Auditd

Auditd is an auditing deamon used in Linux. It is a very useful tool. By using this tool we can track the changes in a file, We can also track who and when accessed a file. Auditd demo usually runs in the background. The logs of the events are stored in the file /var/log/audit.log.Auditd is commonly used to to list all files which should be watched and search auditdā€™slogs from time to time.

Example:We can track changes like reading and writing in /etc/passwd file.Also we can track executing any files in /bin/examplefile.

We can configure the auditd deamon by using below commands.

1. auditctl>>> This command is used for configuring the auditd deamon. By using this command we can set a watch on any file. During startup, the rules in /etc/audit/audit.rules are read by audit ctl.

2.ausearch >> This command is used for searching the auditd logs.

3.aureport>> The output of the command will give the summarized report from the auditdlogs.

Files:
1. /etc/audit/audit.rules >> This file contains the auditctlrules.
2. /etc/audit/auditd.conf >> Auditd configuration file
3. /var/log/audit/audit.log >>Auditd log file

Auditd:Installation and Configuration

You can install auditd in the system by using ## sudo apt-get install audit or ## sudo yum install audit

StartAuditd>> /etc/init.d/auditdstart

## Configuring Auditdby adding rules in /etc/audit/audit.rules.
## Set a watch on a file by using auditctl
## auditctl -w /etc/passwd -pwar -k password-file

where,

-wis for setting watch. Here watch is set for the file /etc/passwd.
-p war is for setting permission filter for a file to watch. (r,w,x)
## auditctl -w /etc/shadow -k shadow-file -prwxa

This rule will add a watch for the file /etc/shadow. It will generate recordsonread,write executeandappendon shadow file.

How can we foundwho changed a file by using ausearchcommand.

##ausearch-f /etc/passwd
Workingof auditd.
Example.
Step 1. auditctl-w /etc/passwd -k passwd-ra-p ra(add rules)
Step 2. tail /etc/passwd, cat /etc/passwd (perform tasks)
Step 3. ausearch -k passwd-ra

Output

time->Sat Jan 31 13:10:26 2015
type=PATH msg=audit(1422690026.188:60899): item=0 name=”/etc/passwd” inode=2231521 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1422690026.188:60899): cwd=”/home/adminz”
type=SYSCALL msg=audit(1422690026.188:60899): arch=c000003e syscall=2 success=yes exit=3 a0=7fff3ce944f5 a1=0 a2=0 a3=7fff3ce92140 items=1 ppid=21023 pid=21083 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=4294967295 tty=pts31 comm=”tail” exe=”/usr/bin/tail” key=”passwd-ra”
—-
time->Sat Jan 31 13:10:31 2015
type=PATH msg=audit(1422690031.788:60900): item=0 name=”/etc/passwd” inode=2231521 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1422690031.788:60900): cwd=”/home/adminz”
type=SYSCALL msg=audit(1422690031.788:60900): arch=c000003e syscall=2 success=yes exit=3 a0=7fff3b5324ff a1=0 a2=7fff3b5321d0 a3=7fff3b531d10 items=1 ppid=21023 pid=21087 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=4294967295 tty=pts31 comm=”cat” exe=”/bin/cat” key=”passwd-ra”

From the output we can see that the user with theuid1000 executed the command cat and tail in the file /etc/passwd.

Auditdreport summar

##aureport>> Used to obtain a summarized report from theauditdlogs.

Summary Report
Range of time in logs: 02/01/2015 08:31:42.603 - 02/01/2015 08:31:42.724
Selected time for report: 02/01/2015 08:31:42 - 02/01/2015 08:31:42.724
Number of changes in configuration: 1
Number of changes to accounts, groups, or roles: 0
Number of logins: 0
Number of failed logins: 0
Number of authentications: 0
Number of failed authentications: 0
Number of users: 1
Number of terminals: 0
Number of host names: 0
Number of executables: 0
Number of files: 0
Number of AVC's: 0
Number of MAC events: 0
Number of failed syscalls: 0
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 0
Number of keys: 0
Number of process IDs: 1
Number of events: 2
=================================