Friday, September 1, 2017

17 - Linux Security: system auditing with Audit Daemon (AuditD)


- Layout for this exercise:

1 - Introduction to AuditD

- The Linux Audit Daemon (auditd) is a framework for security auditing on a Linux system: it keeps a record of system events and provides tools for reporting on them.

- auditd can track many event types to monitor and audit the system. For instance:
  • audit file access and modification
  • see who changed a particular file
  • detect unauthorized changes
  • monitor system calls and functions
  • detect anomalies like crashing processes
  • set tripwires for intrusion detection purposes
  • record commands used by individual users

- auditd is the userspace component of the Linux Auditing System. It is responsible for writing audit records to disk.

- The logs are viewed with the ausearch or aureport utilities. The event related to a given file, or the access to it, can be traced quickly with ausearch.

- The audit daemon itself has some configuration options that the admin may wish to customize. They are found in the auditd.conf file.

- Configuring the audit rules is done with the auditctl utility. During startup, the rules in /etc/audit/audit.rules are read by auditctl. 

- Command-line options for starting the audit daemon:

-f: leave the audit daemon in the foreground for debugging. Messages also go to stderr rather than the audit log.
-l: allow the audit daemon to follow symlinks for config files.
-n: no fork. This is useful for running off of inittab.
-s=ENABLE_STATE: specify when starting whether auditd should change the current value of the kernel enabled flag. Valid values for ENABLE_STATE are "disable", "enable" or "nochange".

- By defining the path option, we tell the audit framework which directory or file to watch.

- The permissions determine what kind of access will trigger an event. Although these look similar to file permissions, note that there is an important difference between the two.

- The four options are:

r = read
w = write
x = execute
a = attribute change

2 - Installing and configuring auditd

- Installing auditd and related plugins and dependencies:

- Manual for auditd:

- Checking that the auditd service is active:

- At this point no rules have been added to auditd:

3 - Adding a rule for /etc folder configuration

- Adding the rule (-w sets a watch on /etc; the permissions read, write, execute and attribute change are requested with -p rwxa):

- Listing the rule:

- Now, let's modify the /etc folder by creating a new text file:

- ausearch is a tool that queries the auditd logs by event. In this case the parameter -f /etc/ tells it to search for events based on the given filename (-f):

- The user ID corresponds to root:

4 - Making rules permanent after restarting auditd service

- One of the issues with auditctl is that changes to rules are not permanent and will go away whenever the audit service is restarted. 

- To avoid this, the rule must be added to the file /etc/audit/rules.d/audit.rules.

- Restarting the service:

- Now the rule is gone after the restart:

- Editing the audit.rules configuration file by adding a rule:

- Restarting the service auditd:

- This time the rule survives the restart:

5 - Adding a rule for the SSH service

- Adding a new rule for the SSH service:

- Listing the current rules:

- Editing the SSH configuration file; currently the PermitRootLogin directive is set to "yes":

- Changing the value of the PermitRootLogin directive to "no":

- Searching with ausearch shows the nano command used on the sshd configuration file:

- As expected, the user ID corresponds to root:
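Since the commands of sections 3 to 5 only survive as screenshots, the following added example (my own script, not part of the original post) reproduces the two ideas behind them without root or a running auditd: building the persistent -w/-p/-k rule lines for /etc/audit/rules.d/audit.rules, and answering the ausearch -f question ("who touched this file?") by joining the SYSCALL and PATH records of each event in a raw audit.log. The key names, the helper function names and the sample log records are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: helper functions for the exercise
# that run without root or a live auditd (the audit.log records are constructed).

# Build one persistent rule line for /etc/audit/rules.d/audit.rules:
# -w watches a path, -p lists the accesses (r w x a) that raise an event,
# -k tags the events so "ausearch -k KEY" can pull them back later.
# usage: audit_watch_rule PATH PERMS KEY
audit_watch_rule() {
    printf '%s %s %s %s %s %s\n' -w "$1" -p "$2" -k "$3"
}

# Answer the "ausearch -f FILE" question from a raw audit.log on stdin: the
# SYSCALL and PATH records of one event share the same msg=audit(TIME:SERIAL)
# id, so join them on it and report the uid/auid/exe behind the file access.
# usage: audit_events_for_file /path/to/file < /var/log/audit/audit.log
audit_events_for_file() {
    awk -v file="$1" '
    {
        match($0, /msg=audit\([0-9.]+:[0-9]+\)/)
        id = substr($0, RSTART + 10, RLENGTH - 11)     # e.g. 1504258400.123:456
        if (!(id in seen)) { seen[id] = 1; order[++n] = id }
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            gsub(/"/, "", kv[2])                       # drop quotes around strings
            f[id, kv[1]] = kv[2]                       # later records add fields
        }
    }
    END {
        for (i = 1; i <= n; i++) {
            id = order[i]
            if (f[id, "name"] == file)
                printf "event %s: auid=%s uid=%s exe=%s key=%s\n",
                       id, f[id, "auid"], f[id, "uid"], f[id, "exe"], f[id, "key"]
        }
    }'
}

# Constructed sample: root creating a file under the watched /etc (section 3)
# and root editing sshd_config with nano (section 5), two records per event.
SAMPLE_LOG='type=SYSCALL msg=audit(1504258300.500:450): arch=c000003e syscall=2 success=yes exit=3 ppid=1100 pid=1180 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="touch" exe="/bin/touch" key="etc_changes"
type=PATH msg=audit(1504258300.500:450): item=0 name="/etc/test.txt" inode=4321 dev=08:01 mode=0100644 ouid=0 ogid=0 nametype=CREATE
type=SYSCALL msg=audit(1504258400.123:456): arch=c000003e syscall=2 success=yes exit=3 ppid=1200 pid=1234 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="nano" exe="/bin/nano" key="sshd_config"
type=PATH msg=audit(1504258400.123:456): item=0 name="/etc/ssh/sshd_config" inode=5678 dev=08:01 mode=0100600 ouid=0 ogid=0 nametype=NORMAL'

# Demo: the two rule lines used in the exercise, then who touched sshd_config.
audit_watch_rule /etc rwxa etc_changes
audit_watch_rule /etc/ssh/sshd_config wa sshd_config
printf '%s\n' "$SAMPLE_LOG" | audit_events_for_file /etc/ssh/sshd_config
```

Note that auid (the login uid) keeps the original user even after su or sudo, which is why the report prints it next to uid=0.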