Audit - something you have, something you do not know, part 1

Audit subsystem is installed usually on each Linux, but very often not used. In this article will try to show you what you can do with it. Be aware here will be used CentOS/RHEL, so the commands and files in your Linux may differ and you should consult documentation
1. Instalation. Lets check if the package is installed (usually it is)
[root@centos ~]# rpm -q audit
audit-1.7.17-3.el5


In this case the package is installed, but if you do not have it you can install with command
you install audit

Here are prerequisites for the package (nothing unusual)
[root@centos ~]# rpm -qR audit
/bin/bash
/bin/sh
/bin/sh
/bin/sh
audit-libs = 1.7.17-3.el5
chkconfig
config(audit) = 1.7.17-3.el5
coreutils
libaudit.so.0
libauparse.so.0
libc.so.6
libc.so.6(GLIBC_2.0)
libc.so.6(GLIBC_2.1)
libc.so.6(GLIBC_2.1.3)
libc.so.6(GLIBC_2.2)
libc.so.6(GLIBC_2.3)
libc.so.6(GLIBC_2.3.2)
libc.so.6(GLIBC_2.3.4)
libc.so.6(GLIBC_2.4)
libm.so.6
libm.so.6(GLIBC_2.0)
libnsl.so.1
libpthread.so.0
libpthread.so.0(GLIBC_2.0)
libpthread.so.0(GLIBC_2.1)
libpthread.so.0(GLIBC_2.3.2)
librt.so.1
libwrap.so.0
rpmlib(CompressedFileNames) <= 3.0.4-1
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
rtld(GNU_HASH)


2. Next step is to check if audit daemon is started
[root@centos ~]# service auditd status
auditd (pid  1432) is running...


if it is not you can start it with
[root@centos ~]# service auditd start
Starting auditd:
[ OK ]

3. Configuration. One important point is to decide do you want to monitor system call or not. I will set to yes setting in file /etc/sysconfig/auditd will add line (or change if its exist)
AUDITD_DISABLE_CONTEXTS="no"

and restart the daemon
Next we should set where will be located audit log file. This is done in /etc/audit/auditd.conf with parameter log_file in format
log_file = /path/file

for example in my config this is
[root@centos ~]# grep ^log_file  /etc/audit/auditd.conf
log_file = /var/log/audit/audit.log


In some high security environments you will want to create dedicated filesystem for audit log files and you should care if this filesystem become full. This is done by parameter in /etc/audit/auditd.conf file
disk_full_action

This parameter can have values: ignore, syslog, exec, suspend, single, and halt
ignore - do nothing
syslog - write warning to syslog
exec /path/to/script - execute script
suspend - stop audit daemon for writing to disk
single - put server in single user mode
halt - shutdown the server
Of course there are many other parameters,but i just touch the most important (in my understanding)

4. Check the current situation
4.1. List current rules
[root@centos ~]# auditctl -l
No rules

4.2. Check current status
[root@centos ~]# auditctl -s
AUDIT_STATUS: enabled=1 flag=1 pid=2062 rate_limit=0 backlog_limit=320 lost=0 backlog=0

No comments:

Post a Comment

Compressed tar archive

There are some cases when you want to create compressed tar archive but you do not have enough disk space to keep original files and tar arc...