How To Install and Generate Audit Reports in CentOS 7 or RHEL 7
How To Install and Generate Audit Reports in CentOS 7
Table of Contents
  Overview
  Applies To
  Pre-requisites
  Install Audit Packages
  Components, Tools and Configuration Files
    Kernel
    Binaries
    Files
  Auditctl - Attributes / Parameters
    Audit Control - Rules Table
    Audit Control - Permissions Table
    Audit Control - Actions
  Manage Audit Rules
    List Audit Rules
    Add Audit Rules
      Add Audit Rule – Shadow File
      Add Audit Rule – Password File
      Add Audit Rule – SSH Config File
      Add Audit Rule – hosts File
      Add Audit Rule – Directory
    Audit Delete Rules
      Delete Rules – All Rules
      Delete Rules – By Key
      Delete Rules – Matching Rule
  Audit Query / Search
    Audit Query – By File
    Audit Query – By Key
    Audit Query – By Exit Code
    Audit Query – By Executable
    Audit Query – By UserID
    Audit Query – By User LoginID
    Audit Query – By GroupID
    Audit Query – By Effective UID
    Audit Query – By Hostname
  Audit Reports
    Audit Report – Summary
    Audit Report – Report Authentication Attempts
    Audit Report – Report Authentication Failed Attempts
    Audit Report – Report Login Success Attempts
    Audit Report – Report Login Failed Attempts
    Audit Report – Report Account Modifications
    Audit Report – Report Filter by Timestamp
    Audit Report – Report Find Syscall
    Different System Calls and their Mapping
      ausyscall 2
      ausyscall 188
      ausyscall 191
  Alternate Methods – Aureport
Overview
It is always good to look at the various logs on your server to determine who has logged in successfully
and who has had failed login attempts, all the more so when the server has a public IP address. Auditing
also helps administrators keep a trail of administrative activity.
Applies To
CentOS 7, RHEL 7
Pre-requisites
To run the commands described in this guide, the following packages have to be installed:
audit
audit-libs
Install Audit Packages
By default the audit packages are already installed; if you need to install them, run the command below.
audit-libs is a dependency of audit.
yum install audit audit-libs -y
Components, Tools and Configuration Files
There are three major components to auditing on a box: the kernel, the user-space binaries and the configuration files.
Kernel
audit Hooks in the kernel capture events and deliver them to the auditd daemon
Binaries
auditd A daemon that captures events and stores them in the audit log file (audit.log)
auditctl Audit tool used to configure auditd on the server
audispd Daemon that multiplexes events to other programs
aureport Reporting tool that reads from the audit.log file
ausearch Looks up events in the audit.log file
autrace Uses the audit component in the kernel to trace binaries
aulast Similar to last, but uses the audit framework
aulastlog Similar to lastlog, but again uses the audit framework
ausyscall Maps syscall IDs to names and back
auvirt Displays audit information regarding virtual machines
Files
audit.rules Rules defined in this file are loaded by auditctl when auditd starts
auditd.conf Configuration file of the auditd daemon
Auditctl - Attributes / Parameters
The audit control tool is driven by rules and by the parameters attached to each rule.
Audit Control - Rules Table
-w path Add / insert a watch for the file system object at path.
-W path Remove the watch for the file system object at path.
-f [0..2] Set the failure flag, which controls how the kernel handles audit failures; 0=silent 1=printk 2=panic
-e [0..2] Set the enabled flag; 0=disable auditing 1=enable auditing 2=lock the audit configuration (no further changes until reboot)
-k key Set a filter key (an arbitrary string, up to 31 bytes) on the rule; records generated by the rule carry the key, so it can be searched for later
-p [rwxa] The permission access types that a file system watch will trigger on; see the Permissions Table
-D Delete all audit rules
Audit Control - Permissions Table
r Read permission; triggers if a file is opened for reading
w Write permission; triggers if a file is opened for writing
x Execute permission; triggers if a file is opened for execution
a Attribute permission; triggers if a file attribute is changed
Audit Control - Actions
never No audit records will be generated. This can be used to suppress event generation.
always Allocate an audit context, always fill it in at syscall entry time, and always write out a record at syscall exit time.
Manage Audit Rules
One of the main purposes of audit rules is to keep track of which files a user has read, modified or
executed, so that engineers can be held to the administrative actions their role defines or requires.
List Audit Rules
Before you configure a new rule it is always a good idea to list the audit rules that are already
configured. To see them, run the command below; it lists the rules currently loaded, i.e. those defined in
the file “/etc/audit/audit.rules”.
auditctl -l
Add Audit Rules
To watch / audit files you need to add a rule; we will add a few audit rules below.
Add Audit Rule – Shadow File
To audit the shadow password file, run the command below with key “shadow-file”; we watch for the
permissions “r,w,x,a”.
auditctl -w /etc/shadow -k shadow-file -p rwxa
Add Audit Rule – Password File
To audit the password file, run the command below with key “password-file”; we watch for the permissions
“r,w,a”.
auditctl -w /etc/passwd -p war -k password-file
Add Audit Rule – SSH Config File
To audit the main configuration file of the SSH daemon, run the command below with key “sshconfig-file”;
we watch for the permissions “r,w,a,x”.
auditctl -w /etc/ssh/sshd_config -p rwax -k sshconfig-file
Add Audit Rule – hosts File
To audit the hosts file, run the command below with key “hosts-file”; we watch for the permissions “w,a”.
auditctl -w /etc/hosts -p wa -k hosts-file
Add Audit Rule – Directory
If you would like to watch a specific directory on a host, run the command below. Without -p the watch
triggers on all of r, w, x and a.
auditctl -w /etc/security -k "/etc/security"
Note: it is a good idea to give every rule a “key”, because it lets you search for the rule's events and
list or delete the rule by key.
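The rules above are added with auditctl and are gone after a reboot. The following added example (not part of the original guide) generates the same watches in audit.rules syntax for a persistent rules file, validating the path, the permission letters and the 31-byte key limit before writing them; the output file name and the key "security-dir" for the directory watch are this example's own choices.

```shell
#!/bin/sh
# Added example: build a persistent rules file for the watches from the guide.
# Assumptions: the target file lives under /etc/audit/rules.d/ (CentOS 7 layout,
# compiled into audit.rules by augenrules); the key names below are examples.

# Emit one watch rule in audit.rules syntax after validating its parts.
# Usage: audit_watch_rule PATH PERMS KEY
audit_watch_rule() {
    path=$1; perms=$2; key=$3
    # watches need an absolute path
    case $path in
        /*) ;;
        *) echo "path must be absolute: $path" >&2; return 1 ;;
    esac
    # the permission string may only contain r, w, x and a (auditctl -p)
    case $perms in
        ""|*[!rwxa]*) echo "bad permissions: $perms" >&2; return 1 ;;
    esac
    # auditctl limits a filter key to 31 bytes
    if [ ${#key} -gt 31 ]; then
        echo "key longer than 31 bytes: $key" >&2; return 1
    fi
    printf '%s %s -p %s -k %s\n' "-w" "$path" "$perms" "$key"
}

# Write the guide's watches into one rules file (argument: output path).
# The directory watch gets rwxa explicitly, which is what a watch without
# -p defaults to.
write_rules_file() {
    out=$1
    {
        echo "## watches from the guide, generated by write_rules_file"
        audit_watch_rule /etc/shadow          rwxa shadow-file
        audit_watch_rule /etc/passwd          rwa  password-file
        audit_watch_rule /etc/ssh/sshd_config rwxa sshconfig-file
        audit_watch_rule /etc/hosts           wa   hosts-file
        audit_watch_rule /etc/security        rwxa security-dir
    } > "$out"
}

# Example run (commented out so the script can be sourced safely):
#   write_rules_file /etc/audit/rules.d/10-guide.rules && augenrules --load
```

After writing the file, `augenrules --load` (part of the audit package on CentOS 7) regenerates /etc/audit/audit.rules and loads it, so `auditctl -l` shows the same rules after every reboot.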
Audit Delete Rules
When a host or a rule no longer needs to be audited / watched, delete the audit rules that are no longer
required.
Delete Rules – All Rules
At times you will want to delete all rules at once. Run the command below; it removes every rule that is
currently loaded, i.e. all rules defined in the “audit.rules” file.
auditctl -D
Delete Rules – By Key
To delete rules by key, run the command below; it removes only the loaded rules that carry the given key,
not every rule in the “audit.rules” file.
auditctl -D -k password-file
Delete Rules – Matching Rule
To delete a single matching rule, run the command below. You have to match the actual rule (path,
permissions and key) for it to be removed.
auditctl -W /etc/passwd -p rwa -k password-file
Audit Query / Search
ausearch is the audit daemon's query tool; there are many ways to search the audit records with it.
A few of them are listed and shown here.
Audit Query – By File
Search for events matching the given filename.
ausearch -f /etc/passwd
Audit Query – By Key
Search for events matching the key that was defined when the audit rule was created.
ausearch -k password-file
Audit Query – By Exit Code
Search for events matching an exit code. The exit codes can be interpreted with the errno definitions in
“/usr/include/asm-generic/errno-base.h”.
ausearch -e 1
Audit Query – By Executable
To search for events by the executable that produced them, run the command below.
ausearch -x ls
Audit Query – By UserID
Search for events matching the given user ID.
ausearch -ui 1000
Audit Query – By User LoginID
Query for events matching the given login user ID (the auid recorded at login) and display them.
ausearch -ul 1000
Audit Query – By GroupID
Query for events matching the given group ID and display them.
ausearch -gi 1000
Audit Query – By Effective UID
Query for events matching the given effective user ID and display them.
ausearch -uu 1000
Audit Query – By Hostname
Query for events matching the given hostname and display them.
ausearch -hn vcptest
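Every ausearch option above selects on a field of the raw records in the audit log: -k matches key=, -ui matches uid=, -ul matches auid=, -gi matches gid=, -uu matches euid=, -x matches exe= and -e matches exit=. The added example below (not from the original guide) parses a few constructed audit.log lines the way such a query does, pulling the fields behind those options out of each SYSCALL record; the records, UIDs and event IDs are made up for the example.

```shell
#!/bin/sh
# Added example: extract the searchable fields from raw SYSCALL records.
# The records below are constructed for this example; they follow the
# field=value layout of /var/log/audit/audit.log on CentOS 7.
sample_records() {
cat <<'EOF'
type=SYSCALL msg=audit(1442750401.123:4321): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd3c0e1a50 a1=0 a2=1b6 a3=0 items=1 ppid=2001 pid=2100 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="shadow-file"
type=CWD msg=audit(1442750401.123:4321):  cwd="/root"
type=PATH msg=audit(1442750401.123:4321): item=0 name="/etc/shadow" inode=1234 dev=fd:01 mode=0100000 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
type=SYSCALL msg=audit(1442750455.500:4330): arch=c000003e syscall=2 success=no exit=-13 a0=7ffd3c0e2b60 a1=0 a2=0 a3=0 items=1 ppid=3001 pid=3100 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=4 comm="vi" exe="/usr/bin/vi" key="sshconfig-file"
type=USER_LOGIN msg=audit(1442750500.000:4335): pid=900 uid=0 auid=1000 ses=4 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=/dev/pts/1 res=success'
EOF
}

# Read records on stdin; for every SYSCALL record that carries a key, print
# the key followed by the fields that ausearch -ul/-ui/-x and the syscall
# number refer to. Records without a key (key="(null)") are skipped.
audit_syscall_summary() {
    awk '
    $1 != "type=SYSCALL" { next }
    {
        split("", f)                      # clear the per-record field map
        for (i = 2; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            k = substr($i, 1, n - 1)
            v = substr($i, n + 1)
            gsub(/"/, "", v)               # strip quotes from exe="..." etc.
            f[k] = v
        }
        if (!("key" in f) || f["key"] == "(null)") next
        printf "%s auid=%s uid=%s exe=%s syscall=%s success=%s\n",
               f["key"], f["auid"], f["uid"], f["exe"], f["syscall"], f["success"]
    }'
}

# Stand-alone run over the constructed records.
sample_records | audit_syscall_summary
```

The first record shows why auid and uid are both worth reading: the login ID stays 1000 after the user became root, which is what `ausearch -ul 1000` keys on, while `ausearch -ui 0` would match the uid. The second record has `success=no exit=-13`, i.e. EACCES from errno-base.h, which is what `ausearch -e 13` or `ausearch -e EACCES` selects. The syscall number is the raw value; `ausearch -i` or `ausyscall` (shown later in the guide) turns it into a name.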
Audit Reports
aureport is a tool that produces summary reports from the audit system logs.
Audit Report – Summary
aureport --summary
Audit Report – Report Authentication Attempts
List all authentication events, successful or failed.
aureport -au
Audit Report – Report Authentication Failed Attempts
List only the authentication events that failed (the success column reads “no”).
aureport -au | grep "no "
Audit Report – Report Login Success Attempts
aureport --success -l
Audit Report – Report Login Failed Attempts
aureport --failed -l
Audit Report – Report Account Modifications
aureport -m
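Grepping `aureport -au` for “no” lists every failed authentication, but what a defender usually wants is the accounts and source hosts with many failures. The added example below (not part of the original guide) counts failures per account and host in `aureport -au` output and prints those at or above a threshold; the report lines are constructed for the example and follow aureport's "# date time acct host term exe success event" column layout.

```shell
#!/bin/sh
# Added example: flag accounts with repeated authentication failures from
# the output of "aureport -au". The sample report is constructed for this
# example; dates, hosts and event numbers are made up.
sample_aureport_au() {
cat <<'EOF'

Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 09/20/2015 10:15:01 root 192.0.2.10 ssh /usr/sbin/sshd no 4301
2. 09/20/2015 10:15:07 root 192.0.2.10 ssh /usr/sbin/sshd no 4302
3. 09/20/2015 10:15:12 root 192.0.2.10 ssh /usr/sbin/sshd no 4303
4. 09/20/2015 10:16:40 admin 192.0.2.25 ssh /usr/sbin/sshd yes 4310
5. 09/20/2015 10:20:03 admin ? pts/1 /usr/bin/su no 4315
EOF
}

# Read "aureport -au" output on stdin and print "acct host count" for every
# account/host pair with at least THRESHOLD failed authentications.
# Only numbered report rows are considered; the header lines are skipped.
auth_failures_over() {
    threshold=$1
    awk -v t="$threshold" '
        $1 ~ /^[0-9]+\.$/ && $8 == "no" { n[$4 " " $5]++ }
        END { for (k in n) if (n[k] >= t) print k, n[k] }
    ' | sort
}

# Stand-alone run: on a live system replace sample_aureport_au with
#   aureport -au --start today
sample_aureport_au | auth_failures_over 3
```

The threshold is the tunable: run it from cron against `aureport -au --start today` (a real aureport option) and pipe anything printed to your alerting, and raise the threshold for hosts that legitimately see many password prompts.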
Audit Report – Report Filter by Timestamp
aureport --start 09/20/2015 00:00:00 --end 09/21/2015 00:00:00
Audit Report – Report Find Syscall
Every command execution is recorded in the audit log together with the system call it made. Run the
command “ausearch -gi 1000 --just-one” and look at the syscall number in the SYSCALL record it returns.
Different System Calls and their Mapping
ausyscall 2
open
ausyscall 188
setxattr
ausyscall 191
getxattr
Alternate Methods – Aureport
grep 'sshd.*Failed' /var/log/secure
grep 'sshd.*opened' /var/log/secure
grep 'login.*tty' /var/log/secure