Some cleanup
← Older revision
Revision as of 22:36, 10 October 2013
(One intermediate revision by one user not shown)
Line 1:
Line 1:
−
The Linux audit framework
+
[[Category:Security]]
−
provides a CAPP-compliant (Controlled Access Protection Profiles)
+
−
auditing system that reliably collects information about any security-relevant
+
−
(or non-security-relevant) event on a system. It can help you track actions
+
−
performed on a system.
+
+
The Linux audit framework provides a CAPP-compliant (Controlled Access Protection Profiles) auditing system that reliably collects information about any security-relevant (or non-security-relevant) event on a system. It can help you track actions performed on a system.
−
Linux audit helps make your system more secure by providing you with a means to
+
Linux audit helps make your system more secure by providing you with a means to analyze what is happening on your system in great detail. It does not, however, provide additional security itself—it does not protect your system from code malfunctions or any kind of exploits. Instead, Audit is useful for tracking these issues and helps you take additional security measures, to prevent them.
−
analyze what is happening on your system in great detail. It does not, however,
+
−
provide additional security itself—it does not protect your system from code
+
−
malfunctions or any kind of exploits. Instead, Audit is useful for tracking
+
−
these issues and helps you take additional security measures, to
+
−
prevent them.
+
−
The audit framework works by listening to the event reported by the kernel
+
The audit framework works by listening to the event reported by the kernel and logging them to a log file.
−
and logging them to a log file
.
+
−
+
−
/!\ as of linux 3.11, the audit framework is not yet compatible with the
+
−
namespace implementation, if you use namespaces, consider deactivate the
+
−
audit framework. It may also affects the performance of the system
.
+
+
{{Note|as of linux 3.11, the audit framework is not yet compatible with the namespace implementation, if you use namespaces, do not use the audit framework.}}
+
{{Note|It may also affects the performance of the system.}}
==Installation==
==Installation==
Line 28:
Line 17:
# systemctl enable auditd.service
# systemctl enable auditd.service
−
Audit framework is composed of the auditd daemon, responsible for writing the
+
Audit framework is composed of the auditd daemon, responsible for writing the audit messages that were generated through the audit kernel interface and triggered by application and system activity.
−
audit messages that were
+
−
generated through the audit kernel interface and triggered by application and
+
−
system activity.
+
This daemon can be controled by several commands and files:
This daemon can be controled by several commands and files:
−
* auditctl : to control the behavior of the daemon on the fly, adding rules
+
* auditctl : to control the behavior of the daemon on the fly, adding rules etc.
−
etc.
+
* /etc/audit/audit.rules : contains the rules and various parameters of the auditd daemon
−
* /etc/audit/audit.rules : contains the rules and various parameters of the
+
−
auditd daemon
+
* aureport : generate report of the activity on a system
* aureport : generate report of the activity on a system
* ausearch : search for various events
* ausearch : search for various events
−
j
auditspd : the daemon which can be used to relay event notifications to
+
*
auditspd : the daemon which can be used to relay event notifications to other applications instead of writing them to disk in the audit log
−
other applications instead of writing them to disk in the audit log
+
* autrace : this command can be used to trace a process, in a similar way as strace.
−
* autrace : this command can be used to trace a process, in a similar way as
+
−
strace.
+
* /etc/audit/auditd.conf : configuration file related to the logging.
* /etc/audit/auditd.conf : configuration file related to the logging.
==Adding rules==
==Adding rules==
−
Before adding rules, you must know that the audit framework can be very verbose
+
Before adding rules, you must know that the audit framework can be very verbose and that each rules must be carrefully tested before being effectively deployed. Indeed, just one rule can flood all your log within a few minutes.
−
and that each rules must be carrefully tested before being effectively
+
−
deployed. Indeed, just one rule can flood all your log within a few minutes
and
+
−
break the relevancy of your logs
.
+
−
+
===Audit files and directories access===
===Audit files and directories access===
−
The most basic use of the audit framework is to log the access to the files you
+
The most basic use of the audit framework is to log the access to the files you want.
−
want.
+
To do this, you must use a watch
{{ic|
-w
}}
to a file or a directory
−
To do this, you must use a watch
(
-w
)
to a file or a directory
+
The most basic rule to set up is to track accesses to the passwd file :
The most basic rule to set up is to track accesses to the passwd file :
Line 65:
Line 42:
# auditctl -w /etc/security/
# auditctl -w /etc/security/
−
The first rule keep track of every read
(
r
)
, write
(
w
)
, execution
(
x
)
, attribute
+
The first rule keep track of every read
{{ic|
r
}}
, write
{{ic|
w
}}
, execution
{{ic|
x
}}
, attribute change
{{ic|
a
}}
to the file
{{ic|
/etc/passwd
}}
.
−
change
(
a
)
to the file /etc/passwd.
+
The second keep track to any access in the
{{ic|
/etc/security/
}}
folder.
−
The second keep track to any access in the /etc/security/ folder.
+
You can list all active rules with :
You can list all active rules with :
Line 73:
Line 49:
# auditctl -l
# auditctl -l
−
Once you validate the rule, you can add it to the /etc/audit/audit.rules :
+
Once you validate the rule, you can add it to the
{{ic|
/etc/audit/audit.rules
}} file
:
-w /etc/audit/audit.rules -p rwxa
-w /etc/audit/audit.rules -p rwxa