File: group.yml

package: scap-security-guide 0.1.78-1
  • area: main
  • in suites: forky, sid
  • size: 114,600 kB
  • sloc: xml: 245,305; sh: 84,381; python: 33,093; makefile: 27
file content (116 lines), 6,817 bytes
documentation_complete: true

{{% if product == 'rhel10' %}}
{{% set audit_loading_systemd_directive="ExecStart" %}}
{{% set audit_loading_systemd_directive_suffix="=" %}}
{{% set audit_loading_service_file="audit-rules.service" %}}
{{% else %}}
{{% set audit_loading_systemd_directive="ExecStartPost" %}}
{{% set audit_loading_service_file="auditd.service" %}}
{{% set audit_loading_systemd_directive_suffix="=-" %}}
{{% endif %}}

title: 'System Accounting with auditd'

description: |-
    The audit service provides substantial capabilities
    for recording system activities. By default, the service audits
    SELinux AVC denials and certain types of security-relevant events
    such as system logins, account modifications, and authentication
    events performed by programs such as sudo.
    Under its default configuration, <tt>auditd</tt> has modest disk space
    requirements and should not noticeably impact system performance.
    <br /><br />
    NOTE: The Linux Audit daemon <tt>auditd</tt> can be configured to use
    the <tt>augenrules</tt> program to read the audit rules files (<tt>*.rules</tt>)
    located in <tt>/etc/audit/rules.d</tt> and compile them into the resulting
    <tt>/etc/audit/audit.rules</tt> configuration file
    during daemon startup (the default configuration). Alternatively, the <tt>auditd</tt>
    daemon can use the <tt>auditctl</tt> utility to read audit rules from the
    <tt>/etc/audit/audit.rules</tt> configuration file during daemon startup
    and load them into the kernel. The expected behavior is configured via the
    appropriate <tt>{{{ audit_loading_systemd_directive }}}</tt> directive in the
    <tt>/usr/lib/systemd/system/{{{ audit_loading_service_file }}}</tt> configuration file.
    To instruct the <tt>auditd</tt> daemon to use the <tt>augenrules</tt> program
    to read audit rules (the default configuration), use the following setting:
    <br /> <pre>{{{ audit_loading_systemd_directive ~ audit_loading_systemd_directive_suffix }}}/sbin/augenrules --load</pre>
    in the <tt>/usr/lib/systemd/system/{{{ audit_loading_service_file }}}</tt> configuration file.
    To instruct the <tt>auditd</tt> daemon to use the <tt>auditctl</tt>
    utility to read audit rules instead, use the following setting:
    <br /> <pre>{{{ audit_loading_systemd_directive ~ audit_loading_systemd_directive_suffix }}}/sbin/auditctl -R /etc/audit/audit.rules</pre>
    in the <tt>/usr/lib/systemd/system/{{{ audit_loading_service_file }}}</tt> configuration file.
    Refer to the <tt>[Service]</tt> section of the <tt>/usr/lib/systemd/system/{{{ audit_loading_service_file }}}</tt>
    configuration file for further details.
    <br /><br />
    Government networks often have substantial auditing
    requirements, and <tt>auditd</tt> can be configured to meet these
    requirements.
    Examining some example audit records demonstrates how the Linux audit system
    satisfies common requirements.
    The following example from the Red Hat Enterprise Linux 7 documentation, available at
    <tt>{{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/selinux_users_and_administrators_guide/index#sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages") }}}</tt>,
    shows the substantial amount of information captured in
    two typical "raw" audit messages, followed by a breakdown of the most important
    fields. In this example the message is SELinux-related and reports an AVC
    denial (and the associated system call) that occurred when the Apache HTTP
    Server attempted to access the <tt>/var/www/html/file1</tt> file (labeled with
    the <tt>samba_share_t</tt> type):
    <pre>type=AVC msg=audit(1226874073.147:96): avc:  denied  { getattr } for pid=2465 comm="httpd"
    path="/var/www/html/file1" dev=dm-0 ino=284133 scontext=unconfined_u:system_r:httpd_t:s0
    tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file

    type=SYSCALL msg=audit(1226874073.147:96): arch=40000003 syscall=196 success=no exit=-13
    a0=b98df198 a1=bfec85dc a2=54dff4 a3=2008171 items=0 ppid=2463 pid=2465 auid=502 uid=48
    gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=6 comm="httpd"
    exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
    </pre>
    <ul>
    <li><tt>msg=audit(1226874073.147:96)</tt>
    <ul><li>The number in parentheses is the unformatted time stamp (Epoch time)
    for the event, which can be converted to standard time by using the
    <tt>date</tt> command.
    </li></ul>
    </li>
    <li><tt>{ getattr }</tt>
    <ul><li>The item in braces indicates the permission that was denied. <tt>getattr</tt>
    indicates the source process was trying to read the target file's status information.
    This occurs before reading files. The action is denied because the file being
    accessed has the wrong label. Commonly seen permissions include <tt>getattr</tt>,
    <tt>read</tt>, and <tt>write</tt>.</li></ul>
    </li>
    <li><tt>comm="httpd"</tt>
    <ul><li>The executable that launched the process. The full path of the executable is
    found in the <tt>exe=</tt> field of the system call (<tt>SYSCALL</tt>) message,
    which in this case is <tt>exe="/usr/sbin/httpd"</tt>.
    </li></ul>
    </li>
    <li><tt>path="/var/www/html/file1"</tt>
    <ul><li>The path to the object (target) the process attempted to access.
    </li></ul>
    </li>
    <li><tt>scontext="unconfined_u:system_r:httpd_t:s0"</tt>
    <ul><li>The SELinux context of the process that attempted the denied action. In
    this case, it is the SELinux context of the Apache HTTP Server, which is running
    in the <tt>httpd_t</tt> domain.
    </li></ul>
    </li>
    <li><tt>tcontext="unconfined_u:object_r:samba_share_t:s0"</tt>
    <ul><li>The SELinux context of the object (target) the process attempted to access.
    In this case, it is the SELinux context of <tt>file1</tt>. Note: the <tt>samba_share_t</tt>
    type is not accessible to processes running in the <tt>httpd_t</tt> domain.</li>
    </ul>
    </li>
    <li>From the system call (<tt>SYSCALL</tt>) message, two items are of interest:
    <ul><li><tt>success=no</tt>: indicates whether the denial (AVC) was enforced or not.
    <tt>success=no</tt> indicates the system call was not successful (SELinux denied
    access). <tt>success=yes</tt> indicates the system call was successful; this can
    be seen for permissive domains or unconfined domains, such as <tt>initrc_t</tt>
    and <tt>kernel_t</tt>.
    </li>
    <li><tt>exe="/usr/sbin/httpd"</tt>: the full path to the executable that launched
    the process, which in this case is <tt>exe="/usr/sbin/httpd"</tt>.
    </li></ul>
    </li></ul>

platform: system_with_kernel
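The description above covers two things a reviewer of an audited host wants to check: which program the auditd unit uses to load rules (augenrules versus auditctl, with the `=-` form meaning systemd ignores a failure of that command), and how to read the `type=AVC` / `type=SYSCALL` record pair that shares one `msg=audit(<epoch>:<serial>)` event id. The following Python script is an added example written for this page; it is not part of scap-security-guide or of the Red Hat documentation it quotes. The unit-file excerpts are constructed from the two settings quoted in the description, and the sample log is the quoted AVC/SYSCALL pair laid out one record per line as auditd writes it; the function names are this example's own.

```python
import os
import re
from datetime import datetime, timezone

# Constructed [Service] excerpts modelled on the two settings in the text
# (these are not copies of any real auditd.service / audit-rules.service).
UNIT_AUGENRULES = "[Service]\nExecStart=/sbin/auditd\nExecStartPost=-/sbin/augenrules --load\n"
UNIT_AUDITCTL = ("[Service]\nExecStart=/sbin/auditd\n"
                 "ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules\n")
LOADERS = {"augenrules", "auditctl"}


def audit_rules_loader(unit_text):
    """Return (loader, directive) for the first ExecStart/ExecStartPost line in
    [Service] that runs augenrules or auditctl, else (None, None). systemd's
    exec prefixes ('-' ignore failure, '@', ':', '+', '!') are stripped first."""
    section = None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        if section != "Service" or not sep or key.strip() not in ("ExecStart", "ExecStartPost"):
            continue
        argv = value.strip().lstrip("-@:+!").split()
        if argv and os.path.basename(argv[0]) in LOADERS:
            return os.path.basename(argv[0]), key.strip()
    return None, None


# Constructed sample: the AVC denial and its SYSCALL record quoted in the
# description, one record per line as they appear in /var/log/audit/audit.log.
SAMPLE_AUDIT_LOG = (
    'type=AVC msg=audit(1226874073.147:96): avc:  denied  { getattr } for pid=2465 '
    'comm="httpd" path="/var/www/html/file1" dev=dm-0 ino=284133 '
    'scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file\n'
    'type=SYSCALL msg=audit(1226874073.147:96): arch=40000003 syscall=196 success=no exit=-13 '
    'a0=b98df198 a1=bfec85dc a2=54dff4 a3=2008171 items=0 ppid=2463 pid=2465 auid=502 uid=48 '
    'gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=6 comm="httpd" '
    'exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)\n'
)

MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")   # event id: epoch time and serial
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')              # key=value or key="quoted value"
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}")  # decision + permissions


def parse_record(line):
    """Split one raw record into its type, (epoch, serial) event id and the
    remaining key=value fields; AVC records also get decision/permissions."""
    m = MSG_RE.search(line)
    if not m:
        raise ValueError("not an audit record: %r" % line)
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields.pop("msg", None)
    rec = {"type": fields.pop("type"), "epoch": float(m.group(1)),
           "serial": int(m.group(2)), "fields": fields}
    avc = AVC_RE.search(line)
    if avc:
        rec["decision"], rec["permissions"] = avc.group(1), avc.group(2).split()
    return rec


def summarize_denials(log_text):
    """Join each AVC denial with the SYSCALL record of the same event (same
    epoch and serial) into one summary carrying the fields the text explains."""
    events = {}
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_record(line)
            events.setdefault((rec["epoch"], rec["serial"]), {})[rec["type"]] = rec
    out = []
    for (epoch, serial), recs in sorted(events.items()):
        avc = recs.get("AVC")
        if not avc or avc.get("decision") != "denied":
            continue
        sc = recs.get("SYSCALL", {"fields": {}})["fields"]
        out.append({
            "serial": serial,
            # the epoch from msg=audit(...) converted like `date -d @<epoch>`, in UTC
            "time": datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat(),
            "permissions": avc["permissions"],
            "comm": avc["fields"].get("comm"),
            "exe": sc.get("exe"),                 # full path lives in the SYSCALL record
            "path": avc["fields"].get("path"),
            "scontext": avc["fields"].get("scontext"),
            "tcontext": avc["fields"].get("tcontext"),
            "enforced": sc.get("success") == "no",  # success=yes: permissive/unconfined domain
        })
    return out
```

Running `summarize_denials(SAMPLE_AUDIT_LOG)` yields one entry for serial 96: permission `getattr`, `comm` httpd, `exe` /usr/sbin/httpd, the `samba_share_t` target context and `enforced` True (from `success=no`), with the epoch rendered as a UTC timestamp. `audit_rules_loader` reports `("augenrules", "ExecStartPost")` for the default unit and `("auditctl", "ExecStartPost")` for the alternative; on rhel10 the same function handles the `ExecStart=` form because the directive name is only used to locate the line.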