Sysadmins use audits to discover security violations and track security-relevant information on their systems. Based on preconfigured rules and properties, the audit daemon (auditd) generates log entries to record information about the events happening on the system. Administrators use this information to analyze what went wrong with the security policies and improve them further by taking additional measures.
This article covers how to install, configure, and manage the audit service. It also shows how to define audit rules, search audit logs, and create audit reports. If you are new to system auditing, this article helps you gain a basic understanding and usage of audits on your system.
Install audit packages
The audit package is installed by default on Red Hat Enterprise Linux (RHEL) 7 and above. If it is not installed, add it with the following command:
$ sudo dnf install audit
The audit configuration file is located at /etc/audit/auditd.conf. The file contains the default configuration parameters that alter the behavior of the auditd daemon.
Manage the audit service
Once auditd is configured, start the service to collect audit information:
$ sudo service auditd start
The only reason to use the service command instead of systemctl is to record a user ID (UID) value properly.
[ Sign up for the free online course RHEL technical overview. ]
Enable the auditd daemon so that it can start at boot time:
$ sudo systemctl enable auditd
Define audit rules
With the auditctl tool, you can add auditing rules on any system call you want.
Ordering is important for rules to function as intended, and the service works on a first-match-win basis.
The next step defines the watch rule. This rule tracks whether a file or directory is triggered by certain types of access, including read, write, execute, and attribute changes.
The syntax to define watch rules is:
auditctl -w path_to_file -p permissions -k key_name
To audit user creation actions, first, add a watch to the /etc/passwd file to track write and attribute change access, and add a custom key to log all messages (this custom key is useful to filter log messages):
$ sudo auditctl -w /etc/passwd -p wa -k user-modify
Next, add a new user. Doing so changes the /etc/passwd file:
$ sudo useradd testuser
Finally, check to see if auditd logged the change. By default, auditd stores logs in the /var/log/audit/audit.log file:
$ sudo cat /var/log/audit/audit.log | grep user-modify
The output displays different properties, like what system call was triggered by which user, the type of change, the UID and group ID (GID) of the user who executed the command, and many others.
[ Download the Linux commands cheat sheet, so you always have the right command at hand. ]
Visit the auditctl man page to see more audit examples. For specific options, use auditctl --help.
Define persistent audit rules
To make auditing rules persistent across reboots, add them to the /etc/audit/rules.d/audit.rules file. This file contains auditctl commands as they would be entered on the command line but without the auditctl command in front.
Define persistent rules in the audit.rules file to watch /etc/passwd file for changes.
Open the file /etc/audit/rules.d/audit.rules in your favorite text editor and add this line:
-w /etc/passwd -p wa -k user-modify
Save the file, and then reload the auditd daemon to implement the changes from the configuration in the rules file:
$ sudo service auditd reload
Run auditctl -l to list the rules.
Finally, add a new user or modify any parameters that trigger the /etc/passwd file to change. The change is logged in /var/log/audit/audit.log, and even if the system is rebooted, the rules persists.
Search audit logs
Use the ausearch tool to search audit logs. By default, it searches the /var/log/audit/audit.log file.
For example, to search for log entries based on key_name:
$ sudo ausearch -i -k user-modify
Create audit reports
Use the aureport tool to query and create audit reports based on audit logs.
For example, to generate a report of all executable events, run:
$ sudo aureport -x
Wrap up
In this article, you learned about auditd, installed packages required by auditd, and managed the auditd service by starting, enabling, and restarting it where and when needed. You learned how to define auditd rules temporarily with auditctl and persistently in the audit.rules file. Finally, you searched audit logs and generated audit reports with the ausearch and aureport commands, respectively.
