CentOS 8
Sponsored Link

Auditd : Add Audit Rules
2019/09/28
 
It's possible to add your own Audit rules like follows.
[1] For example, Configure Audit rule that records writing and attributes change for [/etc/hosts].
# display current rules (no rules by default like follows)

[root@dlp ~]#
auditctl -l

No rules
# -p [r|w|x|a] : specify target action for Audit

# r=read, w=write, x=execute, a=attributes

# -k [words] : set keys for searching logs

[root@dlp ~]#
auditctl -w /etc/hosts -p wa -k hosts_change

[root@dlp ~]#
auditctl -l

-w /etc/hosts -p wa -k hosts_change
[2] When some actions are set and it is detected by new Audit rules, Audit logs are recorded like follows.
[root@dlp ~]#
ausearch -k hosts_change | aureport -f -i


File Report
===============================================
# date time file syscall success exe auid event
===============================================
1. 09/26/2019 21:02:54 /etc/hosts ? yes ? root 156
2. 09/26/2019 21:02:54 /etc/hosts~ rename yes /usr/bin/vi root 157
3. 09/26/2019 21:02:54 /etc/hosts openat yes /usr/bin/vi root 159
4. 09/26/2019 21:02:54 /etc/hosts ? yes ? root 158
5. 09/26/2019 21:02:54 /etc/hosts setxattr yes /usr/bin/vi root 160
6. 09/26/2019 21:02:54 (null) fchmod yes /usr/bin/vi root 161
7. 09/26/2019 21:02:54 /etc/hosts setxattr yes /usr/bin/vi root 162
[3] Rules added by [auditctl] command are not kept after restarting System, so it needs to add them in a file under [/etc/audit/rules.d] if you'd like to keep persistently. It's OK to add rules to any file name you like under [/etc/audit/rules.d], but extension should be [.rules].
# output current rules to [additional.rules]

[root@dlp ~]#
auditctl -l >> /etc/audit/rules.d/additional.rules

[4] If you set a directory for Audit Target, all files are targeted recursively under the directory.
# set Audit rule (reading) to [/home/testdir/]

[root@dlp ~]#
auditctl -w /home/testdir/ -p r -k testdir_audit

[root@dlp ~]#
auditctl -l

-w /etc/hosts -p wa -k hosts_change
-w /home/testdir -p r -k testdir_audit
# logs are recorded like follows

[root@dlp ~]#
ausearch -k testdir_audit | aureport -f -i


File Report
===============================================
# date time file syscall success exe auid event
===============================================
1. 09/26/2019 22:07:21 /home/testdir/cent/testfile.txt openat yes /usr/bin/cat root 70
2. 09/26/2019 22:07:42 /home/testdir/cent/testfile.txt openat yes /usr/bin/vi root 77
3. 09/26/2019 22:07:42 /home/testdir/cent/testfile.txt openat yes /usr/bin/vi root 78
[5] For exmaple, Set Audit rule that monitors files removed by users who has over UID 1000.
By the way, for the option by [S] below, you can make sure all System Calls with [man syscalls], maybe after installing [dnf install man-pages].
[root@dlp ~]#
auditctl -a always,exit -F arch=b64 -S unlink,unlinkat -F 'auid>=1000' -F 'auid!=-1' -F key=delete_audit

[root@dlp ~]#
auditctl -l

-w /etc/hosts -p wa -k hosts_change
-a always,exit -F arch=b64 -S unlink,unlinkat -F auid>=1000 -F auid!=-1 -F key=delete_audit
# logs are recorded like follows

[root@dlp ~]#
ausearch -k delete_audit | aureport -f -i


File Report
===============================================
# date time file syscall success exe auid event
===============================================
1. 09/26/2019 22:22:33 /run/user/1000/systemd/ unlink no /usr/lib/systemd/systemd cent 122
2. 09/26/2019 22:22:33 /run/user/1000/systemd/ unlink no /usr/lib/systemd/systemd cent 123
3. 09/26/2019 22:22:39 test2.txt unlinkat yes /usr/bin/rm cent 128
4. 09/26/2019 22:22:41 test.txt unlinkat yes /usr/bin/rm cent 129
Matched Content