Linux Security

Auditd Linux Tutorial

What is Auditd?

Auditd is the userspace component to the Linux Auditing System. Auditd is short for Linux Audit Daemon. In Linux, daemon is referred to as background running service and there is a ‘d’ attached at the end of the application service as it runs in the background. The job of auditd is to collect and write log files of audit to the disk as a background service

Why use auditd?

This Linux service provides the user a security auditing aspect in Linux. The logs that are collected and saved by auditd, are different activities performed in the Linux environment by the user and if there is a case where any user wants to enquire what other users have been doing in corporate or multiple-user environment, that user can gain access to this kind of information in a simplified and minimized form, which are known as logs. Also, if there has been an unusual activity on a user’s system, let’s say his system was compromised, then the user can track back and see how its system was compromised and this can also help in many cases for incident responding.

Basics of auditd

The user can search through the saved logs by auditd using ausearch and aureport utilities. The audit rules are in the directory, /etc/audit/audit.rules which can be read by auditctl on startup. Also, these rules can also be modified using auditctl. There is auditd configuration file available at /etc/audit/auditd.conf.

Installation

In debian-based Linux distributions, following command can be used to install auditd, if not already installed:

ubuntu@ubuntu:~$ sudo apt-get install auditd audispd-plugins

Basic command for auditd:

For starting auditd:

$ service auditd start

For stopping auditd:

$ service auditd stop

For restarting auditd:

$ service auditd restart

For fetching auditd status:

$ service auditd status

For conditional restarting auditd:

$ service auditd condrestart

For reload auditd service:

$ service auditd reload

For rotating auditd logs:

$ service auditd rotate

For checking auditd configurations output:

$ chkconfig --list auditd

What information can be recorded in logs?

  • Timestamp and event information such as type and outcome of an event.
  • Event triggered along with the user who triggered it.
  • Changes to audit configuration files.
  • Access attempts for audit log files.
  • All authentication events with the authenticated users such as ssh, etc.
  • Changes to sensitive files or databases such as passwords in /etc/passwd.
  • Incoming and outgoing information from and to the system.

Other utilities related to audit:

Some other important utilities related to audit are given below. We will only discuss a few of them in detail, which are commonly used.

auditctl:

This utility is used to get behavior status of audit, set, change or update audit configurations. Syntax for auditctl usage is:

auditctl [options]

Following are the options or flag that are mostly used:

-w

To add a watch to a file which means audit will keep an eye on that file and add user activities related to that file to logs.

-k

To input a filter key or name to specified configuration.

-p

To add a filter based upon the permission of files.

-S

To suppress log capturing for a configuration.

-a

To get all the results for the specified input of this option.

For example, to add a watch on /etc/shadow file with filtered keyword ‘shadow-key’ and with permissions as ‘rwxa’:

$ auditctl -w /etc/shadow -k shadow-file -p rwxa

aureport:

This utility is used for generating audit log summary reports from the recorded logs. The report input can also be raw logs data that is fed to aureport using stdin. Basic syntax for aureport usage is:

aureport [options]

Some of the basic and most commonly used aureport options are as under:

-k

To generate a report based upon the keys specified in the audit rules or configurations.

-i

To display textual information rather than numerical information like id, such as displaying username instead of userid.

-au

To generate report of the authentication attempts for all users.

-l

To generate report displaying the login information of the users.

ausearch:

This utility is searching tool for audit logs or events. The search results are displayed in return, based upon different search queries. Like aureport, these search queries can also be raw logs data that is fed to ausearch using stdin. By default, ausearch queries the logs placed at /var/log/audit/audit.log, which can be directly displayed or accessed as typing command as below:

$ cat /var/log/audit/audit.log

The simple syntax for using ausearch is:

ausearch [options]

Also, there are certain flags that can be used with ausearch command, some commonly used flags are:

-p

This flag is used to input process IDs to search queries for logs, e.g., ausearch -p 6171.

-m

This flag is used to search for specific strings in log files, e.g., ausearch -m USER_LOGIN.

-sv

This option is success values if the user is querying success value for specific part of logs. This flag is often used with -m flag such as ausearch -m USER_LOGIN -sv no.

-ua

This option is used to input a username filter for the search query, e.g., ausearch -ua root.

-ts

This option is used to input a timestamp filter for the search query, e.g., ausearch -ts yesterday.

auditspd:

This utility is used as a daemon for multiplexing of events.

autrace:

This utility is used for tracing binaries using audit components.

aulast:

This utility shows the latest activities recorded in logs.

aulastlog:

This utility shows the latest login information of all the users or a given user.

ausyscall:

This utility allows the mapping of system call names and numbers.

auvirt:

This utility shows the audit information specifically for the virtual machines.

Concluding

Although Linux Auditing is a relatively advanced topic for non-technical Linux users but letting the users decide for themselves, is what Linux offers. Unlike other operating systems, Linux operating systems tend to keep their users in control of their own environment. Also being a novice or non-technical user, one should always be learning for one’s own growth. Hope this article helped you in learning something new and useful.

About the author

Usama Azad

Usama Azad

A security enthusiast who loves Terminal and Open Source. My area of expertise is Python, Linux (Debian), Bash, Penetration testing, and Firewalls. I’m born and raised in Wazirabad, Pakistan and currently doing Undergraduation from National University of Science and Technology (NUST). On Twitter i go by @UsamaAzad14