SYSTEM AUDITING WITH AUDIT DAEMON (AUDITD)
- Layout for this exercise:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihgvGeHcNbnaC-IkVIkgpWu1UmsbhMeblY8na3XHkgWAhfy-bOnQxnZYhqA7jfpzSIF1WxqpfU0Xx8YDcwGYbTOf5tyjeR7jiF12jGaXppr84-9wL4A-sD_gZj1LZ-8iyRewkCMU3GmSIu/s1600/debian.jpg)
1 - Introduction to AuditD
- The Linux Audit Daemon (auditd) is a framework for security auditing on a Linux system: it keeps a record of system events and provides reporting capabilities.
- auditd can track many event types to monitor and audit the system. For instance:
- audit file access and modification
- see who changed a particular file
- detect unauthorized changes
- monitoring of system calls and functions
- detect anomalies like crashing processes
- set tripwires for intrusion detection purposes
- record commands used by individual users
- auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk.
- The logs are viewed with the ausearch or aureport utilities. With ausearch, the event related to a given file access can be traced quickly.
- The audit daemon itself has some configuration options that the admin may wish to customize. They are found in the auditd.conf file.
- Configuring the audit rules is done with the auditctl utility. During startup, the rules in /etc/audit/audit.rules are read by auditctl.
- Command-line options for the audit daemon:
-f: leave the audit daemon in the foreground for debugging. Messages also go to stderr rather than the audit log.
-l: allow the audit daemon to follow symlinks for config files.
-n: no fork. This is useful for running from inittab.
-s=ENABLE_STATE: specify when starting if auditd should change the current value for the kernel enabled flag. Valid values for ENABLE_STATE are "disable", "enable" or "nochange".
- The path option (-w) tells the audit framework which directory or file to watch.
- The permissions (-p) determine what kind of access will trigger an event. Although these look similar to file permissions, there is an important difference: they select which kinds of access are recorded, not which are allowed.
- The four options are:
r = read
w = write
x = execute
a = attribute change
2 - Installing and configuring auditd
- Installing auditd and related plugins and dependencies:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNiM-cajgJCpmH7g-HeHhPgskNnBkXXLIl8_6XWythMz9SCDJbGoNo_-wVYpaizl-fuFb1-x32dhZlVJhBiHy_L5EtAwOTq-bj_QhcNIO29IDkqZ979jmKGgdDzgBThH37670LrptmzxcC/s1600/screenshot.1.jpg)
- Manual for auditd:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtfnPRxfZYHLCWd9GHuDsz1fJ4_xyGKD5EFHs2NIMywpaDcfNn3AmeVOG-Xl13gnPDbeqmKIvrpp2u2R9ud04yj-YYNyDI5iSKOjCUlxoX7o1X4wLzCKkrDvNHZcnuI4xEasunTD6VM0bL/s400/screenshot.3.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEizuJeVsEE2P-e7gbUIhigGqS8zxE-lWuS028F6fL5zsl_-6ID9fpjzasf8S4N9kemz7PxU6RlMZ3bCAw0-_SJNRu_DuO_IJuRDw6HH2Rmjio5IFitda_EagK9UOwRrXR4qjB01swRe6w-e/s1600/screenshot.2.jpg)
- Checking that auditd service is active:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLIXS7ehGzRhv3-hPjBf1Z7fp2M7iWG-LvQFMKSlNIdYRxiVcWPGUxe7OycNVxet3oUF_ygWbfVPcJSRUM48OkD_0vaf9IlgCyMwG5QR-pVNQl_P2HeiDvIong0llEMwC9serv_-hJnTX-/s1600/screenshot.5.jpg)
- At this point no rules have been added to auditd:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMhx7_7bfErodYy5Zrhts4PRsesd0XPtT1YpFElebx_gS1G83Q6KzuOcQNUICEbDXriD76O6aNmKylW0qg1GT2BbnIw1PxT-zo2cp87vP2r9RCkKChycaG38gTisV2t3pcYAGg6Jpqqq9E/s400/screenshot.4.jpg)
3 - Adding a rule for /etc folder configuration
- Adding the rule (-w to watch /etc, with the permissions read, write, execute and attribute change):
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkBJS_FWcKTaEDj2aHcMLbrRwxdNyADTp9wI4iKlUylcdbuLab7OMu9ixfGy4s3zs_BUt8qBJOXROGTaodiumIndUBTL077FPJil37CfxZnvsh4GUAaumt6pIl4hLkj0XCFinB8a739gN6/s1600/screenshot.7.jpg)
- Listing the rule:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEimPqVix5l06jHVe7a3a1qdYTEODqocTDBMOJYd1VHq1YeI3SeDo6r8xVRAj1z_bCXQnTuDiBxKkYjC5xOI-GRk27K4d7kTgjkUwrvfWEs-n5NOQM8XhtfVLhUghpkee9APBpVjY-kZybAd/s400/screenshot.8.jpg)
- Now, let's modify the /etc folder by creating a new text file:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgz-BWdm5IgJOMC3M3adlHGB5uR82U4j59MICGELhMMeHLQWT3iFE8D32gju4nSV0NIvE1B4kntyHS9Sta4BxJciaELgbL3Dnw1llCprWANUsuXvjAU3jpeFAxUx8shiEWLBH3fQGJRF1_9/s1600/screenshot.10.jpg)
- ausearch queries the audit log by event attributes. Here, the parameter -f /etc/ searches for events that reference the given filename:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7A8niEOeoRu7DhCtOMLJmqtYtZRH99ZcTSdFdp7yIZbDTCMgZaJlgzfjBfi7Dhik_CaSKM6BdLN1vgQ1f3EMpCHh21w2haud_zl2tRV6tq2lgdQW2LMw159NnROrjMLflZgQ9twYkrtjp/s1600/screenshot.11.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQybNAjcWaN6KcHryMAddvvBsvHX9dLs5hIsUvAu4KntQ6aaayWMgcFr8kTYz8_1YTh-tlCgTttd1dN4QxtMrr2Y3fRZ7XuDOo5CYTGZEUXG-2gVRPv5pIfM1ErhgjQ4LplMpN6stAJPMH/s1600/screenshot.12.jpg)
- The user ID corresponds to root:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEguRkWVvfuIuFPhoUE7EKcg0rXborWUu-euvYiEwPrPrlIR33t-vNa-NB7MsQaefcqPFE5IwCHNbSoB3XQag_5AD6U45jOal2d2FINEkDUlZLWniYE2cwtGU45TVDDOhvqdC_RpgLAFnWUY/s400/screenshot.13.jpg)
4 - Making rules permanent after restarting auditd service
- One of the issues with auditctl is that rules added with it are not persistent: they are lost whenever the audit service is restarted.
- To keep a rule across restarts, it must be added to the file /etc/audit/rules.d/audit.rules.
- Restarting the service:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPxXdnW9nv6sWX927Yll4bUMx3ToTUbpAagKSmnokSJNeaACB3xIFm6Q7kY7pLkeFIDv8QJs7k-uwyBVd2_VRIEDQ-ptaNFu55fd38ymldPzEVKUwuKvyLCOhNrSMWdPLuh11Q4HiIHx0S/s1600/screenshot.17.jpg)
- Now the rule is gone after the restart:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgD3sd6yQqDIzM3yA7VLE3WgfttnpfRcS0LfHk1-SjgBTOSJjYioyIHRoxwVMusIA1xdv96dIotJbdfWVPJL6YyQkIOmKs-FD8SgS4chbSexPsl61WQ_ChsXPg_Ah4kmxjnyOdr9e_mfoIa/s400/screenshot.19.jpg)
- Editing the audit.rules configuration file by adding a rule:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEizgcCrEe01KsHlhWBi4SAiGLXenDtl-_imNpdA3ZrlfzeScaNWY95VudjlDiJbiPaRtPRGZpR1MqcVuJS58J58iguJKJR0DPRJs2HwHMWCjga6P8Q47cxQ8RIfBz-_dWjDY79OIw9th-xO/s1600/screenshot.20.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5T1HMZhBTqTkmNwPBARU12V9nk0vIJHM2ejU9AAIXI3v5MP6xfgWkX9bHkbAqUvAEb4y0r1kFUa0sMKom8X1YwH0fDWXHgLuqVVUN0MG4sONUxqFJnhyejnglOnC6bN0eG4LwG5ar3TI-/s1600/screenshot.22.jpg)
- Restarting the service auditd:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLixTxm_CSsa7jA3b6LjotryrGaHCko5C9iweIhsdpetMjP02CQRUDWdW0gR5HyPxzCudNAu4iySw373G5LcX57eS9P0EhbQ_ZjfyWvD8WhQHCZIlhrFJOKVZDvIzeOntnkH4LCw57D9mA/s1600/screenshot.17.jpg)
- This time the rule is still there after the restart:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjEXdnK0zAj02V-M6YQnzDRnZtRqQrrDS3Jw2KVdIPp34K7OFEJo2khBWrTpVQnImJXlZ8VDUoLLzw8G6tqgdJWjtFwCRtRGIwGSmGjKRdxph_qI6yvoMz8ENGUHOOsA2pak5o3VP1B2oaj/s1600/screenshot.23.jpg)
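As an added example (not the post's own code), the following Python parses auditd watch rules of the form used in sections 1 and 3 (-w path, -p permissions, plus the optional -k key that auditctl accepts for tagging events) and compares the rules currently loaded, as printed by `auditctl -l`, with the contents of /etc/audit/rules.d/audit.rules. Any rule loaded but absent from the file is exactly the kind of rule that vanishes on the next restart. The key names, the sample `auditctl -l` output and the sample rules file are constructed for this example.

```python
"""Parse auditd watch rules and find loaded rules that are not persisted.

Added example, not the post's own code. Both sample inputs below are
constructed text, not captured from a real host.
"""
import shlex

VALID_PERMS = "rwxa"  # r=read, w=write, x=execute, a=attribute change


def parse_watch_rule(line):
    """Parse one `-w PATH [-p PERMS] [-k KEY]` rule line into a dict.

    Returns None for blank lines, comments and non-watch rules (syscall rules
    written with -a/-S), and raises ValueError for a malformed watch rule.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = shlex.split(line)
    if "-w" not in tokens:
        return None
    # auditctl logs all four access types when -p is omitted.
    rule = {"path": None, "perms": VALID_PERMS, "key": None}
    i = 0
    while i < len(tokens):
        flag = tokens[i]
        if flag in ("-w", "-p", "-k"):
            if i + 1 >= len(tokens):
                raise ValueError(f"{flag} needs an argument: {line!r}")
            value = tokens[i + 1]
            if flag == "-w":
                rule["path"] = value
            elif flag == "-p":
                bad = sorted(set(value) - set(VALID_PERMS))
                if not value or bad:
                    raise ValueError(f"invalid -p value {value!r} in {line!r}")
                # Canonical letter order so that "-p aw" and "-p wa" compare equal.
                rule["perms"] = "".join(p for p in VALID_PERMS if p in value)
            else:
                rule["key"] = value
            i += 2
        else:
            i += 1  # other tokens (e.g. -F fields) are not modelled here
    if rule["path"] is None:
        raise ValueError(f"watch rule without a path: {line!r}")
    return rule


def unpersisted_rules(loaded_output, rules_file_text):
    """Return loaded watch rules (path, perms, key) missing from the rules file.

    `loaded_output` is the text printed by `auditctl -l`; `rules_file_text`
    is the content of /etc/audit/rules.d/audit.rules.
    """
    def rule_set(text):
        rules = set()
        for line in text.splitlines():
            r = parse_watch_rule(line)
            if r is not None:
                rules.add((r["path"], r["perms"], r["key"]))
        return rules

    return sorted(rule_set(loaded_output) - rule_set(rules_file_text))


# Constructed sample of `auditctl -l` output: the /etc watch from the post
# plus a second watch that was added interactively and never written down.
LOADED = """\
-w /etc/ -p rwxa -k etc_changes
-w /etc/ssh/sshd_config -p wa -k sshd_config
"""

# Constructed sample of /etc/audit/rules.d/audit.rules: only the /etc watch.
RULES_FILE = """\
## Watch the /etc tree for read, write, execute and attribute changes
-w /etc/ -p rwxa -k etc_changes
"""

if __name__ == "__main__":
    for path, perms, key in unpersisted_rules(LOADED, RULES_FILE):
        print(f"not persisted: -w {path} -p {perms} -k {key}")
```

On a real host, feed the output of `auditctl -l` and the rules.d file content to `unpersisted_rules()`; an empty result means every loaded watch is also on disk and will survive a restart.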
5 - Adding a rule for the SSH service
- Adding a new rule for the SSH service:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWIL5Xb4qA3YKvWQLxbC8cIbminaLn-HouDbEnRvGkBxamq76QyPYxcqDAtXT6F9OB8XL8Iceo8oxnd50FiKAnmIXGozl9INcyorT7lxSYkaTkAursJqxsPND1frG3Hxowwst66GS7G_ou/s1600/screenshot.24.jpg)
- Listing the current rules:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj78G9pgvlkhnn1xTKffCWcX0cXLTwmIDYHdrMtV24WMNFEax_Wq8v6RPB6T6VUCto23nMOzYLQvQ4Ram-F2R0p6qMnqky9j032BtCR6CZMqMCtJCECs6LvuX3i27o1oyTjq0OKKKg2wyxp/s1600/screenshot.25.jpg)
- Opening the SSH configuration file: the PermitRootLogin directive is currently set to "yes":
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOPiKD6FdHcWNNokAbxxoTbAxDPePXp954B_sZLQaJETKdosDgGrtIguU8sT4vUTIuSfUOZu0dLC1AP9jsEBnt_TAuArdEArK81qlguf6KbVSRX_H4yGtBagZih5GTlbhf7SEFY5M1MJKw/s1600/screenshot.27.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFSL-mer5q-D6eLrlFmyphtOkMz27awvs-_pstHzgfR-AJQf5wkA5LScssaERCyKFZhSXAQwZTng6vZ3iUwR_seRVVOZU5cKey5w7OW5KNAipYZqjRKWDZksuk3PrxujU9PSyVQNNmDkS7/s400/screenshot.28.jpg)
- Changing the value of the PermitRootLogin directive to "no":
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgM-gKBZBXU1s6PPRAyjtvBzQ-6WmiiGPaby5aBAuAZiQWE1p0QvizrhXeg6n8gIT8ZYXuJU540prJkkZBd3DGv9HaYtxuOrqfvbavHbObqWIGges43cZGQRnwm5rGyOtKuZyxqYf3dw8eq/s400/screenshot.32.jpg)
- Searching with ausearch, the nano command used on the sshd configuration file is found:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjP6yYmFpDQpq0anGCIUHlIbO-gx13hW8u2QFGYiMCnRGotWFeoQNDB_ZXSJw2DYFqOCZw-4RUsHg2O5u68p-zubMfjyplCZxNt6T7zZOYJOcG2yGWWjhGFkU-6MGcjLXDiB86Wc2djaJGv/s1600/screenshot.36.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9UGirPM0zrwHTKjPWm12MQ6Tuw_wddd_78aus5sYzJyS2ksisZnEf4cf5oJYVgbUHQoeTOnSSdfXdV-kQ77MXx75tYHdfmjQyU4MUEts9Dl_MzCVb1g3ADA5VQdfr5XetqKgN5AvASwcB/s1600/screenshot.34.jpg)
- As expected, the user ID corresponds to root:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVRPy_ENJTKqfg8QyRDTk8Hlc1af1lJ34lE5cItWwid5Vd7_cObp8AGyCnxn6iYTU-rXPHxtSU0JzhyR0nUp309uEIwbRiSo6fi07mqPpwI5oWUc1eeLJ0mszdRc_DHMdENsk_1_3pMWx2/s400/screenshot.35.jpg)
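As an added example (not the post's own code), here is a small Python reader for raw /var/log/audit/audit.log records that does what the ausearch queries in sections 3 and 5 do: it groups the SYSCALL, CWD, PATH and PROCTITLE records of one event by the serial number in `msg=audit(time:serial)`, filters by key (-k) or by filename (-f), and reports the uid, the auid (the login UID, which keeps the original user's id across su/sudo, so it answers "who" even when uid is 0), the command, and the command line decoded from the hex-encoded PROCTITLE record, as `ausearch -i` would show it. The log lines are constructed for this example (inode, device and key names included) and the -f filename match is approximated by a path-prefix match.

```python
"""Correlate raw audit.log records the way the post's ausearch queries do.

Added example, not the post's own code. SAMPLE_LOG is constructed text in
the /var/log/audit/audit.log format, not a capture from a real host.
"""
import re
from collections import defaultdict

HEADER_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): ?(.*)$")
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample: event 101 is the creation of a file in /etc (section 3),
# event 102 the nano edit of sshd_config (section 5) by root reached via sudo
# from uid 1000, and event 103 an unrelated read by a normal user.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.123:101): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d0c1b2a2a0 a2=941 a3=1b6 items=2 ppid=1201 pid=1345 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="touch" exe="/usr/bin/touch" key="etc_changes"
type=CWD msg=audit(1700000000.123:101): cwd="/root"
type=PATH msg=audit(1700000000.123:101): item=0 name="/etc/" inode=1024 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1700000000.123:101): item=1 name="/etc/test.txt" inode=1099 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=CREATE
type=PROCTITLE msg=audit(1700000000.123:101): proctitle=746f756368002f6574632f746573742e747874
type=SYSCALL msg=audit(1700000060.501:102): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=5631a9b7c0f0 a2=241 a3=1b6 items=2 ppid=1402 pid=1410 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=5 comm="nano" exe="/usr/bin/nano" key="sshd_config"
type=CWD msg=audit(1700000060.501:102): cwd="/root"
type=PATH msg=audit(1700000060.501:102): item=0 name="/etc/ssh/" inode=1572 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1700000060.501:102): item=1 name="/etc/ssh/sshd_config" inode=1580 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PROCTITLE msg=audit(1700000060.501:102): proctitle=6e616e6f002f6574632f7373682f737368645f636f6e666967
type=SYSCALL msg=audit(1700000120.007:103): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55f1c2e01a10 a2=0 a3=0 items=1 ppid=1500 pid=1512 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=6 comm="bash" exe="/usr/bin/bash" key="home_watch"
type=CWD msg=audit(1700000120.007:103): cwd="/home/alice"
type=PATH msg=audit(1700000120.007:103): item=0 name="/home/alice/.bash_history" inode=2211 dev=08:01 mode=0100600 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL
type=PROCTITLE msg=audit(1700000120.007:103): proctitle="-bash"
"""


def parse_record(line):
    """Split one audit record into its type, timestamp, serial and fields."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    return {"type": rtype, "time": float(ts), "serial": int(serial), "fields": fields}


def group_events(lines):
    """Group records by event serial: one syscall produces several records."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            events[rec["serial"]].append(rec)
    return events


def decode_proctitle(value):
    """PROCTITLE carries argv as hex with NUL separators; unquoted hex is
    decoded, anything that is not hex (auditd quoted it) is returned as-is.
    This is a heuristic: a quoted title made only of hex digits is misread."""
    try:
        raw = bytes.fromhex(value)
    except ValueError:
        return value
    return " ".join(raw.decode("utf-8", "replace").split("\x00"))


def summarize(events, key=None, path_prefix=None):
    """One summary per event matching the key (-k) and/or a watched path (-f).

    ausearch -f matches PATH name fields exactly; a prefix match is used here
    so that a query for /etc/ also covers files created below it.
    """
    out = []
    for serial in sorted(events):
        recs = events[serial]
        sc = next((r for r in recs if r["type"] == "SYSCALL"), None)
        if sc is None:
            continue
        f = sc["fields"]
        paths = [r["fields"].get("name") for r in recs if r["type"] == "PATH"]
        paths = [p for p in paths if p and p != "(null)"]
        if key is not None and f.get("key") != key:
            continue
        if path_prefix is not None and not any(p.startswith(path_prefix) for p in paths):
            continue
        title = next((r["fields"].get("proctitle", "") for r in recs if r["type"] == "PROCTITLE"), "")
        out.append({
            "serial": serial,
            "uid": int(f["uid"]),    # effective identity at the time of the call
            "auid": int(f["auid"]),  # login identity, unchanged by su/sudo
            "comm": f.get("comm"),
            "exe": f.get("exe"),
            "success": f.get("success") == "yes",
            "paths": paths,
            "cmdline": decode_proctitle(title),
        })
    return out


if __name__ == "__main__":
    for ev in summarize(group_events(SAMPLE_LOG.splitlines()), path_prefix="/etc/"):
        print(f"{ev['serial']}: uid={ev['uid']} auid={ev['auid']} {ev['cmdline']!r} -> {ev['paths']}")
```

For the /etc/ query this prints both root events, and the auid column shows that the sshd_config edit was made by a session that logged in as uid 1000 before becoming root, which the uid field alone would hide.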