The Linux Audit Framework
Gary Smith, EMSL, Pacific Northwest National Laboratory
Agenda
- Who Am I?
- Capabilities of the Linux Audit Framework
- auditd.conf and audit.rules
- Types of Rules
- Examples of rules
- Creating Reports
- Advanced Rule Writing
- Visualizing Audit Data
A Little Context
- How do you think about Cyber Security?
- The Five Golden Principles of Security
  - Know your system
  - Principle of Least Privilege
  - Defense in Depth
  - Protection is key, but detection is a must.
  - Know your enemy.
Introduction
- Linux audit helps make your system more secure by giving you a means to analyze what is happening on your system in great detail.
- It does not, however, provide additional security itself: it does not protect your system from code malfunctions or any kind of exploit.
- Instead, audit is useful for tracking these issues and helps you take additional security measures, like SELinux, to prevent them.
- Audit consists of several components, each contributing crucial functionality to the overall framework.
- The audit subsystem built into the kernel intercepts system calls and records the relevant events.

Introduction (cont.)
- The auditd daemon writes the audit records to disk.
- Various command line utilities take care of displaying, querying, and archiving the audit trail.
Linux Audit Framework Capabilities
- Audit enables you to do the following:
  - Associate users with processes
    - Audit maps processes to the user ID that started them.
    - This makes it possible for the administrator or security officer to trace exactly which user owns which process and is potentially doing malicious operations on the system.
  - Review the audit trail
    - Linux audit provides tools that write the audit records to disk and translate them into human-readable form.
  - Review particular audit events
    - Audit provides a utility that allows you to filter the audit records for certain events of interest.
Linux Audit Framework Capabilities (1)
- You can filter for:
  - User
  - Group
  - Audit ID
  - Remote hostname
  - Remote host address
  - System call
  - System call arguments
  - File
  - File operations
  - Session
  - Success or failure
Linux Audit Framework Capabilities (2)
- Apply a selective audit
  - Audit provides the means to filter the audit records for events of interest and also to tune audit to record only selected events.
  - You can create your own set of rules and have the audit daemon record only those of interest to you.
- Prevent audit data loss
  - Audit provides several mechanisms to prevent the loss of audit data in the event of a loss of system resources.

The Components of Linux Audit
Configuring The Linux Audit Framework
- Before you can actually start generating audit logs and processing them, you must configure the audit framework.
- Julius Caesar said, "Gallia est omnis divisa in tres partes", and just like Gaul, configuring the audit framework is divided into three parts:
  - The audit daemon configuration (/etc/audit/auditd.conf)
  - The audit rules (/etc/audit/audit.rules)
  - The audispd daemon configuration (/etc/audit/audispd.conf; in audit 3.x and later the dispatcher is built into auditd and its plugins are configured under /etc/audit/plugins.d)
/etc/audit/auditd.conf
- The /etc/audit/auditd.conf configuration file determines how the audit system functions once the daemon has been started.
- Its directives tell auditd where to put the audit log files, how to flush audit records to disk, how to rotate and manage the log files, and what to do on errors such as a full disk.
- For most use cases, the default settings shipped with the package should suffice; the settings worth reviewing on a system where audit data must not be lost are the space_left, admin_space_left and disk_full actions.
A Sample auditd.conf
log_file = /var/log/audit/audit.log
log_format = RAW
log_group = root
priority_boost = 4
# INCREMENTAL flushes to disk every freq records; SYNC flushes every record
flush = INCREMENTAL
freq = 20
num_logs = 5
dispatcher = /sbin/audispd
# lossy: under load, events may be dropped on the way to the dispatcher
# (the on-disk log is not affected)
disp_qos = lossy
name_format = hostname
##name = mydomain
# rotate when the log reaches 6 MB
max_log_file = 6
max_log_file_action = ROTATE
# free-space thresholds on the log partition, in MB
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
# SUSPEND stops writing audit records but keeps the system running;
# choose HALT where running without an audit trail is unacceptable
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
/etc/audit/audit.rules
- audit.rules is a file containing audit rules that are loaded into the kernel by the audit daemon's startup script whenever the daemon is started.
- The startup script uses the auditctl program to perform this operation (auditctl -R /etc/audit/audit.rules). On newer systems audit.rules is generated by augenrules from the fragments in /etc/audit/rules.d/, so edit the fragments rather than the generated file.
- The audit rules come in three varieties: control, file system, and system call.
Control
- Control commands configure the audit system itself rather than telling it what to watch.
- These commands, found at the top of the rules file, typically include:
  - Deleting all rules (-D)
  - Setting the size of the kernel's backlog queue (-b)
  - Setting the failure mode (-f): 0 silent, 1 printk, 2 panic
  - Setting the event rate limit (-r), in messages per second; 0 means no limit
  - Telling auditctl to ignore syntax errors in the rules and continue loading (-i, or -c to continue loading but still report an error exit status)
  - Enabling or disabling auditing (-e): 0 disables, 1 enables, and 2 enables and locks the configuration so that no further rule changes are accepted until reboot, which is why -e 2 belongs on the last line of the rules file.
File System
- File system rules are sometimes called watches.
- These rules are used to audit access to particular files or directories that you are interested in.
- If the path given in the rule is a directory, the watch is recursive to the bottom of the directory tree, excluding any directories that are mount points.
- The syntax of these rules generally follows this format:
  -w path-to-file -p permissions -k keyname
- where permissions is any combination of the following:
  - r: read of the file
  - w: write to the file
  - x: execute the file
  - a: change in the file's attributes
- keyname is an arbitrary string used to identify the audit records produced by a rule; it is what you later search on with ausearch -k.
Integrity Checking
- Using file watches, write a list of rules to detect changes to the audit configuration files and to the rules instantiated in the kernel (the loaded rules can only change through auditctl, so watch its execution):
-w /etc/audit/auditd.conf -p wa -k audit-config
-w /etc/audit/audit.rules -p wa -k audit-config
-w /sbin/auditctl -p x -k audit-config
- If your rules are assembled by augenrules, watch /etc/audit/rules.d/ the same way, and finish the rules file with -e 2 so the loaded rule set cannot be altered without a reboot.
File Watches Gotchas
- When you need detailed file-related records, enable separate file watches for all files of interest.
- Directory watches produce less verbose logs than exact file watches.
- Pathname globbing of any kind is not supported by audit. Always use exact pathnames.
- Auditing can only be performed on existing files.
- Any files added while the audit daemon is already running are ignored until the audit rule set is updated to watch the new files.
- Remember: first match wins!
Auditing the Execution of Setuid/Setgid Binaries
- Let's say that, as a matter of compliance, you have to audit the execution of setuid/setgid binaries on your system.
- How do you set that up?
- First, run a script like the following at boot time from /etc/rc.local, sending the output to a file that auditctl will accept. The slides use /tmp/snorf as the example name; since auditctl -R requires the rules file to be owned by root and not readable by other users, a root-owned location outside the world-writable /tmp (for instance a file under /etc/audit/) is the safer choice.
Auditing the Execution of Setuid/Setgid Binaries (1)
#!/bin/bash
# Emit one audit watch rule for every setuid or setgid regular file on each
# locally mounted ext2/ext3/ext4 file system listed in /etc/fstab.
for i in $(/bin/egrep '(ext4|ext3|ext2)' /etc/fstab | /bin/awk '{print $2}')
do
    # -xdev keeps find from descending into other file systems;
    # -perm -4000 matches setuid, -perm -2000 matches setgid.
    # The parentheses must be escaped so the shell passes them to find.
    /usr/bin/find "$i" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print |
        /bin/sort |
        /bin/awk '{ print "-w " $1 " -p x -k privileged -k ids-exec-high" }'
done
Auditing the Execution of Setuid/Setgid Binaries (2)
- And you get something like this (YMMV depending on what's installed). Each line is a complete watch rule: -w takes the place of -a, so a watch must never be prefixed with -a, and auditctl rejects such a line.
-w /bin/cgclassify -p x -k privileged -k ids-exec-high
-w /bin/cgexec -p x -k privileged -k ids-exec-high
-w /bin/ping -p x -k privileged -k ids-exec-high
-w /bin/ping6 -p x -k privileged -k ids-exec-high
-w /bin/su -p x -k privileged -k ids-exec-high
-w /sbin/mount.nfs -p x -k privileged -k ids-exec-high
-w /sbin/netreport -p x -k privileged -k ids-exec-high
-w /sbin/pam_timestamp_check -p x -k privileged -k ids-exec-high
-w /sbin/unix_chkpwd -p x -k privileged -k ids-exec-high
-w /usr/bin/chage -p x -k privileged -k ids-exec-high
-w /usr/bin/chfn -p x -k privileged -k ids-exec-high
-w /usr/bin/chsh -p x -k privileged -k ids-exec-high
-w /usr/bin/crontab -p x -k privileged -k ids-exec-high
-w /usr/bin/gpasswd -p x -k privileged -k ids-exec-high
-w /usr/bin/ksu -p x -k privileged -k ids-exec-high
Auditing the Execution of Setuid/Setgid Binaries (3)
- Then point auditctl at the generated file to add the newly created audit rules.
- The auditctl program is used to control the behavior of, get status from, and add or delete rules in the kernel's audit system.
/sbin/auditctl -R /tmp/snorf
- A couple of things about auditctl:
  - auditctl is not a filter, so output cannot be piped into it; it reads rules from a file with -R.
  - Rules files for auditctl must be owned by root and not readable by other users, or they are rejected.
  - auditctl -l lists the rules currently loaded in the kernel, which is the quickest way to check that the file loaded as intended.
System Call
- System call rules are loaded into a matching engine that intercepts every syscall that every program on the system makes.
- Therefore, it is very important to only use syscall rules when you have to, since these affect performance. The more rules, the bigger the performance hit.
- You can help performance, though, by combining syscalls into one rule whenever possible.
- Remember: first match wins!
- Syscall rules take the general form of:
  -a action,list -S syscall -F field=value -k keyname
System Call (1)
- The -a option tells the kernel's rule matching engine that we want to append a rule at the end of the rule list.
- But we need to specify which rule list it goes on and what action to take when it triggers.
- The action and list are separated by a comma with no space in between; auditctl accepts them in either order, so always,exit and exit,always mean the same thing. Valid lists are: task, entry, exit, user, and exclude. For syscall auditing you almost always want exit, because the outcome (success and exit code) is only known when the syscall returns.
- Valid actions are:
  - always: always create an event
  - never: never create an event
System Call (2)
- Next in the rule is the -S option, specifying either a syscall name or number. The name is almost always used. You may give more than one syscall in a rule by specifying another -S option (newer versions also accept a comma-separated list).
- Because syscall numbers differ between the 32-bit and 64-bit ABIs, a syscall rule on an x86_64 system should carry -F arch=b64, placed before the -S options, plus a second copy with -F arch=b32 if 32-bit binaries can run; without the arch filter auditctl warns about a 32/64-bit mismatch.
- After the syscall is specified, you would normally have one or more -F options that fine-tune what to match against.
- The audit system considers uids to be unsigned numbers. It uses the number -1 to indicate that a loginuid is not set, so when printed it looks like 4294967295. Rules commonly exclude such unattributed processes with -F auid!=4294967295 (newer auditctl versions also accept -F auid!=unset).
- The last thing about syscall rules is that you can add a keyname, a free-form text string inserted into the event to help identify its meaning.
Syscall Audit Rules Examples
- To see files opened by a specific user (auid takes a numeric uid or a user name):
-a always,exit -F arch=b64 -S open -S openat -F auid=1337 -k user-opens
- To see unsuccessful open calls:
-a always,exit -F arch=b64 -S open -S openat -F success=0 -k failed-opens
- Both rules include openat because modern C libraries implement open(2) on top of openat(2), so a rule on open alone misses most file opens on a current system.
Record Attempts to Alter System Time
- Attackers frequently tinker with the system time to hide their actions. Use system call auditing to create audit rules that record changes to the system time:
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k audit_time_rules
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k audit_time_rules
-a always,exit -F arch=b32 -S clock_settime -k audit_time_rules
-a always,exit -F arch=b64 -S clock_settime -k audit_time_rules
- stime exists only in the 32-bit ABI, which is why it appears in the b32 rule alone. A write watch on /etc/localtime completes the picture, since changing the time zone also changes how logged timestamps are read.
Creating Audit Reports
- The audit records are stored in /var/log/audit/audit.log.
- grep is your friend, and you can pull stuff out of the audit log and get records like this:
type=SYSCALL msg=audit(1365719016.212:333043): arch=c000003e syscall=171 success=yes exit=0 a0=7fff86310c37 a1=6 a2=d a3=7fff8630f3b0 items=0 ppid=22300 pid=22311 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=37491 comm="domainname" exe="/bin/hostname" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=73797374656D2D6C6F63616C65016964732D7379732D6C6F77
- Maybe grep isn't your friend after all.
- The raw audit data auditd stores in the /var/log/audit directory is quite complex: arch and the syscall are numbers, and the key field above is hex-encoded because the rule carried two -k keys, which auditd joins with a control character (it decodes to system-locale and ids-sys-low).
- To find what you want, you might have to sift through bazillions of other events before you locate the one that you want.
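As an added example, not from the slides, here is a small Python parser for raw audit.log lines that does what grep cannot: it splits the key=value fields, decodes hex-encoded string fields (the key above decodes to system-locale and ids-sys-low, two -k keys joined by a \x01 byte), maps the auid sentinel 4294967295 to None, and groups records by event serial the way ausearch does. SAMPLE_RECORD is the record from the slide; UNSET_RECORD is a constructed record and the crond process in it is hypothetical. On x86_64 (arch=c000003e) syscall 171 is setdomainname, which agrees with comm="domainname".

```python
import re
from typing import Dict, List

# The kernel records a login uid of (unsigned) -1 when none was ever set,
# e.g. for daemons started at boot; it prints as 4294967295.
AUID_UNSET = 4294967295

# Fields auditd hex-encodes when the value contains whitespace or control
# characters (and otherwise prints quoted). Register values such as a0..a3
# are hex numbers, not strings, so they are deliberately not in this set.
STRING_FIELDS = {"key", "comm", "exe", "name", "cwd", "proctitle", "acct"}

# The SYSCALL record from the slide above, joined back into one line.
SAMPLE_RECORD = (
    "type=SYSCALL msg=audit(1365719016.212:333043): arch=c000003e "
    "syscall=171 success=yes exit=0 a0=7fff86310c37 a1=6 a2=d "
    "a3=7fff8630f3b0 items=0 ppid=22300 pid=22311 auid=0 uid=0 gid=0 "
    "euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=37491 "
    'comm="domainname" exe="/bin/hostname" '
    "subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 "
    "key=73797374656D2D6C6F63616C65016964732D7379732D6C6F77"
)

# A constructed record (not from the page) for a process with no login uid.
UNSET_RECORD = (
    "type=SYSCALL msg=audit(1365719020.000:333050): arch=c000003e "
    "syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=0 items=2 ppid=1 "
    "pid=900 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 "
    'sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="crond" '
    'exe="/usr/sbin/crond" key=(null)'
)

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")


def decode_string(value: str) -> str:
    """Return the plain text of a quoted or hex-encoded string field."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1]
    if len(value) % 2 == 0 and HEX_RE.match(value):
        return bytes.fromhex(value).decode("utf-8", errors="replace")
    return value


def decode_keys(value: str) -> List[str]:
    """Several -k keys on one rule are stored joined by \\x01, which is why a
    multi-key field appears hex-encoded. Split them back apart."""
    if value in ("", "(null)"):
        return []
    return decode_string(value).split("\x01")


def parse_record(line: str) -> Dict[str, object]:
    """Parse one raw audit.log line into a dict of decoded fields."""
    fields = dict(FIELD_RE.findall(line))
    m = MSG_RE.search(line)
    rec: Dict[str, object] = {
        "type": fields.get("type"),
        "timestamp": float(m.group(1)) if m else None,
        # The serial number ties together all records (SYSCALL, CWD, PATH...)
        # that belong to one event; ausearch -a searches on it.
        "serial": int(m.group(2)) if m else None,
    }
    for name, value in fields.items():
        if name in ("type", "msg"):
            continue
        rec[name] = decode_string(value) if name in STRING_FIELDS else value
    rec["keys"] = decode_keys(fields.get("key", ""))
    for name in ("auid", "uid", "euid", "pid", "ppid", "syscall"):
        if name in rec:
            rec[name] = int(rec[name])
    if rec.get("auid") == AUID_UNSET:
        rec["auid"] = None  # no login uid: not attributable to a person
    return rec


def group_events(lines: List[str]) -> Dict[int, List[Dict[str, object]]]:
    """Group raw records by event serial, as ausearch does when printing."""
    events: Dict[int, List[Dict[str, object]]] = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("----"):
            continue
        rec = parse_record(line)
        events.setdefault(rec["serial"], []).append(rec)
    return events


if __name__ == "__main__":
    for serial, recs in group_events([SAMPLE_RECORD, UNSET_RECORD]).items():
        for r in recs:
            print(serial, r["type"], r["auid"], r["comm"], r["keys"])
```

ausearch -i performs this interpretation for you; the point of rolling your own is to feed decoded events into a SIEM or a detection script without shelling out once per record, and to keep auid=None visible as "not attributable to any logged-in user" rather than as a large number that looks like a real uid.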
Creating Audit Reports (1)
- Use aureport to create concise, human-readable reports.
- Some of the useful options are:
  - --summary
  - --failed
  - --start and --end (aureport understands today, yesterday, now, recent, this-week, this-month, and this-year)
  - --auth, --avc, --login, --user, --executable, --syscall
- To get started, run aureport --summary and you get something like this:
Creating Audit Reports (2)
Summary Report
======================
Range of time in logs: 08/09/2015 02:28:36.498 - 10/02/2015 18:07:38.737
Selected time for report: 08/09/2015 02:28:36 - 10/02/2015 18:07:38.737
Number of changes in configuration: 0
Number of changes to accounts, groups, or roles: 4
Number of logins: 16
Number of failed logins: 13134
Number of authentications: 59
Number of failed authentications: 46567
Number of users: 9
Number of terminals: 18
Number of host names: 1139
Number of executables: 14
Number of files: 0
Number of AVC's: 0
Number of MAC events: 0
Number of failed syscalls: 0
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 50419
Number of keys: 0
Number of process IDs: 25791
Number of events: 129193
Creating Audit Reports (3)
- Let's look at some of the failed logins with aureport --auth --failed:
Login Report
============================================
# date time auid host term exe success event
============================================
1. 09/23/2015 19:53:04 send 195.4.234.9 sshd /usr/sbin/sshd no 2469819
2. 09/23/2015 19:53:06 send 195.4.234.9 sshd /usr/sbin/sshd no 2469821
3. 09/23/2015 19:53:10 root 195.4.234.9 sshd /usr/sbin/sshd no 2469825
4. 09/23/2015 19:53:12 ts 195.4.234.9 sshd /usr/sbin/sshd no 2469828
5. 09/23/2015 19:53:14 ts 195.4.234.9 sshd /usr/sbin/sshd no 2469830
6. 09/23/2015 19:56:37 root 218.65.30.217 sshd /usr/sbin/sshd no 2469852
7. 09/23/2015 19:56:40 root 218.65.30.217 sshd /usr/sbin/sshd no 2469854
8. 09/23/2015 19:56:42 root 218.65.30.217 sshd /usr/sbin/sshd no 2469856
9. 09/23/2015 21:34:52 ubnt 222.186.21.154 sshd /usr/sbin/sshd no 2470589
10. 09/23/2015 21:34:54 ubnt 222.186.21.154 sshd /usr/sbin/sshd no 2470591
11. 09/24/2015 00:25:15 root 218.4.117.26 sshd /usr/sbin/sshd no 2471855
12. 09/24/2015 00:25:17 pi 218.4.117.26 sshd /usr/sbin/sshd no 2471858
13. 09/24/2015 00:25:19 pi 218.4.117.26 sshd /usr/sbin/sshd no 2471860
14. 09/24/2015 00:25:21 test 218.4.117.26 sshd /usr/sbin/sshd no 2471863
15. 09/24/2015 00:25:23 test 218.4.117.26 sshd /usr/sbin/sshd no 2471865
- The pattern (several guesses two seconds apart from one address, cycling through default account names such as pi, ubnt and test) is the signature of an automated SSH brute-force scan.
Drilling Deeper with ausearch
- aureport lets you create overall summaries of what is happening on the system, but if you want to drill deeper into the details of a particular event, ausearch is the tool to use.
- ausearch allows you to search the audit logs using special keys and search phrases that relate to most of the fields that appear in event messages in /var/log/audit/audit.log.
- A useful methodology is to find an event class of interest with aureport and then drill down into the nitty-gritty with ausearch.
- For instance, use aureport --syscall --failed to see the failed system calls, then use ausearch with one of the event ids (ausearch -a) to get the full set of records for that event.
Drilling Deeper with ausearch (1)
- From aureport --syscall --failed we get:
Syscall Report
=======================================
# date time syscall pid comm auid event
=======================================
1. 10/02/2015 15:26:16 2 5630 cp 25016 306512
- From ausearch -i -a 306512 we get (-i interprets numeric fields: syscall 2 becomes open, the uids become user names, and exit -13 becomes Permission denied):
----
type=PATH msg=audit(10/02/2015 15:26:16.299:306512) : item=0 name=/etc/shadow inode=394070 dev=fd:00 mode=file,000 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:shadow_t:s0 nametype=NORMAL
type=CWD msg=audit(10/02/2015 15:26:16.299:306512) : cwd=/home/dr-horrible
type=SYSCALL msg=audit(10/02/2015 15:26:16.299:306512) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=0x7ffde2dd8739 a1=O_WRONLY|O_TRUNC a2=0x0 a3=0x7ffde2dd6bd0 items=1 ppid=27491 pid=5630 auid=dr-horrible uid=dr-horrible gid=users euid=dr-horrible suid=dr-horrible fsuid=dr-horrible egid=users sgid=users fsgid=users tty=pts0 ses=16292 comm=cp exe=/bin/cp subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=identity
- Read together, the three records say that user dr-horrible, working in /home/dr-horrible, ran cp to overwrite /etc/shadow (O_WRONLY|O_TRUNC) and was denied.
Drilling Deeper with ausearch (2)
- A useful feature, if you tagged your audit rules with keys, is to search for events based on those keys.
- For instance, from ausearch -ts today -i -k identity we get:
type=PATH msg=audit(10/02/2015 15:26:16.299:306512) : item=0 name=/etc/shadow inode=394070 dev=fd:00 mode=file,000 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:shadow_t:s0 nametype=NORMAL
type=CWD msg=audit(10/02/2015 15:26:16.299:306512) : cwd=/home/dr-horrible
type=SYSCALL msg=audit(10/02/2015 15:26:16.299:306512) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=0x7ffde2dd8739 a1=O_WRONLY|O_TRUNC a2=0x0 a3=0x7ffde2dd6bd0 items=1 ppid=27491 pid=5630 auid=dr-horrible uid=dr-horrible gid=users euid=dr-horrible suid=dr-horrible fsuid=dr-horrible egid=users sgid=users fsgid=users tty=pts0 ses=16292 comm=cp exe=/bin/cp subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=identity
Advanced Rule Writing: The Evil Sysadmin
- You suspect a sysadmin acting as root is trawling through the /home file system looking for intellectual property to sell to competitors. Write audit rule(s) that will record root trawling.
- The way to do this is to use the -C option to build an inter-field comparison rule. obj_uid is the uid of the owner of the file being accessed, so auid!=obj_uid matches whenever the logged-in user touches a file that belongs to somebody else, and uid=0 restricts that to accesses made as root:
-a always,exit -F dir=/home/ -F uid=0 -C auid!=obj_uid -k admin-access
Advanced Rule Writing: The Evil Sysadmin (1)
- Since there was no explicit syscall referenced in the rule, all syscalls are tested against it.
- This could be a significant performance hit.
- A better way of doing this would be to name the syscalls that actually read or modify file contents, and to drop unattributed processes (auid unset) and system accounts (auid below 500 on this distribution; 1000 is the usual boundary on current ones):
-a always,exit -F arch=b32 -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F dir=/home/ -F uid=0 -C auid!=obj_uid -F auid>=500 -F auid!=4294967295 -k admin-access
-a always,exit -F arch=b64 -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F dir=/home/ -F uid=0 -C auid!=obj_uid -F auid>=500 -F auid!=4294967295 -k admin-access
Advanced Rule Writing: Setuid Programs
- Recall the script that writes audit rules for the setuid executables it finds. How do you record the execution of a setuid program that is put someplace you don't expect it?
- Write audit rule(s) to catch the execution of a setuid program regardless of its location. A setuid-root program is recognizable at execve time because the effective uid becomes 0 while the real uid stays that of the caller:
-a always,exit -F arch=b64 -S execve -F euid=0 -C uid!=euid -k setuid-exec
- Add the same rule with -F arch=b32 on a system that can run 32-bit binaries, and a matching pair comparing gid and egid to cover setgid programs.
Visualizing Audit Data
- Recall the listing from aureport of the failed logins:
Login Report
============================================
# date time auid host term exe success event
============================================
1. 09/23/2015 19:53:04 send 195.4.234.9 sshd /usr/sbin/sshd no 2469819
2. 09/23/2015 19:53:06 send 195.4.234.9 sshd /usr/sbin/sshd no 2469821
3. 09/23/2015 19:53:10 root 195.4.234.9 sshd /usr/sbin/sshd no 2469825
4. 09/23/2015 19:53:12 ts 195.4.234.9 sshd /usr/sbin/sshd no 2469828
5. 09/23/2015 19:53:14 ts 195.4.234.9 sshd /usr/sbin/sshd no 2469830
6. 09/23/2015 19:56:37 root 218.65.30.217 sshd /usr/sbin/sshd no 2469852
- We can extract fields from the report with any of the text manipulation tools in Linux to produce a column of usernames, IP addresses, etc. that can be fed into a word cloud generator to create graphs of the data.
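As an added example (not from the slides), the following Python turns the failed-login rows above into the per-host and per-account frequencies you would feed to the word cloud, and adds a simple burst check: any source address with three or more failures inside one minute is flagged as a likely brute-force attempt. REPORT is the six-row listing from the slide; the threshold and window are assumptions chosen for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple

# The six rows of the aureport --auth --failed listing above; the columns
# are: # date time auid host term exe success event.
REPORT = """\
Login Report
============================================
# date time auid host term exe success event
============================================
1. 09/23/2015 19:53:04 send 195.4.234.9 sshd /usr/sbin/sshd no 2469819
2. 09/23/2015 19:53:06 send 195.4.234.9 sshd /usr/sbin/sshd no 2469821
3. 09/23/2015 19:53:10 root 195.4.234.9 sshd /usr/sbin/sshd no 2469825
4. 09/23/2015 19:53:12 ts 195.4.234.9 sshd /usr/sbin/sshd no 2469828
5. 09/23/2015 19:53:14 ts 195.4.234.9 sshd /usr/sbin/sshd no 2469830
6. 09/23/2015 19:56:37 root 218.65.30.217 sshd /usr/sbin/sshd no 2469852
"""


class FailedLogin(NamedTuple):
    when: datetime
    acct: str
    host: str
    term: str
    exe: str
    event: int


ROW_RE = re.compile(
    r"^\d+\.\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(yes|no)\s+(\d+)\s*$"
)


def parse_report(text: str) -> List[FailedLogin]:
    """Turn the numbered rows of an aureport login report into records.
    Header and separator lines do not match the pattern and are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        date, time, acct, host, term, exe, _ok, event = m.groups()
        when = datetime.strptime(f"{date} {time}", "%m/%d/%Y %H:%M:%S")
        rows.append(FailedLogin(when, acct, host, term, exe, int(event)))
    return rows


def count_by(rows: List[FailedLogin], field: str) -> Counter:
    """Frequency of one column (acct, host, ...): the column of user names
    or IP addresses the slide feeds to a word cloud, with counts attached."""
    return Counter(getattr(r, field) for r in rows)


def brute_force_sources(rows: List[FailedLogin], threshold: int = 3,
                        window: timedelta = timedelta(seconds=60)) -> List[str]:
    """Hosts with at least `threshold` failures inside any `window`
    (sliding window over the sorted timestamps of each host)."""
    times: Dict[str, List[datetime]] = defaultdict(list)
    for r in rows:
        times[r.host].append(r.when)
    flagged = []
    for host, ts in times.items():
        ts.sort()
        start = 0
        for end in range(len(ts)):
            while ts[end] - ts[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(host)
                break
    return flagged


if __name__ == "__main__":
    rows = parse_report(REPORT)
    print(count_by(rows, "host").most_common())
    print(count_by(rows, "acct").most_common())
    print("possible brute force from:", brute_force_sources(rows))
```

On the full 13134 failed logins in the summary report, the Counter output is what a word cloud renders as size; the burst list is the part worth alerting on, and it feeds naturally into a firewall block list or a fail2ban-style response.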
Visualizing Audit Data (1)

Visualizing Audit Data (2)
Resources
- The audit manual pages
  - There are several man pages installed along with the audit tools that provide valuable and very detailed information:
    - auditd(8): the Linux audit daemon
    - auditd.conf(5): the Linux audit daemon configuration file
    - auditctl(8): a utility to assist controlling the kernel's audit system
    - autrace(8): a program similar to strace
    - ausearch(8): a tool to query audit daemon logs
    - aureport(8): a tool that produces summary reports of audit daemon logs
    - audispd.conf(5): the audit event dispatcher configuration file
    - audispd(8): the audit event dispatcher daemon talking to plugin programs
    - augenrules(8): a script that merges component audit rule files
Resources (1)
- http://people.redhat.com/sgrubb/audit/index.html: the home page of the Linux audit project. This site contains several specifications relating to different aspects of Linux audit, as well as a short FAQ.
- /usr/share/doc/audit: the audit package itself contains a README with basic design information and sample .rules files for different scenarios:
  - capp.rules: Controlled Access Protection Profile (CAPP)
  - lspp.rules: Labeled Security Protection Profile (LSPP)
  - nispom.rules: National Industrial Security Program Operating Manual Chapter 8 (NISPOM)
  - stig.rules: Security Technical Implementation Guide (STIG)
- Word Cloud Generator: http://www.wordclouds.com/
T-t-t-t-that's all, folks!

Gary Smith
Information System Security Officer, Molecular Science Computing, EMSL, Pacific Northwest National Laboratory
Richland, WA
gary.smith@pnnl.gov

Prescriptive Security with InSpec - All Things Open 2019
 
SaltConf14 - Ben Cane - Using SaltStack in High Availability Environments
SaltConf14 - Ben Cane - Using SaltStack in High Availability EnvironmentsSaltConf14 - Ben Cane - Using SaltStack in High Availability Environments
SaltConf14 - Ben Cane - Using SaltStack in High Availability Environments
 
Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn
Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn
Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn
 
Unix commands
Unix commandsUnix commands
Unix commands
 

Recently uploaded

Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on DeliveryCall Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Deliverybabeytanya
 
Denver Web Design brochure for public viewing
Denver Web Design brochure for public viewingDenver Web Design brochure for public viewing
Denver Web Design brochure for public viewingbigorange77
 
AlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsAlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsThierry TROUIN ☁
 
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012rehmti665
 
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...aditipandeya
 
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130  Available With RoomVIP Kolkata Call Girl Alambazar 👉 8250192130  Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Roomdivyansh0kumar0
 
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一Fs
 
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130  Available With RoomVIP Kolkata Call Girl Dum Dum 👉 8250192130  Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Roomdivyansh0kumar0
 
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌  8250192130 🚀 Vip Call Girls KolkataVIP Call Girls Kolkata Ananya 🤌  8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一Fs
 
Complet Documnetation for Smart Assistant Application for Disabled Person
Complet Documnetation   for Smart Assistant Application for Disabled PersonComplet Documnetation   for Smart Assistant Application for Disabled Person
Complet Documnetation for Smart Assistant Application for Disabled Personfurqan222004
 
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一Fs
 
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girlsstephieert
 
定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一
定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一
定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一3sw2qly1
 
Git and Github workshop GDSC MLRITM
Git and Github  workshop GDSC MLRITMGit and Github  workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMgdsc13
 
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts servicevipmodelshub1
 

Recently uploaded (20)

Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on DeliveryCall Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
 
Denver Web Design brochure for public viewing
Denver Web Design brochure for public viewingDenver Web Design brochure for public viewing
Denver Web Design brochure for public viewing
 
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
AlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsAlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with Flows
 
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
 
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
 
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130  Available With RoomVIP Kolkata Call Girl Alambazar 👉 8250192130  Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
 
Call Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
Call Girls In South Ex 📱  9999965857  🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICECall Girls In South Ex 📱  9999965857  🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
Call Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
 
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
 
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in  Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in  Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
 
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130  Available With RoomVIP Kolkata Call Girl Dum Dum 👉 8250192130  Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
 
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌  8250192130 🚀 Vip Call Girls KolkataVIP Call Girls Kolkata Ananya 🤌  8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
 
Complet Documnetation for Smart Assistant Application for Disabled Person
Complet Documnetation   for Smart Assistant Application for Disabled PersonComplet Documnetation   for Smart Assistant Application for Disabled Person
Complet Documnetation for Smart Assistant Application for Disabled Person
 
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
 
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
 
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls
 
定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一
定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一
定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一
 
Git and Github workshop GDSC MLRITM
Git and Github  workshop GDSC MLRITMGit and Github  workshop GDSC MLRITM
Git and Github workshop GDSC MLRITM
 
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
 

The Linux Audit Framework

1. The Linux Audit Framework
Gary Smith, EMSL, Pacific Northwest National Laboratory

2. Agenda
! Who Am I?
! Capabilities of the Linux Audit Framework
! auditd.conf and audit.rules
! Types of Rules
! Examples of rules
! Creating Reports
! Advanced Rule Writing
! Visualizing Audit Data

3. A Little Context
! How do you think about Cyber Security?
! The Five Golden Principles of Security
! Know your system
! Principle of Least Privilege
! Defense in Depth
! Protection is key but detection is a must.
! Know your enemy.

4. Introduction
! Linux audit helps make your system more secure by providing you with a means to analyze what is happening on your system in great detail.
! It does not, however, provide additional security itself—it does not protect your system from code malfunctions or any kind of exploits.
! Instead, Audit is useful for tracking these issues and helps you take additional security measures, like SELinux, to prevent them.
! Audit consists of several components, each contributing crucial functionality to the overall framework.
! The audit kernel module intercepts the system calls and records the relevant events.

5. Introduction (cont.)
! The auditd daemon writes the audit reports to disk.
! Various command line utilities take care of displaying, querying, and archiving the audit trail.

6. Linux Audit Framework Capabilities
! Audit enables you to do the following:
! Associate Users with Processes
! Audit maps processes to the user ID that started them.
! This makes it possible for the administrator or security officer to trace exactly which user owns which process and is potentially doing malicious operations on the system.
! Review the Audit Trail
! Linux audit provides tools that write the audit reports to disk and translate them into human readable format.
! Review Particular Audit Events
! Audit provides a utility that allows you to filter the audit reports for certain events of interest.

7. Linux Audit Framework Capabilities (1)
! You can filter for:
! User
! Group
! Audit ID
! Remote Hostname
! Remote Host Address
! System Call
! System Call Arguments
! File
! File Operations
! Session
! Success or Failure

8. Linux Audit Framework Capabilities (2)
! Apply a Selective Audit
! Audit provides the means to filter the audit reports for events of interest and also to tune audit to record only selected events.
! You can create your own set of rules and have the audit daemon record only those of interest to you.
! Prevent Audit Data Loss
! Audit provides several mechanisms to prevent the loss of audit data in the event of a loss of system resources.

9. The Components of Linux Audit
[diagram slide; no text]

10. Configuring The Linux Audit Framework
! Before you can actually start generating audit logs and processing them, you must configure the audit framework.
! Julius Caesar said, "Gallia est omnis divisa in tres partes", and just like Gaul, configuring the audit framework is divided into three parts:
! The Audit Daemon Configuration
! The Audit Rules
! The Audispd Daemon Configuration

11. /etc/audit/auditd.conf
! The /etc/audit/auditd.conf configuration file determines how the audit system functions once the daemon has been started.
! Its directives tell auditd where to put the audit log files, when to flush audit records to disk, how to manage the log files, and how to handle errors.
! For most use cases, the default settings shipped with the package should suffice.

12. A Sample auditd.conf
log_file = /var/log/audit/audit.log
log_format = RAW
log_group = root
priority_boost = 4
flush = INCREMENTAL
freq = 20
num_logs = 5
dispatcher = /sbin/audispd
disp_qos = lossy
name_format = hostname
##name = mydomain
max_log_file = 6
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND

13. /etc/audit/audit.rules
! audit.rules is a file containing audit rules that will be loaded by the audit daemon's startup script whenever the daemon is started.
! The auditctl program is used by the startup script to perform this operation.
! The audit rules come in 3 varieties: control, file, and syscall.

14. Control
! Control commands generally involve configuring the audit system rather than telling it what to watch.
! These commands, found at the top of the rules file, typically include:
! Deleting all rules (-D)
! Setting the size of the kernel's backlog queue (-b)
! Setting the failure mode (-f)
! Setting the event rate limit (-r)
! Telling auditctl to ignore errors in the rules file and continue loading (-i and -c)
! Enabling/disabling auditing (-e)

15. File System
! File System rules are sometimes called watches.
! These rules are used to audit access to particular files or directories that you may be interested in.
! If the path given in the rule is a directory, the rule is applied recursively to the bottom of the directory tree, excluding any directories that are mount points.
! The syntax of these rules generally follows this format:
-w path-to-file -p permissions -k keyname
! where permissions is one or more of the following:
! r - read of the file
! w - write to the file
! x - execute the file
! a - change in the file's attributes
! keyname is an arbitrary string of text used to uniquely identify the audit records produced by a rule

16. Integrity Checking
! Using file watches, write a list of rules to detect changes to the audit rules files and the instantiated audit rules in the kernel.
-w /etc/audit/auditd.conf -p wa -k audit-config
-w /etc/audit/audit.rules -p wa -k audit-config
-w /sbin/auditctl -p x -k audit-config

17. File Watches Gotchas
! When in need of detailed file-related records, enable separate file watches for all files of interest.
! Directory watches produce less verbose logs than exact file watches.
! Pathname globbing of any kind is not supported by audit. Always use the exact pathnames.
! Auditing can only be performed on existing files.
! Any files added while the audit daemon is already running are ignored until the audit rule set is updated to watch the new files.
! Remember: First match wins!

18. Auditing the Execution of Setuid/Setgid Binaries
! Let's say that as a matter of compliance, you have to audit the execution of setuid/setgid binaries on your system.
! How do you set that up?
! First, run a script like this at boot time from /etc/rc.local, sending the output to a temp file, /tmp/snorf, for example.

19. Auditing the Execution of Setuid/Setgid Binaries (1)
#!/bin/bash
# Find all the file systems that are locally mounted
for i in $(/bin/egrep '(ext4|ext3|ext2)' /etc/fstab | /bin/awk '{print $2}')
do
  # Find all the setuid/setgid files on the file system found above and
  # print out an audit rule for each one (the parentheses must be escaped
  # or the shell treats them as a subshell)
  /usr/bin/find $i -xdev -type f \( -perm -4000 -o -perm -2000 \) -print | \
    /bin/sort | /bin/awk '{ print "-w " $1 " -p x -k privileged -k ids-exec-high" }'
done

20. Auditing the Execution of Setuid/Setgid Binaries (2)
! And you get something like this (YMMV depending on what's installed).
-w /bin/cgclassify -p x -k privileged -k ids-exec-high
-w /bin/cgexec -p x -k privileged -k ids-exec-high
-w /bin/ping -p x -k privileged -k ids-exec-high
-w /bin/ping6 -p x -k privileged -k ids-exec-high
-w /bin/su -p x -k privileged -k ids-exec-high
-w /sbin/mount.nfs -p x -k privileged -k ids-exec-high
-w /sbin/netreport -p x -k privileged -k ids-exec-high
-w /sbin/pam_timestamp_check -p x -k privileged -k ids-exec-high
-w /sbin/unix_chkpwd -p x -k privileged -k ids-exec-high
-w /usr/bin/chage -p x -k privileged -k ids-exec-high
-w /usr/bin/chfn -p x -k privileged -k ids-exec-high
-w /usr/bin/chsh -p x -k privileged -k ids-exec-high
-w /usr/bin/crontab -p x -k privileged -k ids-exec-high
-w /usr/bin/gpasswd -p x -k privileged -k ids-exec-high
-w /usr/bin/ksu -p x -k privileged -k ids-exec-high

21. Auditing the Execution of Setuid/Setgid Binaries (3)
! Then, point auditctl at the temp file to add the newly created audit rules.
! The auditctl program is used to control the behavior, get status, and add or delete rules in the kernel's audit system.
/sbin/auditctl -R /tmp/snorf
! A couple of things about auditctl:
! auditctl is not a filter, so output cannot be piped into it.
! Rules files for auditctl must be owned by root.
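Below is an added example, not the deck's own script, that packages the setuid/setgid scan from slides 18 to 21 as reusable shell functions (gen_setuid_watch_rules and write_setuid_rules are names chosen here). It escapes the find parentheses, keeps paths with spaces intact by looping instead of using awk's $1, and writes the rules file with a restrictive mode before auditctl -R reads it.

```shell
# Added example (not the slide deck's script). Assumed function names.

# gen_setuid_watch_rules DIR -> one "-w PATH -p x -k ..." line per
# setuid/setgid regular file under DIR, sorted, on stdout.
gen_setuid_watch_rules() {
  # -xdev keeps find on one file system, as in the original script;
  # the parentheses must be escaped or the shell swallows them.
  LC_ALL=C find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print |
    LC_ALL=C sort |
    while IFS= read -r path; do
      # read-and-loop instead of awk '$1' so a path with spaces stays whole
      printf '%s -p x -k privileged -k ids-exec-high\n' "-w $path"
    done
}

# write_setuid_rules DIR RULES_FILE -> writes the rules (mode 0600, so only
# the owner can alter what auditctl will load) and prints the rule count.
write_setuid_rules() {
  ( umask 077; gen_setuid_watch_rules "$1" > "$2" )
  wc -l < "$2" | tr -d ' '
}

# Typical use at boot (run as root, which auditctl requires):
#   write_setuid_rules / /tmp/snorf && /sbin/auditctl -R /tmp/snorf
```

The rules file must still be owned by root for auditctl to accept it, as slide 21 notes; writing it as root from rc.local satisfies that. Re-run the scan after package updates, since a newly installed setuid binary is not covered by watches loaded earlier (the slide 17 gotcha).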
22. System Call
! The system call rules are loaded into a matching engine that intercepts each syscall that every program on the system makes.
! Therefore, it is very important to use syscall rules only when you have to, since they affect performance. The more rules, the bigger the performance hit.
! You can help performance, though, by combining syscalls into one rule whenever possible.
! Remember: First match wins!
! Syscall rules take the general form of:
-a action,list -S syscall -F field=value -k keyname

23. System Call (1)
! The -a option tells the kernel's rule matching engine that we want to append a rule at the end of the rule list.
! But we need to specify which rule list it goes on and what action to take when it triggers.
! The action and list are separated by a comma with no space in between. Valid lists are: task, entry, exit, user, and exclude.
! Valid actions are:
! always - always create an event
! never - never create an event

24. System Call (2)
! Next in the rule is the -S option specifying either a syscall name or number. The name is almost always used. You may give more than one syscall in a rule by specifying another -S option.
! After the syscall is specified, you would normally have one or more -F options that fine tune what to match against.
! The audit system considers uids to be unsigned numbers. The audit system uses the number -1 to indicate that a loginuid is not set. This means that when it's printed out, it looks like 4294967295.
! The last thing about syscall rules is that you can add a keyname, which is a free form text string that you want inserted into the event to help identify its meaning.

25. Syscall Audit Rules Examples
! To see files opened by a specific user:
-a exit,always -S open -F auid=l337
! To see unsuccessful open calls:
-a exit,always -S open -F success=0

26. Record Attempts to Alter System Time
! Hackers frequently tinker with the system time to hide their actions. Use system call auditing to create audit rules to record changes to the system time.
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k audit_time_rules
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k audit_time_rules
-a always,exit -F arch=b32 -S clock_settime -k audit_time_rules
-a always,exit -F arch=b64 -S clock_settime -k audit_time_rules

27. Creating Audit Reports
! The audit records are stored in /var/log/audit/audit.log.
! grep is your friend, and you can pull stuff out of the audit log and get stuff like this:
type=SYSCALL msg=audit(1365719016.212:333043): arch=c000003e syscall=171 success=yes exit=0 a0=7fff86310c37 a1=6 a2=d a3=7fff8630f3b0 items=0 ppid=22300 pid=22311 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=37491 comm="domainname" exe="/bin/hostname" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=73797374656D2D6C6F63616C65016964732D7379732D6C6F77
! Maybe grep isn't your friend, after all.
! The raw audit data auditd stores in the /var/log/audit directory is quite complex.
! To find what you want, you might have to sift through bazillions of other events before you locate the one that you want.
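Added example, not from the slides: a small parser for the raw record shown above, with that record embedded as SAMPLE_RECORD and function names that are this example's own. The part worth understanding is the key field: the record came from a rule that carried two -k keys, and the kernel joins multiple keys with byte 0x01 and writes a key containing that byte as hex (ausearch -i decodes it for you; here the decoded keys are shown comma-separated, which is this example's choice).

```shell
# Added example (not from the slides). SAMPLE_RECORD is the record from
# slide 27; the function names below are assumptions of this example.
SAMPLE_RECORD='type=SYSCALL msg=audit(1365719016.212:333043): arch=c000003e syscall=171 success=yes exit=0 a0=7fff86310c37 a1=6 a2=d a3=7fff8630f3b0 items=0 ppid=22300 pid=22311 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=37491 comm="domainname" exe="/bin/hostname" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=73797374656D2D6C6F63616C65016964732D7379732D6C6F77'

# audit_raw_field RECORD NAME -> the text after NAME=, quotes included
audit_raw_field() {
  printf '%s\n' "$1" | awk -v name="$2" '{
    for (i = 1; i <= NF; i++) {
      n = index($i, "=")
      if (n > 0 && substr($i, 1, n - 1) == name) { print substr($i, n + 1); exit }
    }
  }'
}

# audit_field RECORD NAME -> same, with surrounding double quotes removed
audit_field() {
  audit_raw_field "$1" "$2" | sed 's/^"\(.*\)"$/\1/'
}

# audit_serial RECORD -> the event serial, i.e. what ausearch -a takes
audit_serial() {
  printf '%s\n' "$1" | sed 's/.*msg=audit([0-9.]*:\([0-9]*\)).*/\1/'
}

# audit_key RECORD -> the rule key(s) as text. A single key is logged as
# key="name"; several -k keys are joined with 0x01 and hex-encoded.
audit_key() {
  raw=$(audit_raw_field "$1" key)
  case "$raw" in
    \"*\") printf '%s\n' "$raw" | sed 's/^"\(.*\)"$/\1/' ;;   # quoted plain key
    *[!0-9A-Fa-f]*|"") printf '%s\n' "$raw" ;;              # (null) or empty
    *) printf '%s\n' "$raw" | awk 'BEGIN { hex = "0123456789abcdef" }
      { s = tolower($0); out = ""
        for (i = 1; i < length(s); i += 2) {
          v = (index(hex, substr(s, i, 1)) - 1) * 16 + index(hex, substr(s, i + 1, 1)) - 1
          if (v == 1) out = out ","          # 0x01 separates the keys
          else out = out sprintf("%c", v)
        }
        print out }' ;;
  esac
}
```

With the slide's record, audit_key yields "system-locale,ids-sys-low", so the event was produced by a rule tagged with both keys, and audit_serial yields 333043, which is the number to hand to ausearch -a for the full event. arch=c000003e is x86_64; ausyscall x86_64 171 resolves the syscall number to a name.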
28. Creating Audit Reports (1)
! Use aureport to create concise, human-readable reports.
! Some of the useful options are:
! --summary
! --failed
! --start and --end (aureport understands today, yesterday, now, recent, this-week, this-month, and this-year)
! --auth, --avc, --login, --user, --executable, --syscall
! To get started, run aureport --summary and you get something like this:

29. Creating Audit Reports (2)
Summary Report
======================
Range of time in logs: 08/09/2015 02:28:36.498 - 10/02/2015 18:07:38.737
Selected time for report: 08/09/2015 02:28:36 - 10/02/2015 18:07:38.737
Number of changes in configuration: 0
Number of changes to accounts, groups, or roles: 4
Number of logins: 16
Number of failed logins: 13134
Number of authentications: 59
Number of failed authentications: 46567
Number of users: 9
Number of terminals: 18
Number of host names: 1139
Number of executables: 14
Number of files: 0
Number of AVC's: 0
Number of MAC events: 0
Number of failed syscalls: 0
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 50419
Number of keys: 0
Number of process IDs: 25791
Number of events: 129193

30. Creating Audit Reports (3)
! Let's look at some of the failed logins with aureport --auth --failed:
Login Report
============================================
# date time auid host term exe success event
============================================
1. 09/23/2015 19:53:04 send 195.4.234.9 sshd /usr/sbin/sshd no 2469819
2. 09/23/2015 19:53:06 send 195.4.234.9 sshd /usr/sbin/sshd no 2469821
3. 09/23/2015 19:53:10 root 195.4.234.9 sshd /usr/sbin/sshd no 2469825
4. 09/23/2015 19:53:12 ts 195.4.234.9 sshd /usr/sbin/sshd no 2469828
5. 09/23/2015 19:53:14 ts 195.4.234.9 sshd /usr/sbin/sshd no 2469830
6. 09/23/2015 19:56:37 root 218.65.30.217 sshd /usr/sbin/sshd no 2469852
7. 09/23/2015 19:56:40 root 218.65.30.217 sshd /usr/sbin/sshd no 2469854
8. 09/23/2015 19:56:42 root 218.65.30.217 sshd /usr/sbin/sshd no 2469856
9. 09/23/2015 21:34:52 ubnt 222.186.21.154 sshd /usr/sbin/sshd no 2470589
10. 09/23/2015 21:34:54 ubnt 222.186.21.154 sshd /usr/sbin/sshd no 2470591
11. 09/24/2015 00:25:15 root 218.4.117.26 sshd /usr/sbin/sshd no 2471855
12. 09/24/2015 00:25:17 pi 218.4.117.26 sshd /usr/sbin/sshd no 2471858
13. 09/24/2015 00:25:19 pi 218.4.117.26 sshd /usr/sbin/sshd no 2471860
14. 09/24/2015 00:25:21 test 218.4.117.26 sshd /usr/sbin/sshd no 2471863
15. 09/24/2015 00:25:23 test 218.4.117.26 sshd /usr/sbin/sshd no 2471865

31. Drilling Deeper with ausearch
! aureport lets you create overall summaries of what is happening on the system, but if you want to drill deeper into the details of a particular event, ausearch is the tool to use.
! ausearch allows you to search the audit logs using special keys and search phrases that relate to most of the flags that appear in event messages in /var/log/audit/audit.log.
! A methodology to use is to find an event class of interest with aureport and then drill down into the nitty-gritty with ausearch.
! For instance, you use aureport --syscall --failed to see the failed system calls. Then use ausearch with one of the event ids to get more information.

32. Drilling Deeper with ausearch (1)
! From aureport --syscall --failed we get:
Syscall Report
=======================================
# date time syscall pid comm auid event
=======================================
1. 10/02/2015 15:26:16 2 5630 cp 25016 306512
! From ausearch -i -a 306512 we get:
----
type=PATH msg=audit(10/02/2015 15:26:16.299:306512) : item=0 name=/etc/shadow inode=394070 dev=fd:00 mode=file,000 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:shadow_t:s0 nametype=NORMAL
type=CWD msg=audit(10/02/2015 15:26:16.299:306512) : cwd=/home/dr-horrible
type=SYSCALL msg=audit(10/02/2015 15:26:16.299:306512) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=0x7ffde2dd8739 a1=O_WRONLY|O_TRUNC a2=0x0 a3=0x7ffde2dd6bd0 items=1 ppid=27491 pid=5630 auid=dr-horrible uid=dr-horrible gid=users euid=dr-horrible suid=dr-horrible fsuid=dr-horrible egid=users sgid=users fsgid=users tty=pts0 ses=16292 comm=cp exe=/bin/cp subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=identity

33. Drilling Deeper with ausearch (2)
! A useful feature, if you tagged your audit rules with keys, is to search for events based on those keys.
! For instance, run ausearch -ts today -i -k identity and we get:
type=PATH msg=audit(10/02/2015 15:26:16.299:306512) : item=0 name=/etc/shadow inode=394070 dev=fd:00 mode=file,000 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:shadow_t:s0 nametype=NORMAL
type=CWD msg=audit(10/02/2015 15:26:16.299:306512) : cwd=/home/dr-horrible
type=SYSCALL msg=audit(10/02/2015 15:26:16.299:306512) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=0x7ffde2dd8739 a1=O_WRONLY|O_TRUNC a2=0x0 a3=0x7ffde2dd6bd0 items=1 ppid=27491 pid=5630 auid=dr-horrible uid=dr-horrible gid=users euid=dr-horrible suid=dr-horrible fsuid=dr-horrible egid=users sgid=users fsgid=users tty=pts0 ses=16292 comm=cp exe=/bin/cp subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=identity

34. Advanced Rule Writing: The Evil Sysadmin
! You suspect a sysadmin acting as "root" is trawling through the /home file system looking for intellectual property to sell to competitors. Write audit rule(s) that will record root trawling.
! The way to do this is to use the -C option to build an inter-field comparison rule:
-a exit,always -F dir=/home/ -F uid=0 -C auid!=obj_uid -k admin-access

35. Advanced Rule Writing: The Evil Sysadmin (1)
! Since there was no explicit syscall referenced in the rule, all syscalls are tested against this rule.
! This could be a significant performance hit.
! A better way of doing this would be:
-a always,exit -F arch=b32 -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F dir=/home/ -F uid=0 -C auid!=obj_uid -F auid>=500 -F auid!=4294967295 -k admin-access
-a always,exit -F arch=b64 -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F dir=/home/ -F uid=0 -C auid!=obj_uid -F auid>=500 -F auid!=4294967295 -k admin-access
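Added example, not from the slides: a helper that builds the arch-paired syscall rules of slides 26 and 35 from one list of syscalls (syscall_rule and REAL_USER_FILTERS are names chosen here). It keeps several -S in one rule, as slide 22 recommends, and takes the architecture list explicitly because some syscalls exist only on one arch (stime on b32, as slide 26 shows).

```shell
# Added example (not from the slides). Assumed names: syscall_rule,
# REAL_USER_FILTERS. The two filters are the ones slide 35 adds to skip
# system accounts and processes whose loginuid was never set (-1, printed
# as 4294967295 because audit treats uids as unsigned).
REAL_USER_FILTERS='-F auid>=500 -F auid!=4294967295'

# syscall_rule "ARCH..." ACTION,LIST "SYSCALL..." "EXTRA -F/-C FILTERS" KEY
#   -> one complete -a rule per architecture on stdout
syscall_rule() {
  arches="$1"; action="$2"; syscalls="$3"; filters="$4"; key="$5"
  for arch in $arches; do
    line="-a $action -F arch=$arch"
    for s in $syscalls; do
      line="$line -S $s"      # several -S in one rule: one pass of the engine
    done
    if [ -n "$filters" ]; then
      line="$line $filters"
    fi
    printf '%s -k %s\n' "$line" "$key"
  done
}

# Slide 35's pair of rules in one call:
#   syscall_rule "b32 b64" always,exit \
#     "open openat open_by_handle_at truncate ftruncate" \
#     "-F dir=/home/ -F uid=0 -C auid!=obj_uid $REAL_USER_FILTERS" admin-access
# Slide 26's b32-only stime rule:
#   syscall_rule b32 always,exit stime "" audit_time_rules
```

One caveat a practitioner should check before reusing auid>=500: distributions that start ordinary users at UID 1000 (UID_MIN in /etc/login.defs) need that threshold raised, or the filter silently excludes nobody.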
36. Advanced Rule Writing: Setuid Programs
! Recall the script that writes audit rules to find setuid executables. How do you record the execution of a setuid program that is put someplace you don't expect it?
! Write an audit rule to catch the execution of a setuid program regardless of its location.
-a always,exit -F arch=b64 -S execve -F euid=0 -C uid!=euid

37. Visualizing Audit Data
! Recall the listing from aureport of the failed logins:
Login Report
============================================
# date time auid host term exe success event
============================================
1. 09/23/2015 19:53:04 send 195.4.234.9 sshd /usr/sbin/sshd no 2469819
2. 09/23/2015 19:53:06 send 195.4.234.9 sshd /usr/sbin/sshd no 2469821
3. 09/23/2015 19:53:10 root 195.4.234.9 sshd /usr/sbin/sshd no 2469825
4. 09/23/2015 19:53:12 ts 195.4.234.9 sshd /usr/sbin/sshd no 2469828
5. 09/23/2015 19:53:14 ts 195.4.234.9 sshd /usr/sbin/sshd no 2469830
6. 09/23/2015 19:56:37 root 218.65.30.217 sshd /usr/sbin/sshd no 2469852
! We can extract fields from the report with any of the text manipulation tools in Linux to produce a column of usernames, IP addresses, etc. that can be fed into a word cloud generator to create graphs of the data.
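Added example, not the slide's own text: the extraction step described above, with the fifteen-row failed-login listing from slide 30 embedded as SAMPLE_LOGIN_REPORT. report_column produces the column a word-cloud generator would consume, count_column tallies it so you can see the numbers before drawing anything, and hosts_for_user is an extra lookup; all three names are this example's.

```shell
# Added example (not from the slides). SAMPLE_LOGIN_REPORT is the listing
# from slide 30; the function names are assumptions of this example.
SAMPLE_LOGIN_REPORT='Login Report
============================================
# date time auid host term exe success event
============================================
1. 09/23/2015 19:53:04 send 195.4.234.9 sshd /usr/sbin/sshd no 2469819
2. 09/23/2015 19:53:06 send 195.4.234.9 sshd /usr/sbin/sshd no 2469821
3. 09/23/2015 19:53:10 root 195.4.234.9 sshd /usr/sbin/sshd no 2469825
4. 09/23/2015 19:53:12 ts 195.4.234.9 sshd /usr/sbin/sshd no 2469828
5. 09/23/2015 19:53:14 ts 195.4.234.9 sshd /usr/sbin/sshd no 2469830
6. 09/23/2015 19:56:37 root 218.65.30.217 sshd /usr/sbin/sshd no 2469852
7. 09/23/2015 19:56:40 root 218.65.30.217 sshd /usr/sbin/sshd no 2469854
8. 09/23/2015 19:56:42 root 218.65.30.217 sshd /usr/sbin/sshd no 2469856
9. 09/23/2015 21:34:52 ubnt 222.186.21.154 sshd /usr/sbin/sshd no 2470589
10. 09/23/2015 21:34:54 ubnt 222.186.21.154 sshd /usr/sbin/sshd no 2470591
11. 09/24/2015 00:25:15 root 218.4.117.26 sshd /usr/sbin/sshd no 2471855
12. 09/24/2015 00:25:17 pi 218.4.117.26 sshd /usr/sbin/sshd no 2471858
13. 09/24/2015 00:25:19 pi 218.4.117.26 sshd /usr/sbin/sshd no 2471860
14. 09/24/2015 00:25:21 test 218.4.117.26 sshd /usr/sbin/sshd no 2471863
15. 09/24/2015 00:25:23 test 218.4.117.26 sshd /usr/sbin/sshd no 2471865'

# Column numbers in a data row:
#   1 row#  2 date  3 time  4 auid  5 host  6 term  7 exe  8 success  9 event

# report_column REPORT N -> column N of every numbered data row, one per
# line (header and ==== lines are skipped). This is the "column of
# usernames" or IP addresses a word cloud generator takes as input.
report_column() {
  printf '%s\n' "$1" | awk -v col="$2" '$1 ~ /^[0-9]+\.$/ { print $col }'
}

# count_column REPORT N -> "count value" lines, most frequent first,
# ties in value order
count_column() {
  report_column "$1" "$2" | LC_ALL=C sort | uniq -c |
    awk '{ print $1, $2 }' | LC_ALL=C sort -k1,1nr -k2,2
}

# hosts_for_user REPORT USER -> distinct source hosts that tried USER
hosts_for_user() {
  printf '%s\n' "$1" | awk -v user="$2" '$1 ~ /^[0-9]+\.$/ && $4 == user { print $5 }' |
    LC_ALL=C sort -u
}

# Live use: aureport --auth --failed --start this-week > report.txt, then
#   count_column "$(cat report.txt)" 4    # attempted usernames
#   count_column "$(cat report.txt)" 5    # source addresses
```

On the slide's sample, count_column on the host column shows two addresses with five failures each and root as the most-tried name, which is the kind of table worth looking at before the word cloud: the guessed names (root, pi, ubnt, test) are the usual defaults that brute-force scanners try, so none of them need exist on the host to show up here.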
40. Resources
! The Audit Manual Pages
! There are several man pages installed along with the audit tools that provide valuable and very detailed information:
! auditd(8) - The Linux Audit daemon
! auditd.conf(5) - The Linux Audit daemon configuration file
! auditctl(8) - A utility to assist controlling the kernel's audit system
! autrace(8) - A program similar to strace
! ausearch(8) - A tool to query audit daemon logs
! aureport(8) - A tool that produces summary reports of audit daemon logs
! audispd.conf(5) - The audit event dispatcher configuration file
! audispd(8) - The audit event dispatcher daemon talking to plugin programs
! augenrules(8) - A script that merges component audit rule files

41. Resources (1)
! http://people.redhat.com/sgrubb/audit/index.html - The home page of the Linux audit project. This site contains several specifications relating to different aspects of Linux audit, as well as a short FAQ.
! /usr/share/doc/audit - The audit package itself contains a README with basic design information and sample .rules files for different scenarios:
! capp.rules: Controlled Access Protection Profile (CAPP)
! lspp.rules: Labeled Security Protection Profile (LSPP)
! nispom.rules: National Industrial Security Program Operating Manual Chapter 8 (NISPOM)
! stig.rules: Security Technical Implementation Guide (STIG)
! Word Cloud Generator: http://www.wordclouds.com/

42. T-t-t-t-that's all, folks!
Gary Smith
Information System Security Officer, Molecular Science Computing, EMSL, Pacific Northwest National Laboratory
Richland, WA
gary.smith@pnnl.gov