Watching file access
Audit can track whether a file or a directory has been accessed, modified, executed, or the file's attributes have been changed. This is useful, for example, to detect access to important files and have an Audit trail available in case one of these files is corrupted.
Monitoring system calls
Audit can be configured to generate a log entry every time a particular system call is used. This can be used, for example, to track changes to the system time by monitoring the settimeofday, clock_adjtime, and other time-related system calls.
Recording commands run by a user
Because Audit can track whether a file has been executed, a number of rules can be defined to record every execution of a particular command. For example, a rule can be defined for every executable in the /bin directory. The resulting log entries can then be searched by user ID to generate an audit trail of executed commands per user.
Recording security events
The pam_faillock authentication module is capable of recording failed login attempts. Audit can be set up to record failed login attempts as well, and provides additional information about the user who attempted to log in.
Searching for events
Audit provides the ausearch utility, which can be used to filter the log entries and provide a complete audit trail based on a number of conditions.
Running summary reports
The aureport utility can be used to generate, among other things, daily reports of recorded events. A system administrator can then analyze these reports and investigate suspicious activity further.
Monitoring network access
The iptables and ebtables utilities can be configured to trigger Audit events, allowing system administrators to monitor network access.
Note
System performance may be affected depending on the amount of information that is collected by Audit.
5.1. Audit System Architecture
The Audit system consists of two main parts: the user-space applications and utilities, and the kernel-side system call processing. The kernel component receives system calls from user-space applications and filters them through one of the three filters: user, task, or exit.
Once a system call passes through one of these filters, it is sent through the exclude filter, which, based on the Audit rule configuration, sends it to the Audit daemon for further processing. Figure 5.1, “Audit system architecture” illustrates this process.
Figure 5.1. Audit system architecture
The user-space Audit daemon collects the information from the kernel and creates log file entries in a log file. Other Audit user-space utilities interact with the Audit daemon, the kernel Audit component, or the Audit log files:
audisp — the Audit dispatcher daemon interacts with the Audit daemon and sends events to other applications for further processing. The purpose of this daemon is to provide a plug-in mechanism so that real-time analytical programs can interact with Audit events.
auditctl — the Audit control utility interacts with the kernel Audit component to control a number of settings and parameters of the event generation process.
The remaining Audit utilities take the contents of the Audit log files as input and generate output based on the user's requirements. For example, the aureport utility generates a report of all recorded events.
5.2. Installing the audit Packages
In order to use the Audit system, you must have the audit packages installed on your system. The audit packages (audit and audit-libs) are installed by default on Red Hat Enterprise Linux 6. If you do not have these packages installed, execute the following command as the root user to install them:
~]# yum install audit
5.3. Configuring the audit Service
The Audit daemon can be configured in the /etc/audit/auditd.conf configuration file. This file consists of configuration parameters that modify the behavior of the Audit daemon. Any empty lines or any text following a hash sign (#) is ignored. A complete listing of all configuration parameters and their explanation can be found in the auditd.conf(5) man page.
5.3.1. Configuring auditd for a CAPP Environment
The default auditd configuration should be suitable for most environments. However, if your environment has to meet the criteria set by the Controlled Access Protection Profile (CAPP), which is a part of the Common Criteria certification, the Audit daemon must be configured with the following settings:
The directory that holds the Audit log files (usually /var/log/audit/) should reside on a separate partition. This prevents other processes from consuming space in this directory, and provides accurate detection of the remaining space for the Audit daemon.
The max_log_file parameter, which specifies the maximum size of a single Audit log file, must be set to make full use of the available space on the partition that holds the Audit log files.
The max_log_file_action parameter, which decides what action is taken once the limit set in max_log_file is reached, should be set to keep_logs to prevent Audit log files from being overwritten.
The space_left parameter, which specifies the amount of free space left on the disk for which an action that is set in the space_left_action parameter is triggered, must be set to a number that gives the administrator enough time to respond and free up disk space. The space_left value depends on the rate at which the Audit log files are generated.
It is recommended to set the space_left_action parameter to email or exec with an appropriate notification method.
The admin_space_left parameter, which specifies the absolute minimum amount of free space for which an action that is set in the admin_space_left_action parameter is triggered, must be set to a value that leaves enough space to log actions performed by the administrator.
The admin_space_left_action parameter must be set to single to put the system into single-user mode and allow the administrator to free up some disk space.
The disk_full_action parameter, which specifies an action that is triggered when no free space is available on the partition that holds the Audit log files, must be set to halt or single. This ensures that the system is either shut down or operating in single-user mode when Audit can no longer log events.
The disk_error_action parameter, which specifies an action that is triggered in case an error is detected on the partition that holds the Audit log files, must be set to syslog, single, or halt, depending on your local security policies regarding the handling of hardware malfunctions.
The flush configuration parameter must be set to sync or data. These parameters assure that all Audit event data is fully synchronized with the log files on the disk.
The remaining configuration options should be set according to your local security policy.
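As an added example (not part of the Red Hat guide), the following script checks an auditd.conf file against the CAPP action settings listed above and reports every parameter that is unset or outside the mandated values. It assumes the key = value layout of /etc/audit/auditd.conf; the site-specific sizes (max_log_file, space_left, admin_space_left) are not judged because the guide leaves them to the administrator.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: report which of the CAPP settings
# for auditd.conf a given file deviates from. Assumes the key = value layout of
# /etc/audit/auditd.conf (blank lines and text after '#' are ignored).

# conf_get FILE KEY: print KEY's value in lower case (last occurrence wins);
# the shipped file writes values such as ROTATE in upper case.
conf_get() {
    sed -e 's/#.*//' "$1" | awk -F'=' -v key="$2" '
        { gsub(/^[ \t]+|[ \t]+$/, "", $1); gsub(/^[ \t]+|[ \t]+$/, "", $2) }
        $1 == key { val = $2 }
        END { print val }' | tr 'A-Z' 'a-z'
}

# in_list VALUE ALLOWED...: succeed if VALUE is one of ALLOWED
in_list() {
    needle="$1"; shift
    for v in "$@"; do [ "$needle" = "$v" ] && return 0; done
    return 1
}

# check_one FILE KEY ALLOWED...: print a finding and count it in $deviations
# when KEY is missing or set to a value outside ALLOWED
check_one() {
    file="$1"; key="$2"; shift 2
    val=$(conf_get "$file" "$key")
    if ! in_list "$val" "$@"; then
        echo "$key = ${val:-<unset>} (CAPP expects one of: $*)"
        deviations=$((deviations + 1))
    fi
}

# capp_check FILE: one finding per line; return value = number of deviations
# (0 means every action setting the guide mandates is in place)
capp_check() {
    deviations=0
    [ -r "$1" ] || { echo "cannot read $1"; return 1; }
    check_one "$1" max_log_file_action keep_logs
    check_one "$1" space_left_action email exec
    check_one "$1" admin_space_left_action single
    check_one "$1" disk_full_action halt single
    check_one "$1" disk_error_action syslog single halt
    check_one "$1" flush sync data
    return $deviations
}

# Usage: sh capp_check.sh /etc/audit/auditd.conf
if [ $# -gt 0 ]; then
    capp_check "$1"
fi
```

Run it before and after editing auditd.conf; a non-zero exit status means at least one of the listed settings still differs from the CAPP requirement.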
5.4. Starting the audit Service
Once auditd is properly configured, start the service to collect Audit information and store it in the log files. Execute the following command as the root user to start auditd:
~]# service auditd start
Optionally, you can configure auditd to start at boot time using the following command as the root user:
~]# chkconfig auditd on
A number of other actions can be performed on auditd using the service auditd action command, where action can be one of the following:
stop — stops auditd.
restart — restarts auditd.
reload or force-reload — reloads the configuration of auditd from the /etc/audit/auditd.conf file.
rotate — rotates the log files in the /var/log/audit/ directory.
resume — resumes logging of Audit events after it has been previously suspended, for example, when there is not enough free space on the disk partition that holds the Audit log files.
condrestart or try-restart — restarts auditd only if it is already running.
status — displays the running status of auditd.
5.5. Defining Audit Rules
The Audit system operates on a set of rules that define what is to be captured in the log files. There are three types of Audit rules that can be specified:
Control rules — allow the Audit system's behavior and some of its configuration to be modified.
File system rules — also known as file watches, allow the auditing of access to a particular file or a directory.
System call rules — allow logging of system calls that any specified program makes.
Audit rules can be specified on the command line with the auditctl utility (note that these rules are not persistent across reboots), or written in the /etc/audit/audit.rules file. The following two sections summarize both approaches to defining Audit rules.
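As an added example (not from the Red Hat guide), the script below reads an audit.rules-style file and sorts each rule into the three types just described, showing what each one targets. It assumes auditctl's rule syntax as documented in auditctl(8), which this page has not yet covered: -w path [-p perms] [-k key] for file watches, -a action,list ... -S syscall for system call rules, and options such as -D, -b, -e and -f for control rules; the sample rules in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: classify the rules in an
# audit.rules-style file into control, file-watch and system call rules.
# Assumes auditctl(8) syntax: -w <path> [-p perms] [-k key] for watches,
# -a <action,list> ... -S <syscall> for system call rules, and control
# options such as -D (delete all), -b <n>, -e <n>, -f <n>, -r <n>, -i, -c.

# classify_rule "RULE": print "control", "watch", "syscall" or "unknown"
classify_rule() {
    set -- $1                     # split the rule into its options
    case "$1" in
        -w) echo watch ;;
        -a|-A) echo syscall ;;
        -D|-b|-e|-f|-r|-i|-c) echo control ;;
        *) echo unknown ;;
    esac
}

# rule_field "RULE" OPT: print the argument(s) following OPT, comma-separated
# when the option is repeated (for example several -S syscalls)
rule_field() {
    printf '%s\n' "$1" | awk -v opt="$2" '{
        out = ""
        for (i = 1; i < NF; i++) if ($i == opt) out = out (out ? "," : "") $(i+1)
        print out
    }'
}

# summarize_rules FILE: print "<type> <target> key=<key>" per rule, skipping
# blank and comment lines; the return value is the number of rules seen
summarize_rules() {
    n=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        n=$((n + 1))
        type=$(classify_rule "$line")
        case "$type" in
            watch)   target=$(rule_field "$line" -w) ;;
            syscall) target=$(rule_field "$line" -S) ;;
            *)       target="$line" ;;
        esac
        key=$(rule_field "$line" -k)
        echo "$type $target key=${key:--}"
    done < "$1"
    return $n
}
```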
5.5.1. Defining Audit Rules with the auditctl Utility
Note
All commands which interact with the Audit service and the Audit log files require root privileges. Ensure you execute these commands as the root user.
The auditctl command allows you to control the basic functionality of the Audit system and to define rules that decide which Audit events are logged.