
Use Cases

From the document Red Hat Enterprise Linux 7 Security Guide (Page 144-148)

Watching file access

Audit can track whether a file or a directory has been accessed, modified, executed, or whether the file's attributes have been changed. This is useful, for example, to detect access to important files and to have an Audit trail available in case one of these files is corrupted.

Monitoring system calls

Audit can be configured to generate a log entry every time a particular system call is used. This can be used, for example, to track changes to the system time by monitoring the settimeofday, clock_adjtime, and other time-related system calls.

Recording commands run by a user

Because Audit can track whether a file has been executed, a number of rules can be defined to record every execution of a particular command. For example, a rule can be defined for every executable in the /bin directory. The resulting log entries can then be searched by user ID to generate an audit trail of executed commands per user.

Recording security events

The pam_faillock authentication module is capable of recording failed login attempts. Audit can be set up to record failed login attempts as well, and provides additional information about the user who attempted to log in.

Searching for events

Audit provides the ausearch utility, which can be used to filter the log entries and provide a complete audit trail based on a number of conditions.

Running summary reports

The aureport utility can be used to generate, among other things, daily reports of recorded events. A system administrator can then analyze these reports and investigate suspicious activity further.

Monitoring network access

The iptables and ebtables utilities can be configured to trigger Audit events, allowing system administrators to monitor network access.
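The first three use cases above (file watches, time-related system calls, and per-user command recording), as an added example that is not part of the Red Hat guide: the rules are written in the auditctl syntax the guide introduces in Section 5.5, and a small parser then reduces the raw records such rules produce into a per-user command trail, which is the reduction ausearch performs when you search by user ID. The audit.log lines are constructed for the example; the key names (passwd-change, time-change, exec-bin), the function name exec_trail and the choice of /usr/bin as the watched directory are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide. Rules for the three use cases above, in
# auditctl syntax; they belong in /etc/audit/audit.rules (or: auditctl -R rules-file).
# The key names are this example's own choice.
AUDIT_RULES='
# Watching file access: who wrote to, or changed the attributes of, /etc/passwd
-w /etc/passwd -p wa -k passwd-change
# Monitoring system calls: any change to the system time (both ABIs on x86_64)
-a always,exit -F arch=b64 -S settimeofday -S clock_adjtime -S adjtimex -k time-change
-a always,exit -F arch=b32 -S settimeofday -S clock_adjtime -S adjtimex -k time-change
# Recording commands run by a user: every execution of a binary in the bin directory
# (/bin is a symlink to /usr/bin on Red Hat Enterprise Linux 7, so watch the real directory)
-w /usr/bin -p x -k exec-bin
'

# Constructed raw audit.log records of the kind the exec-bin and passwd-change rules
# produce. The EXECVE record carries argv; the SYSCALL record carries the login uid (auid),
# which survives su/sudo: the second command runs as uid=0 but is attributed to auid=1001.
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
type=SYSCALL msg=audit(1364481363.243:24287): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=2686 pid=3538 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1 comm="cat" exe="/usr/bin/cat" key="exec-bin"
type=EXECVE msg=audit(1364481363.243:24287): argc=2 a0="cat" a1="/etc/shadow"
type=SYSCALL msg=audit(1364481364.111:24288): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=3538 pid=3540 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="id" exe="/usr/bin/id" key="exec-bin"
type=EXECVE msg=audit(1364481364.111:24288): argc=1 a0="id"
type=PATH msg=audit(1364481364.111:24288): item=0 name="/usr/bin/id" inode=1310 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1364481365.500:24289): arch=c000003e syscall=1 success=yes exit=0 a0=3 a1=0 a2=0 a3=0 items=1 ppid=2686 pid=3541 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="vim" exe="/usr/bin/vim" key="passwd-change"
EOF

# exec_trail LOGFILE [AUID]: print "timestamp auid=N argv" for every exec-bin event, in
# event order, optionally restricted to one login uid. All records of one event share the
# msg=audit(TIME:SERIAL) stamp, which is what joins the SYSCALL record to its EXECVE record.
exec_trail() {
    awk -v want="${2:-}" '
        match($0, /msg=audit\([0-9.]+:[0-9]+\)/) {
            ev = substr($0, RSTART + 10, RLENGTH - 11)   # "TIME:SERIAL"
            split(ev, p, ":"); ts[ev] = p[1]; serial[ev] = p[2] + 0
        }
        /^type=SYSCALL / && /key="exec-bin"/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^auid=/) auid[ev] = substr($i, 6)
        }
        /^type=EXECVE / {
            # a0..aN are the argv words. audit hex-encodes (and leaves unquoted) any word
            # containing spaces or quotes, so splitting on whitespace is safe; hex words are
            # printed as-is here, ausearch -i decodes them.
            argv = ""
            for (i = 1; i <= NF; i++)
                if ($i ~ /^a[0-9]+=/) {
                    w = $i; sub(/^a[0-9]+=/, "", w); gsub(/"/, "", w)
                    argv = (argv == "" ? w : argv " " w)
                }
            cmd[ev] = argv
        }
        END {
            for (e in cmd)
                if ((e in auid) && (want == "" || auid[e] == want))
                    printf "%d %s auid=%s %s\n", serial[e], ts[e], auid[e], cmd[e]
        }' "$1" | sort -n | cut -d' ' -f2-
}

exec_trail "$LOG"          # both commands, attributed by auid rather than by uid
exec_trail "$LOG" 1001     # one user's trail, as ausearch -k exec-bin -ui 1001 would give it
```

The point the parser makes is the one behind the "per user" wording in the guide: the trail is keyed on the login UID (auid), so a command run after su or sudo is still charged to the account that logged in, even though uid=0 in the same record.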

Note

System performance may be affected depending on the amount of information that is collected by Audit.

5.1. Audit System Architecture

The Audit system consists of two main parts: the user-space applications and utilities, and the kernel-side system call processing. The kernel component receives system calls from user-space applications and filters them through one of the three filters: user, task, or exit.

Once a system call passes through one of these filters, it is sent through the exclude filter, which, based on the Audit rule configuration, sends it to the Audit daemon for further processing. Figure 5.1, "Audit system architecture" illustrates this process.

Figure 5.1. Audit system architecture

The user-space Audit daemon collects the information from the kernel and creates log file entries in a log file. Other Audit user-space utilities interact with the Audit daemon, the kernel Audit component, or the Audit log files:

audispd — the Audit dispatcher daemon interacts with the Audit daemon and sends events to other applications for further processing. The purpose of this daemon is to provide a plug-in mechanism so that real-time analytical programs can interact with Audit events.

auditctl — the Audit control utility interacts with the kernel Audit component to control a number of settings and parameters of the event generation process.

The remaining Audit utilities take the contents of the Audit log files as input and generate output based on the user's requirements. For example, the aureport utility generates a report of all recorded events.

5.2. Installing the audit Packages

In order to use the Audit system, you must have the audit packages installed on your system. The audit packages (audit and audit-libs) are installed by default on Red Hat Enterprise Linux 7. If you do not have these packages installed, execute the following command as the root user to install them:

~]# yum install audit

5.3. Configuring the audit Service

The Audit daemon can be configured in the /etc/audit/auditd.conf configuration file. This file consists of configuration parameters that modify the behavior of the Audit daemon. Any empty lines or any text following a hash sign (#) is ignored. A complete listing of all configuration parameters and their explanation can be found in the auditd.conf(5) man page.

5.3.1. Configuring auditd for a CAPP Environment

The default auditd configuration should be suitable for most environments. However, if your environment has to meet the criteria set by the Controlled Access Protection Profile (CAPP), which is a part of the Common Criteria certification, the Audit daemon must be configured with the following settings:

The directory that holds the Audit log files (usually /var/log/audit/) should reside on a separate partition. This prevents other processes from consuming space in this directory, and provides accurate detection of the remaining space for the Audit daemon.

The max_log_file parameter, which specifies the maximum size of a single Audit log file, must be set to make full use of the available space on the partition that holds the Audit log files.

The max_log_file_action parameter, which decides what action is taken once the limit set in max_log_file is reached, should be set to keep_logs to prevent Audit log files from being overwritten.

The space_left parameter, which specifies the amount of free space left on the disk at which the action set in the space_left_action parameter is triggered, must be set to a number that gives the administrator enough time to respond and free up disk space. The space_left value depends on the rate at which the Audit log files are generated.

It is recommended to set the space_left_action parameter to email or exec with an appropriate notification method.

The admin_space_left parameter, which specifies the absolute minimum amount of free space at which the action set in the admin_space_left_action parameter is triggered, must be set to a value that leaves enough space to log the actions performed by the administrator.

The admin_space_left_action parameter must be set to single to put the system into single-user mode and allow the administrator to free up some disk space.

The disk_full_action parameter, which specifies the action that is triggered when no free space is available on the partition that holds the Audit log files, must be set to halt or single. This ensures that the system is either shut down or operating in single-user mode when Audit can no longer log events.

The disk_error_action parameter, which specifies the action that is triggered in case an error is detected on the partition that holds the Audit log files, must be set to syslog, single, or halt, depending on your local security policies regarding the handling of hardware malfunctions.

The flush configuration parameter must be set to sync or data. These values ensure that all Audit event data is fully synchronized with the log files on the disk.

The remaining configuration options should be set according to your local security policy.
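The settings listed above, as an added checker that is not part of the Red Hat guide: it reads an auditd.conf, compares each parameter that CAPP constrains to the values allowed above, and flags deviations. The two sample files are constructed for the example (one close to a default configuration, one meeting the CAPP points); the function names conf_get, in_set, is_num and capp_check, and the consistency check that admin_space_left must be below space_left, are this example's own assumptions rather than CAPP wording.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: check an auditd.conf against the CAPP
# settings listed above. Function names and sample files are this example's own.
# Usage: capp_check /etc/audit/auditd.conf   (one line per deviation; returns 1 if any)

# conf_get FILE KEY: value of KEY in an auditd.conf-style file ("key = value", text after
# '#' ignored), lower-cased because auditd accepts the values in either case.
conf_get() {
    awk -F'=' -v key="$2" '
        { sub(/#.*/, "") }
        NF >= 2 {
            k = $1; v = $2
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print tolower(v); exit }
        }' "$1"
}

# in_set VALUE ALLOWED...: succeed if VALUE is one of ALLOWED
in_set() {
    v="$1"; shift
    for a in "$@"; do [ "$v" = "$a" ] && return 0; done
    return 1
}

is_num() { case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac; }

# capp_check FILE: report every parameter that is not at a CAPP-acceptable value.
capp_check() {
    f="$1"; bad=0
    for spec in \
        "max_log_file_action keep_logs" \
        "space_left_action email exec" \
        "admin_space_left_action single" \
        "disk_full_action halt single" \
        "disk_error_action syslog single halt" \
        "flush sync data"
    do
        set -- $spec; key="$1"; shift
        cur="$(conf_get "$f" "$key")"
        in_set "$cur" "$@" || { echo "$key: '${cur:-unset}' -> one of: $*"; bad=1; }
    done
    # Consistency check (this example's own, not CAPP wording): the warning threshold must
    # be higher than the single-user-mode threshold, or the warning can never fire first.
    sl="$(conf_get "$f" space_left)"; asl="$(conf_get "$f" admin_space_left)"
    if is_num "$sl" && is_num "$asl"; then
        [ "$asl" -lt "$sl" ] || { echo "admin_space_left ($asl) must be below space_left ($sl)"; bad=1; }
    else
        echo "space_left/admin_space_left: both must be numeric (MB)"; bad=1
    fi
    return $bad
}

# Constructed samples: a configuration close to the shipped defaults (not CAPP) and one
# that meets the CAPP points above.
DEFAULT_CONF=$(mktemp); CAPP_CONF=$(mktemp)
cat > "$DEFAULT_CONF" <<'EOF'
log_file = /var/log/audit/audit.log
max_log_file = 8
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
flush = INCREMENTAL_ASYNC
EOF
cat > "$CAPP_CONF" <<'EOF'
# /var/log/audit is expected to be its own partition (first CAPP point above)
log_file = /var/log/audit/audit.log
max_log_file = 500
max_log_file_action = keep_logs
space_left = 1000
space_left_action = email
action_mail_acct = root
admin_space_left = 250
admin_space_left_action = single
disk_full_action = halt
disk_error_action = syslog
flush = sync
EOF

capp_check "$DEFAULT_CONF" || echo "default-style configuration: not CAPP-compliant"
capp_check "$CAPP_CONF" && echo "CAPP configuration: OK"
```

The checker deliberately stops at the configuration file: whether /var/log/audit is really a separate partition and whether max_log_file actually fills it are facts about the host (df on the log directory), not about auditd.conf, and have to be verified there.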

5.4. Starting the audit Service

Once auditd is properly configured, start the service to collect Audit information and store it in the log files. Execute the following command as the root user to start auditd:

~]# service auditd start

Optionally, you can configure auditd to start at boot time using the following command as the root user:

~]# chkconfig auditd on

On Red Hat Enterprise Linux 7, chkconfig forwards this request to systemctl enable auditd, which can be used directly instead.

A number of other actions can be performed on auditd using the service auditd action command, where action can be one of the following:

stop — stops auditd.

restart — restarts auditd.

reload or force-reload — reloads the configuration of auditd from the /etc/audit/auditd.conf file.

rotate — rotates the log files in the /var/log/audit/ directory.

resume — resumes logging of Audit events after it has been previously suspended, for example, when there is not enough free space on the disk partition that holds the Audit log files.

condrestart or try-restart — restarts auditd only if it is already running.

status — displays the running status of auditd.

Use the service command, not systemctl, for these actions: on Red Hat Enterprise Linux 7 the auditd unit refuses a manual systemctl stop, and going through the service script is what records the action with the administrator's login UID (auid) in the Audit log.

5.5. Defining Audit Rules

The Audit system operates on a set of rules that define what is to be captured in the log files. There are three types of Audit rules that can be specified:

Control rules — allow the Audit system's behavior and some of its configuration to be modified.

File system rules — also known as file watches, allow the auditing of access to a particular file or a directory.

System call rules — allow logging of system calls that any specified program makes.

Audit rules can be specified on the command line with the auditctl utility (note that these rules are not persistent across reboots), or written in the /etc/audit/audit.rules file. The following two sections summarize both approaches to defining Audit rules.

5.5.1. Defining Audit Rules with the auditctl Utility

Note

All commands which interact with the Audit service and the Audit log files require root privileges. Ensure you execute these commands as the root user.

The auditctl command allows you to control the basic functionality of the Audit system and to define rules that decide which Audit events are logged.
