
Draft

Tools

  • auditd – userspace component to the Linux Auditing System. It’s responsible for writing audit records to the disk.
  • auditctl – a utility for controlling the kernel’s audit system.
  • ausearch – a utility for searching audit log files for specific events.
  • aureport – a utility for creating reports of recorded events.
  • augenrules – a script that merges the component audit rule files under /etc/audit/rules.d/ into /etc/audit/audit.rules.
auditctl -w /etc/passwd -p wa -k passwd_changes ## Add a new rule
auditctl -l ## List all rules
ausearch --pid 579 ## Search by PID
ausearch --message USER_LOGIN --success no ## Search by "type" and if it was successful
ausearch -ua Solvetic ## Search by user: matches events whose auid, uid or euid is Solvetic

All failed events from the user with uid 1000

sudo ausearch --uid 1000 --success no
aureport --summary   # General statistics (events, logins, processes, etc.). Can be combined with other options to produce totals. Example: aureport -x --summary
aureport --success   # Statistics of events that succeeded.
aureport --failed    # Statistics of events that failed.

# Getting individual reports (each can be combined with --summary).
aureport -c   # (Audit) Config Change Report: date time type auid success event
aureport -l   # Login report: date time auid host term exe success event
aureport -p   # Process ID Report: date time pid exe syscall auid event
aureport -f   # File report: date time file syscall success exe auid event
aureport -u   # User report: date time auid term host exe success event
aureport -s   # Syscall report: date time syscall-number name of the command that made the syscall, auid and event number

Tip:

sudo ausearch --success no | aureport -x -i

Show everything that failed for the past week

for i in avc auth comm config crypto event file integrity login key mods mac anomaly pid response syscall log terminal tty user virt executable ; do
    sudo ausearch --success no --start week-ago --end now | aureport --"$i" -i
done

# Same reports, but run ausearch only once and reuse its output for every report type
data="$(sudo ausearch --success no --start week-ago --end now)"
for i in avc auth comm config crypto event file integrity login key mods mac anomaly pid response syscall log terminal tty user virt executable ; do
    echo "$data" | aureport --"$i" -i
done
unset data

sudo ausearch --success no | aureport --anomaly
sudo ausearch --success no | aureport --anomaly -i
sudo ausearch --success no | aureport --response

sudo ausearch --success no | aureport -x -i

auid=4294967295 (the unset login uid, (u32)-1, which ausearch -i shows as AUID="unset") generates a LOT of messages: it marks processes started by init/systemd rather than by a logged-in user.

who used sudo and what did they do


Config

/etc/audit/auditd.conf

man auditd.conf

A boot parameter of audit=1 should be added so that all processes that run before the audit daemon starts are marked as auditable by the kernel. Without it, a few early processes cannot be properly audited.

Rules

Located in /etc/audit/rules.d/*.rules; augenrules merges them into one single file, /etc/audit/audit.rules.

Types of rules:

  • Control rules – these enable modification of the audit system’s behavior and a few of its configurations.
  • File system rules (also referred to as file watches) – enable auditing of access to a certain file or a directory.
  • System call rules – permits logging of system calls made by any program.

Control

-D          # removes all previous rules
-b  3074    # set the kernel backlog buffer size (number of audit records buffered before auditd reads them)
-f 2        # failure mode: 0 silent, 1 printk, 2 panic (the original note used -f 4, which is not a valid value)
-r 120      # create at most 120 audit messages per second
# Make the configuration immutable until the system is rebooted (2); 0 disables auditing and 1 enables it again.
-e 2

File system

-w /path/to/file/or/directory -p permissions -k key_name

  • -w – the file or directory to watch.
  • -p – permissions to be logged: r for read access, w for write access, x for execute access and a for a change of file or directory attribute.
  • -k – an optional string (key) identifying which rule (or set of rules) created a specific log entry.

-w /etc/passwd -p wa -k passwd_changes

System call

-a action,filter -S system_call -F field=value -k key_name

  • action – has two possible values: always or never.
  • filter – the kernel rule-matching filter the rule is applied to: task, exit, user or exclude.
  • system call – the system call name (several -S options can be given).
  • field – optional additional conditions such as architecture, PID, GID etc. that narrow the rule.

-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F uid=0 -k delete

Explanation of logs

For this rule, which monitors file and directory deletions and renames by the user with uid 1000:

-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F uid=1000 -k delete

the command run is rm test

The records generated (viewed with sudo tail -f /var/log/audit/audit.log) are:

type=SYSCALL msg=audit(1590760742.529:163): arch=c000003e syscall=263 success=yes exit=0 a0=ffffff9c a1=5591de8bd640 a2=0 a3=100 items=2 ppid=2162 pid=2188 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=4 comm="rm" exe="/usr/bin/rm" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="delete"ARCH=x86_64 SYSCALL=unlinkat AUID="yu" UID="yu" GID="yu" EUID="yu" SUID="yu" FSUID="yu" EGID="yu" SGID="yu" FSGID="yu"
type=CWD msg=audit(1590760742.529:163): cwd="/home/yu"
type=PATH msg=audit(1590760742.529:163): item=0 name="/home/yu" inode=131 dev=fd:05 mode=040700 ouid=1000 ogid=1000 rdev=00:00 obj=unconfined_u:object_r:user_home_dir_t:s0 nametype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0OUID="yu" OGID="yu"
type=PATH msg=audit(1590760742.529:163): item=1 name="test" inode=137 dev=fd:05 mode=0100664 ouid=1000 ogid=1000 rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0 nametype=DELETE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0OUID="yu" OGID="yu"
type=PROCTITLE msg=audit(1590760742.529:163): proctitle=726D0074657374

First line

type=SYSCALL msg=audit(1590760742.529:163): arch=c000003e syscall=263 success=yes exit=0 a0=ffffff9c a1=5591de8bd640 a2=0 a3=100 items=2 ppid=2162 pid=2188 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=4 comm="rm" exe="/usr/bin/rm" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="delete"ARCH=x86_64 SYSCALL=unlinkat AUID="yu" UID="yu" GID="yu" EUID="yu" SUID="yu" FSUID="yu" EGID="yu" SGID="yu" FSGID="yu"
  • type=SYSCALL - Record type. All types are listed in ...
  • msg=audit(1590760742.529:163): - Timestamp and event ID (serial)
  • arch=c000003e - Architecture in hex
  • syscall=263 - Syscall number; ausyscall --dump lists the number-to-name mapping
  • success=yes - Whether the syscall succeeded
  • exit=0 - Exit code (return value of the syscall)
  • a0=ffffff9c a1=5591de8bd640 a2=0 a3=100 - First four syscall arguments in hex
  • items=2 - Number of file paths (PATH records) recorded for the event
  • ppid=2162 pid=2188 - Parent process ID and process ID
  • auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 - Login uid and the process's real, effective, saved and filesystem IDs
  • tty=pts1 - TTY from where it originated
  • ses=4 - Session ID
  • comm="rm" exe="/usr/bin/rm" - Command executed and path of the executable
  • subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 - SELinux context of the process
  • key="delete" - Key of the rule that matched
  • ARCH=x86_64 - Architecture, resolved to a name
  • SYSCALL=unlinkat - Syscall name
  • AUID="yu" UID="yu" GID="yu" EUID="yu" SUID="yu" FSUID="yu" EGID="yu" SGID="yu" FSGID="yu" - The same IDs resolved to names (added by the ENRICHED log format)

Second line

type=CWD msg=audit(1590760742.529:163): cwd="/home/yu"
  • type=CWD - Working directory
  • msg=audit(1590760742.529:163): - Timestamp and ID (the same as before)
  • cwd="/home/yu" - Path where the event happened

Third and fourth line

type=PATH msg=audit(1590760742.529:163): item=0 name="/home/yu" inode=131 dev=fd:05 mode=040700 ouid=1000 ogid=1000 rdev=00:00 obj=unconfined_u:object_r:user_home_dir_t:s0 nametype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0OUID="yu" OGID="yu"
type=PATH msg=audit(1590760742.529:163): item=1 name="test" inode=137 dev=fd:05 mode=0100664 ouid=1000 ogid=1000 rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0 nametype=DELETE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0OUID="yu" OGID="yu"
  • type=PATH - Path passed as argument to the syscall
  • msg=audit(1590760742.529:163): - Same timestamp and ID
  • item=0 - Index of this path record within the event
  • name="/home/yu" - Path as passed to the syscall
  • inode=131 - Inode of that path
  • dev=fd:05 - Device (major:minor, in hex) of the filesystem holding the file; fd:05 is 253:5, a device-mapper volume
  • mode=040700 - File type and permissions (octal)
  • ouid=1000 ogid=1000 - UID / GID of the owner of the file / directory
  • rdev=00:00 - device identifier for special (character/block) files
  • obj=unconfined_u:object_r:user_home_dir_t:s0 nametype=PARENT - SELinux context of the object; nametype says how the path took part (PARENT, DELETE, CREATE, NORMAL)
  • cap_fp=0000000000000000 - file permitted capabilities
  • cap_fi=0000000000000000 - file inheritable capabilities
  • cap_fe=0 - file effective capability bit
  • cap_fver=0 - file capabilities version
  • OUID="yu" - owner uid resolved to a name
  • OGID="yu" - owner gid resolved to a name

Fifth line

type=PROCTITLE msg=audit(1590760742.529:163): proctitle=726D0074657374
  • type=PROCTITLE - Type of log
  • msg=audit(1590760742.529:163): - Timestamp and ID
  • proctitle=726D0074657374 - Command line in hex, argv entries separated by NUL: echo -n "72 6D00 7465 7374" | xxd -r -p

Another more visual example: echo "726D 0077 7562 6261 206C 7562 6261 2064 7562 2064 7562" | xxd -r -p

ausearch can return all the records that share the same event ID

sudo ausearch --event 163

This event can be searched by the key

sudo ausearch --key delete

Other

[yu@localhost ~]$ sudo aureport -f --interpret

File Report
===============================================
# date time file syscall success exe auid event
===============================================
1. 05/29/2020 15:59:02 /home/yu unlinkat yes /usr/bin/rm yu 163
2. 05/29/2020 16:23:27 /home/yu unlinkat yes /usr/bin/rm yu 177
3. 05/29/2020 16:29:55 /etc unlinkat no /usr/bin/rm yu 192
[yu@localhost ~]$ sudo aureport -f

File Report
===============================================
# date time file syscall success exe auid event
===============================================
1. 05/29/2020 15:59:02 /home/yu 263 yes /usr/bin/rm 1000 163
2. 05/29/2020 16:23:27 /home/yu 263 yes /usr/bin/rm 1000 177
3. 05/29/2020 16:29:55 /etc 263 no /usr/bin/rm 1000 192
[yu@localhost ~]$ sudo ausearch --event 163 | aureport -f -i

File Report
===============================================
# date time file syscall success exe auid event
===============================================
1. 05/29/2020 15:59:02 test unlinkat yes /usr/bin/rm yu 163
[yu@localhost ~]$ sudo ausearch --event 163 | aureport -f

File Report
===============================================
# date time file syscall success exe auid event
===============================================
1. 05/29/2020 15:59:02 test 263 yes /usr/bin/rm 1000 163
[yu@localhost ~]$ sudo ausearch --success no | aureport -f -i

File Report
===============================================
# date time file syscall success exe auid event
===============================================
1. 05/29/2020 16:29:55 rc0.d unlinkat no /usr/bin/rm yu 192
[yu@localhost ~]$ sudo ausearch --success no | aureport -x -i

Executable Report
====================================
# date time exe term host auid event
====================================
1. 05/29/2020 12:22:25 /usr/lib/systemd/systemd ? ? unset 42
2. 05/29/2020 14:00:32 /usr/lib/systemd/systemd ? ? unset 39
3. 05/29/2020 14:01:14 /usr/sbin/sshd ssh 172.16.197.1 unset 61
4. 05/29/2020 14:04:23 /usr/lib/systemd/systemd ? ? unset 36
5. 05/29/2020 14:04:48 /usr/sbin/sshd ssh 172.16.197.1 unset 47
6. 05/29/2020 15:46:59 /usr/bin/login tty1 localhost.localdomain unset 111
7. 05/29/2020 15:47:01 /usr/bin/login tty1 localhost.localdomain unset 112
8. 05/29/2020 15:58:49 /usr/sbin/sshd ssh 172.16.197.1 unset 148
9. 05/29/2020 16:29:55 /usr/bin/rm pts1 ? yu 192

From HEX to ASCII

The audit line indicating the command used is the following.

type=USER_CMD msg=audit(1590767948.331:1231): pid=3079 uid=1000 auid=1000 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='cwd="/home/yu" cmd=7461696C202D66202F7661722F6C6F672F61756469742F61756469742E6C6F67 exe="/usr/bin/sudo" terminal=pts/0 res=success'UID="yu" AUID="yu"

The command in HEX is:

7461696C202D66202F7661722F6C6F672F61756469742F61756469742E6C6F67

ausearch

First option using ausearch and using the audit ID.

sudo ausearch --event 1231 -i

The result is:

type=USER_CMD msg=audit(05/29/2020 17:59:08.331:1231) : pid=3079 uid=yu auid=yu ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='cwd=/home/yu cmd=tail -f /var/log/audit/audit.log exe=/usr/bin/sudo terminal=pts/0 res=success'

python

Second option using python.

python -c 'import binascii; print(binascii.a2b_hex("7461696C202D66202F7661722F6C6F672F61756469742F61756469742E6C6F67"))'

The result is:

b'tail -f /var/log/audit/audit.log'

Ignore an entry (wip)

I have this entry which I do not want

type=SERVICE_START msg=audit(1590767358.184:1194): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=NetworkManager-dispatcher comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_STOP msg=audit(1590767368.353:1195): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=NetworkManager-dispatcher comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
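One way to drop these records before auditd writes them, as an added example that is not from this page: a rule on the exclude filter, which is the filter built for matching on message type (the msgtype field). Saved under /etc/audit/rules.d/, the file is merged into /etc/audit/audit.rules by augenrules; the file name is an assumption.

```text
# /etc/audit/rules.d/20-ignore-systemd-units.rules  (file name is an assumption)
# Drop systemd unit start/stop records on the kernel's exclude filter
-a always,exclude -F msgtype=SERVICE_START
-a always,exclude -F msgtype=SERVICE_STOP
```

After reloading, auditctl -l should list both rules and ausearch -m SERVICE_START should stop returning new events. Two caveats: with -e 2 set, rules cannot be added until the next reboot, and these records are the audit trail of unit starts and stops, so exclude them only if the journal already covers that need.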

Sources