Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Linux audit framework

124 views

Published on

kort auditd intro

Published in: Software
  • Be the first to comment

  • Be the first to like this

Linux audit framework

  1. 1. Linux Auditing Framework In 5 minutes
  2. 2. About ● Included in RHEL4+ and all other linux distros (SuSE used their own product for SLES 9 but switched in SLES 10) ● Supports CAPP, LSPP, RSBAC, NISPOM, FISMA, PCI-DSS, STIG, EAL4+ ● Minimal overhead, integrated with the linux kernel ● Support sudo/su etc and not not “possible” to bypass ● Can audit more or less everything ● Hard to read audit logs
  3. 3. Rules Examples rules: /usr/share/doc/audit-2.2/capp.rules /usr/share/doc/audit-2.2/lspp.rules /usr/share/doc/audit-2.2/nispom.rules /usr/share/doc/audit-2.2/stig.rules
  4. 4. Commands auditctl - Control script. Status, add/remove rules etc ausearch - search in logs aureport - give an report
  5. 5. Easy example auditctl -w /etc/passwd -p rwa -k "reading password file" -w = File monitored -p = Permissions to monitor. Can be Read, Write, Execute or Append -k = Message in the logs
  6. 6. Easy example II auditctl -w /tmp -p e -k "Someone is using /tmp" Checks if someone is using /tmp auditctl -a entry,always -S all -F pid=1005 Monitor everything a PID does... auditctl -l shows current rules
  7. 7. Searching logs ausearch -i -f /etc/passwd could give: type=PATH msg=audit(07/15/2013 15:03:43.153:9090) : item=0 name=/etc/passwd inode=656631 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00 type=CWD msg=audit(07/15/2013 15:03:43.153:9090) : cwd=/root type=SYSCALL msg=audit(07/15/2013 15:03:43.153:9090) : arch=x86_64 syscall=open success=yes exit=3 a0=7fffd13addf0 a1=0 a2=619908 a3=7fffd13ad560 items=1 ppid=1255 pid=1801 auid=torstein uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=1 comm=grep exe=/bin/grep key=reading password file An user (torstein) have used /bin/grep form the directory /root as the user root to view the file
  8. 8. Other searches ausearch -ts 01/01/13 -k password-file ausearch -ts today -k password-file -x rm (show's who deleted the password file today) ausearch -ts today -k "reading password file" -ui 0 (check's who's been using root to check the password file)
  9. 9. More advanced ● Logs to /var/log/audit/ ● /etc/audit/auditd.conf is the config for the daemon. Can be configured to halt on full disk or require reboot to change rules ● /etc/audit/audit.rules is the rules it will load on startup. See example files it ships.. But it could look like this: -w /etc/passwd -p wa -k identity

×