Audit Oracle Linux with Auditd
Auditd is a userspace system daemon that runs in the background generating logs about different activities performed on Oracle Linux.
This tutorial guides you through installation, configuration, and using auditd.
Objectives
In this lab, you’ll learn to:
- Install the audit packages
- Manage the audit service
- Create audit rules
- Search the audit logs
Prerequisites
- A system with Oracle Linux 8 installed with the following configuration:
- a non-root user with sudo permissions
Install the Audit Package
Note: When using the free lab environment, see Oracle Linux Lab Basics for connection and other usage instructions.
Oracle Linux installs the audit package by default.
If not already connected, open a terminal and connect via ssh to the ol8-server system.
Check if the system preinstalled the audit package.
sudo dnf list installed "audit"
If it’s not on the system, install it.
The default configuration file for the auditd daemon is located at /etc/audit/auditd.conf .
Manage the Audit Service
Once the audit package is installed, start the auditd service. First, check the current status.
sudo systemctl status auditd
[oracle@ol8-server ~]$ sudo systemctl status auditd
* auditd.service - Security Auditing Service
   Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor pres>
   Active: active (running) since Fri 2022-04-01 23:59:52 GMT; 2min 38s ago
     Docs: man:auditd(8)
           https://github.com/linux-audit/audit-documentation
 Main PID: 1385 (auditd)
    Tasks: 2 (limit: 100140)
   Memory: 2.5M
   CGroup: /system.slice/auditd.service
           `-1385 /sbin/auditd

Apr 01 23:59:52 localhost.localdomain augenrules[1388]: backlog_wait_time 60000
Apr 01 23:59:52 localhost.localdomain augenrules[1388]: enabled 1
Apr 01 23:59:52 localhost.localdomain augenrules[1388]: failure 1
Apr 01 23:59:52 localhost.localdomain augenrules[1388]: pid 1385
Apr 01 23:59:52 localhost.localdomain augenrules[1388]: rate_limit 0
Apr 01 23:59:52 localhost.localdomain augenrules[1388]: backlog_limit 8192
Apr 01 23:59:52 localhost.localdomain augenrules[1388]: lost 0
Apr 01 23:59:52 localhost.localdomain augenrules[1388]: backlog 0
Apr 01 23:59:52 localhost.localdomain augenrules[1388]: backlog_wait_time 60000
Apr 01 23:59:52 localhost.localdomain systemd[1]: Started Security Auditing Ser>
lines 1-21/21 (END)
The output shows the service is active (running) and enabled.
The enabled status indicates the service is configured to start at boot time. If the service is not running, start it as the root user so that it collects Audit information and writes it to the logs.
sudo service auditd start
Configure auditd to start at boot time.
sudo systemctl enable auditd
Note: Interact with the auditd daemon only through the service command.
The service command ensures the auid value is recorded. Use the systemctl command only for the enable and status actions.
Temporarily Enable and Disable Auditing
The Audit control utility, auditctl , interacts with the kernel Audit component to manage rules and control many settings and parameters of the event generation process.
Check the status of the kernel Audit subsystem.
[oracle@ol8-server ~]$ sudo auditctl -s
enabled 1
failure 1
pid 1399
rate_limit 0
backlog_limit 8192
lost 0
backlog 0
backlog_wait_time 60000
loginuid_immutable 0 unlocked
Temporarily disable auditd by passing 0 to the auditctl -e flag; passing 1 re-enables it.
Note: The pid shows the auditd service process id. A pid value of 0 indicates the service is not running.
The auditctl -e enable flag also accepts a value of 2 , which locks the audit configuration.
If the audit configuration is locked in this manner, a reboot is required to unlock it. More details are available in man auditctl .
Locate Audit Rules and Logs
By default, Oracle Linux stores the audit logs in /var/log/audit/audit.log .
The audit rules are located in /etc/audit/audit.rules . Oracle Linux generates the default ruleset from the file /etc/audit/rules.d/audit.rules .
sudo cat /etc/audit/audit.rules
sudo cat /etc/audit/rules.d/audit.rules
## First rule - delete all
-D

## Increase the buffers to survive stress events.
## Make this bigger for busy systems
-b 8192

## This determine how long to wait in burst of events
--backlog_wait_time 60000

## Set failure mode to syslog
-f 1
Rules with Audit Control Utility
Use the auditctl program to control the behavior, get status, and add or delete rules.
Add an audit rule which logs any attempt to read or modify the /etc/ssh/sshd_config file.
sudo auditctl -w /etc/ssh/sshd_config -p rwxa -k sshd_config
- -w : Creates a watch at the given path.
- -p : Sets permissions [read,write,execute,attribute] that trigger the watch.
- -k : Sets a key filter that uniquely identifies the audit records produced by a rule.
New rules get added to the bottom of the list, but it’s also possible to add them to the top.
Check if the new rule got added into the /etc/audit/audit.rules file.
sudo cat /etc/audit/audit.rules
[oracle@ol8-server ~]$ sudo cat /etc/audit/audit.rules
## This file is automatically generated from /etc/audit/rules.d
-D
-b 8192
-f 1
--backlog_wait_time 60000
The rule does not appear in the file. Why not?
Rules created with auditctl are not written to the audit.rules file. These changes are therefore transient and do not survive a system reboot.
Make the rule permanent by adding it to a custom ruleset file, /etc/audit/rules.d/my.rules . The rule in the file uses the same syntax as the auditctl command, minus the auditctl program name itself. Write one rule per line; related rules can be combined to optimize performance.
sudo tee /etc/audit/rules.d/my.rules > /dev/null <<'EOF'
-w /etc/ssh/sshd_config -p rwxa -k sshd_config
EOF
sudo cat /etc/audit/rules.d/my.rules
Reading the file as the non-root user (cat /etc/ssh/sshd_config without sudo) returns cat: /etc/ssh/sshd_config: Permission denied and generates the event below in the audit.log .
sudo cat /var/log/audit/audit.log | grep sshd_config
type=CONFIG_CHANGE msg=audit(1648918923.746:266810): auid=1001 ses=15792 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op=add_rule key="sshd_config" list=4 res=1AUID="oracle"
type=SYSCALL msg=audit(1648923583.793:268315): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffd08b6c575 a2=0 a3=0 items=1 ppid=3406680 pid=3428336 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts0 ses=15792 comm="cat" exe="/usr/bin/cat" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="sshd_config"ARCH=x86_64 SYSCALL=openat AUID="oracle" UID="oracle" GID="oracle" EUID="oracle" SUID="oracle" FSUID="oracle" EGID="oracle" SGID="oracle" FSGID="oracle"
type=PATH msg=audit(1648923583.793:268315): item=0 name="/etc/ssh/sshd_config" inode=67688941 dev=fc:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="root" OGID="root"
Search Audit Logs
Another way to search the logs is to use the ausearch command.
Get the same information using this command.
sudo ausearch --key sshd_config
Email option is specified but /usr/lib/sendmail doesn't seem executable.
----
time->Sat Apr  2 17:02:03 2022
type=CONFIG_CHANGE msg=audit(1648918923.746:266810): auid=1001 ses=15792 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op=add_rule key="sshd_config" list=4 res=1
----
time->Sat Apr  2 18:19:43 2022
type=PROCTITLE msg=audit(1648923583.793:268315): proctitle=636174002F6574632F7373682F737368645F636F6E666967
type=PATH msg=audit(1648923583.793:268315): item=0 name="/etc/ssh/sshd_config" inode=67688941 dev=fc:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1648923583.793:268315): cwd="/home/oracle"
type=SYSCALL msg=audit(1648923583.793:268315): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffd08b6c575 a2=0 a3=0 items=1 ppid=3406680 pid=3428336 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts0 ses=15792 comm="cat" exe="/usr/bin/cat" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="sshd_config"
The ausearch output is easier to read because it groups the records of each event. Readability improves further with the -i or --interpret option, which converts numeric fields into text, for example a uid into an account name and a syscall number into its name.
sudo ausearch -i -k sshd_config
Email option is specified but /usr/lib/sendmail doesn't seem executable.
----
type=CONFIG_CHANGE msg=audit(04/02/2022 17:02:03.746:266810) : auid=oracle ses=15792 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op=add_rule key=sshd_config list=exit res=yes
----
type=PROCTITLE msg=audit(04/02/2022 18:19:43.793:268315) : proctitle=cat /etc/ssh/sshd_config
type=PATH msg=audit(04/02/2022 18:19:43.793:268315) : item=0 name=/etc/ssh/sshd_config inode=67688941 dev=fc:00 mode=file,600 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(04/02/2022 18:19:43.793:268315) : cwd=/home/oracle
type=SYSCALL msg=audit(04/02/2022 18:19:43.793:268315) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x7ffd08b6c575 a2=O_RDONLY a3=0x0 items=1 ppid=3406680 pid=3428336 auid=oracle uid=oracle gid=oracle euid=oracle suid=oracle fsuid=oracle egid=oracle sgid=oracle fsgid=oracle tty=pts0 ses=15792 comm=cat exe=/usr/bin/cat subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=sshd_config
For more formatting options and ways to search the audit.log , see man ausearch .
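The raw audit.log format shown above is plain key=value text, with the records of one event sharing the same msg=audit(timestamp:serial) value. The following added example (not part of the Oracle tutorial) does in Python what ausearch --key does on the box: it groups records by serial and reports every denied syscall under a given key. The log lines are constructed from the event above, with fields trimmed and one extra successful root read added for contrast.

```python
import re
from collections import defaultdict

# Constructed sample: records in the /var/log/audit/audit.log format, one per line.
# Event 268315 is the denied non-root read from the tutorial (fields abbreviated);
# event 268320 is a constructed successful read by uid 0 that must not be flagged.
SAMPLE_LOG = """\
type=CONFIG_CHANGE msg=audit(1648918923.746:266810): auid=1001 ses=15792 op=add_rule key="sshd_config" list=4 res=1
type=SYSCALL msg=audit(1648923583.793:268315): arch=c000003e syscall=257 success=no exit=-13 ppid=3406680 pid=3428336 auid=1001 uid=1001 comm="cat" exe="/usr/bin/cat" key="sshd_config"
type=CWD msg=audit(1648923583.793:268315): cwd="/home/oracle"
type=PATH msg=audit(1648923583.793:268315): item=0 name="/etc/ssh/sshd_config" inode=67688941 mode=0100600 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1648923600.001:268320): arch=c000003e syscall=257 success=yes exit=3 pid=3428400 auid=1001 uid=0 comm="cat" exe="/usr/bin/cat" key="sshd_config"
type=PATH msg=audit(1648923600.001:268320): item=0 name="/etc/ssh/sshd_config" inode=67688941 mode=0100600 ouid=0 ogid=0 nametype=NORMAL
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')  # timestamp and event serial

def parse_record(line):
    """Split one audit.log record into a dict; quotes are stripped from values."""
    m = MSG_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    rec["timestamp"], rec["serial"] = m.group(1), m.group(2)
    return rec

def group_events(text):
    """Group records by serial, so each event becomes one list of records."""
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["serial"]].append(rec)
    return events

def failed_access(text, key):
    """Return (serial, auid, exe, path) for each SYSCALL record with success=no under key."""
    hits = []
    for serial, recs in group_events(text).items():
        sc = next((r for r in recs if r["type"] == "SYSCALL"), None)
        if not sc or sc.get("key") != key or sc.get("success") != "no":
            continue
        paths = [r["name"] for r in recs if r["type"] == "PATH"]
        hits.append((serial, sc["auid"], sc["exe"], paths[0] if paths else None))
    return hits

if __name__ == "__main__":
    for hit in failed_access(SAMPLE_LOG, "sshd_config"):
        print("denied access event=%s auid=%s exe=%s path=%s" % hit)
```

Note that the auid survives a sudo or su, which is why the tutorial insists on recording it; this script reports the auid, not the uid, for the same reason.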
Load Pre-Configured Rules
Oracle Linux provides a script that merges all component audit rules files found in /etc/audit/rules.d . After merging, the new file replaces the existing /etc/audit/audit.rules . This script is built into the auditd service file and runs when the service starts.
Check whether any rule changes are waiting to be loaded (augenrules --check).
The output states, Rules have changed and should be updated . This change is due to the my.rules file created earlier in /etc/audit/rules.d .
Delete the previously added sshd_config custom rule to track the new rule additions easily.
sudo auditctl -D -k sshd_config
Merge the my.rules custom rule file.
[oracle@ol8-server ~]$ sudo augenrules --load
No rules
enabled 1
failure 1
pid 1395
rate_limit 0
backlog_limit 8192
lost 0
backlog 0
backlog_wait_time 60000
enabled 1
failure 1
pid 1395
rate_limit 0
backlog_limit 8192
lost 0
backlog 0
backlog_wait_time 60000
enabled 1
failure 1
pid 1395
rate_limit 0
backlog_limit 8192
lost 0
backlog 0
backlog_wait_time 60000
Check the active audit rules.
[oracle@ol-lab-2022-03-23-182415-0 ~]$ sudo auditctl -l
-w /etc/ssh/sshd_config -p rwxa -k sshd_config
Add additional rules to a new file, new.rules .
Note: Only files ending in .rules are read by augenrules and loaded.
sudo tee /etc/audit/rules.d/new.rules > /dev/null <<'EOF'
-w /etc/passwd -p wa -k passwd_changes
-w /etc/selinux/ -p wa -k selinux_changes
EOF
Load the new rules with augenrules --load, as before, so they are merged into the audit.rules file.
sudo cat /etc/audit/audit.rules
The system made a backup file /etc/audit/audit.rules.prev as part of the merge.
Information provided by the Oracle Linux Auditing System aids with intrusion detection.
Check out the man pages for the utilities shown. Then use what you learned to add custom audit rules to your system for particular logging events.
Copyright © 2022, Oracle and/or its affiliates.