Auditd : Add Audit Rules (2024/06/18)
It's possible to add your own Audit rules as follows.
|
[1] For example, configure an Audit rule that records writes and attribute changes to [/etc/hosts].
# display current rules (no rules by default, as shown below)
root@dlp:~# auditctl -l
No rules
# -p [r|w|x|a] : specify the target action for Audit
# r=read, w=write, x=execute, a=attribute change
# -k [words] : set a key for searching logs
root@dlp:~# auditctl -w /etc/hosts -p wa -k hosts_change
root@dlp:~# auditctl -l
-w /etc/hosts -p wa -k hosts_change
[2] When an action matching the new Audit rule is detected, Audit logs are recorded as follows. Search by the key set with [-k] and pass the result to [aureport] for a file report.
root@dlp:~# ausearch -k hosts_change | aureport -f -i

File Report
===============================================
# date time file syscall success exe auid event
===============================================
1. 06/17/2024 02:33:28 /etc/hosts~ rename yes /usr/bin/vim.basic ubuntu 342
2. 06/17/2024 02:33:28 /etc/hosts openat yes /usr/bin/vim.basic ubuntu 343
3. 06/17/2024 02:33:28 (null) fchmod yes /usr/bin/vim.basic ubuntu 344
4. 06/17/2024 02:33:28 /etc/hosts setxattr yes /usr/bin/vim.basic ubuntu 345
5. 06/17/2024 02:34:08 /etc/hosts~ rename yes /usr/bin/vim.basic root 375
6. 06/17/2024 02:34:08 /etc/hosts openat yes /usr/bin/vim.basic root 376
7. 06/17/2024 02:34:08 (null) fchmod yes /usr/bin/vim.basic root 377
8. 06/17/2024 02:34:08 /etc/hosts setxattr yes /usr/bin/vim.basic root 378
[3] Rules added with the [auditctl] command are not kept across a system restart, so add them to a file under [/etc/audit/rules.d] if you want them to persist. Any file name under [/etc/audit/rules.d] is fine, but the extension must be [.rules].
# append the current rules to [additional.rules]
root@dlp:~# auditctl -l >> /etc/audit/rules.d/additional.rules
[4] If you set a directory as the Audit target, all files under the directory are targeted recursively.
# set an Audit rule (reading) on [/home/testdir/]
root@dlp:~# auditctl -w /home/testdir/ -p r -k testdir_audit
root@dlp:~# auditctl -l
-w /etc/hosts -p wa -k hosts_change
-w /home/testdir -p r -k testdir_audit
# logs are recorded as follows
root@dlp:~# ausearch -k testdir_audit | aureport -f -i

File Report
===============================================
# date time file syscall success exe auid event
===============================================
1. 06/17/2024 02:35:50 /home/testdir sendto yes /usr/sbin/auditctl root 184
2. 06/17/2024 02:37:04 /home/testdir/testfile.txt openat yes /usr/bin/vim.basic ubuntu 213
3. 06/17/2024 02:37:04 /home/testdir/testfile.txt readlink no /usr/bin/vim.basic ubuntu 214
4. 06/17/2024 02:37:04 /home/testdir/.testfile.txt.swp openat yes /usr/bin/vim.basic ubuntu 215
5. 06/17/2024 02:37:04 /home/testdir/.testfile.txt.swx openat yes /usr/bin/vim.basic ubuntu 216
6. 06/17/2024 02:37:04 /home/testdir/.testfile.txt.swp openat yes /usr/bin/vim.basic ubuntu 217
7. 06/17/2024 02:37:04 /home/testdir/testfile.txt openat yes /usr/bin/vim.basic ubuntu 218
8. 06/17/2024 02:37:09 /home/testdir/testfile.txt getxattr no /usr/bin/vim.basic ubuntu 219
9. 06/17/2024 02:37:09 /home/testdir/testfile.txt~ listxattr yes /usr/bin/vim.basic ubuntu 220
10. 06/17/2024 02:37:13 /home/testdir lgetxattr no /usr/bin/ls ubuntu 223
11. 06/17/2024 02:37:13 /home/testdir listxattr yes /usr/bin/ls ubuntu 224
12. 06/17/2024 02:37:36 /home/testdir lgetxattr no /usr/bin/ls root 244
13. 06/17/2024 02:37:36 /home/testdir listxattr yes /usr/bin/ls root 245
14. 06/17/2024 02:37:39 /home/testdir/ lgetxattr no /usr/bin/ls root 248
15. 06/17/2024 02:37:39 /home/testdir/ listxattr yes /usr/bin/ls root 249
16. 06/17/2024 02:37:39 /home/testdir/ openat yes /usr/bin/ls root 250
17. 06/17/2024 02:37:39 /home/testdir/testfile.txt lgetxattr no /usr/bin/ls root 251
18. 06/17/2024 02:37:39 /home/testdir/testfile.txt listxattr yes /usr/bin/ls root 252
19. 06/17/2024 02:37:39 /home/testdir/. lgetxattr no /usr/bin/ls root 253
20. 06/17/2024 02:37:39 /home/testdir/. listxattr yes /usr/bin/ls root 254
21. 06/17/2024 02:37:55 /home/testdir/testfile.txt openat yes /usr/bin/cp root 255
[5] For example, set an Audit rule that monitors files removed by users whose UID is 1000 or higher. The rule matches the [unlink] and [unlinkat] system calls on exit, and [auid!=-1] excludes processes with no login UID set (daemons started at boot).
root@dlp:~# auditctl -a always,exit -F arch=b64 -S unlink,unlinkat -F 'auid>=1000' -F 'auid!=-1' -F key=delete_audit
root@dlp:~# auditctl -l
-w /etc/hosts -p wa -k hosts_change
-w /home/testdir -p r -k testdir_audit
-a always,exit -F arch=b64 -S unlink,unlinkat -F auid>=1000 -F auid!=-1 -F key=delete_audit
# logs are recorded as follows
root@dlp:~# ausearch -k delete_audit | aureport -f -i

File Report
===============================================
# date time file syscall success exe auid event
===============================================
1. 06/17/2024 02:40:28 /run/user/1000/systemd/ unlink no /usr/lib/systemd/systemd ubuntu 279
2. 06/17/2024 02:40:28 /run/user/1000/systemd/ unlink no /usr/lib/systemd/systemd ubuntu 280
3. 06/17/2024 02:40:34 /home/testdir/testfile.txt unlinkat no /usr/bin/rm ubuntu 287
4. 06/17/2024 02:40:54 /home/testdir/testfile.txt unlinkat yes /usr/bin/rm ubuntu 295
5. 06/17/2024 02:41:06 /run/user/1000/systemd/units/invocation:dbus.socket unlink yes /usr/lib/systemd/systemd ubuntu 300
6. 06/17/2024 02:41:06 /run/user/1000/systemd/units/invocation:gpg-agent-ssh.socket unlink yes /usr/lib/systemd/systemd ubuntu 301
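As an added example (not from the original page), a small POSIX sh/awk helper that triages the [aureport -f -i] file reports shown in steps [2] and [5]: it drops the header lines and the failed attempts (success=no), then counts successful events for one auid under a path prefix, so the real deletion of [/home/testdir/testfile.txt] is separated from the systemd session noise under [/run/user/1000]. The sample report is a constructed copy of the step [5] output; the function names are this example's own.

```shell
#!/bin/sh
# Constructed sample: the file report from step [5] above, embedded so the
# helpers can run offline without auditd.
sample_delete_report() {
    cat <<'EOF'
File Report
===============================================
# date time file syscall success exe auid event
===============================================
1. 06/17/2024 02:40:28 /run/user/1000/systemd/ unlink no /usr/lib/systemd/systemd ubuntu 279
2. 06/17/2024 02:40:28 /run/user/1000/systemd/ unlink no /usr/lib/systemd/systemd ubuntu 280
3. 06/17/2024 02:40:34 /home/testdir/testfile.txt unlinkat no /usr/bin/rm ubuntu 287
4. 06/17/2024 02:40:54 /home/testdir/testfile.txt unlinkat yes /usr/bin/rm ubuntu 295
5. 06/17/2024 02:41:06 /run/user/1000/systemd/units/invocation:dbus.socket unlink yes /usr/lib/systemd/systemd ubuntu 300
6. 06/17/2024 02:41:06 /run/user/1000/systemd/units/invocation:gpg-agent-ssh.socket unlink yes /usr/lib/systemd/systemd ubuntu 301
EOF
}

# Read a file report on stdin; print "auid syscall exe file" for every
# successful event. Data rows start with "N." and carry nine columns:
# index date time file syscall success exe auid event.
successful_events() {
    awk '$1 ~ /^[0-9]+\.$/ && NF >= 9 && $6 == "yes" { print $8, $5, $7, $4 }'
}

# Count successful events for auid $2 whose file path starts with prefix $1.
# Usage: sample_delete_report | count_events_under /home/testdir ubuntu
count_events_under() {
    prefix="$1"
    user="$2"
    awk -v p="$prefix" -v u="$user" '
        $1 ~ /^[0-9]+\.$/ && NF >= 9 && $6 == "yes" && $8 == u && index($4, p) == 1 { n++ }
        END { print n + 0 }
    '
}
```

Run against a live system with `ausearch -k delete_audit | aureport -f -i | count_events_under /home ubuntu` to see only user-driven removals under home directories.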