Auditd : Add Audit Rules
2025/01/02
It's possible to add your own Audit rules as follows.
[1] For example, configure an Audit rule that records writes and attribute changes to [/etc/hosts].
# display current rules (no rules by default, as shown below)
[root@dlp ~]# auditctl -l
No rules
# perm : [r|w|x|a] : specify target action for Audit
# ⇒ r=read, w=write, x=execute, a=attributes
# key : [words] : set keys for searching logs
[root@dlp ~]# auditctl -a always,exit -F arch=b64 -F path=/etc/hosts -F perm=wa -F key=hosts_change
[root@dlp ~]# auditctl -l
-a always,exit -F arch=b64 -S open,bind,truncate,ftruncate,rename,mkdir,rmdir,creat,link,unlink,symlink,chmod,fchmod,chown,fchown,lchown,mknod,acct,swapon,quotactl,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,openat,mkdirat,mknodat,fchownat,unlinkat,renameat,linkat,symlinkat,fchmodat,fallocate,renameat2,openat2 -F path=/etc/hosts -F perm=wa -F key=hosts_change
[2] When an action matching the new Audit rule occurs and is detected, Audit logs are recorded as follows.
[root@dlp ~]# ausearch -k hosts_change | aureport -f -i

File Report
===============================================
# date time file syscall success exe auid event
===============================================
1. 01/02/2025 15:15:37 /etc/hosts~ rename yes /usr/bin/vim root 124
2. 01/02/2025 15:15:37 /etc/hosts openat yes /usr/bin/vim root 125
3. 01/02/2025 15:15:37 /etc/hosts setxattr yes /usr/bin/vim root 126
4. 01/02/2025 15:15:37 /etc/hosts setxattr yes /usr/bin/vim root 127
5. 01/02/2025 15:15:37 (null) fchmod yes /usr/bin/vim root 128
6. 01/02/2025 15:15:37 /etc/hosts setxattr yes /usr/bin/vim root 129
[3] Rules added with the [auditctl] command are not kept after the system restarts, so if you'd like to keep them persistently, add them to a file under [/etc/audit/rules.d]. Any file name under [/etc/audit/rules.d] is fine, but the extension must be [.rules].
# output current rules to [additional.rules]
[root@dlp ~]# auditctl -l >> /etc/audit/rules.d/additional.rules
[4] If you set a directory as the Audit target, all files under the directory are targeted recursively.
# set Audit rule (reading) on [/home/testdir/]
[root@dlp ~]# auditctl -a always,exit -F arch=b64 -F dir=/home/testdir -F perm=r -F key=testdir_audit
[root@dlp ~]# auditctl -l
-a always,exit -F arch=b64 -S open,readlink,quotactl,getxattr,lgetxattr,fgetxattr,listxattr,llistxattr,flistxattr,openat,readlinkat,openat2 -F dir=/home/testdir -F perm=r -F key=testdir_audit
# logs are recorded as follows
[root@dlp ~]# ausearch -k testdir_audit | aureport -f -i

File Report
===============================================
# date time file syscall success exe auid event
===============================================
1. 01/02/2025 15:29:08 /home/testdir sendto yes /usr/sbin/auditctl root 123
2. 01/02/2025 15:30:43 /home/testdir/testfolder/text.txt openat yes /usr/bin/cat root 124
3. 01/02/2025 15:30:50 /home/testdir/testfolder lgetxattr yes /usr/bin/ls root 125
4. 01/02/2025 15:30:50 /home/testdir/testfolder listxattr yes /usr/bin/ls root 126
5. 01/02/2025 15:30:50 /home/testdir/testfolder openat yes /usr/bin/ls root 127
6. 01/02/2025 15:30:50 /home/testdir/testfolder/text.txt lgetxattr yes /usr/bin/ls root 128
7. 01/02/2025 15:30:50 /home/testdir/testfolder/text.txt listxattr yes /usr/bin/ls root 129
[5] For example, set an Audit rule that monitors files removed by users with UID 1000 or higher. For the [-S] option below, you can check all system calls with [man syscalls], possibly after installing [dnf install man-pages].
[root@dlp ~]# auditctl -a always,exit -F arch=b64 -S unlink,unlinkat -F 'auid>=1000' -F 'auid!=-1' -F key=delete_audit
[root@dlp ~]# auditctl -l
-a always,exit -F arch=b64 -S open,readlink,quotactl,getxattr,lgetxattr,fgetxattr,listxattr,llistxattr,flistxattr,openat,readlinkat,openat2 -F dir=/home/testdir -F perm=r -F key=testdir_audit
-a always,exit -F arch=b64 -S unlink,unlinkat -F auid>=1000 -F auid!=-1 -F key=delete_audit
# logs are recorded as follows
[root@dlp ~]# ausearch -k delete_audit | aureport -f -i

File Report
===============================================
# date time file syscall success exe auid event
===============================================
1. 01/02/2025 15:33:49 /run/user/1000/systemd/ unlink no /usr/lib/systemd/systemd cent 162
2. 01/02/2025 15:33:49 /run/user/1000/systemd/ unlink no /usr/lib/systemd/systemd cent 163
3. 01/02/2025 15:33:53 testfile.txt unlinkat yes /usr/bin/rm cent 172
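To triage the File Report output shown in [2], [4] and [5] without reading it by hand, the following added Python example (not part of the original page or of the audit tools) parses the `aureport -f -i` layout and lists the successful deletions that rule [5] is meant to surface. The sample report is constructed; splitting each record from the right keeps paths containing spaces intact, and `(null)` is kept as-is because it means no path was recorded for that syscall.

```python
import re
from collections import namedtuple

# Constructed sample in the layout `ausearch -k ... | aureport -f -i` prints
# (not real output from any host).
SAMPLE_REPORT = """\
File Report
===============================================
# date time file syscall success exe auid event
===============================================
1. 01/02/2025 15:15:37 /etc/hosts~ rename yes /usr/bin/vim root 124
2. 01/02/2025 15:15:37 /etc/hosts openat yes /usr/bin/vim root 125
3. 01/02/2025 15:15:37 (null) fchmod yes /usr/bin/vim root 128
4. 01/02/2025 15:33:49 /run/user/1000/systemd/ unlink no /usr/lib/systemd/systemd cent 162
5. 01/02/2025 15:33:53 testfile.txt unlinkat yes /usr/bin/rm cent 172
6. 01/02/2025 15:40:01 /home/testdir/my notes.txt unlinkat yes /usr/bin/rm cent 180
"""

FileEvent = namedtuple("FileEvent", "date time path syscall success exe auid event")

def parse_file_report(text):
    """Parse aureport's File Report into FileEvent records, skipping headers."""
    events = []
    for line in text.splitlines():
        if not re.match(r"^\d+\. ", line):   # only numbered records
            continue
        fields = line.split()
        if len(fields) < 9:                   # malformed record, skip it
            continue
        _, date, time = fields[:3]
        # Last five columns are fixed; whatever is between is the path,
        # so a path containing spaces is reassembled correctly.
        syscall, success, exe, auid, event = fields[-5:]
        path = " ".join(fields[3:-5])
        events.append(FileEvent(date, time, path, syscall, success == "yes",
                                exe, auid, int(event)))
    return events

DELETE_SYSCALLS = {"unlink", "unlinkat"}

def successful_deletes(events, ignore_auids=("root",)):
    """(auid, exe, path) for deletes that succeeded, excluding listed auids.

    With -i, aureport prints auid as a login name, so the filter here is on
    names rather than on the numeric UID used in the audit rule itself.
    """
    return [(e.auid, e.exe, e.path) for e in events
            if e.success and e.syscall in DELETE_SYSCALLS
            and e.auid not in ignore_auids]
```

Failed attempts (`success` = no), such as the two systemd unlink records, are kept in the parsed list so they can still be reviewed separately.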