RHEL AUDITD

Environment

  • Red Hat Enterprise Linux (RHEL)
    • 4
    • 5
    • 6
    • 7

Issue

  • How to monitor the permission change and ownership change of a particular directory or file?
  • How to configure auditd to find how a file was modified in Red Hat Enterprise Linux?
  • What tool can audit files at a directory level?
  • How do I monitor files or directories using auditd in Red Hat Enterprise Linux ?
  • How do I monitor a file or directory to see which user or program has accessed or modified data ?

Resolution

  • The Linux Audit system (audit package) can be used to accomplish this task.
  • Ensure the auditd service is running, and set to start on boot with chkconfig auditd on
  • Set a watch on the required file to be monitored by using the auditctl command:
# auditctl -w /etc/hosts -p war -k monitor-hosts
  • where:
    • auditctl is the command used to add entries to the audit database.
    • -w inserts a watch for the file system object at path, i.e. /etc/shadow.
    • -p sets permissions filter for a file system watch.
    • The permission are any one of the following:
      r – read of the file
      w – write to the file
      x – execute the file
      a – change in the file’s attribute
    • -k sets a filter key on an audit rule. The filter key is an arbitrary string of text that can be up to 31 bytes long. It can uniquely identify the audit records produced by a rule.

Note: In order for these rules to persist after a reboot, the below must be added to the relevant rule files,

-w /etc/hosts -p a -k monitor-hosts

which are:

RHEL 4: /etc/audit.rules
RHEL 5: /etc/audit/audit.rules
RHEL 6: /etc/audit/audit.rules
RHEL 7: /etc/audit/rules.d/audit.rules
  • Please see the man pages for “auditctl” and “audit.rules” for further information on syntax and swtiches.
    • The auditd service must be restarted after any changes are made, also ensure that it is set to run on boot.
# service auditd restart
# chkconfig --list auditd
# chkconfig auditd on
  • In this example, a watch is placed on the /etc/hosts file for any syscalls which perform a write, read, or attribute change (-p war). This is logged with the key monitor-hosts. This key can be used to search through the audit logs to find these actions, using the ausearchcommand:
# ausearch -ts today -k monitor-hosts
----
time->Sat Feb  3 07:32:20 2007
type=PATH msg=audit(1170451940.872:34): item=0 name="/etc/hosts" inode=1308742 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0
type=CWD msg=audit(1170451940.872:34): cwd="/root"
type=SYSCALL msg=audit(1170451940.872:34): arch=40000003 syscall=226 success=yes exit=0 a0=867c4b8 a1=458bcc4f a2=8686800 a3=1c items=1 ppid=3544 pid=3558 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="vim" exe="/usr/bin/vim" subj=root:system_r:unconfined_t:s0-s0:c0.c1023 key="monitor-hosts"
  • From this trace, it can be seen that the file /etc/hosts was edited using the /usr/bin/vim command. The user that ran the command was running with the root:system_r:unconfined_t:s0-s0:c0.c1023 SELinux context. Also, the timestamp can be converted into readable form.
# date -d @1170451940
Sat Feb  3 05:32:20 CST 2007
  • Specifying a -i to ausearch also interprets numeric entities into text, making the logs more readable.
  • You can search for an event based on the given key string:
# ausearch -k monitor-hosts
  • You can also generate a report about the audit rule keys by running:
# aureport -k

Leave a Reply

Your email address will not be published. Required fields are marked *

Categories

Get Free Shipping on Everything All Season Long
Best Buy Co, Inc.
Best Buy Co, Inc.