Using audit in Linux to track system changes and unauthorized access

The 2.6 Linux kernel (and every later kernel) can log events such as system calls and file access. An administrator can then review these logs to determine possible security breaches such as failed login attempts or a user trying to read system files they are not allowed to access. This functionality is called the Linux Auditing System: the kernel generates the records and the userspace daemon auditd writes them to /var/log/audit/audit.log, where the tools shown below (auditctl, ausearch, aureport) work with them.
Make sure the audit package is installed on your machine:

# rpm -qa | grep audit

On Red Hat machines you can install it using yum:

NOTE:

On a RHEL system you must have an active subscription to RHN, or you can configure a local offline repository from which the "yum" package manager can install the provided rpm and its dependencies.

# yum install audit

Also make sure the auditd service is enabled at boot (chkconfig auditd on, on these init-script based systems), otherwise nothing is recorded after the next reboot.


Keeping track of any directory or file (visits and changes)

The Linux Auditing System also allows administrators to watch files and directories. If a watch is placed on a file or directory, successful and failed actions such as opening, reading, writing or executing it are logged. A watch on a directory also covers the files inside it, which is why creating a file in the watched directory produces an event in the example below.

Creating an audit rule

# vi /etc/audit/audit.rules
# Feel free to add below this line. See auditctl man page
-w /home/deepak/test -k TEST
-w : add a watch for the given file or directory
-k : assign a key to the rule, which makes filtering the logs and reports (ausearch -k, aureport -k) much simpler

Without -p the watch records every read, write, execute and attribute change; add -p with any combination of r, w, x and a to restrict it (for example -p wa on a sensitive file such as /etc/shadow logs only writes and attribute changes). Rules in this file are loaded when auditd starts; to apply a rule immediately without a restart, pass the same arguments to auditctl (auditctl -w /home/deepak/test -k TEST) and confirm it with auditctl -l. On newer releases that ship augenrules, rules belong in /etc/audit/rules.d/*.rules instead.

Restart the auditd service so the new rule is loaded

# /etc/init.d/auditd restart
Stopping auditd:                                           [  OK  ]
Starting auditd:                                           [  OK  ]

(On later releases use service auditd restart; auditd deliberately refuses to be restarted through systemctl.)

Now we will access the watched directory and make a change in it to verify that the audit log picks it up. I will log in as a different user:

# su - deepak
$ cd test
$ pwd
/home/deepak/test
$ touch myfile
$ ls

Now let's check the audit logs (this is part of my log file):

# grep TEST /var/log/audit/audit.log
type=SYSCALL msg=audit(1367571999.615:46623): syscall=229 success=no exit=-61 a0=bfa2d2b0 a1=abdafc a2=bfa2d25c a3=14 items=1 ppid=11639 pid=11750 auid=500 uid=500 gid=501 euid=500 suid=500 fsuid=500 egid=501 sgid=501 fsgid=501 tty=pts3 ses=7643 comm="ls" exe="/bin/ls" key="TEST"

As you can see you CAN get all the required information from the raw log, but it is messy and you have to dig to get anything useful out of it: syscall numbers and error codes are not decoded (here syscall 229 is getxattr on 32-bit x86 and exit -61 is ENODATA, so this "failed" record is ls asking for an extended attribute that does not exist, not a denied access to the directory), and users appear only as numeric ids. ausearch -k TEST -i interprets those fields for you, and a simpler and cleaner way to get a summary of the same thing is aureport:

# aureport -k -i | grep TEST
Key Report
===============================================
# date time key success exe auid event
===============================================
108. 05/03/2013 14:39:46 TEST yes /bin/touch deepak 46629
109. 05/03/2013 14:39:59 TEST yes /bin/ls deepak 46633

So as you can see, user deepak successfully accessed the test directory, and the commands used (touch, ls) are listed as well. The event number in the last column can be passed to ausearch -a to pull up the full record for any line of the report.

Keeping track of all the login attempts

aureport -au prints the authentication report. With --success it shows every successful authentication, together with the source host/IP address, the terminal and the program that performed it:

# aureport -au -i --success
Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 10/12/2013 17:56:50 root ? :0 /usr/libexec/gdm-session-worker yes 19
 2. 10/12/2013 18:07:10 root 10.10.10.54 ssh /usr/sbin/sshd yes 41
3. 10/12/2013 18:07:10 root 10.10.10.40 ssh /usr/sbin/sshd yes 44
4. 10/15/2013 10:45:10 root 10.10.10.67 ssh /usr/sbin/sshd yes 481
5. 10/15/2013 10:45:10 root 10.10.10.234 ssh /usr/sbin/sshd yes 484
6. 10/15/2013 10:47:49 root 10.10.10.34 ssh /usr/sbin/sshd yes 498
7. 10/15/2013 10:47:49 root 10.10.10.67 ssh /usr/sbin/sshd yes 501

With --failed it shows all failed authentication attempts (here four failed ssh logins as root from 10.10.10.40 within five seconds, the pattern to look for when checking for password guessing):

# aureport -au -i --failed
Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 03/26/2013 14:25:33 root 10.10.10.40 ssh /usr/sbin/sshd no 7256
2. 03/26/2013 14:25:33 root 10.10.10.40 ssh /usr/sbin/sshd no 7257
3. 03/26/2013 14:25:38 root 10.10.10.40 ssh /usr/sbin/sshd no 7258
4. 03/26/2013 14:25:38 root 10.10.10.40 ssh /usr/sbin/sshd no 7259
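Both the raw watch record shown earlier and these authentication records use the same key=value layout throughout audit.log, so the columns that aureport -k and aureport -au pull out can also be extracted with plain awk on a log collector that has no aureport or ausearch installed. The following is an added example, not code from the original article: it parses constructed sample records (made-up PIDs, users and addresses in the format shown above) and provides a per-key report for the file watch plus a count of failed authentications per source address that flags the repeated ssh failures reported in this section.

```shell
#!/bin/sh
# Added example (not from the original article): extract the useful fields
# from raw audit.log records with plain awk, for hosts or log collectors
# that do not have aureport/ausearch.  sample_log below is constructed
# data in audit.log format; PIDs, users and addresses are made up.

# Shared awk helper: val(NAME) returns the value of the NAME=VALUE field of
# the current record with surrounding "..." or '...' quoting removed, or "?"
# when the field is absent.  Record fields are space separated, and the
# msg='...' payload of USER_AUTH records splits into key=value fields too.
AUDIT_AWK_LIB='
function val(name,    i, k, v) {
    for (i = 1; i <= NF; i++) {
        k = $i; sub(/=.*/, "", k)
        if (k == name) {
            v = $i; sub(/^[^=]*=/, "", v)
            gsub(/"/, "", v); gsub("\047", "", v)
            return v
        }
    }
    return "?"
}
'

# Print the SYSCALL records carrying audit key $2 from log file $1, one per
# line: success exe auid comm (the columns aureport -k shows, minus the time).
key_report() {
    awk -v want="$2" "$AUDIT_AWK_LIB"'
        $1 == "type=SYSCALL" && val("key") == want {
            print val("success"), val("exe"), val("auid"), val("comm")
        }' "$1"
}

# Count failed PAM authentications (USER_AUTH records with res=failed) per
# source address in log file $1, most frequent first: "<count> <addr>".
failed_auth_by_host() {
    awk "$AUDIT_AWK_LIB"'
        $1 == "type=USER_AUTH" && val("res") == "failed" { n[val("addr")]++ }
        END { for (a in n) print n[a], a }' "$1" | sort -rn
}

# Crude brute-force check: exit 0 and list the offending addresses when any
# source has at least $2 failed authentications in log file $1, else exit 1.
failed_auth_alert() {
    failed_auth_by_host "$1" | awk -v t="$2" '$1 >= t { print; found = 1 } END { exit !found }'
}

# Constructed sample records (not real log data): two watch hits for key
# TEST, one for another key, four failed root logins from one address, one
# failed and one successful login for deepak from another.
sample_log() {
    cat <<'EOF'
type=SYSCALL msg=audit(1367571986.102:46629): arch=40000003 syscall=5 success=yes exit=3 a0=bfa2d2b0 a1=8041 a2=1b6 a3=14 items=1 ppid=11639 pid=11748 auid=500 uid=500 gid=501 euid=500 suid=500 fsuid=500 egid=501 sgid=501 fsgid=501 tty=pts3 ses=7643 comm="touch" exe="/bin/touch" key="TEST"
type=SYSCALL msg=audit(1367571999.615:46633): arch=40000003 syscall=229 success=no exit=-61 a0=bfa2d2b0 a1=abdafc a2=bfa2d25c a3=14 items=1 ppid=11639 pid=11750 auid=500 uid=500 gid=501 euid=500 suid=500 fsuid=500 egid=501 sgid=501 fsgid=501 tty=pts3 ses=7643 comm="ls" exe="/bin/ls" key="TEST"
type=SYSCALL msg=audit(1367572010.001:46640): arch=40000003 syscall=5 success=yes exit=4 a0=bfa2d2b0 a1=8000 a2=0 a3=14 items=1 ppid=11639 pid=11760 auid=500 uid=500 gid=501 euid=500 suid=500 fsuid=500 egid=501 sgid=501 fsgid=501 tty=pts3 ses=7643 comm="cat" exe="/bin/cat" key="OTHER"
type=USER_AUTH msg=audit(1364293533.100:7256): user pid=4410 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="root" exe="/usr/sbin/sshd" hostname=10.10.10.40 addr=10.10.10.40 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1364293533.200:7257): user pid=4410 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="root" exe="/usr/sbin/sshd" hostname=10.10.10.40 addr=10.10.10.40 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1364293538.300:7258): user pid=4412 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="root" exe="/usr/sbin/sshd" hostname=10.10.10.40 addr=10.10.10.40 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1364293538.400:7259): user pid=4412 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="root" exe="/usr/sbin/sshd" hostname=10.10.10.40 addr=10.10.10.40 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1364293540.500:7260): user pid=4415 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="deepak" exe="/usr/sbin/sshd" hostname=10.10.10.54 addr=10.10.10.54 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1364293545.600:7261): user pid=4415 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="deepak" exe="/usr/sbin/sshd" hostname=10.10.10.54 addr=10.10.10.54 terminal=ssh res=success'
EOF
}

# Usage against the constructed sample (point the functions at
# /var/log/audit/audit.log on a real host):
#   sample_log > /tmp/audit.sample
#   key_report /tmp/audit.sample TEST        # yes /bin/touch 500 touch ...
#   failed_auth_by_host /tmp/audit.sample    # 4 10.10.10.40 ...
#   failed_auth_alert /tmp/audit.sample 3 && echo "possible password guessing"
```

The auid of 4294967295 in the USER_AUTH records is the "unset" login uid: sshd has not yet established a session when PAM authentication fails, so the source address, not the auid, is the field to group on for this check.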

 

Keeping track of all events by a user

Here 501 is the uid of user "deepak", which you can check with the id command as shown below. ausearch -ui matches the uid field of each record; to catch everything a person did after su or sudo, search on the login uid instead (-ul 501), since auid is set at login and is preserved across privilege changes.

# id deepak
uid=501(deepak) gid=501(TESTusers) groups=501(TESTusers)
# ausearch -ui 501 --interpret
----
type=USER_LOGIN msg=audit(01/27/14 22:30:06.451:798782) : user pid=9755 uid=root auid=deepak msg='uid=deepak exe=/usr/sbin/sshd (hostname=server1.example.com, addr=210.12.324.154, terminal=/dev/pts/5 res=success)'
----
type=USER_LOGIN msg=audit(01/27/14 22:34:25.079:798813) : user pid=10101 uid=root auid=deepak msg='uid=deepak exe=/usr/sbin/sshd (hostname=server1.example.com, addr=210.12.324.154, terminal=/dev/pts/6 res=success)'
----
type=USER_LOGIN msg=audit(01/28/14 05:44:48.722:801728) : user pid=6623 uid=root auid=deepak msg='uid=deepak exe=/usr/sbin/sshd (hostname=server1.example.com, addr=210.12.324.154, terminal=/dev/pts/7 res=success)'
----

 

Keeping track of all events for a specific date and time

--start and --end take a date and a time (the date in the format of your locale, here mm/dd/yy); ausearch also accepts keywords such as today, yesterday, recent and this-week in their place.
# ausearch -ui 501 --start 02/01/14 00:00:00 --end 02/02/14 00:00:00
----
time->Fri Jan 31 23:43:18 2014
type=USER_LOGIN msg=audit(1391229798.400:838010): user pid=3615 uid=0 auid=501 msg='uid=501: exe="/usr/sbin/sshd" (hostname=server1.example.com, addr=210.12.324.154, terminal=/dev/pts/4 res=success)'
----
time->Sat Feb  1 01:16:43 2014
type=USER_LOGIN msg=audit(1391235403.305:838649): user pid=10238 uid=0 auid=501 msg='uid=501: exe="/usr/sbin/sshd" (hostname=server1.example.com, addr=210.12.324.154, terminal=/dev/pts/4 res=success)'

 

Keeping track of all the events related to account modifications

# aureport -m
Account Modifications Report
=================================================
# date time auid addr term exe acct success event
=================================================
1. 05/03/2013 13:52:39 0 ? pts/1 /usr/sbin/useradd deepak yes 46449
2. 05/03/2013 13:52:39 0 ? pts/1 /usr/sbin/useradd ? yes 46451
3. 05/03/2013 13:52:39 0 ? pts/1 /usr/sbin/useradd ? yes 46452
4. 05/03/2013 13:52:47 0 ? pts/1 /usr/bin/passwd deepak yes 46473
5. 05/03/2013 13:52:47 0 ? pts/1 /usr/bin/passwd ? yes 46474

 

To display a summary of everything in the logs, run aureport with no options

# aureport
Summary Report
======================
Range of time in logs: 10/12/2012 17:44:28.795 - 05/03/2013 14:56:20.388
Selected time for report: 10/12/2012 17:44:28 - 05/03/2013 14:56:20.388
Number of changes in configuration: 17
Number of changes to accounts, groups, or roles: 5
Number of logins: 27
Number of failed logins: 3
Number of authentications: 59
Number of failed authentications: 4
Number of users: 3
Number of terminals: 14
Number of host names: 3
Number of executables: 20
Number of files: 12
Number of AVC's: 1
Number of MAC events: 8
Number of failed syscalls: 29
Number of anomaly events: 2
Number of responses to anomaly events: 0
Number of crypto events: 567
Number of keys: 3
Number of process IDs: 7294
Number of events: 47522

To produce results in a more human-readable format, such as replacing UIDs with the usernames they map to, also pass the -i option along with whichever report you ask for:

# aureport -i

To display the start and stop times for each log, add the -t option:

# aureport -i -t

To display only failed events use --failed; notice this option is prefixed with two dashes instead of one:

# aureport -i --failed

To display only successful events use --success; again with two dashes:

# aureport -i --success

To produce reports from a log file other than the default, for example a rotated log, specify it with the -if option:

# aureport -i -if /var/log/audit/audit.log.1

To list all the available flags which can be used with aureport:

# aureport --help

To list the rules currently loaded in the kernel (including the watch added above)

# auditctl -l
LIST_RULES: exit,always dir=/home/deepak/test (0x11) key=TEST

 