Auditd : Add Audit Rules2022/12/20 |
|
It's possible to add your own Audit rules like follows.
|
|
| [1] | For example, Configure Audit rule that records writing and attributes change for [/etc/hosts]. |
|
# display current rules (no rules by default like follows) root@dlp:~# auditctl -l No rules # -p [r|w|x|a] : specify target action for Audit # r=read, w=write, x=execute, a=attributes # -k [words] : set keys for searching logs root@dlp:~# auditctl -w /etc/hosts -p wa -k hosts_change root@dlp:~# auditctl -l -w /etc/hosts -p wa -k hosts_change |
| [2] | When some actions are set and it is detected by new Audit rules, Audit logs are recorded like follows. |
|
root@dlp:~# ausearch -k hosts_change | aureport -f -i =============================================== # date time file syscall success exe auid event =============================================== 1. 12/20/2022 12:43:40 /etc/hosts~ rename yes /usr/bin/vim.basic ubuntu 296 2. 12/20/2022 12:43:40 /etc/hosts openat yes /usr/bin/vim.basic ubuntu 297 3. 12/20/2022 12:43:40 (null) fchown yes /usr/bin/vim.basic ubuntu 298 4. 12/20/2022 12:43:40 (null) fchown yes /usr/bin/vim.basic ubuntu 299 5. 12/20/2022 12:43:40 (null) fchmod yes /usr/bin/vim.basic ubuntu 300 6. 12/20/2022 12:43:40 /etc/hosts setxattr yes /usr/bin/vim.basic ubuntu 301 7. 12/20/2022 12:44:28 /etc/hosts~ rename yes /usr/bin/vim.basic root 327 8. 12/20/2022 12:44:28 /etc/hosts openat yes /usr/bin/vim.basic root 328 9. 12/20/2022 12:44:28 (null) fchown yes /usr/bin/vim.basic root 329 10. 12/20/2022 12:44:28 (null) fchown yes /usr/bin/vim.basic root 330 11. 12/20/2022 12:44:28 (null) fchmod yes /usr/bin/vim.basic root 331 12. 12/20/2022 12:44:28 /etc/hosts setxattr yes /usr/bin/vim.basic root 332 |
| [3] | Rules added by [auditctl] command are not kept after restarting System, so it needs to add them in a file under [/etc/audit/rules.d] if you'd like to keep persistently. It's OK to add rules to any file name you like under [/etc/audit/rules.d], but extension should be [.rules]. |
|
# output current rules to [additional.rules] root@dlp:~# auditctl -l >> /etc/audit/rules.d/additional.rules |
| [4] | If you set a directory for Audit Target, all files are targeted recursively under the directory. |
|
# set Audit rule (reading) to [/home/testdir/] root@dlp:~# auditctl -w /home/testdir/ -p r -k testdir_audit root@dlp:~# auditctl -l -w /home/testdir -p r -k testdir_audit # logs are recorded like follows root@dlp:~# ausearch -k testdir_audit | aureport -f -i File Report =============================================== # date time file syscall success exe auid event =============================================== 1. 12/20/2022 12:46:57 /home/testdir sendto yes /usr/sbin/auditctl root 83 2. 12/20/2022 12:47:50 /home/testdir/ lgetxattr no /usr/bin/ls root 84 3. 12/20/2022 12:47:50 /home/testdir/ getxattr no /usr/bin/ls root 85 4. 12/20/2022 12:47:50 /home/testdir/ getxattr no /usr/bin/ls root 86 5. 12/20/2022 12:47:50 /home/testdir/ openat yes /usr/bin/ls root 87 6. 12/20/2022 12:47:50 /home/testdir/. lgetxattr no /usr/bin/ls root 88 7. 12/20/2022 12:47:50 /home/testdir/. getxattr no /usr/bin/ls root 89 8. 12/20/2022 12:47:50 /home/testdir/. getxattr no /usr/bin/ls root 90 9. 12/20/2022 12:47:55 /home/testdir/.testfile.txt.swp openat yes /usr/bin/vim.basic root 91 10. 12/20/2022 12:47:55 /home/testdir/.testfile.txt.swx openat yes /usr/bin/vim.basic root 92 11. 12/20/2022 12:47:55 /home/testdir/.testfile.txt.swp openat yes /usr/bin/vim.basic root 93 12. 12/20/2022 12:48:21 /home/testdir/.test.txt.swp openat yes /usr/bin/vim.basic ubuntu 118 13. 12/20/2022 12:48:21 /home/testdir/.test.txt.swx openat yes /usr/bin/vim.basic ubuntu 119 14. 12/20/2022 12:48:21 /home/testdir/.test.txt.swp openat yes /usr/bin/vim.basic ubuntu 120 |
| [5] | For example, Set Audit rule that monitors files removed by users who has over UID 1000. |
|
root@dlp:~#
auditctl -a always,exit -F arch=b64 -S unlink,unlinkat -F 'auid>=1000' -F 'auid!=-1' -F key=delete_audit root@dlp:~# auditctl -l -w /home/testdir -p r -k testdir_audit -a always,exit -F arch=b64 -S unlink,unlinkat -F auid>=1000 -F auid!=-1 -F key=delete_audit # logs are recorded like follows root@dlp:~# ausearch -k delete_audit | aureport -f -i File Report =============================================== # date time file syscall success exe auid event =============================================== 1. 12/20/2022 12:50:23 /run/user/1000/systemd/ unlink no /usr/lib/systemd/systemd ubuntu 160 2. 12/20/2022 12:50:23 /run/user/1000/systemd/ unlink no /usr/lib/systemd/systemd ubuntu 161 3. 12/20/2022 12:50:42 /home/testdir/test.txt unlinkat yes /usr/bin/rm ubuntu 189 4. 12/20/2022 12:50:56 /home/testdir/testfile.txt unlinkat yes /usr/bin/rm ubuntu 202 |
| Sponsored Link |