Monitoring events with the Audit daemon
Watchful Spirit
Viewing Log Files
The ausearch command can also be used to view the log data in the /var/log/audit/audit.log file. You can use a variety of filters to search specifically for particular events. For example, Listing 2 shows the command that searches the log for user login events and then displays them.
Listing 2
Simple Search
# ausearch -m USER_LOGIN
----
time->Sat Jun 28 20:14:10 2014
type=USER_LOGIN msg=audit(1403979250.412:116733): pid=31587 uid=0 auid=1000 ses=1445 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=localhost addr=::1 terminal=/dev/pts/9 res=success'
With the -ts option, you can look for user logins from a certain point in time; -te, on the other hand, limits the search up to a point in time. To see log entries that were generated on the basis of the previously presented file access rules, use the -k option.
Listing 3 shows an example with a number of options combined. Here, ausearch shows all access attempts on the file connected with the hosts-file key. A similar rule was set up previously using auditctl. The ausearch command is also instructed to limit the output to events with today's date and to user access cases in which the login UID is 1000.
Listing 3
Combined Search
# ausearch -k hosts-file -ts today -ul 1000
----
time->Tue Jul 1 16:36:00 2014
type=PATH msg=audit(1404225360.791:124138): item=0 name="/etc/hosts" inode=2755966 dev=fd:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:net_conf_t:s0 nametype=NORMAL
type=CWD msg=audit(1404225360.791:124138): cwd="/home/tscherf"
type=SYSCALL msg=audit(1404225360.791:124138): arch=c000003e syscall=2 success=yes exit=3 a0=7fff67b1e9fc a1=0 a2=1fffffffffff0000 a3=3109e85ad0 items=1 ppid=7144 pid=11992 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts6 ses=1748 comm="cat" exe="/usr/bin/cat" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key="hosts-file"
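To show what the combined search in Listing 3 actually does with the raw audit.log records, here is an added Python example (not from the article) that parses constructed log lines in the audit.log format, groups the PATH, CWD and SYSCALL records of one event by their shared serial number, and filters by key, login UID and a time window, mirroring -k, -ul, -ts and -te. The sample lines are built from Listing 3 plus an invented second event with a different login UID; the line layout follows the records shown above.

```python
import re
from collections import defaultdict

# Constructed sample in audit.log layout: the three records of the event from
# Listing 3 (same serial 124138) plus an invented root/cron event with the same key.
SAMPLE_LOG = """\
type=PATH msg=audit(1404225360.791:124138): item=0 name="/etc/hosts" inode=2755966 dev=fd:02 mode=0100644 ouid=0 ogid=0 obj=system_u:object_r:net_conf_t:s0 nametype=NORMAL
type=CWD msg=audit(1404225360.791:124138): cwd="/home/tscherf"
type=SYSCALL msg=audit(1404225360.791:124138): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=7144 pid=11992 auid=1000 uid=1000 tty=pts6 ses=1748 comm="cat" exe="/usr/bin/cat" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key="hosts-file"
type=SYSCALL msg=audit(1404225400.123:124140): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=1 pid=42 auid=4294967295 uid=0 tty=(none) ses=4294967295 comm="cron" exe="/usr/sbin/cron" key="hosts-file"
"""

RECORD_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_records(text):
    """Yield (type, epoch, serial, fields) for each well-formed record line."""
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # truncated or foreign line: skip rather than guess
        rtype, epoch, serial, rest = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
        yield rtype, float(epoch), int(serial), fields

def group_events(text):
    """Group records by serial number, as ausearch does when it prints one event."""
    events = defaultdict(lambda: {"time": None, "records": []})
    for rtype, epoch, serial, fields in parse_records(text):
        events[serial]["time"] = epoch
        events[serial]["records"].append((rtype, fields))
    return dict(events)

def search(text, key=None, auid=None, since=None, until=None):
    """Mimic 'ausearch -k KEY -ul AUID -ts SINCE -te UNTIL': matching serials."""
    matches = []
    for serial, ev in sorted(group_events(text).items()):
        t = ev["time"]
        if (since is not None and t < since) or (until is not None and t > until):
            continue
        merged = {}  # key= lives on SYSCALL, name= on PATH: merge the event's fields
        for _, fields in ev["records"]:
            merged.update(fields)
        if key is not None and merged.get("key") != key:
            continue
        if auid is not None and merged.get("auid") != str(auid):
            continue
        matches.append(serial)
    return matches
```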
Conclusions
The Audit daemon is a very powerful logging framework for Linux systems, and it comes with some prebuilt rulesets, which can serve as a basis for further rules. These ready-made rulesets can be found in the /usr/share/doc/audit/ directory on a Red Hat or Fedora system. To enable a rule, simply copy the file you want to the /etc/audit/ directory.