how to install and generate audit reports in centos 7 or rhel 7


Upload: vcp-muthukrishna

Post on 07-Apr-2017


Page 1: How To Install and Generate Audit Reports in CentOS 7 or RHEL 7

How To Install and Generate Audit Reports in CentOS 7

i | P a g e

Table of Contents

Overview  1
Applies To  1
Pre-requisites  1
Install Audit Packages  1
Components, Tools and Configuration Files  1
  Kernel  1
  Binaries  1
  Files  2
Auditctl - Attributes / Parameters  2
  Audit Control - Rules Table  2
  Audit Control - Permissions Table  2
  Audit Control - Actions  2
Manage Audit Rules  3
  List Audit Rules  3
  Add Audit Rules  3
    Add Audit Rule – Shadow File  3
    Add Audit Rule – Password File  4
    Add Audit Rule – SSH Config File  4
    Add Audit Rule – hosts File  4
    Add Audit Rule – Directory  4
  Audit Delete Rules  5
    Delete Rules – All Rules  5
    Delete Rules – By Key  5
    Delete Rules – Matching Rule  6
Audit Query / Search  6
  Audit Query – By File  6
  Audit Query – By key  7
  Audit Query – By Exit Code  7
  Audit Query – By Executable  8
  Audit Query – By UserID  8
  Audit Query – By User LoginID  9
  Audit Query – By GroupID  9
  Audit Query – By UUID  9
  Audit Query – By Hostname  10
Audit Reports  10
  Audit Report – Summary  10
    Audit Report – Report Authentication Attempts  11
    Audit Report – Report Authentication Failed Attempts  11
    Audit Report – Report Login Success Attempts  12
    Audit Report – Report Login Failed Attempts  12
    Audit Report – Report Account Modifications  12
    Audit Report – Report Filter by Timestamp  13
    Audit Report – Report Find Syscall  14
  Different System Calls and their Mapping  14
    ausyscall 2  14
    ausyscall 188  14
    ausyscall 191  14
Alternate Methods – Aureport  15


Overview

It is always good to have a look at the various logs on your server to determine who has logged in successfully and who has had failed attempts at logging in, more importantly when the server is connected to a public IP address. It also helps the administrator keep a trail of administrative activities.

Applies To

CentOS 7, RHEL 7

Pre-requisites

In order to run the commands described in this guide, the following packages have to be installed:

audit

audit-libs

Install Audit Packages

By default the audit packages are installed; in case you need to install them, run the command below. audit-libs is a dependency package.

yum install audit audit-libs -y

Components, Tools and Configuration Files

There are three major components for auditing on a box: the kernel part, the user-space binaries and the configuration files.

Kernel

audit  Hooks into the kernel to capture events and deliver them to the auditd daemon

Binaries

auditd  A daemon that captures events and stores them in the auditd.log file

auditctl  Audit tool used to configure auditd on the server

audispd  Daemon that multiplexes events to other programs

aureport  Reporting tool that reads from the auditd.log file

ausearch  Looks up events in the auditd.log file

autrace  Uses the audit component in the kernel to trace binaries

aulast  Similar to last, but utilizes the audit framework

aulastlog  Similar to lastlog, but again utilizes the audit framework

ausyscall  Maps between a syscall ID and its name

auvirt  Displays audit information regarding virtual machines


Files

audit.rules  The rules defined here are loaded by auditctl

auditd.conf  Configuration file of the auditd daemon

Auditctl - Attributes / Parameters

The audit control tool is driven by rules and by the parameters associated with each rule.

Audit Control - Rules Table

-w  Add / insert a watch for the file system object at the given path.

-W  Remove a watch for the file system object at the given path.

-f [0..2]  Set the failure flag, a value between 0 and 2, wherein: 0=silent, 1=printk, 2=panic

-e [0..2]  Set the enabled flag, a value between 0 and 2, wherein: 0=disable auditing, 1=enable auditing, 2=lock the audit configuration

-k  Set a key (a text tag) on the rule so that the events it generates can later be searched for by that key.

-p [rwxa]  The permission access types that a file system watch will trigger on (any combination of r, w, x, a); see the Permissions Table.

-D  Delete all audit rules.

Audit Control - Permissions Table

r  Read permission; triggers if a file is opened for reading

w  Write permission; triggers if a file is opened for writing

x  Execute permission; triggers if a file is opened for execution

a  Attribute permission; triggers if a file attribute is changed

Audit Control - Actions

never No audit records will be generated. This can be used to suppress event generation.

always Allocate an audit context, always fill it in at syscall entry time, and always write out a record at syscall exit time.


Manage Audit Rules

One of the main purposes of audit rules is to keep track of the files that are read, modified or executed by a user; monitoring these ensures that engineers perform only the administrative actions their role defines or requires.

List Audit Rules

First up, before you configure a new rule it is always a good idea to list the audit rules that are already configured. To see the rules currently in place, run the command below; it lists the rules loaded from the file “/etc/audit/audit.rules”.

auditctl -l

Add Audit Rules

In order to watch / audit files you need to add a rule; we will add a few audit rules below.

Add Audit Rule – Shadow File

To audit the password shadow file, run the command below with the key “shadow-file”; we will watch for the permissions “r,w,x,a”.

auditctl -w /etc/shadow -k shadow-file -p rwxa


Add Audit Rule – Password File

To audit the password file, run the command below with the key “password-file”; we will watch for the permissions “r,w,a”.

auditctl -w /etc/passwd -p war -k password-file

Add Audit Rule – SSH Config File

To audit the SSH daemon's main configuration file, run the command below with the key “sshconfig-file”; we will watch for the permissions “r,w,a,x”.

auditctl -w /etc/ssh/sshd_config -p rwax -k sshconfig-file

Add Audit Rule – hosts File

To audit the hosts file, run the command below with the key “hosts-file”; we will watch for the permissions “w,a”.

auditctl -w /etc/hosts -p wa -k hosts-file

Add Audit Rule – Directory

If you would like to watch a specific directory on a host, run the command below.

auditctl -w /etc/security -k "/etc/security"

Note: it is a good idea to add every rule with a “key”, because it lets you search for events and list rules by that key.
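The watches above are added to the running kernel one at a time and are lost at reboot; the persistent form is a rules file that augenrules loads at boot. The script below (an added example, not part of the original guide) writes the guide's five watches into such a file and checks each line for a key and for legal permission letters before it is handed to auditctl. The output directory under /tmp is an assumption for the demo; on a real host the file belongs in /etc/audit/rules.d/.

```shell
#!/bin/sh
# Added example: build a persistent rules file from the watches this guide
# adds interactively, and sanity-check it. Not code from the original guide.
set -eu

# Assumed scratch location for the demo; the real path is /etc/audit/rules.d/
OUT_DIR="${OUT_DIR:-${TMPDIR:-/tmp}/audit-demo}"
RULES_FILE="$OUT_DIR/50-guide-watches.rules"

# One watch per line: path, permissions, key (the values used in this guide).
WATCHES='
/etc/shadow rwxa shadow-file
/etc/passwd rwa password-file
/etc/ssh/sshd_config rwxa sshconfig-file
/etc/hosts wa hosts-file
/etc/security rwxa etc-security
'

# write_rules: emit one "-w PATH -p PERMS -k KEY" line per watch and print
# the file name. Lines in this form are what augenrules feeds to auditctl.
write_rules() {
    mkdir -p "$OUT_DIR"
    {
        echo "## file watches generated from the guide's examples"
        printf '%s\n' "$WATCHES" | while read -r path perms key; do
            [ -n "$path" ] || continue
            printf -- '-w %s -p %s -k %s\n' "$path" "$perms" "$key"
        done
    } > "$RULES_FILE"
    echo "$RULES_FILE"
}

# check_rules: return 0 only if every rule line carries a -k key (needed for
# "ausearch -k") and its -p value uses only the letters r, w, x and a.
check_rules() {
    file="$1"
    bad=0
    while read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        case "$line" in
            *" -k "*) ;;
            *) echo "missing key: $line" >&2; bad=1 ;;
        esac
        perms=$(printf '%s\n' "$line" | sed -n 's/.* -p \([^ ]*\).*/\1/p')
        case "$perms" in
            *[!rwxa]*|'') echo "bad permissions '$perms': $line" >&2; bad=1 ;;
        esac
    done < "$file"
    return $bad
}

# count_rules: number of active watch rules in the file (comments excluded).
count_rules() {
    grep -c '^-w ' "$1"
}

f=$(write_rules)
check_rules "$f" && echo "$(count_rules "$f") rules OK in $f"
```

Once the file is in place, `augenrules --load` applies it and `auditctl -l` shows the resulting rules.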


Audit Delete Rules

If a host or a rule no longer needs to be audited / watched, you need to delete the audit rules that are no longer required.

Delete Rules – All Rules

At times you will want to delete all defined rules; run the command below, which removes all the rules loaded from the “audit.rules” file.

auditctl -D

Delete Rules – By Key

To delete rules by key, run the command below; it removes every loaded rule that carries the given key (here the “password-file” rule from the “audit.rules” file).

auditctl -D -k password-file


Delete Rules – Matching Rule

To delete a single matching rule, run the command below; it removes that one rule from the set loaded from the “audit.rules” file. You have to specify the actual rule (path, permissions and key) for it to match and be removed.

auditctl -W /etc/passwd -p rwa -k password-file

Audit Query / Search

ausearch is the audit daemon's query tool; there are many ways to perform different kinds of audit queries. A few of them are listed and shown here.

Audit Query – By File

Search for events matching the given filename.

ausearch -f /etc/passwd


Audit Query – By key

Search for events matching the given key, as defined while creating the audit rules.

ausearch -k password-file

Audit Query – By Exit Code

Search for events matching the given exit code. Exit codes can be interpreted using the error file “/usr/include/asm-generic/errno-base.h”.

ausearch -e 1


Audit Query – By Executable

To search for events matching the given executable, run the command below.

ausearch -x ls

Audit Query – By UserID

Search for events matching the given user ID.

ausearch -ui 1000


Audit Query – By User LoginID

Query for events matching the given user login ID and display them.

ausearch -ul 1000

Audit Query – By GroupID

Query for events matching the given group ID and display them.

ausearch -gi 1000

Audit Query – By UUID

Query for events matching the given UUID and display them.

ausearch -uu 1000


Audit Query – By Hostname

Query for events matching the given hostname and display them.

ausearch -hn vcptest

Audit Reports

aureport is a tool that delivers summary reports from the audit system logs.

Audit Report – Summary

aureport --summary


Audit Report – Report Authentication Attempts

List all authentication events, irrespective of whether they succeeded or failed.

aureport -au

Audit Report – Report Authentication Failed Attempts

List all authentication events that have failed (the report's success column reads “no” for them).

aureport -au | grep "no "
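To show what “ausearch -k KEY”, “ausearch -e N” and “aureport -au | grep "no "” are actually matching on, the script below (an added example, not from the original guide) applies the same filters with awk and grep to a handful of constructed records in the raw /var/log/audit/audit.log format. The records, hosts and PIDs are made up for the demo; the keys are the ones defined earlier in this guide.

```shell
#!/bin/sh
# Added example: the guide's ausearch/aureport filters reproduced over raw
# audit.log records so the matched fields are visible. Not the guide's code.
set -eu

# Constructed sample records (not a real capture); hosts are RFC 5737
# documentation addresses. Failed PAM auths show res=failed, file accesses
# that hit a watch carry the rule's key="...".
SAMPLE_LOG=$(cat <<'EOF'
type=USER_AUTH msg=audit(1442782800.101:201): pid=2101 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="root" exe="/usr/sbin/sshd" hostname=203.0.113.7 addr=203.0.113.7 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1442782801.555:202): pid=2101 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="root" exe="/usr/sbin/sshd" hostname=203.0.113.7 addr=203.0.113.7 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1442782900.010:210): pid=2150 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=pam_unix acct="vcp" exe="/usr/sbin/sshd" hostname=192.0.2.5 addr=192.0.2.5 terminal=ssh res=success'
type=SYSCALL msg=audit(1442783000.200:220): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=2150 pid=2201 auid=1000 uid=1000 gid=1000 euid=1000 comm="cat" exe="/usr/bin/cat" key="password-file"
type=SYSCALL msg=audit(1442783050.300:221): arch=c000003e syscall=2 success=no exit=-13 items=1 ppid=2150 pid=2210 auid=1000 uid=1000 gid=1000 euid=1000 comm="vi" exe="/usr/bin/vi" key="shadow-file"
EOF
)

# failed_auth: what "aureport -au | grep no" surfaces. Prints "acct host count"
# for USER_AUTH records with res=failed, grouped by account and source host.
failed_auth() {
    printf '%s\n' "$SAMPLE_LOG" | awk '
        /^type=USER_AUTH / && /res=failed/ {
            acct = ""; host = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^acct=/) { acct = $i; sub(/^acct="/, "", acct); sub(/"$/, "", acct) }
                if ($i ~ /^hostname=/) { host = substr($i, 10) }
            }
            n[acct " " host]++
        }
        END { for (k in n) print k, n[k] }' | sort
}

# count_by_key: what "ausearch -k KEY" selects; records carrying the key that
# was attached to the watch with "auditctl -w ... -k KEY".
count_by_key() {
    printf '%s\n' "$SAMPLE_LOG" | grep -c "key=\"$1\"" || true
}

# count_by_errno: the "ausearch -e N" idea; a syscall that failed with errno N
# is logged as success=no exit=-N (13 is EACCES in errno-base.h).
count_by_errno() {
    printf '%s\n' "$SAMPLE_LOG" | grep -c "success=no .*exit=-$1 " || true
}

echo "failed logins (acct host count):"; failed_auth
echo "password-file events: $(count_by_key password-file)"
echo "EACCES denials: $(count_by_errno 13)"
```

On a real host the same awk and grep expressions can be run against /var/log/audit/audit.log, but ausearch and aureport already understand the record format and should be preferred.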


Audit Report – Report Login Success Attempts

aureport --success -l

Audit Report – Report Login Failed Attempts

aureport --failed -l

Audit Report – Report Account Modifications

aureport -m


Audit Report – Report Filter by Timestamp

aureport --start 09/20/2015 00:00:00 --end 09/21/2015 00:00:00


Audit Report – Report Find Syscall

For each command execution, the associated syscall number is recorded in the audit log. Run the command “ausearch -gi 1000 --just-one” to display a single matching event, then map the syscall number it shows to a name with ausyscall, as below.

Different System Calls and their Mapping

ausyscall 2

open

ausyscall 188

setxattr

ausyscall 191

getxattr


Alternate Methods – Aureport

Without the audit framework, the same login information can be pulled from “/var/log/secure”:

grep 'sshd.*Failed' /var/log/secure

grep 'sshd.*opened' /var/log/secure

grep 'login.*tty' /var/log/secure