
    Friday, May 03, 2013

    Using audit in Linux to track system changes and unauthorized access

    The 2.6 Linux kernel can log events such as system calls and file access. An administrator can then review these logs to spot possible security breaches, such as failed login attempts or a user trying to reach system files they are not permitted to access. This functionality is called the Linux Auditing System.

    Make sure the audit package is installed on your machine:
    # rpm -qa | grep audit
    If it is missing, you can install it on Red Hat machines using:
    # yum install audit

    Keeping track of any directory or file (visits and changes)

    The Linux Auditing System also allows administrators to watch files and directories. If a watch is placed on a file or directory, successful and failed actions such as opening and executing the file or directory are logged.

    Creating an audit rule

    # vi /etc/audit/audit.rules
    # Feel free to add below this line. See auditctl man page
    -w /home/deepak/test -k TEST

    -w : adds a watch on the given file or directory
    -k : assigns a key (a filter string) to the rule, which makes the matching entries easy to pick out when generating reports
    # /etc/init.d/auditd restart
    Stopping auditd:                                           [  OK  ]
    Starting auditd:                                           [  OK  ]

    Now we will access the directory and make some changes so that we can cross-verify them against the audit log.

    I will log in as a different user
    # su - deepak

    $ cd test
    $ pwd
    /home/deepak/test
    $ touch myfile
    $ ls

    Now let's check the audit logs. (This is only a part of my log file.)
    # cat /var/log/audit/audit.log | grep TEST
    type=SYSCALL msg=audit(1367571999.615:46623): syscall=229 success=no exit=-61 a0=bfa2d2b0 a1=abdafc a2=bfa2d25c a3=14 items=1 ppid=11639 pid=11750 auid=500 uid=500 gid=501 euid=500 suid=500 fsuid=500 egid=501 sgid=501 fsgid=501 tty=pts3 ses=7643 comm="ls" exe="/bin/ls" key="TEST"

    As you can see, you CAN get all the required information from the raw log, but it is messy and you will have to dig a lot to extract anything useful. A simpler and cleaner way to get the same information is aureport, which filters and summarises the log for you:
    # aureport -k -i | grep TEST

    Key Report
    ===============================================
    # date time key success exe auid event
    ===============================================
    108. 05/03/2013 14:39:46 TEST yes /bin/touch deepak 46629
    109. 05/03/2013 14:39:59 TEST yes /bin/ls deepak 46633

    So as you can see a successful attempt was made to access the test directory by user deepak and the commands used are also listed out.
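To make the raw log less opaque, here is an added example (not code from the post) that does by hand what `aureport -k -i` does: it parses raw `audit.log` records into fields, groups the SYSCALL/CWD/PATH records that share one event serial, filters on the key, and decodes the `exit=-61` of the failing `ls` record into an errno name. The sample records are constructed in the layout of the post's log line, and the `uid_names` mapping stands in for the `/etc/passwd` lookup that `-i` performs on the audited host.

```python
import errno
import re
from datetime import datetime, timezone

# Constructed sample in the layout of /var/log/audit/audit.log. The "ls" record
# mirrors the post's raw line (success=no exit=-61); the "touch" record, its
# CWD/PATH companions and the unrelated "cat" record are made up.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1367571986.102:46629): syscall=5 success=yes exit=3 a0=bfa2d2b0 a1=8941 a2=1b6 a3=0 items=2 ppid=11639 pid=11748 auid=500 uid=500 gid=501 euid=500 suid=500 fsuid=500 egid=501 sgid=501 fsgid=501 tty=pts3 ses=7643 comm="touch" exe="/bin/touch" key="TEST"
type=CWD msg=audit(1367571986.102:46629):  cwd="/home/deepak/test"
type=PATH msg=audit(1367571986.102:46629): item=0 name="myfile" inode=131074 dev=08:02 mode=0100644 ouid=500 ogid=501 rdev=00:00 key="TEST"
type=SYSCALL msg=audit(1367571999.615:46633): syscall=229 success=no exit=-61 a0=bfa2d2b0 a1=abdafc a2=bfa2d25c a3=14 items=1 ppid=11639 pid=11750 auid=500 uid=500 gid=501 euid=500 suid=500 fsuid=500 egid=501 sgid=501 fsgid=501 tty=pts3 ses=7643 comm="ls" exe="/bin/ls" key="TEST"
type=SYSCALL msg=audit(1367572010.001:46640): syscall=5 success=yes exit=4 a0=0 a1=0 a2=0 a3=0 items=1 ppid=1 pid=2000 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="cat" exe="/bin/cat" key="OTHER"
"""

# Header common to every record: the type, then "audit(<epoch>.<ms>:<serial>):".
HEADER_RE = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
# name=value pairs; a quoted value may contain spaces, so quotes are matched first.
FIELD_RE = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")


def parse_record(line):
    """Turn one raw audit line into a dict, or return None if it is not a record."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rec = {
        "type": m.group("type"),
        "time": datetime.fromtimestamp(float(m.group("ts")), tz=timezone.utc),
        "serial": int(m.group("serial")),  # the "event" number aureport prints
    }
    for name, value in FIELD_RE.findall(m.group("body")):
        rec[name] = value.strip("\"'")
    return rec


def group_events(log_text):
    """Group the records sharing one serial into one event (SYSCALL + CWD + PATH ...)."""
    events = {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            events.setdefault(rec["serial"], []).append(rec)
    return events


def key_report(log_text, key, uid_names=None):
    """Rows shaped like `aureport -k -i`: (time, key, success, exe, auid, event).

    uid_names maps a numeric auid string to a login name (hypothetical stand-in
    for the passwd lookup done by -i); unknown uids are left numeric."""
    uid_names = uid_names or {}
    rows = []
    for serial, recs in sorted(group_events(log_text).items()):
        syscall = next((r for r in recs if r["type"] == "SYSCALL"), None)
        if syscall is None or syscall.get("key") != key:
            continue
        rows.append((
            syscall["time"].strftime("%m/%d/%Y %H:%M:%S"),
            key,
            syscall.get("success"),
            syscall.get("exe"),
            uid_names.get(syscall.get("auid"), syscall.get("auid")),
            serial,
        ))
    return rows


def failure_reason(record):
    """Decode a failed SYSCALL record's negative exit value into an errno name.

    On Linux exit=-61 is ENODATA: ls asked for an extended attribute the file
    does not carry. That is harmless, which is why a success=no entry under a
    watch needs decoding before it is treated as an access violation."""
    if record.get("success") != "no":
        return None
    code = -int(record["exit"])
    return errno.errorcode.get(code, "errno %d" % code)


def paths_touched(log_text, key):
    """File names from the PATH records of every event carrying the key."""
    names = []
    for recs in group_events(log_text).values():
        if any(r.get("key") == key for r in recs):
            names.extend(r["name"] for r in recs if r["type"] == "PATH" and "name" in r)
    return names


if __name__ == "__main__":
    for row in key_report(SAMPLE_LOG, "TEST", {"500": "deepak"}):
        print(*row)
    ls_call = group_events(SAMPLE_LOG)[46633][0]
    print("ls failed with", failure_reason(ls_call))
```

Run against a real `/var/log/audit/audit.log` the same functions work unchanged, since each record keeps the `type=... msg=audit(ts:serial): field=value ...` layout; only the sample input and the uid mapping are constructed here.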

    Keeping track of all the login attempts

    This command shows all successful logins, along with the host IP address each one came from.
    # aureport -au -i --success

    Authentication Report
    ============================================
    # date time acct host term exe success event
    ============================================
    1. 10/12/2013 17:56:50 root ? :0 /usr/libexec/gdm-session-worker yes 19
    2. 10/12/2013 18:07:10 root 10.10.10.54 ssh /usr/sbin/sshd yes 41
    3. 10/12/2013 18:07:10 root 10.10.10.40 ssh /usr/sbin/sshd yes 44
    4. 10/15/2013 10:45:10 root 10.10.10.67 ssh /usr/sbin/sshd yes 481
    5. 10/15/2013 10:45:10 root 10.10.10.234 ssh /usr/sbin/sshd yes 484
    6. 10/15/2013 10:47:49 root 10.10.10.34 ssh /usr/sbin/sshd yes 498
    7. 10/15/2013 10:47:49 root 10.10.10.67 ssh /usr/sbin/sshd yes 501

    This command will show all the failed login attempts
    # aureport -au -i --failed

    Authentication Report
    ============================================
    # date time acct host term exe success event
    ============================================
    1. 03/26/2013 14:25:33 root 10.10.10.40 ssh /usr/sbin/sshd no 7256
    2. 03/26/2013 14:25:33 root 10.10.10.40 ssh /usr/sbin/sshd no 7257
    3. 03/26/2013 14:25:38 root 10.10.10.40 ssh /usr/sbin/sshd no 7258
    4. 03/26/2013 14:25:38 root 10.10.10.40 ssh /usr/sbin/sshd no 7259
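Reading a failed-login report by eye does not scale, so here is an added example (not code from the post) that parses the tabular output of `aureport -au -i --failed` and turns it into two things worth acting on: a count of failures per source host, and a sliding-window check that flags any host producing several failures in a short interval, the shape of the four rows above. The report text is constructed from the post's rows plus one made-up row; the threshold and window are assumptions to tune for your own environment.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample in the layout of `aureport -au -i --failed` output: rows
# 1-4 are those shown in the post, row 5 is made up.
FAILED_REPORT = """\
Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 03/26/2013 14:25:33 root 10.10.10.40 ssh /usr/sbin/sshd no 7256
2. 03/26/2013 14:25:33 root 10.10.10.40 ssh /usr/sbin/sshd no 7257
3. 03/26/2013 14:25:38 root 10.10.10.40 ssh /usr/sbin/sshd no 7258
4. 03/26/2013 14:25:38 root 10.10.10.40 ssh /usr/sbin/sshd no 7259
5. 03/26/2013 16:02:11 deepak 10.10.10.67 ssh /usr/sbin/sshd no 7301
"""

# Column order of the Authentication Report, as printed in its "#" header line.
COLUMNS = ("num", "date", "time", "acct", "host", "term", "exe", "success", "event")


def parse_auth_report(text):
    """Parse the data rows of an aureport Authentication Report.

    The title, the "=====" rules and the "# date time ..." header are skipped
    because they do not have nine whitespace-separated columns starting with a
    row number."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(COLUMNS) or not parts[0].rstrip(".").isdigit():
            continue
        row = dict(zip(COLUMNS, parts))
        row["when"] = datetime.strptime(row["date"] + " " + row["time"], "%m/%d/%Y %H:%M:%S")
        row["event"] = int(row["event"])
        rows.append(row)
    return rows


def failures_by_host(rows):
    """Count failed authentications per source host (rows with success == "no")."""
    return Counter(r["host"] for r in rows if r["success"] == "no")


def failure_bursts(rows, threshold=3, window=timedelta(minutes=1)):
    """Hosts with at least `threshold` failures inside any sliding `window`.

    Returns {host: largest number of failures seen in one window}. Both the
    threshold and the window are assumed values; a single mistyped password
    should not trip them, a run of attempts seconds apart should."""
    stamps_by_host = defaultdict(list)
    for r in rows:
        if r["success"] == "no":
            stamps_by_host[r["host"]].append(r["when"])
    bursts = {}
    for host, stamps in stamps_by_host.items():
        stamps.sort()
        j = 0  # right edge of the window; only moves forward because stamps are sorted
        for i in range(len(stamps)):
            while j < len(stamps) and stamps[j] - stamps[i] <= window:
                j += 1
            count = j - i
            if count >= threshold:
                bursts[host] = max(bursts.get(host, 0), count)
    return bursts


def targeted_accounts(rows):
    """Which accounts the failed attempts were aimed at (root-only bursts are a common pattern)."""
    return Counter(r["acct"] for r in rows if r["success"] == "no")


if __name__ == "__main__":
    parsed = parse_auth_report(FAILED_REPORT)
    print("failures by host:", dict(failures_by_host(parsed)))
    print("targeted accounts:", dict(targeted_accounts(parsed)))
    print("bursts:", failure_bursts(parsed))
```

Feeding the live output in is a one-liner on the audited host (`aureport -au -i --failed | python3 this_script.py` with `sys.stdin.read()` in place of `FAILED_REPORT`); the same parser also handles the `--success` report, since both share the nine-column layout.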

    Keeping track of all events by a user

    Here 501 is the uid of user "deepak", which you can check using the id command as shown below
    # id deepak
    uid=501(deepak) gid=501(TEST\users) groups=501(TEST\users)

    # ausearch -ui 501 --interpret
    ----
    type=USER_LOGIN msg=audit(01/27/14 22:30:06.451:798782) : user pid=9755 uid=root auid=deepak msg='uid=deepak exe=/usr/sbin/sshd (hostname=server1.example.com, addr=210.12.324.154, terminal=/dev/pts/5 res=success)'
    ----
    type=USER_LOGIN msg=audit(01/27/14 22:34:25.079:798813) : user pid=10101 uid=root auid=deepak msg='uid=deepak exe=/usr/sbin/sshd (hostname=server1.example.com, addr=210.12.324.154, terminal=/dev/pts/6 res=success)'
    ----
    type=USER_LOGIN msg=audit(01/28/14 05:44:48.722:801728) : user pid=6623 uid=root auid=deepak msg='uid=deepak exe=/usr/sbin/sshd (hostname=server1.example.com, addr=210.12.324.154, terminal=/dev/pts/7 res=success)'
    ----

    Keeping track of all events for a specific date and time

    # ausearch -ui 501 --start 02/01/14 00:00:00 --end 02/02/14 00:00:00
    ----
    time->Fri Jan 31 23:43:18 2014
    type=USER_LOGIN msg=audit(1391229798.400:838010): user pid=3615 uid=0 auid=501 msg='uid=501: exe="/usr/sbin/sshd" (hostname=server1.example.com, addr=210.12.324.154, terminal=/dev/pts/4 res=success)'
    ----
    time->Sat Feb  1 01:16:43 2014
    type=USER_LOGIN msg=audit(1391235403.305:838649): user pid=10238 uid=0 auid=501 msg='uid=501: exe="/usr/sbin/sshd" (hostname=server1.example.com, addr=210.12.324.154, terminal=/dev/pts/4 res=success)'

    Keeping track of all the events related to account modifications

    # aureport -m

    Account Modifications Report
    =================================================
    # date time auid addr term exe acct success event
    =================================================
    1. 05/03/2013 13:52:39 0 ? pts/1 /usr/sbin/useradd deepak yes 46449
    2. 05/03/2013 13:52:39 0 ? pts/1 /usr/sbin/useradd ? yes 46451
    3. 05/03/2013 13:52:39 0 ? pts/1 /usr/sbin/useradd ? yes 46452
    4. 05/03/2013 13:52:47 0 ? pts/1 /usr/bin/passwd deepak yes 46473
    5. 05/03/2013 13:52:47 0 ? pts/1 /usr/bin/passwd ? yes 46474

    To list a summary of all the audit reports

    # aureport

    Summary Report
    ======================
    Range of time in logs: 10/12/2012 17:44:28.795 - 05/03/2013 14:56:20.388
    Selected time for report: 10/12/2012 17:44:28 - 05/03/2013 14:56:20.388
    Number of changes in configuration: 17
    Number of changes to accounts, groups, or roles: 5
    Number of logins: 27
    Number of failed logins: 3
    Number of authentications: 59
    Number of failed authentications: 4
    Number of users: 3
    Number of terminals: 14
    Number of host names: 3
    Number of executables: 20
    Number of files: 12
    Number of AVC's: 1
    Number of MAC events: 8
    Number of failed syscalls: 29
    Number of anomaly events: 2
    Number of responses to anomaly events: 0
    Number of crypto events: 567
    Number of keys: 3
    Number of process IDs: 7294
    Number of events: 47522

    To produce results in a more human-readable format, such as replacing UIDs with the usernames they map to, also use the -i option:
    # aureport -<flag> -i
    To display the start and stop times for each log, add the -t option:
    # aureport -<flag> -i -t
    To display only failed events use --failed; notice this option is prefixed with two dashes instead of one:
    # aureport -<flag> -i --failed
    To display only successful events use --success; notice this option is prefixed with two dashes instead of one:
    # aureport -<flag> -i --success
    To produce reports from a log file other than the default, specify it with the -if option:
    # aureport -<flag> -i -if /var/log/audit/audit.log.1
    To list all the available flags that can be used with aureport
    # aureport --help
    To list all the rules
    # auditctl -l
    LIST_RULES: exit,always dir=/home/deepak/test (0x11) key=TEST

