« Previous 1 2
Monitoring events with the Audit daemon
Watchful Spirit
Viewing Log Files
The ausearch command can also be used to view the log data in the /var/log/audit/audit.log file. You can use a variety of filters to search specifically for particular events. For example, Listing 2 shows the command that searches the log for user login events and then displays them.
Listing 2
Simple Search
# ausearch -m USER_LOGIN ---- time->Sat Jun 28 20:14:10 2014 type=USER_LOGIN msg=audit(1403979250.412:116733): pid=31587 uid=0 auid=1000 ses=1445 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=localhost addr=::1 terminal=/dev/pts/9 res=success'
With the -ts option, you can look for user logins from a certain point in time; -te, on the other hand, limits the search up to a point in time. To see log entries that were generated on the basis of the previously presented file access rules, use the -k option.
Listing 3 shows an example with a number of options combined. Here, ausearch shows all access attempts on the file connected with the hosts-file key. A similar rule was set up previously using auditctl. The ausearch command also is instructed to limit the output to events with today's date and to user access cases in which the login UID is 1000.
Listing 3
Combined Search
# ausearch -k hosts-file -ts today -ul 1000 ---- time->Tue Jul 1 16:36:00 2014 type=PATH msg=audit(1404225360.791:124138): item=0 name="/etc/hosts" inode=2755966 dev=fd:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:net_conf_t:s0 nametype=NORMAL type=CWD msg=audit(1404225360.791:124138): cwd="/home/tscherf" type=SYSCALL msg=audit(1404225360.791:124138): arch=c000003e syscall=2 success=yes exit=3 a0=7fff67b1e9fc a1=0 a2=1fffffffffff0000 a3=3109e85ad0 items=1 ppid=7144 pid=11992 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts6 ses=1748 comm="cat" exe="/usr/bin/cat" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key="hosts-file"
Conclusions
The Audit daemon is a very powerful logging framework for Linux systems, and it comes with some prebuilt rulesets, which can serve as a basis for further rules. These ready-made rulesets can be found in the /usr/share/doc/audit/ directory on a Red Hat or Fedora system. To enable a rule, simply copy the file you want to the /etc/audit/ directory. @LE"
« Previous 1 2
Buy this article as PDF
(incl. VAT)
Buy ADMIN Magazine
US / Canada
UK / Australia
Related content
-
Auditing Docker Containers in a DevOps Environment
The handy auditd package can help track down weaknesses in your system before, during, or after an attack. -
Investigating container security with auditd
The handy auditd package can help track down weaknesses in your system before, during, or after an attack. -
Managing containers with Podman
The Podman container management tool does not use a daemon in the background, like its counterpart Docker, and can operate in non-privileged mode. -
Monitoring changes in Active Directory with built-in tools
Monitoring with built-in Windows tools can prevent the worst from happening after an attempted attack.