A Little Context
Cyber Security is all about managing risk. How do you think about managing risk?

The Five Golden Principles of Security
Know your system
Principle of Least Privilege
Defense in Depth
Protection is key but detection is a must.
Know your enemy.
Introduction
Linux audit helps make your system more secure by providing you with a means to analyze what is happening on your system in great detail. It does not, however, provide additional security itself; it does not protect your system from code malfunctions or any kind of exploits. Instead, Audit is useful for tracking these issues and helps you take additional security measures, like SELinux, to prevent them. Audit consists of several components, each contributing crucial functionality to the overall framework. The audit kernel module intercepts the system calls and records the relevant events.
Introduction (cont.)
The auditd daemon writes the audit reports to disk. Various command line utilities take care of displaying, querying, and archiving the audit trail.
Configuring The Linux Audit Framework
Before you can actually start generating audit logs and processing them, you must configure the audit framework. Julius Caesar said, "Gallia est omnis divisa in tres partes", and just like Gaul, configuring the audit framework is divided into three parts:
The Audit Daemon Configuration
The Audit Rules
The Audispd Daemon Configuration
/etc/audit/auditd.conf
The /etc/audit/auditd.conf configuration file determines how the audit system functions once the daemon has been started. For most use cases, the default settings shipped with the package should suffice. Let's take a look at a sample auditd configuration file.
A Sample auditd.conf
log_file = /var/log/audit/audit.log
log_format = RAW
log_group = root
priority_boost = 4
flush = INCREMENTAL
freq = 20
num_logs = 5
dispatcher = /sbin/audispd
disp_qos = lossy
name_format = NONE
##name = mydomain
max_log_file = 6
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
Setting Up Audit Rules
We've given auditd its marching orders; now we have to define what we are interested in auditing. Audit rules are used to specify which components of your system are audited. There are three basic types of audit rules:
Basic audit system parameters
File and directory watches
System call audits
Before creating an audit rule set and before rolling it out to your system, carefully determine which components to audit. Extensive auditing can cause a substantial logging load. Remember: First match wins!
A Sample audit.rules
# basic audit system parameters
-D
-b 8192
-f 1
-e 1
# some file and directory watches
-w /etc/audit/auditd.conf -p rxwa
-w /etc/audit/audit.rules -p rxwa
-w /var/log/audit/
-w /etc/passwd -p rwxa
-w /sbin/auditctl -p x
# an example system call rule
-a entry,always -S umask
Let's say that as a matter of compliance, you have to audit the execution of setuid/setgid binaries on your system. How do you set that up? First, run a script like this at boot time from /etc/rc.local, sending the output to a temp file, /tmp/snorf for example.
#!/bin/bash
# Find all the file systems that are locally mounted
for i in $(/bin/egrep '(ext4|ext3|ext2)' /etc/fstab | /bin/awk '{print $2}')
do
    # Find all the setuid/setgid files on the file system found above and
    # print out an audit rule for each one. "-perm -4000" means "setuid bit
    # set" and "-perm -2000" means "setgid bit set", whatever the other bits.
    /usr/bin/find $i -xdev -type f \( -perm -4000 -o -perm -2000 \) -print | \
        /bin/sort | \
        /bin/awk '{ print "-a always,exit -F path=" $1 " -F perm=x -F auid>500 -F auid!=-1 -k privileged -k ids-exec-high" }'
done
And you get something like this (YMMV depending on what's installed).
-a always,exit -F path=/bin/fusermount -F perm=x -F auid>500 -F auid!=-1 -k privileged -k ids-exec-high
-a always,exit -F path=/bin/ping -F perm=x -F auid>500 -F auid!=-1 -k privileged -k ids-exec-high
-a always,exit -F path=/bin/ping6 -F perm=x -F auid>500 -F auid!=-1 -k privileged -k ids-exec-high
-a always,exit -F path=/bin/su -F perm=x -F auid>500 -F auid!=-1 -k privileged -k ids-exec-high
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>500 -F auid!=-1 -k privileged -k ids-exec-high
-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>500 -F auid!=-1 -k privileged -k ids-exec-high
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>500 -F auid!=-1 -k privileged -k ids-exec-high
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>500 -F auid!=-1 -k privileged -k ids-exec-high
Then, point auditctl at the temp file to add the newly created audit rules. The auditctl program is used to control the behavior, get status, and add or delete rules in the kernel's audit system.

/sbin/auditctl -R /tmp/snorf

A couple of things about auditctl:
auditctl is not a filter, so output cannot be piped into it.
Rules files for auditctl must be owned by root.
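The same rule generation as shell functions, added here as an example and not the slide deck's script: the tree to scan is a parameter instead of being discovered from /etc/fstab, so it can be exercised against a constructed test tree as a normal user; the key names, auid filters and -xdev behaviour are the slides', while the mktemp-based output file is this example's own choice.

```shell
#!/bin/sh
# gen_suid_rules ROOT
#   Print one auditctl rule per setuid/setgid regular file under ROOT, using
#   the same key names and auid filters as the slide script. ROOT is a
#   parameter so the function can be run against a test tree as a normal
#   user; on a real host you would pass each locally mounted filesystem.
gen_suid_rules() {
    # -xdev stays on one filesystem, like the slide script.
    # -perm -4000: setuid bit set; -perm -2000: setgid bit set ("-" means
    # "at least these bits", so 4755, 4711, 2755, ... all match).
    # find runs printf itself, so no shell word-splitting touches the paths.
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec printf -- \
        '-a always,exit -F path=%s -F perm=x -F auid>500 -F auid!=-1 -k privileged -k ids-exec-high\n' {} \; |
        sort
}

# write_rules_file ROOT
#   Write the rules for ROOT to a fresh, mode-0600 file and print its name,
#   rather than to a fixed, predictable /tmp path. auditctl -R only accepts
#   rules files owned by root, so on a real host run this as root.
write_rules_file() {
    out=$(mktemp) || return 1
    chmod 600 "$out"
    gen_suid_rules "$1" > "$out"
    printf '%s\n' "$out"
}

# Usage: sh this_script.sh /   (prints the name of the generated rules file,
# which you then hand to auditctl -R). No argument: define functions only.
if [ "$#" -gt 0 ]; then
    write_rules_file "$1"
fi
```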
Maybe grep isn't your friend, after all. The raw audit data auditd stores in the /var/log/audit directory is quite complex. To find what you want, you might have to sift through bazillions of other events before you locate the one that you want.
To get started, do aureport --summary and you get something like this:
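As an added example that is not from the slides, two small awk helpers over raw audit.log records show what sifting the raw format involves and what aureport's summaries do for you. The sample records, field values and the "passwd-watch" key name are constructed for this example.

```shell
#!/bin/sh
# Constructed sample of raw audit.log records (not captured from a real
# system): one successful execution of /bin/su, one denied crontab run, and
# one file open matched by a watch. Fields are whitespace separated; the
# kernel hex-encodes any value containing spaces or quotes, so splitting on
# blanks is safe. Records hit by several -k keys carry a hex-encoded key
# field (ausearch -i decodes it); these samples use a single key each.
SAMPLE_AUDIT_LOG='type=SYSCALL msg=audit(1364481363.243:24287): arch=c000003e syscall=59 success=yes exit=0 ppid=2686 pid=3538 auid=1000 uid=1000 euid=0 comm="su" exe="/bin/su" key="privileged"
type=EXECVE msg=audit(1364481363.243:24287): argc=1 a0="su"
type=CWD msg=audit(1364481363.243:24287):  cwd="/home/alice"
type=PATH msg=audit(1364481363.243:24287): item=0 name="/bin/su" inode=131337 mode=0104755 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1364481399.100:24300): arch=c000003e syscall=59 success=no exit=-13 ppid=2686 pid=3560 auid=1000 uid=1000 euid=1000 comm="crontab" exe="/usr/bin/crontab" key="privileged"
type=SYSCALL msg=audit(1364481410.010:24310): arch=c000003e syscall=2 success=yes exit=3 ppid=2686 pid=3571 auid=1000 uid=1000 euid=1000 comm="vi" exe="/usr/bin/vi" key="passwd-watch"'

# audit_field NAME
#   Print the value of field NAME for every record on stdin that has it,
#   with the surrounding quotes removed (the raw format quotes strings).
audit_field() {
    awk -v want="$1" '
    {
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")
            if (eq && substr($i, 1, eq - 1) == want) {
                v = substr($i, eq + 1); gsub(/^"|"$/, "", v); print v
            }
        }
    }'
}

# audit_key_summary
#   Count SYSCALL records per rule key, program and success flag: roughly
#   "aureport -k --summary", but also split by success so denied attempts on
#   the privileged binaries stand out instead of hiding in the totals.
audit_key_summary() {
    awk '
    $1 == "type=SYSCALL" {
        key = ""; exe = ""; ok = ""
        for (i = 1; i <= NF; i++) {
            eq = index($i, "="); if (!eq) continue
            n = substr($i, 1, eq - 1); v = substr($i, eq + 1); gsub(/^"|"$/, "", v)
            if (n == "key") key = v; else if (n == "exe") exe = v; else if (n == "success") ok = v
        }
        if (key != "") count[key " " exe " " ok]++
    }
    END { for (k in count) print count[k], k }' | sort
}

# Demo: printf '%s\n' "$SAMPLE_AUDIT_LOG" | audit_key_summary
```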
Visualizing Audit Data Relationships (1)
To graph the syscalls to programs, do

aureport -s -i | awk '/^[0-9]/ { printf "%s %s\n", $6, $4 }' | sort | uniq | mkgraph syscall-vs-program
Visualizing Audit Data Relationships (2)
To graph successful programs to files, do

LC_ALL=C aureport -f -i --success | awk '/^[0-9]/ { print $7" "$4 }' | sort | uniq | mkgraph program-vs-file
Resources
The Audit Manual Pages
There are several man pages installed along with the audit tools that provide valuable and very detailed information:
auditd(8) - The Linux Audit daemon
auditd.conf(5) - The Linux Audit daemon configuration file
auditctl(8) - A utility to assist controlling the kernel's audit system
autrace(8) - A program similar to strace
ausearch(8) - A tool to query audit daemon logs
aureport(8) - A tool that produces summary reports of audit daemon logs
audispd.conf(5) - The audit event dispatcher configuration file
audispd(8) - The audit event dispatcher daemon talking to plugin programs
Resources (1)
http://people.redhat.com/sgrubb/audit/index.html
The home page of the Linux audit project. This site contains several specifications relating to different aspects of Linux audit, as well as a short FAQ.

/usr/share/doc/audit
The audit package itself contains a README with basic design information and sample .rules files for different scenarios:
capp.rules: Controlled Access Protection Profile (CAPP)
lspp.rules: Labeled Security Protection Profile (LSPP)
nispom.rules: National Industrial Security Program Operating Manual Chapter 8 (NISPOM)
stig.rules: Secure Technical Implementation Guide (STIG)