Modern Linux kernel comes with auditd daemon. It is responsible for writing audit records to the disk. During startup, the rules in /etc/audit.rules are read by this daemon. You can open /etc/audit.rules file and make changes such as setup audit file log location and other option. The default file is good enough to get started with auditd.
ausearch is a simple command line tool used to search the audit daemon log files based on events and different search criteria such as event identifier, key identifier, CPU architecture, command name, hostname, group name or group ID, syscall, messages and beyond. It also accepts raw data from stdin.
By default, ausearch queries the /var/log/audit/audit.log file, which you can view just like any other text file.
In order to use audit facility you need to use following utilities
auditctl – A command to assist controlling the kernels audit system. You can get status, and add or delete rules into kernel audit system. Setting a watch on a file is accomplished using this command
ausearch – A command that can query the audit daemon logs based for events based on different search criteria.
aureport – A tool that produces summary reports of the audit system logs.
Step1: Install audit package
The audit package contains the user space utilities for storing and searching the audit records generate by the audit subsystem in the Linux 2.6 kernel.
root@sage16:/home/jackson# sudo apt-get update root@sage16:/home/jackson# sudo apt-get install auditd Reading package lists... Done Building dependency tree Reading state information... Done
Now start service:
root@sage16:/home/jackson# /etc/init.d/auditd start [ ok ] Starting auditd (via systemctl): auditd.service.
How do I set a watch on a file for auditing?
Let us say you would like to audit a /etc/passwd file. You need to type command as follows:
# auditctl -w /etc/passwd -p war -k password-file
Where,
-w /etc/passwd – Insert a watch for the file system object at given path i.e. watch file called /etc/passwd
-p war – Set permissions filter for a file system watch. It can be r for read, w for write, x for execute, a for append.
-k password-file – Set a filter key on a /etc/passwd file (watch). The password-file is a filterkey (string of text that can be up to 31 bytes long). It can uniquely identify the audit records produced by the watch. You need to use password-file string or phrase while searching audit logs.
For Example let us see how do we find out who changed or accessed a file /etc/passwd?
Use ausearch command as follows:
# ausearch -f /etc/passwd OR # ausearch -f /etc/passwd | less OR # ausearch -f /etc/passwd -i | less
For example I have created the file and set a watchlog as shown below
# sudo auditctl -w /home/jackson/audit_test -p war
Now I am using ausearch command find out who changed or accessed a file
ausearch -f /home/jackson/audit_test
Please see the output as follows.
time->Sat May 18 18:36:57 2019 type=PROCTITLE msg=audit(1558184817.050:210): proctitle="gedit" type=PATH msg=audit(1558184817.050:210): item=0 name="/home/jackson/audit_test" inode=13336667 dev=00:35 mode=0100664 ouid=10231 ogid=10231 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=CWD msg=audit(1558184817.050:210): cwd="/home/jackson" type=SYSCALL msg=audit(1558184817.050:210): arch=c000003e syscall=2 success=yes exit=20 a0=1b57bc0 a1=0 a2=0 a3=aaaaaaaaaaaaaaab items=1 ppid=1568 pid=4084 auid=4294967295 uid=10231 gid=10231 euid=10231 suid=10231 fsuid=10231 egid=10231 sgid=10231 fsgid=10231 tty=(none) ses=4294967295 comm="pool" exe="/usr/bin/gedit" key=(null)
Find User Activity in Auditd Log File, Please note that the -ua is used to pass a username.
# ausearch -ua jackson OR # ausearch -ua ruben -i
Please see the output added below. From the results, we can check which file has been edited by ‘jackson’
---- time->Sat May 18 18:59:45 2019 type=USER_END msg=audit(1558186185.996:50): pid=10976 uid=10221 auid=4294967295 ses=4294967295 msg='op=PAM:session_close acct="root" exe="/bin/su" hostname=? addr=? terminal=/dev/pts/25 res=success' ---- time->Sat May 18 18:59:45 2019 type=CRED_DISP msg=audit(1558186185.996:51): pid=10976 uid=10221 auid=4294967295 ses=4294967295 msg='op=PAM:setcred acct="root" exe="/bin/su" hostname=? addr=? terminal=/dev/pts/25 res=success'
Conclusion
So in this blog we discussed about the auditctl command that assist controlling the kernels audit system. You can get status, and add or delete rules into kernel audit system. Setting a watch on a file is accomplished using this command. Also, using ausearch command we can query the audit daemon logs based for events based on different search criteria.
