Linux audit framework

Linux Auditing Framework In 5 minutes

Transcript of Linux audit framework

Page 1: Linux audit framework

Linux Auditing Framework

In 5 minutes

Page 2: Linux audit framework

About

● Included in RHEL4+ and all other Linux distros (SuSE used their own product for SLES 9 but switched in SLES 10)

● Supports CAPP, LSPP, RSBAC, NISPOM, FISMA, PCI-DSS, STIG, EAL4+

● Minimal overhead, integrated with the Linux kernel

● Supports sudo/su etc. and is not “possible” to bypass

● Can audit more or less everything

● Hard to read audit logs

Page 3: Linux audit framework

Rules

Example rules:

/usr/share/doc/audit-2.2/capp.rules

/usr/share/doc/audit-2.2/lspp.rules

/usr/share/doc/audit-2.2/nispom.rules

/usr/share/doc/audit-2.2/stig.rules

Page 4: Linux audit framework

Commands

auditctl - control utility. Status, add/remove rules etc.

ausearch - search in the logs

aureport - gives a report

Page 5: Linux audit framework

Easy example

auditctl -w /etc/passwd -p rwa -k "reading password file"

-w = file to watch

-p = permissions to monitor. Can be Read, Write, Execute or Append

-k = key string tagged onto the matching log entries (what you later search for with ausearch -k)

Page 6: Linux audit framework

Easy example II

auditctl -w /tmp -p x -k "Someone is using /tmp"

Checks if someone is using (executing something from) /tmp. Note: -p takes r, w, x or a, so the execute permission is x.

auditctl -a entry,always -S all -F pid=1005

Monitor everything a PID does... (newer audit versions have dropped the entry list; use -a exit,always instead)

auditctl -l

shows the current rules

Page 7: Linux audit framework

Searching logs

ausearch -i -f /etc/passwd

could give:

type=PATH msg=audit(07/15/2013 15:03:43.153:9090) : item=0 name=/etc/passwd inode=656631 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00

type=CWD msg=audit(07/15/2013 15:03:43.153:9090) : cwd=/root

type=SYSCALL msg=audit(07/15/2013 15:03:43.153:9090) : arch=x86_64 syscall=open success=yes exit=3 a0=7fffd13addf0 a1=0 a2=619908 a3=7fffd13ad560 items=1 ppid=1255 pid=1801 auid=torstein uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=1 comm=grep exe=/bin/grep key=reading password file

A user (torstein) has used /bin/grep from the directory /root as the user root to view the file. The three records belong to one event (same serial 9090 in msg=audit(...)): auid= is the user who originally logged in, uid=/euid= the identity the process ran as, and key= the tag given with -k.
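The records above only make sense once the lines sharing serial 9090 are read together. As an added example (not from the slides), a small Python parser that groups ausearch -i records by serial, copes with the unquoted multi-word key= field, and flags events where the login user (auid) differs from the effective user (uid), which is what the su/sudo case looks like; the sample records are the three lines shown above, embedded inline.

```python
import re
from collections import defaultdict

# Constructed sample: the three records the slide shows ausearch -i printing (one event, serial 9090).
SAMPLE_RECORDS = """\
type=PATH msg=audit(07/15/2013 15:03:43.153:9090) : item=0 name=/etc/passwd inode=656631 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(07/15/2013 15:03:43.153:9090) : cwd=/root
type=SYSCALL msg=audit(07/15/2013 15:03:43.153:9090) : arch=x86_64 syscall=open success=yes exit=3 a0=7fffd13addf0 a1=0 a2=619908 a3=7fffd13ad560 items=1 ppid=1255 pid=1801 auid=torstein uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=1 comm=grep exe=/bin/grep key=reading password file
"""

# type=<record> msg=audit(<timestamp>:<serial>) : <key=value ...>; the serial ties one event's records together
RECORD_RE = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>[^)]+):(?P<serial>\d+)\) : (?P<body>.*)$")

def parse_record(line):
    """Parse one interpreted (ausearch -i) record into (type, timestamp, serial, fields) or None."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    body, fields = m.group("body"), {}
    # -i prints the -k key last and unquoted, so it may contain spaces: peel it off before splitting
    key_match = re.search(r" key=(.*)$", body)
    if key_match:
        fields["key"], body = key_match.group(1), body[:key_match.start()]
    for token in body.split():
        if "=" in token:
            fields.update([token.split("=", 1)])
    return m.group("type"), m.group("ts"), int(m.group("serial")), fields

def group_events(text):
    """Join the PATH/CWD/SYSCALL records that share a serial into one event dict per serial."""
    events = defaultdict(dict)
    for rtype, ts, serial, fields in filter(None, map(parse_record, text.splitlines())):
        event = events[serial]
        event["timestamp"] = ts
        if rtype == "PATH":  # one syscall may touch several paths (item=0, item=1, ...)
            event.setdefault("paths", []).append(fields.get("name"))
        else:
            event[rtype] = fields
    return dict(events)

def privilege_changed(event):
    """True when the login user (auid) differs from the user the syscall ran as (uid), e.g. after su/sudo."""
    sc = event.get("SYSCALL", {})
    return sc.get("auid") != sc.get("uid")

def summarize(event):
    """One-line reading of an event, the way the slide explains the grep example."""
    sc, paths = event.get("SYSCALL", {}), ", ".join(p for p in event.get("paths", []) if p)
    return (f"{sc.get('auid', '?')} ran {sc.get('exe', '?')} as {sc.get('uid', '?')} from "
            f"{event.get('CWD', {}).get('cwd', '?')} on {paths} (key={sc.get('key', '')!r})")
```

Feed it the output of `ausearch -i` (for example `group_events(open("out.txt").read())`) and print `summarize()` for every event where `privilege_changed()` is true to list the root actions taken from ordinary logins.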

Page 8: Linux audit framework

Other searches

ausearch -ts 01/01/13 -k password-file

ausearch -ts today -k password-file -x rm (shows who deleted the password file today)

ausearch -ts today -k "reading password file" -ui 0 (checks who has been using root to read the password file)

Page 9: Linux audit framework

More advanced

● Logs to /var/log/audit/

● /etc/audit/auditd.conf is the config for the daemon. Can be configured to halt on full disk or to require a reboot to change rules

● /etc/audit/audit.rules holds the rules it will load on startup. See the example files it ships with, but it could look like this:

-w /etc/passwd -p wa -k identity