Monitoring events with the Audit daemon

Watchful Spirit

Viewing Log Files

The ausearch command can also be used to view the log data in the /var/log/audit/audit.log file. You can use a variety of filters to search specifically for particular events. For example, Listing 2 shows the command that searches the log for user login events and then displays them.

Listing 2

Simple Search

# ausearch -m USER_LOGIN
----
time->Sat Jun 28 20:14:10 2014
type=USER_LOGIN msg=audit(1403979250.412:116733): pid=31587 uid=0 auid=1000
  ses=1445 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=1000
  exe="/usr/sbin/sshd" hostname=localhost addr=::1 terminal=/dev/pts/9 res=success'

With the -ts option, you can look for user logins from a certain point in time; -te, on the other hand, limits the search up to a point in time. To see log entries that were generated on the basis of the previously presented file access rules, use the -k option.

Listing 3 shows an example with a number of options combined. Here, ausearch shows all access attempts on the file connected with the hosts-file key. A similar rule was set up previously using auditctl. The ausearch command is also instructed to limit the output to events with today's date and to accesses in which the login UID is 1000.

Listing 3

Combined Search

# ausearch -k hosts-file -ts today -ul 1000
----
time->Tue Jul 1 16:36:00 2014
type=PATH msg=audit(1404225360.791:124138): item=0 name="/etc/hosts"
  inode=2755966 dev=fd:02 mode=0100644 ouid=0 ogid=0 rdev=00:00
  obj=system_u:object_r:net_conf_t:s0 nametype=NORMAL
type=CWD msg=audit(1404225360.791:124138): cwd="/home/tscherf"
type=SYSCALL msg=audit(1404225360.791:124138): arch=c000003e syscall=2
  success=yes exit=3 a0=7fff67b1e9fc a1=0 a2=1fffffffffff0000 a3=3109e85ad0
  items=1 ppid=7144 pid=11992 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000
  fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts6 ses=1748 comm="cat"
  exe="/usr/bin/cat" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key="hosts-file"
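To make the record format behind Listings 2 and 3 concrete, the following is an added Python example; it is not part of the article and not the ausearch tool. It parses constructed audit.log lines modelled on the listings, groups the records of one event by their shared audit(timestamp:serial) identifier, and applies filters equivalent to the -m, -k, -ul, -ts and -te options in code. The sample lines, the second user's records (auid 1001, a denied open) and all serial numbers are constructed; times are rendered in UTC rather than local time as ausearch would.

```python
"""Parse audit.log records and filter them the way ausearch does.

Added example (not from the article, not the ausearch source): shows how
records that share one audit(time:serial) id form an event, and how the
-m / -k / -ul / -ts / -te style filters select events.
"""
import re
from datetime import datetime, timezone

# Constructed sample records modelled on the article's listings. The
# auid=1001 event is made up to show a failed access (success=no).
SAMPLE_LOG = """\
type=USER_LOGIN msg=audit(1403979250.412:116733): pid=31587 uid=0 auid=1000 ses=1445 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=localhost addr=::1 terminal=/dev/pts/9 res=success'
type=SYSCALL msg=audit(1404225360.791:124138): arch=c000003e syscall=2 success=yes exit=3 a0=7fff67b1e9fc a1=0 a2=1fffffffffff0000 a3=3109e85ad0 items=1 ppid=7144 pid=11992 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts6 ses=1748 comm="cat" exe="/usr/bin/cat" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key="hosts-file"
type=CWD msg=audit(1404225360.791:124138): cwd="/home/tscherf"
type=PATH msg=audit(1404225360.791:124138): item=0 name="/etc/hosts" inode=2755966 dev=fd:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:net_conf_t:s0 nametype=NORMAL
type=SYSCALL msg=audit(1404230000.100:124200): arch=c000003e syscall=2 success=no exit=-13 items=1 ppid=7144 pid=12010 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts7 ses=1750 comm="vi" exe="/usr/bin/vi" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key="hosts-file"
type=CWD msg=audit(1404230000.100:124200): cwd="/home/other"
type=PATH msg=audit(1404230000.100:124200): item=0 name="/etc/hosts" inode=2755966 dev=fd:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:net_conf_t:s0 nametype=NORMAL
"""

# Every record starts with its type and the audit(seconds.millis:serial) id.
HEADER = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<sec>\d+)\.(?P<ms>\d+):(?P<serial>\d+)\):\s*(?P<rest>.*)$"
)
# key=value pairs; values may be single-quoted, double-quoted, or bare.
FIELD = re.compile(r"""(\w+)=('[^']*'|"[^"]*"|\S+)""")


def parse_record(line):
    """Return one record as a dict, or None for lines that are not records."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip("\"'") for k, v in FIELD.findall(m.group("rest"))}
    return {
        "type": m.group("type"),
        "time": float(f"{m.group('sec')}.{m.group('ms')}"),
        "serial": int(m.group("serial")),
        "fields": fields,
        "raw": line.strip(),
    }


def load_events(text):
    """Group records into events keyed by (time, serial), oldest first."""
    events = {}
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is not None:
            events.setdefault((rec["time"], rec["serial"]), []).append(rec)
    return [events[k] for k in sorted(events)]


def search(events, msg_type=None, key=None, login_uid=None, start=None, end=None):
    """Event-level filtering modelled on ausearch -m, -k, -ul, -ts and -te.

    An event is kept if any of its records satisfies each given criterion;
    start/end are Unix timestamps (inclusive).
    """
    out = []
    for recs in events:
        t = recs[0]["time"]
        if start is not None and t < start:
            continue
        if end is not None and t > end:
            continue
        if msg_type is not None and not any(r["type"] == msg_type for r in recs):
            continue
        if key is not None and not any(r["fields"].get("key") == key for r in recs):
            continue
        if login_uid is not None and not any(
            r["fields"].get("auid") == str(login_uid) for r in recs
        ):
            continue
        out.append(recs)
    return out


def failed_accesses(events):
    """Defender's view: (auid, exe, path) for every denied syscall in the events."""
    hits = []
    for recs in events:
        paths = [r["fields"].get("name") for r in recs if r["type"] == "PATH"]
        for r in recs:
            if r["type"] == "SYSCALL" and r["fields"].get("success") == "no":
                hits.append((r["fields"].get("auid"), r["fields"].get("exe"), paths[0] if paths else None))
    return hits


def render(events):
    """Print events in the ---- / time-> layout that ausearch uses (UTC here)."""
    lines = []
    for recs in events:
        lines.append("----")
        ts = datetime.fromtimestamp(recs[0]["time"], tz=timezone.utc)
        lines.append("time->" + ts.strftime("%a %b %d %H:%M:%S %Y"))
        lines.extend(r["raw"] for r in recs)
    return "\n".join(lines)


if __name__ == "__main__":
    evs = load_events(SAMPLE_LOG)
    # Equivalent of: ausearch -k hosts-file -ts <1404230000> -ul 1001
    print(render(search(evs, key="hosts-file", login_uid=1001, start=1404230000)))
    print(failed_accesses(evs))
```

The grouping step is the part worth remembering: the SYSCALL, CWD and PATH lines of Listing 3 are three records of one event, and a key or auid filter has to be evaluated across all of them, not line by line, or the PATH record carrying the file name would be dropped from the output.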

Conclusions

The Audit daemon is a very powerful logging framework for Linux systems, and it comes with some prebuilt rulesets, which can serve as a basis for further rules. These ready-made rulesets can be found in the /usr/share/doc/audit/ directory on a Red Hat or Fedora system. To enable a rule, simply copy the file you want to the /etc/audit/ directory.
