CentOS 6
Sponsored Link

Auditd : Add Audit Rules
2016/07/26
 
It's possible to add your own Audit rules like follows.
[1] For example, Configure Audit rule which records writing and attributes change for /etc/hosts.
# display current rules (no rules by default like follows)

[root@dlp ~]#
auditctl -l

No rules
# -p [r|w|x|a] : specify target action for Audit

#     r=read, w=write, x=execute, a=attributes

# -k [words] : set keys for searching logs

[root@dlp ~]#
auditctl -w /etc/hosts -p wa -k hosts_change

[root@dlp ~]#
auditctl -l

-w /etc/hosts -p wa -k hosts_change
[2] When some actions are done and it is detected by new Audit rules, Audit logs are recorded like follows.
[root@dlp ~]#
ausearch -k hosts_change | aureport -f -i

File Report
===============================================
# date time file syscall success exe auid event
===============================================
1. 03/09/2016 19:48:32 /etc/hosts open yes /usr/bin/bash root 46
2. 03/10/2016 20:37:52 /etc/hosts open yes /usr/bin/vi root 49
3. 03/10/2016 20:37:52 /etc/hosts chmod yes /usr/bin/vi root 50
4. 03/10/2016 20:38:35 /etc/hosts~ rename yes /usr/bin/vi cent 71
5. 03/10/2016 20:38:35 /etc/hosts ? yes ? cent 72
6. 03/10/2016 20:38:35 /etc/hosts ? yes ? cent 70
7. 03/10/2016 20:38:35 /etc/hosts open yes /usr/bin/vi cent 73
8. 03/10/2016 20:38:35 /etc/hosts chmod yes /usr/bin/vi cent 74
9. 03/10/2016 20:38:35 /etc/hosts setxattr yes /usr/bin/vi cent 75
[3] Rules added by auditctl command are not kept after restarting System, so it needs to add them in a file under /etc/audit/rules.d if you'd like to keep persistently. It's OK to add rules to any file you like under /etc/audit/rules.d, but extension should be ".rules".
# output current rules to "additional.rules"

[root@dlp ~]#
auditctl -l >> /etc/audit/rules.d/additional.rules

[4] If you set a directory for Audit Target, all files are targeted recursively under the directory.
# set Audit rule (reading) to /home/testdir/

[root@dlp ~]#
auditctl -w /home/testdir/ -p r -k testdir_audit

[root@dlp ~]#
auditctl -l

-w /home/testdir/ -p r -k testdir_audit
# log are recorded like follows

[root@dlp ~]#
ausearch -k testdir_audit | aureport -f -i

File Report
===============================================
# date time file syscall success exe auid event
===============================================
1. 03/10/2016 19:50:28 /home/testdir getxattr no /usr/bin/ls cent 77
2. 03/10/2016 19:50:28 /home/testdir lgetxattr no /usr/bin/ls cent 76
3. 03/10/2016 19:50:28 /home/testdir getxattr no /usr/bin/ls cent 78
4. 03/10/2016 19:50:32 /home/testdir getxattr no /usr/bin/ls cent 81
5. 03/10/2016 19:50:32 /home/testdir openat yes /usr/bin/ls cent 82
6. 03/10/2016 19:50:32 /home/testdir lgetxattr no /usr/bin/ls cent 79
7. 03/10/2016 19:50:32 /home/testdir getxattr no /usr/bin/ls cent 80
8. 03/10/2016 19:50:32 /home/testdir/test.txt lgetxattr no /usr/bin/ls cent 83
9. 03/10/2016 19:50:32 /home/testdir/test.txt getxattr no /usr/bin/ls cent 84
10. 03/10/2016 19:50:32 /home/testdir/test.txt getxattr no /usr/bin/ls cent 85
11. 03/10/2016 19:50:32 /home/testdir/testdir02 lgetxattr no /usr/bin/ls cent 86
12. 03/10/2016 19:50:32 /home/testdir/testdir02 getxattr no /usr/bin/ls cent 87
13. 03/10/2016 19:50:53 /home/testdir/testdir02/test2.txt open yes /usr/bin/cat cent 89
[5] For exmaple, Configure Audit rule which monitors files removed by users who has over UID 1000.
By the way, for the option by "S" below, you can make sure all System Calls with "man syscalls", maybe after installing "yum install man-pages".
[root@dlp ~]#
auditctl -a always,exit -S unlink,unlinkat -F 'auid>=1000' -F 'auid!=-1' -F key=delete_audit

[root@dlp ~]#
auditctl -l

-a always,exit -S unlink,unlinkat -F auid>=1000 -F auid!=-1 -F key=delete_audit
# logs are recorded like follows

[root@dlp ~]#
ausearch -k delete_audit | aureport -f -i

File Report
===============================================
# date time file syscall success exe auid event
===============================================
1. 03/10/2016 19:11:05 test.txt unlinkat yes /usr/bin/rm redhat 112
2. 03/10/2016 19:13:06 test3.txt unlinkat yes /usr/bin/rm cent 139
3. 03/10/2016 19:41:00 test2.txt unlinkat yes /usr/bin/rm redhat 194
 
Tweet