file system, to avoid the risk of audit data filling the file system and impacting other services. However, audit data can still be lost if the system is too heavily loaded.

Configure data retention

Amount of data to retain

First, determine the amount of audit data (in megabytes) to retain in each log file. Then edit the file /etc/audit/auditd.conf:

Command: editing /etc/audit/auditd.conf
# vi /etc/audit/auditd.conf

Add or modify the following line (where SIZE is the chosen amount of audit data in megabytes):

Config File: /etc/audit/auditd.conf
...
max_log_file = SIZE
...

Dedicated partition

Use a dedicated file system for the log files. Such a partition or logical volume is easy to create at system installation time. The file system should be larger than the maximum space auditd will use, which is the maximum size of each log file (max_log_file parameter) multiplied by the number of log files (num_logs parameter).

Once the file system is created, add the following line to /etc/fstab (adjust it to fit the system configuration):

Config File: /etc/fstab
...
/dev/vg/audit   /var/log/audit   ext3    defaults,noexec,nodev,nosuid     0 0
...

Mount the file system using the following command:

Command: mounting /var/log/audit
# mount /var/log/audit
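The sizing rule above (max_log_file multiplied by num_logs) and the fstab mount options are easy to get wrong after a later edit of auditd.conf. The script below is an added example, not part of the HOWTO: it reads the two parameters from an auditd.conf file, compares the result with the file system that holds /var/log/audit, and checks that the mount carries noexec,nodev,nosuid. The function names, the sample configuration values and the use of /proc/mounts as the mount table are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the HOWTO): size the dedicated audit file system
# from auditd.conf and check the mount options recommended above.

# Print max_log_file * num_logs in MB, read from the auditd.conf given as $1.
# Keys that are absent fall back to the defaults the HOWTO quotes (5 MB, 4 files).
audit_required_mb() {
    awk -F'=' '
        BEGIN { size = 5; num = 4 }
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        { gsub(/[ \t]/, "", $1); gsub(/[ \t]/, "", $2) }
        $1 == "max_log_file" { size = $2 + 0 }
        $1 == "num_logs"     { num  = $2 + 0 }
        END { print size * num }
    ' "$1"
}

# Compare that figure with the size of the file system holding $2
# (default /var/log/audit); df -P prints 1K blocks in column 2.
audit_fs_check() {
    need_mb=$(audit_required_mb "$1")
    dir="${2:-/var/log/audit}"
    have_mb=$(df -Pk "$dir" | awk 'NR == 2 { print int($2 / 1024) }')
    if [ "$have_mb" -gt "$need_mb" ]; then
        echo "OK: $dir holds ${have_mb} MB, auditd needs at most ${need_mb} MB"
        return 0
    fi
    echo "WARNING: $dir holds ${have_mb} MB but auditd may use ${need_mb} MB"
    return 1
}

# Check that $1 (default /var/log/audit) is mounted noexec,nodev,nosuid as in
# the fstab line above. $2 is the mount table to read (default /proc/mounts).
audit_mount_opts_check() {
    dir="${1:-/var/log/audit}"
    opts=$(awk -v d="$dir" '$2 == d { print $4 }' "${2:-/proc/mounts}")
    [ -n "$opts" ] || { echo "WARNING: $dir is not a separate mount"; return 1; }
    for o in noexec nodev nosuid; do
        case ",$opts," in
            *,"$o",*) ;;
            *) echo "WARNING: $dir is not mounted with $o"; return 1 ;;
        esac
    done
    echo "OK: $dir is mounted with noexec,nodev,nosuid"
}

# Stand-alone demo on a constructed auditd.conf (values chosen for the example).
conf=$(mktemp)
printf '%s\n' '# constructed sample' 'log_file = /var/log/audit/audit.log' \
    'max_log_file = 6' 'num_logs = 5' 'max_log_file_action = ROTATE' > "$conf"
audit_required_mb "$conf"        # 30
audit_fs_check "$conf" /tmp      # compares 30 MB with the file system holding /tmp
rm -f "$conf"
```

On a real host, run audit_fs_check /etc/audit/auditd.conf and audit_mount_opts_check with no second argument; the file system should be strictly larger than the computed figure because the comparison does not account for file system overhead.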

Avoid the loss of audit data

If you don’t want to lose any audit data, the machine can be disabled when auditing cannot be performed: configure auditd to shut down the system when the file system used for auditing runs low on space.

Edit /etc/audit/auditd.conf:

Command: editing /etc/audit/auditd.conf
# vi /etc/audit/auditd.conf

Add or modify the following lines:

Config File: /etc/audit/auditd.conf
...
space_left_action = email
action_mail_acct = root
admin_space_left_action = halt
...

The default action to take when the logs reach their maximum size is to rotate them, deleting the oldest one. If it is more important to retain all possible auditing information, even at the risk of filling the file system completely and triggering the action defined by admin_space_left_action, add or modify the line:

Config File: /etc/audit/auditd.conf
...
max_log_file_action = keep_logs
...

Enable auditing for processes starting before the auditd service

Each process on the system has an auditable flag which indicates whether its activities can be audited. auditd enables it for all processes launched after it starts; adding a kernel argument ensures that it is set for every process during boot.

To ensure that all processes can be audited, add the argument audit=1 to the kernel line in /etc/grub.conf:

Config File: /etc/grub.conf
...
kernel /vmlinuz-VERSION ro vga=ext root=/dev/vg/root rhgb quiet audit=1
...

Configure comprehensive auditing rules

The auditd program can perform comprehensive monitoring of system activity. This section describes recommended configuration settings for comprehensive auditing but should not be considered a complete guide.

The audit subsystem supports extensive collection of events, including:

  • Tracing of arbitrary system calls (identified by name or number) on entry or exit.
  • Filtering by PID, UID, call success, system call argument (with some limitations), etc.
  • Monitoring of specific files for modifications to the file’s contents or metadata.

Auditing rules are controlled in the file /etc/audit/audit.rules. Each line in /etc/audit/audit.rules represents a series of arguments that can be passed to auditctl, and can be tested individually that way. See the documentation in /usr/share/doc/audit-VERSION and the man pages for more details.

Recommended audit rules are provided in the template /usr/share/doc/audit-VERSION/stig.rules. To activate those rules, copy them to the auditd configuration directory:

Command: copying recommended audit rules
# cp /usr/share/doc/audit-VERSION/stig.rules /etc/audit/audit.rules

Then edit /etc/audit/audit.rules and comment out the lines containing arch= that are not appropriate for the system. Review the other rules, ensuring that rules are activated as needed for the appropriate architecture. After reviewing all the rules, activate them using the following command:

Command: restarting the auditd service
# service auditd restart

Record events that modify time information

Add the following lines to /etc/audit/audit.rules, replacing ARCH with b32 or b64 to fit the system:

Config File: /etc/audit/audit.rules
...
-a always,exit -F arch=ARCH -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=ARCH -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change
...

Record events that modify account information

Add the following to /etc/audit/audit.rules to audit events that modify account information:

Config File: /etc/audit/audit.rules
...
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
...

Record events that modify the network configuration

Add the following to /etc/audit/audit.rules, replacing ARCH with b32 or b64 to fit the system:

Config File: /etc/audit/audit.rules
...
-a exit,always -F arch=ARCH -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/sysconfig/network -p wa -k system-locale
...

Record events that modify the SELinux configuration

Add the following to /etc/audit/audit.rules:

Config File: /etc/audit/audit.rules
...
-w /etc/selinux/ -p wa -k MAC-policy
...

Record logon and logout events

The audit system should collect login information for all users and root. Add the following to /etc/audit/audit.rules:

Config File: /etc/audit/audit.rules
...
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
...

Record process and session initiation information

The audit system should collect process information for all users and root. Add the following to /etc/audit/audit.rules:

Config File: /etc/audit/audit.rules
...
-w /var/run/utmp -p wa -k session
-w /var/log/btmp -p wa -k session
-w /var/log/wtmp -p wa -k session
...

Record discretionary access control permission modification events

The audit system should collect file permission changes for all users and root. Add the following to /etc/audit/audit.rules, replacing ARCH with b32 or b64 to fit the system:

Config File: /etc/audit/audit.rules
...
-a always,exit -F arch=ARCH -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=ARCH -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=ARCH -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
...

Record unauthorized access attempts to files (unsuccessful)

The audit system should collect unauthorized file accesses for all users and root. Add the following to /etc/audit/audit.rules, replacing ARCH with b32 or b64 to fit the system:

Config File: /etc/audit/audit.rules
...
-a always,exit -F arch=ARCH -S creat -S open -S openat -S truncate -S ftruncate \
-F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=ARCH -S creat -S open -S openat -S truncate -S ftruncate \
-F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
...

Record the use of privileged commands

The audit system should record the execution of privileged commands for all users and root. This requires adding an audit rule to watch execution of each setuid or setgid program.

Run the following command on each local file system (FS) to generate the rules, one per setuid or setgid program:

Command: finding files with setuid or setgid
# find FS -xdev \( -perm -4000 -o -perm -2000 \) -type f | awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged" }'

Next, add those lines to /etc/audit/audit.rules.
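The awk one-liner above prints field $1, so a program whose path contains a space would produce a broken rule, and the rule set silently goes stale when a new setuid program is installed. The script below is an added example, not part of the HOWTO: it emits the same rule per program but reads whole paths, and it reports setuid/setgid programs that the current rules file does not watch. The function names and the constructed demo tree are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the HOWTO): generate the "privileged" rules and
# report setuid/setgid programs that the current rules file does not watch,
# so that a privileged binary installed after the rules were written is noticed.

# The rule for one program path, exactly as the awk one-liner above emits it.
privileged_rule() {
    printf '%s\n' "-a always,exit -F path=$1 -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged"
}

# Setuid/setgid regular files below $1, staying on that file system.
find_privileged() {
    find "$1" -xdev \( -perm -4000 -o -perm -2000 \) -type f -print | sort
}

# Read paths from stdin, one per line, and print a rule for each. Reading whole
# lines (rather than awk's $1) keeps paths that contain spaces intact; paths
# that contain a newline are still not handled.
rules_from_paths() {
    while IFS= read -r path; do
        privileged_rule "$path"
    done
}

# Read paths from stdin and print those that the rules file $1 does not cover.
# The trailing space in the pattern stops /usr/bin/su matching /usr/bin/sudo.
paths_without_rule() {
    while IFS= read -r path; do
        grep -qF -- "-F path=$path " "$1" || printf '%s\n' "$path"
    done
}

gen_privileged_rules()     { find_privileged "$1" | rules_from_paths; }
privileged_rules_missing() { find_privileged "$1" | paths_without_rule "${2:-/etc/audit/audit.rules}"; }

# Stand-alone demo on a constructed tree: two privileged programs, one with a
# space in its name, and a rules file that only covers the first.
demo=$(mktemp -d)
mkdir -p "$demo/usr/bin" "$demo/usr/local/sbin"
: > "$demo/usr/bin/sudo";             chmod 4755 "$demo/usr/bin/sudo"
: > "$demo/usr/local/sbin/my helper"; chmod 2755 "$demo/usr/local/sbin/my helper"
privileged_rule "$demo/usr/bin/sudo" > "$demo/audit.rules"
gen_privileged_rules "$demo"
privileged_rules_missing "$demo" "$demo/audit.rules"   # prints .../usr/local/sbin/my helper
rm -rf "$demo"
```

Running privileged_rules_missing / from /etc/cron.daily, and alerting when it prints anything, turns the one-off rule generation above into a check that the privileged-command rules still cover every setuid or setgid program on the root file system.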

Record information on exporting to media (successful)

The audit system should collect media exportation events for all users and root. Add the following to /etc/audit/audit.rules, replacing ARCH with b32 or b64 to fit the system:

Config File: /etc/audit/audit.rules
...
-a always,exit -F arch=ARCH -S mount -F auid>=500 -F auid!=4294967295 -k export
...

Record file deletion events by user (successful and unsuccessful)

The audit system should collect file deletion events for all users and root. Add the following to /etc/audit/audit.rules, replacing ARCH with b32 or b64 to fit the system:

Config File: /etc/audit/audit.rules
...
-a always,exit -F arch=ARCH -S unlink -S unlinkat -S rename -S renameat -F auid>=500 \
-F auid!=4294967295 -k delete
...

Record system administrator actions

The audit system should collect system administrator actions for all users and root. Add the following to /etc/audit/audit.rules:

Config File: /etc/audit/audit.rules
...
-w /etc/sudoers -p wa -k actions
...

Record information on kernel module loading and unloading

Add the following to /etc/audit/audit.rules to capture kernel module loading and unloading events:

Config File: /etc/audit/audit.rules
...
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -S init_module -S delete_module -k modules
...

Make the auditd configuration immutable

Add the following as the last rule in /etc/audit/audit.rules to make the configuration immutable:

Config File: /etc/audit/audit.rules
...
-e 2
...

After setting this rule, a reboot is required to change any of the audit rules.
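Because the rules above are assembled by hand, with ARCH placeholders to replace and -e 2 that must stay last, it is worth checking the file before restarting auditd. The script below is an added example, not part of the HOWTO: it reports syscall rules that carry no -F arch= filter, any arch=ARCH placeholder left in place, and an -e 2 line that is followed by further rules. Note that the kernel-module rule earlier in this HOWTO (-S init_module -S delete_module) has no arch= filter and is therefore reported as well; give it an arch= filter like the other syscall rules, or accept that finding. The function name and the constructed sample rules are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the HOWTO): sanity checks on an audit.rules file
# before "service auditd restart". Prints one finding per line and returns 1
# if anything was found, 0 if the file is clean.
audit_rules_lint() {
    awk '
        /^[ \t]*(#|$)/ { next }          # skip comments and blank lines
        # syscall rules (-S) should carry an arch filter, as the HOWTO does
        /^-a / && / -S / && !/ -F arch=/ {
            print FILENAME ":" FNR ": syscall rule without -F arch="; bad = 1
        }
        /arch=ARCH/ {
            print FILENAME ":" FNR ": ARCH placeholder not replaced"; bad = 1
        }
        /^-e 2/ { immutable_line = FNR }
        { last_line = FNR }
        END {
            if (immutable_line && immutable_line != last_line) {
                print FILENAME ": -e 2 is not the last rule (line " immutable_line ")"
                bad = 1
            }
            exit bad
        }
    ' "$1"
}

# Stand-alone demo on a constructed rules file with one of each problem.
f=$(mktemp)
printf '%s\n' \
    '# constructed sample' \
    '-a always,exit -F arch=ARCH -S mount -F auid>=500 -F auid!=4294967295 -k export' \
    '-a always,exit -S init_module -S delete_module -k modules' \
    '-e 2' \
    '-w /etc/sudoers -p wa -k actions' > "$f"
audit_rules_lint "$f"
echo "lint exit status: $?"    # 1
rm -f "$f"
```

Run audit_rules_lint /etc/audit/audit.rules as the last step before the restart; a clean file produces no output and exit status 0.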

Using aureport

Use the aureport command to build a short series of audit reporting commands suitable for exploring the audit logs on a regular basis. These commands can be run as a cron job by placing an appropriately named file in /etc/cron.daily.

For example, to generate a daily report of every user who logged in to the machine, the following command could be run from cron:

Command: displaying a report of every user who logged in to the machine
# aureport -l -i -ts yesterday -te today

To review all audited activity for unusual behavior, a good place to start is to see a summary of which audit rules have been triggering:

Command: reviewing all audited activity for unusual behavior
# aureport --key --summary

If access violations stand out, review them with:

Command: reviewing access violations
# ausearch --key access --raw | aureport --file --summary

To review what executables are doing:

Command: reviewing what executables are doing
# ausearch --key access --raw | aureport -x --summary

If access violations have been occurring on a particular file (such as /etc/shadow), use the following command to determine which user is doing this:

Command: reviewing access violations on /etc/shadow
# ausearch --key access --file /etc/shadow --raw | aureport --user --summary -i

Check for anomalous activity (such as device changing to promiscuous mode, processes ending abnormally, login failure limits being reached) using:

Command: reviewing anomalous activity
# aureport --anomaly
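To see what the key-based reports above actually compute, the script below is an added example, not part of the HOWTO: it summarises raw audit.log records by key (what aureport --key --summary shows) and, for the records tagged with one key, counts the files named in the matching PATH records (what the ausearch --key access --raw | aureport --file --summary pipeline shows). It runs offline on a constructed audit.log excerpt, which is useful for checking a rule set against a saved log or on a host without the audit tools. The function names and every record in the sample log are constructed for the example; the record layout follows the audit.log format, where the msg=audit(timestamp:serial) field ties the SYSCALL and PATH records of one event together.

```shell
#!/bin/sh
# Added example (not from the HOWTO): summarise raw audit.log records offline,
# reproducing what "aureport --key --summary" and the
# "ausearch --key access --raw | aureport --file --summary" pipeline compute.

# Count SYSCALL records per key; prints "key count", most frequent first.
audit_key_summary() {
    awk '
        $1 == "type=SYSCALL" && match($0, /key="[^"]*"/) {
            n[substr($0, RSTART + 5, RLENGTH - 6)]++
        }
        END { for (k in n) print k, n[k] }
    ' "$1" | sort -k2,2nr -k1,1
}

# For SYSCALL records tagged with key $2, count the files named in the PATH
# records that share the event serial (the msg=audit(timestamp:serial) field).
audit_files_for_key() {
    awk -v want="$2" '
        { split($2, m, ":"); id = m[2] }
        $1 == "type=SYSCALL" && index($0, "key=\"" want "\"") { hit[id] = 1 }
        $1 == "type=PATH" && (id in hit) && match($0, /name="[^"]*"/) {
            f[substr($0, RSTART + 6, RLENGTH - 7)]++
        }
        END { for (x in f) print x, f[x] }
    ' "$1" | sort -k2,2nr -k1,1
}

# Write a constructed audit.log excerpt to $1: three denied opens of shadow
# files hitting the "access" rules and one chmod hitting "perm_mod".
write_sample_log() {
    cat > "$1" <<'EOF'
type=SYSCALL msg=audit(1364481363.243:24287): arch=c000003e syscall=2 success=no exit=-13 a0=7fffd19c5592 a1=0 a2=7fffd19c4b50 a3=a items=1 ppid=2686 pid=3538 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=1 comm="cat" exe="/bin/cat" key="access"
type=PATH msg=audit(1364481363.243:24287): item=0 name="/etc/shadow" inode=409248 dev=fd:00 mode=0100000 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1364481371.118:24290): arch=c000003e syscall=2 success=no exit=-13 a0=7fffd19c5592 a1=0 a2=7fffd19c4b50 a3=a items=1 ppid=2686 pid=3541 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=1 comm="less" exe="/usr/bin/less" key="access"
type=PATH msg=audit(1364481371.118:24290): item=0 name="/etc/shadow" inode=409248 dev=fd:00 mode=0100000 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1364481380.502:24295): arch=c000003e syscall=2 success=no exit=-13 a0=7fffd19c5592 a1=0 a2=7fffd19c4b50 a3=a items=1 ppid=2686 pid=3544 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=1 comm="cat" exe="/bin/cat" key="access"
type=PATH msg=audit(1364481380.502:24295): item=0 name="/etc/gshadow" inode=409250 dev=fd:00 mode=0100000 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1364481402.077:24300): arch=c000003e syscall=90 success=yes exit=0 a0=7fff0e2a4b60 a1=1ff a2=0 a3=0 items=1 ppid=2686 pid=3550 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=1 comm="chmod" exe="/bin/chmod" key="perm_mod"
type=PATH msg=audit(1364481402.077:24300): item=0 name="/home/alice/notes.txt" inode=131214 dev=fd:00 mode=0100644 ouid=500 ogid=500 rdev=00:00
EOF
}

# Stand-alone demo.
log=$(mktemp)
write_sample_log "$log"
audit_key_summary "$log"            # access 3, perm_mod 1
audit_files_for_key "$log" access   # /etc/shadow 2, /etc/gshadow 1
rm -f "$log"
```

Pointing both functions at /var/log/audit/audit.log gives the same counts as the aureport commands above, apart from the name resolution that aureport -i adds.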
