auditd components

  • auditctl
    • Configure and manage audit rules; query the kernel audit status.
  • aureport
    • Generate summary reports from the audit logs.
  • ausearch
    • Search the audit logs for events by type, user, key, time and so on.
  • augenrules
    • Merge the rule files in /etc/audit/rules.d/ into /etc/audit/audit.rules and load them into the kernel.
  • auditd
    • The daemon that receives audit records from the kernel and writes them to /var/log/audit/audit.log.
  • audit.rules (/etc/audit/audit.rules, built from /etc/audit/rules.d/*.rules)
    • The rules that are loaded when the daemon starts.
  • auditd.conf (/etc/audit/auditd.conf)
    • Configuration of the daemon itself: log file, rotation, what to do when the disk fills up.

install and configure auditd

# install
apt install auditd

# put your rules in a file under rules.d (augenrules merges every *.rules file there into /etc/audit/audit.rules)
vim /etc/audit/rules.d/audit.rules

# load the merged rules into the running daemon (no restart needed)
augenrules --load

# or restart auditd
systemctl restart auditd

auditctl

# status of the audit system: enabled flag, failure mode, backlog, lost events
auditctl -s

# show all enabled rules
auditctl -l

ausearch

# search for failed login attempts
ausearch --message USER_LOGIN --success no --interpret

# search for account, group and role change
ausearch -m ADD_USER -m DEL_USER -m ADD_GROUP -m USER_CHAUTHTOK -m DEL_GROUP -m CHGRP_ID -m ROLE_ASSIGN -m ROLE_REMOVE -i

# all events where the uid, euid or login uid is 500
ausearch -ua 500 -i

aureport

# report on executables: one line per event, or totals per executable
aureport -x
aureport -x --summary

# login report (one line per login attempt, success and failure)
aureport -l

# combine with ausearch: select the events with ausearch, then summarise the files they touched
ausearch --start today --loginuid 500 --raw | aureport -f --summary

# limit a report to a time window
aureport -l -ts today -te now

## time and output options (the only filters aureport itself has)
-ts <start-time>: start time (now, recent, boot, today, yesterday, this-week, "2023-10-14 00:00:00" ...)
-te <end-time>: end time, same formats
--success / --failed: only successful or only failed events
--summary: totals per item instead of one line per event
-i: interpret numeric fields (uids, syscall numbers) as names

## report types (no argument; each selects what the report is about)
-l: logins
-au: authentication attempts
-m: account, group and role modifications
-u: users
-tm: terminals
-h: remote hosts
-f: files
-p: processes (pids)
-x: executables
-k: rule keys
-s: syscalls
-e: events

aureport cannot select a single user, terminal or host on its own. To report on one user, terminal or host, pick the events with ausearch, add --raw, and pipe them into aureport as shown above.
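The ausearch and aureport invocations above run against a live /var/log/audit/audit.log. The following script is an added example, not part of the original page or of the audit package: it reimplements the "failed login attempts" search as plain awk over raw audit records, so it can run offline against a saved log (or ausearch --raw output) and can be used in a detection pipeline. The USER_LOGIN and ADD_USER records in sample_log are constructed for the example (the addresses are documentation ranges, not real hosts); the function names, the 10-per-source threshold default and the per-field counting are my choices, and generalise the page's single search to any record type and field.

```shell
#!/bin/sh
# Offline parsing of raw auditd records (format: type=... msg=audit(ts:serial): key=value ...).
# Added example; the records below are constructed, not captured from a real system.

sample_log() {
cat <<'EOF'
type=USER_LOGIN msg=audit(1697270401.101:201): pid=2201 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.5 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1697270402.115:202): pid=2202 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.5 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1697270403.120:203): pid=2203 uid=0 auid=1000 ses=4 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=? addr=198.51.100.7 terminal=/dev/pts/0 res=success'
type=USER_LOGIN msg=audit(1697270404.130:204): pid=2204 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="admin" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.5 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1697270405.140:205): pid=2205 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="backup" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.9 terminal=ssh res=failed'
type=ADD_USER msg=audit(1697270406.150:206): pid=2300 uid=0 auid=1000 ses=4 msg='op=adding user id=1001 exe="/usr/sbin/useradd" hostname=? addr=? terminal=pts/0 res=success'
EOF
}

# Count the values of one field (addr, acct, exe, terminal ...) over all records of one type.
# Usage: count_field TYPE FIELD   (raw records on stdin; output "<count> <value>", highest first)
# Quoted values such as acct="root" keep their quotes, exactly as auditd wrote them.
count_field() {
    awk -v type="$1" -v field="$2" '
        $1 == ("type=" type) {
            for (i = 1; i <= NF; i++)
                if (index($i, field "=") == 1)
                    n[substr($i, length(field) + 2)]++
        }
        END { for (v in n) print n[v], v }
    ' | sort -rn
}

# Failed USER_LOGIN records per source address; the offline twin of
#   ausearch -m USER_LOGIN --success no -i
failed_logins_by_addr() {
    grep ' res=failed' | count_field USER_LOGIN addr
}

# Addresses whose failed-login count reaches the threshold (default 10).
brute_force_candidates() {
    threshold=${1:-10}
    failed_logins_by_addr | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Stand-alone demo on the constructed records. On a live host replace sample_log with
#   ausearch -m USER_LOGIN --raw    or    cat /var/log/audit/audit.log
sample_log | failed_logins_by_addr
sample_log | brute_force_candidates 3
```

The type check is on the first whitespace-separated field only, so a value that happens to contain "type=USER_LOGIN" inside the msg= payload cannot match. Raw records are one per line, which is why --raw (not -i) is the right ausearch output to feed into this kind of parser; interpreted output reflows fields and renames them.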

audit.rules

writing audit rules

-a always,exit -F arch=b64 -S open -F dir=/etc -F success=0 -k unauthedfileaccess

-a action,list: append a rule to one of the kernel filter lists
    action always: generate a record every time the rule matches
    action never: suppress records that match (put these before the always rules; lists are evaluated in order)
    list exit: evaluated when a syscall returns; use this for syscall rules
    list task: evaluated at fork/clone, for per-process rules
    list user: filters records that originate in user space (login programs, PAM)
    list exclude: drops whole record types before they are logged
    the old entry list is obsolete; use exit
-F field=value: filter conditions; every -F on the rule must match. In the example above:
    arch=b64: the 64-bit syscall ABI. Syscall numbers differ per ABI, so add a second rule with arch=b32 if 32-bit binaries can run on the host.
    dir=/etc: the path passed to the syscall is under /etc (recursive; path= would match one file only)
    success=0: only record the call if it failed (the "unauthorised access" case)
-S open: the syscall(s) to watch; several can be listed comma separated. Most modern programs open files through openat rather than open, so watch both or the rule misses them.
-k keyname: tag every matching record with a key, so it can be found later with ausearch -k keyname or counted with aureport -k
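The install steps above and the rule syntax just described come together in one rules file. The script below is an added example, not the original page's or the audit project's code: it writes a small baseline rule set (the page's /etc rule, widened to openat and to the 32-bit ABI, plus file watches on identity files and an execve rule for real users) into a rules.d directory and loads it with augenrules. The file name 10-baseline.rules, the buffer size and the choice of rules are assumptions for the example; with no directory argument it targets /etc/audit/rules.d, and the test writes to a temporary directory instead.

```shell
#!/bin/sh
# Write a baseline audit rule set and load it.  Added example; 10-baseline.rules is an
# assumed file name, and the rule selection is one reasonable starting point, not a standard.

# write_baseline_rules [DIR]  ->  writes DIR/10-baseline.rules, prints the number of rules written
write_baseline_rules() {
    dir=${1:-/etc/audit/rules.d}
    mkdir -p "$dir"
    cat > "$dir/10-baseline.rules" <<'EOF'
## Flush existing rules and size the kernel backlog before loading new ones
-D
-b 8192
## Failure mode: 1 = printk, 2 = panic (2 only on hosts that must never run unaudited)
-f 1

## Identity and privilege files: writes and attribute changes (-p wa); r and x are the other flags
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/sudoers -p wa -k sudoers
-w /etc/sudoers.d/ -p wa -k sudoers

## Failed opens under /etc (the page's rule, extended to openat and to the 32-bit ABI)
-a always,exit -F arch=b64 -S open,openat -F dir=/etc -F success=0 -k unauthedfileaccess
-a always,exit -F arch=b32 -S open,openat -F dir=/etc -F success=0 -k unauthedfileaccess

## Commands run by real users (auid >= 1000; 4294967295 is the unset auid of daemons)
-a always,exit -F arch=b64 -S execve -F auid>=1000 -F auid!=4294967295 -k exec
-a always,exit -F arch=b32 -S execve -F auid>=1000 -F auid!=4294967295 -k exec
EOF
    # number of actual rules (non-comment, non-empty lines), useful as a sanity check
    grep -cv -e '^#' -e '^$' "$dir/10-baseline.rules"
}

# Merge rules.d/*.rules (lexical order) into /etc/audit/audit.rules and hand them to
# auditctl; this avoids a daemon restart, which some distributions' auditd unit refuses.
load_audit_rules() {
    augenrules --load && auditctl -l
}

# Apply only when asked explicitly: needs root and a running auditd.
#   sh rules.sh --apply
if [ "${1:-}" = "--apply" ]; then
    write_baseline_rules /etc/audit/rules.d >/dev/null
    load_audit_rules
fi
```

Two caveats a practitioner will want. First, -D at the top of the first file in lexical order is what makes a reload idempotent; without it every augenrules --load appends duplicates. Second, once the rule set is stable, a final file (for example 99-finalize.rules) containing only -e 2 makes the configuration immutable until reboot, so an attacker with root cannot silently disable auditing; leave it out while you are still iterating on rules.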
