Auditd

Auditd Components

  • auditctl
    Configure and manage audit rules.
  • aureport
    Generate reports from audit logs.
  • aushell
    Interactively process audit event data.
  • auditd
    The daemon that collects audit data.
  • audit.rules
    Configuration file for defining audit rules.
  • auditd.conf
    Configuration file for the auditd daemon.

Install and Configure Auditd

# Install
apt install auditd

# Create your audit rules and paste them into a file under rules.d
# (the audit package keeps its configuration in /etc/audit, not /etc/auditd)
vim /etc/audit/rules.d/audit.rules

# Restart auditd
systemctl restart auditd

auditctl

# Check status
auditctl -s

# Show all enabled rules
auditctl -l

ausearch

# Search for failed login attempts
ausearch --message USER_LOGIN --success no --interpret

# Search for account, group, and role changes
ausearch -m ADD_USER -m DEL_USER -m ADD_GROUP -m USER_CHAUTHTOK -m DEL_GROUP -m CHGRP_ID -m ROLE_ASSIGN -m ROLE_REMOVE -i

# All events for one user
ausearch -ua 500 -i

aureport

# Generate a report of all executable file events
aureport -x
aureport -x --summary

# Generate a login report (one line per login event)
aureport -l

# Combine with ausearch
ausearch --start today --loginuid 500 --raw | aureport -f --summary

# Filter reports
aureport -l -ts today -te now

## Report selection and time filtering
# aureport options mostly choose which report to build; for finer filtering
# (by user, key, host, ...) pipe ausearch --raw output into aureport as above.
-ts <start-time>: Start time (e.g., today, yesterday, "2023-10-14 00:00:00").
-te <end-time>: End time (e.g., now).
-u, --user: Report on users.
-tm, --terminal: Report on terminals.
-e, --event: Report on events.
-f, --file: Report on files.
-p, --pid: Report on processes.
-h, --host: Report on hosts (remote addresses).
-k, --key: Report on rule keys.
-x, --executable: Report on executables.
-au, --auth: Report on authentication attempts.
-i, --interpret: Translate numeric uids, gids and syscall numbers into names.
--summary: Collapse the selected report into counts.
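The ausearch and aureport commands above need a live audit log to query. As an added example that is not part of the original post, the shell functions below answer the same three questions (failed logins per source address, account change events, and events per rule key) over a small set of raw records constructed for this example in the layout of /var/log/audit/audit.log, which is what ausearch --raw and the ausearch | aureport pipeline consume. The addresses, pids and the svc account are made up; the key name is the one used by the rule later on this page.

```shell
#!/bin/sh
# Added example: triage raw audit records offline with awk.
# The records below are constructed for this example (documentation IP
# ranges, made-up pids and accounts); they follow the raw audit.log layout.
sample_log() {
cat <<'EOF'
type=USER_LOGIN msg=audit(1700000000.101:201): pid=1201 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.7 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1700000000.105:202): pid=1203 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.7 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1700000000.108:203): pid=1204 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="admin" exe="/usr/sbin/sshd" hostname=? addr=198.51.100.9 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1700000000.110:204): pid=1205 uid=0 auid=1000 ses=4 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=? addr=198.51.100.9 terminal=/dev/pts/0 res=success'
type=ADD_USER msg=audit(1700000000.120:205): pid=1300 uid=0 auid=1000 ses=4 msg='op=adding user id=1001 exe="/usr/sbin/useradd" hostname=? addr=? terminal=pts/0 res=success'
type=USER_CHAUTHTOK msg=audit(1700000000.121:206): pid=1301 uid=0 auid=1000 ses=4 msg='op=PAM:chauthtok acct="svc" exe="/usr/bin/passwd" hostname=? addr=? terminal=pts/0 res=success'
type=SYSCALL msg=audit(1700000000.130:207): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffd1 a2=0 a3=0 items=1 ppid=900 pid=1401 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=4 comm="cat" exe="/usr/bin/cat" key="unauthedfileaccess"
type=SYSCALL msg=audit(1700000000.131:208): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffd2 a2=0 a3=0 items=1 ppid=900 pid=1402 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=4 comm="less" exe="/usr/bin/less" key="unauthedfileaccess"
EOF
}

# Failed logins from one source address: the records `ausearch -m USER_LOGIN -sv no`
# would return, reduced to a count. Usage: failed_logins_from 203.0.113.7
failed_logins_from() {
    sample_log | awk -v want="$1" '
        /^type=USER_LOGIN / && /res=failed/ {
            for (i = 1; i <= NF; i++) if ($i == ("addr=" want)) c++
        }
        END { print c + 0 }'
}

# Number of account, group and role change records: the message types the
# ausearch -m ADD_USER ... line above asks for.
account_changes() {
    sample_log | awk '
        $1 ~ /^type=(ADD_USER|DEL_USER|ADD_GROUP|DEL_GROUP|USER_CHAUTHTOK|CHGRP_ID|ROLE_ASSIGN|ROLE_REMOVE)$/ { c++ }
        END { print c + 0 }'
}

# Records carrying a given rule key: the per-key count `aureport -k --summary`
# prints. Usage: events_with_key unauthedfileaccess
events_with_key() {
    sample_log | awk -v want="key=\"$1\"" '
        { for (i = 1; i <= NF; i++) if ($i == want) c++ }
        END { print c + 0 }'
}

# Stand-alone run: print the three answers for the constructed log.
printf 'failed logins from 203.0.113.7: %s\n' "$(failed_logins_from 203.0.113.7)"
printf 'account change records: %s\n' "$(account_changes)"
printf 'records keyed unauthedfileaccess: %s\n' "$(events_with_key unauthedfileaccess)"
```

On a real host the same functions work over `ausearch --raw` output (or the log file itself) by replacing `sample_log` with that command; ausearch remains the better tool when you need the whole event rather than one record, since it groups the SYSCALL, PATH and CWD records of an event by serial number.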

audit.rules

Writing Auditd Rules

-a always,exit -F arch=b64 -S open -F dir=/etc -F success=0 -k unauthedfileaccess

# Explanation:
-a list,action: Append a rule to a filter list, with the action to take when it matches
    (auditctl also accepts the order action,list).
    Lists:
      exit: Evaluate when the system call completes; the usual choice, since the
            return value and success/failure are known by then.
      task: Evaluate at process creation (fork/clone); only a few fields apply.
      user: Filter events that originate in user space before they are queued.
      exclude: Drop events of a given message type (-F msgtype=...).
      (entry was an older list evaluated at system call entry; it is obsolete and
      auditctl no longer accepts it.)
    Actions:
      always: Generate an audit record whenever the filters match.
      never: Generate no record; used to suppress events ahead of other rules.
-F field=value: Filter fields and conditions. In the example above:
    arch=b64: Match 64-bit system calls (give arch with -S so the syscall number is unambiguous).
    dir=/etc: Match any path under /etc, recursively.
    success=0: Match only calls that failed, e.g. permission denied on a protected file.
-S syscall: The system call to watch, by name or number ("open" here). Modern glibc
    opens files through openat(2), so add -S openat (a rule can list several -S) or
    the rule will miss most opens.
-k keyname: Attach a key to matching records so they can be found with ausearch -k
    and summarised with aureport -k.
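The explanation above lists the mistakes that make a rule useless in practice: a missing key, the obsolete entry list, and watching open without openat. As an added example that is not part of the original post, the shell function below lints a rules file for exactly those three problems before it is loaded; the rules it runs over are constructed for the example (the first is the rule from this page, the rest are made up), and the check names are my own.

```shell
#!/bin/sh
# Added example: a small lint for audit rule files, run before loading them.
# The rules below are constructed for this example; the first one is the
# rule from the post, the others are made up to trigger each check.
sample_rules() {
cat <<'EOF'
# watch failed opens under /etc
-a always,exit -F arch=b64 -S open -F dir=/etc -F success=0 -k unauthedfileaccess
-a always,exit -F arch=b64 -S openat -S open -F dir=/etc/ssh -F success=0 -k sshconfig
-w /etc/passwd -p wa
-a always,entry -F arch=b64 -S execve -k exec
EOF
}

# Reads rules on stdin, prints one finding per line (empty output = clean).
lint_rules() {
    awk '
        /^[ \t]*(#|$)/ { next }      # skip comments and blank lines
        # every rule should carry a key, or ausearch -k / aureport -k cannot find its records
        !/(-k[ \t]|--key[ \t=]|-F[ \t]+key=)/ {
            printf "line %d: no -k key: %s\n", NR, $0 }
        # the entry list is obsolete and auditctl no longer accepts it
        /-a[ \t]+(always|never),entry/ || /-a[ \t]+entry,/ {
            printf "line %d: obsolete entry list, use exit: %s\n", NR, $0 }
        # glibc opens files through openat(2); a rule on open alone misses most opens
        /-S[ \t]+open([ \t]|$)/ && !/-S[ \t]+openat/ {
            printf "line %d: -S open without -S openat: %s\n", NR, $0 }
    '
}

# Number of findings for the rules on stdin (0 means the file passed).
count_findings() { lint_rules | awk 'END { print NR }'; }

# Stand-alone run over the constructed rules: expect three findings.
sample_rules | lint_rules
```

Run it as `lint_rules < /etc/audit/rules.d/audit.rules` before `augenrules --load` or a restart; a non-empty output is worth fixing first, because a rule without a key still generates records but leaves you no cheap way to pull them back out.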

This post is licensed under CC BY 4.0 by the author.