Auditd
- Enable auditing for processes which start prior to the audit daemon
- Enable auditd service
- Max log file size
- Notification on low disk space
- Action on low disk space
- Action upon reaching maximum log size
- Record information on kernel module loading and unloading
- Record attempts to alter logon and logout events
- Record attempts to alter time through stime
- Record attempts to alter time through settimeofday
- Record attempts to alter the localtime file
- Record attempts to alter time through clock_settime
- Record attempts to alter time through adjtimex
- Record events that modify the system's discretionary access controls
- Ensure auditd collects file deletion events by user
- Record information on the use of privileged commands
- Record unauthorized access attempts to files
- Ensure auditd collects system administrator actions
- Record events that modify the system's network environment
- Make the auditd configuration immutable
- Record attempts to alter process and session initiation information
- Record events that modify user/group information
- Ensure auditd collects information on exporting to media
- Record events that modify the system's mandatory access controls
The audit service provides substantial capabilities for recording system activities.
By default, the service audits SELinux AVC denials and certain types of security-relevant events such as system logins, account modifications, and authentication events performed by programs such as sudo.
Each process on the system carries an "auditable" flag which indicates whether its activities can be audited. Although auditd takes care of enabling this for all processes which launch after it does, adding the audit=1 kernel argument ensures it is set for every process during boot.
# Add to /etc/default/grub:
GRUB_CMDLINE_LINUX="... audit=1"
# Update the grub configuration:
grub2-mkconfig -o
Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Ensuring the auditd service is active ensures audit records generated by the kernel are appropriately recorded.
systemctl enable auditd.service
The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained.
# Edit /etc/audit/auditd.conf:
max_log_file = STOREMB
Email sent to the root account is typically aliased to the administrators of the system, who can take appropriate action.
# Edit /etc/audit/auditd.conf:
action_mail_acct = root
Administrators should be made aware of an inability to record audit records. If a separate partition or logical volume of adequate size is used, running low on space for audit records should never occur.
# Edit /etc/audit/auditd.conf:
admin_space_left_action = ACTION
Automatically rotating logs (by setting this to rotate) minimizes the chances of the system unexpectedly running out of disk space by being overwhelmed with log data.
However, for systems that must never discard log data, or which use external processes to transfer it and reclaim space, keep_logs can be employed.
# Edit /etc/audit/auditd.conf:
max_log_file_action = ACTION
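The four auditd.conf settings above (max_log_file, action_mail_acct, admin_space_left_action, max_log_file_action) are easy to leave at values that silently lose records. The following added example, which is not part of the guide, parses an auditd.conf and reports the weak settings; the two sample configurations are constructed, and the 16 MB minimum for max_log_file is an assumed site threshold rather than a value from the guide.

```python
"""Check an auditd.conf for the log-size and disk-space settings discussed above.

Added example (not the guide's own tooling). The sample configurations are
constructed, and the 16 MB minimum is an assumed site threshold, not a value
from the guide.
"""


def parse_auditd_conf(text):
    """Return {key: value} for every 'key = value' line; comments and blanks are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def check_auditd_conf(text, min_log_file_mb=16):
    """Return a list of findings; an empty list means the config meets the expectations."""
    s = parse_auditd_conf(text)
    findings = []

    # Max log file size: retention is max_log_file x number of logs kept, so a tiny
    # file size shortens the period the logs cover.
    try:
        size_mb = int(s.get("max_log_file", "0"))
    except ValueError:
        size_mb = 0
    if size_mb < min_log_file_mb:
        findings.append(f"max_log_file={s.get('max_log_file')!r} is below {min_log_file_mb} MB")

    # Notification on low disk space: mail must go to root (aliased to the administrators).
    if s.get("action_mail_acct") != "root":
        findings.append(f"action_mail_acct={s.get('action_mail_acct')!r}, expected root")

    # Action on low disk space: 'ignore', 'syslog' and 'suspend' do not make administrators
    # aware that records can no longer be stored (treating these as weak is an assumption).
    admin_action = s.get("admin_space_left_action", "").lower()
    if admin_action in ("", "ignore", "syslog", "suspend"):
        findings.append(f"admin_space_left_action={admin_action!r} does not alert an administrator")

    # Action upon reaching maximum log size: rotate or keep_logs, as the guide allows.
    max_action = s.get("max_log_file_action", "").lower()
    if max_action not in ("rotate", "keep_logs"):
        findings.append(f"max_log_file_action={max_action!r} should be rotate or keep_logs")

    return findings


# Constructed "before" configuration: small files, no alert, records silently dropped.
WEAK_CONF = """\
log_file = /var/log/audit/audit.log
max_log_file = 8
max_log_file_action = IGNORE
action_mail_acct = root
admin_space_left_action = SUSPEND
"""

# Constructed "after" configuration following the settings in this section.
HARDENED_CONF = """\
log_file = /var/log/audit/audit.log
max_log_file = 32
max_log_file_action = keep_logs
action_mail_acct = root
admin_space_left_action = halt
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, check_auditd_conf(conf) or "OK")
```

Run it against a copy of the real file (`check_auditd_conf(open("/etc/audit/auditd.conf").read())`) as a pre-deployment check; the weak sample yields three findings and the hardened sample none.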
The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.
# Add to /etc/audit/rules.d/extended.rules
-w /usr/sbin/insmod -p x -k modules
-w /usr/sbin/rmmod -p x -k modules
-w /usr/sbin/modprobe -p x -k modules
-a always,exit -F arch=ARCH -S init_module,finit_module,create_module,delete_module -F key=modules
Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion.
# Add to /etc/audit/rules.d/extended.rules
-w /var/log/tallylog -p wa -k logins
-w /var/run/faillock -p wa -k logins
-w /var/log/lastlog -p wa -k logins
Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.
# Add to /etc/audit/rules.d/extended.rules
-a always,exit -F arch=b32 -S stime -F key=audit_time_rules
Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.
# Add to /etc/audit/rules.d/extended.rules
-a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules
-a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules
Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.
# Add to /etc/audit/rules.d/extended.rules
-w /etc/localtime -p wa -k audit_time_rules
Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.
# Add to /etc/audit/rules.d/extended.rules
-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.
# Add to /etc/audit/rules.d/extended.rules
-a always,exit -F arch=b32 -S adjtimex -F key=audit_time_rules
-a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rules
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
# Add to /etc/audit/rules.d/extended.rules
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
# Add to /etc/audit/rules.d/extended.rules
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
# Add to /etc/audit/rules.d/extended.rules
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
# Add to /etc/audit/rules.d/extended.rules
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
# Add to /etc/audit/rules.d/extended.rules
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
# Add to /etc/audit/rules.d/extended.rules
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
# Add to /etc/audit/rules.d/extended.rules
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
# Add to /etc/audit/rules.d/extended.rules
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
# Add to /etc/audit/rules.d/extended.rules
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
# Add to /etc/audit/rules.d/extended.rules
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
# Add to /etc/audit/rules.d/extended.rules
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
# Add to /etc/audit/rules.d/extended.rules
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
# Add to /etc/audit/rules.d/extended.rules
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as in detecting malicious processes that attempt to delete log files to conceal their presence.
# Add to /etc/audit/rules.d/extended.rules
-a always,exit -F arch=b32 -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
-a always,exit -F arch=b64 -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
# Add to /etc/audit/rules.d/extended.rules
-a always,exit -F arch=b32 -S rename -F auid>=1000 -F auid!=unset -F key=delete
-a always,exit -F arch=b64 -S rename -F auid>=1000 -F auid!=unset -F key=delete
# Add to /etc/audit/rules.d/extended.rules
-a always,exit -F arch=b32 -S renameat -F auid>=1000 -F auid!=unset -F key=delete
-a always,exit -F arch=b64 -S renameat -F auid>=1000 -F auid!=unset -F key=delete
# Add to /etc/audit/rules.d/extended.rules
-a always,exit -F arch=b32 -S unlink -F auid>=1000 -F auid!=unset -F key=delete
-a always,exit -F arch=b64 -S unlink -F auid>=1000 -F auid!=unset -F key=delete
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
# Add to /etc/audit/rules.d/extended.rules
-a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
To find the relevant setuid and setgid programs:
find / -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
# Add to /etc/audit/rules.d/extended.rules
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
# Add to /etc/audit/rules.d/extended.rules
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
# Add to /etc/audit/rules.d/extended.rules
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
# Add to /etc/audit/rules.d/extended.rules
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
# Add to /etc/audit/rules.d/extended.rules
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
# Add to /etc/audit/rules.d/extended.rules
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
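The keys attached to the rules above (modules, perm_mod, delete, privileged, access, ...) exist so that the records can be pulled back out by key, which is what `ausearch -k <key>` does on a live host. The following added example, which is not part of the guide, parses audit.log-style records offline and answers the questions a defender asks of them: how many events per key, which `access` events were denied and with which errno, and whether anyone changed the rule set. The log lines are constructed to resemble SYSCALL, PATH and CONFIG_CHANGE records; the syscall numbers are x86_64 values and the field lists are abbreviated.

```python
"""Summarize audit.log records by the keys set in the rules above.

Added example, not part of the guide. The log lines below are constructed to
look like audit.log SYSCALL/PATH/CONFIG_CHANGE records; on a real host the
same questions are answered with ausearch -k <key>.
"""
import errno
import re

# name=value pairs; quoted values may contain spaces, unquoted ones may not.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# msg=audit(<unix time>.<ms>:<serial>) ties the records of one event together.
MSG_RE = re.compile(r"audit\((\d+\.\d+):(\d+)\)")

# Constructed sample records (x86_64 syscall numbers: 257=openat, 90=chmod,
# 313=finit_module, 76=truncate). Field lists are abbreviated.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=257 success=no exit=-13 items=1 ppid=3110 pid=3122 auid=1000 uid=1000 euid=1000 ses=3 comm="cat" exe="/usr/bin/cat" key="access"
type=PATH msg=audit(1700000000.101:201): item=0 name="/etc/shadow" inode=1311 mode=0100000 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.250:202): arch=c000003e syscall=90 success=yes exit=0 items=1 ppid=3110 pid=3140 auid=1000 uid=1000 euid=1000 ses=3 comm="chmod" exe="/usr/bin/chmod" key="perm_mod"
type=SYSCALL msg=audit(1700000000.300:203): arch=c000003e syscall=313 success=yes exit=0 items=1 ppid=3110 pid=3151 auid=1000 uid=0 euid=0 ses=3 comm="insmod" exe="/usr/sbin/insmod" key="modules"
type=SYSCALL msg=audit(1700000000.400:204): arch=c000003e syscall=76 success=no exit=-1 items=1 ppid=3110 pid=3160 auid=1000 uid=1000 euid=1000 ses=3 comm="truncate" exe="/usr/bin/truncate" key="access"
type=CONFIG_CHANGE msg=audit(1700000000.500:205): auid=1000 ses=3 op=remove_rule key="modules" list=4 res=1
"""


def parse_record(line):
    """Split one audit record into a dict of its name=value fields plus timestamp and serial."""
    fields = {name: value.strip('"') for name, value in FIELD_RE.findall(line)}
    m = MSG_RE.match(fields.get("msg", ""))
    if m:
        fields["timestamp"], fields["serial"] = m.group(1), m.group(2)
    return fields


def records(log_text):
    """All non-empty lines of the log, parsed."""
    return [parse_record(line) for line in log_text.splitlines() if line.strip()]


def count_by_key(log_text):
    """Number of SYSCALL records per rule key: the 'ausearch -k' view of the log."""
    counts = {}
    for r in records(log_text):
        if r.get("type") == "SYSCALL" and "key" in r:
            counts[r["key"]] = counts.get(r["key"], 0) + 1
    return counts


def denied_access_events(log_text):
    """(serial, exe, errno name) for failed syscalls caught by the 'access' rules."""
    out = []
    for r in records(log_text):
        if r.get("type") == "SYSCALL" and r.get("key") == "access" and r.get("success") == "no":
            code = -int(r["exit"])  # exit=-13 is -EACCES, exit=-1 is -EPERM
            out.append((r["serial"], r.get("exe"), errno.errorcode.get(code, str(code))))
    return out


def rule_changes(log_text):
    """CONFIG_CHANGE records: which login (auid) altered the rule set, which op, which key."""
    return [(r["serial"], r.get("auid"), r.get("op"), r.get("key"))
            for r in records(log_text) if r.get("type") == "CONFIG_CHANGE"]


if __name__ == "__main__":
    print(count_by_key(SAMPLE_LOG))
    print(denied_access_events(SAMPLE_LOG))
    print(rule_changes(SAMPLE_LOG))
```

The auid field, not uid, is what identifies the person behind an event: it is the login UID that survives su and sudo, which is why the rules above filter on `auid>=1000 -F auid!=unset`. A CONFIG_CHANGE record with `op=remove_rule` from a non-root auid, as in the constructed sample, is exactly the kind of event the immutable-configuration setting later in this page is meant to rule out.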
The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as for accountability purposes.
# Add to /etc/audit/rules.d/extended.rules
-w /etc/sudoers -p wa -k actions
-w /etc/sudoers.d/ -p wa -k actions
The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited.
# Add to /etc/audit/rules.d/extended.rules
-a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification
-w /etc/issue -p wa -k audit_rules_networkconfig_modification
-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
-w /etc/hosts -p wa -k audit_rules_networkconfig_modification
-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification
Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion.
# Add to /etc/audit/rules.d/extended.rules
-w /var/run/utmp -p wa -k session
-w /var/log/btmp -p wa -k session
-w /var/log/wtmp -p wa -k session
Making the audit configuration immutable prevents accidental as well as malicious modification of the audit rules, although it may be problematic if legitimate changes are needed during system operation.
# Add to /etc/audit/rules.d/extended.rules
-e 2
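Because `-e 2` locks the rule set, anything that follows it fails to load, and placeholders such as ARCH or a b32 rule without its b64 twin only show up as missing events long after the fact. The following added example, which is not part of the guide, checks a rules fragment for those mistakes before it is loaded; the rules text is constructed and deliberately contains each of them.

```python
"""Sanity-check an audit rules fragment before loading it.

Added example, not part of the guide. The rules text below is constructed and
deliberately contains the mistakes the checks look for.
"""
import re
import shlex

# Placeholders used in this guide that must be substituted before loading.
PLACEHOLDERS = ("ARCH", "SETUID_PROG_PATH")

# Constructed fragment: an unreplaced ARCH, a duplicated b32 line with no b64
# counterpart, and a watch placed after -e 2.
SAMPLE_RULES = """\
# constructed rules.d fragment
-w /usr/sbin/insmod -p x -k modules
-a always,exit -F arch=ARCH -S init_module,finit_module,delete_module -F key=modules
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-e 2
-w /etc/selinux/ -p wa -k MAC-policy
"""


def parse_rule(line):
    """Extract kind (-a/-w/-e), arch, syscall list and key from one rule line."""
    tokens = shlex.split(line)
    rule = {"tokens": tokens, "kind": tokens[0] if tokens else None,
            "arch": None, "syscalls": (), "key": None}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        if tok == "-S":
            rule["syscalls"] = tuple(sorted(nxt.split(",")))
        elif tok == "-F" and nxt.startswith("arch="):
            rule["arch"] = nxt[len("arch="):]
        elif tok == "-F" and nxt.startswith("key="):
            rule["key"] = nxt[len("key="):]
        elif tok == "-k":
            rule["key"] = nxt
        i += 2 if tok.startswith("-") else 1  # every option here takes one argument
    return rule


def check_rules(text):
    """Return a list of findings; an empty list means the fragment passed every check."""
    findings, rules, seen = [], [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        rules.append((lineno, parse_rule(line)))
        for ph in PLACEHOLDERS:
            if re.search(rf"={ph}(\s|$)", line):
                findings.append(f"line {lineno}: placeholder {ph} not replaced")
        if line in seen:
            findings.append(f"line {lineno}: duplicate of line {seen[line]}")
        else:
            seen[line] = lineno

    # A syscall rule only covers one ABI; b32 and b64 must both be present.
    archs = {}
    for lineno, rule in rules:
        if rule["kind"] == "-a" and rule["syscalls"] and rule["arch"] in ("b32", "b64"):
            archs.setdefault((rule["syscalls"], rule["key"]), set()).add(rule["arch"])
    for (syscalls, key), present in sorted(archs.items()):
        for arch in sorted({"b32", "b64"} - present):
            findings.append(f"syscall rule {','.join(syscalls)} key={key}: no arch={arch} counterpart")

    # -e 2 makes the configuration immutable; rules after it are rejected.
    for idx, (lineno, rule) in enumerate(rules):
        if rule["kind"] == "-e" and rule["tokens"][1:2] == ["2"] and idx != len(rules) - 1:
            findings.append(f"line {lineno}: -e 2 must be the last rule; "
                            f"{len(rules) - 1 - idx} rule(s) follow it")
    return findings


if __name__ == "__main__":
    for finding in check_rules(SAMPLE_RULES):
        print(finding)
```

When augenrules merges the fragments under /etc/audit/rules.d/ it concatenates them in sorted filename order, so in practice `-e 2` belongs at the end of the last fragment rather than in the middle of extended.rules; running `check_rules` over the merged output catches the ordering problem either way.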
In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.
# Add to /etc/audit/rules.d/extended.rules
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
# Add to /etc/audit/rules.d/extended.rules
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
# Add to /etc/audit/rules.d/extended.rules
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
# Add to /etc/audit/rules.d/extended.rules
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
# Add to /etc/audit/rules.d/extended.rules
-w /etc/group -p wa -k audit_rules_usergroup_modification
The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss.
# Add to /etc/audit/rules.d/extended.rules
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
The system's mandatory access policy (SELinux) should not be arbitrarily changed by anything other than administrator action. All changes to MAC policy should be audited.
# Add to /etc/audit/rules.d/extended.rules
-w /etc/selinux/ -p wa -k MAC-policy
The Practical Linux Hardening Guide provides a high-level overview of hardening GNU/Linux systems. It is not an official standard or handbook, but it touches on and uses industry standards.