Categories
Linux

Audit a file on rhel5 with auditd

Obviously you would need the audit package installed…

Lets say I wanted to audit "test.file" for read, write, execute, and access:

auditctl -w /root/test.file -k test-file -p rwxa

-w: adds the "watch" rule
-k: is the key that you can use to filter the audit logs on
-p: is the permissions that you would like to audit

If you would like this to be a permanent rule .. then you must add it to /etc/audit/audit.rules in  the following format:

-w /root/test.file -k test-file -p rwxa

Now we can take a look at the rules:

auditctl -l

LIST_RULES: exit,always watch=/root/test.file perm=rwxa key=test-file

Now i am going to add some text to test.file and see what the audit says.. I run the ausearch tool to find this out:

ausearch -k test-file
or
ausearch -f test.file

Here are the results:

—-
time->Thu May  1 15:04:33 2008
type=PATH msg=audit(1209679473.817:1252): item=0 name="test.file" inode=84869203 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1209679473.817:1252):  cwd="/root"
type=SYSCALL msg=audit(1209679473.817:1252): arch=c000003e syscall=191 success=no exit=-61 a0=7fff2baf6ba0 a1=3872404d67 a2=0 a3=0 items=1 ppid=16271 pid=16881 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="ls" exe="/bin/ls" key="test-file"
—-
time->Thu May  1 15:04:33 2008
type=PATH msg=audit(1209679473.817:1253): item=0 name="test.file" inode=84869203 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1209679473.817:1253):  cwd="/root"
type=SYSCALL msg=audit(1209679473.817:1253): arch=c000003e syscall=191 success=no exit=-61 a0=7fff2baf6ba0 a1=3872404d38 a2=0 a3=0 items=1 ppid=16271 pid=16881 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="ls" exe="/bin/ls" key="test-file"
—-
time->Thu May  1 15:04:39 2008
type=PATH msg=audit(1209679479.812:1254): item=0 name="test.file" inode=84869203 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1209679479.812:1254):  cwd="/root"
type=SYSCALL msg=audit(1209679479.812:1254): arch=c000003e syscall=2 success=yes exit=3 a0=1d6cb910 a1=0 a2=0 a3=0 items=1 ppid=16271 pid=16882 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="vi" exe="/bin/vi" key="test-file"
—-
time->Thu May  1 15:04:39 2008
type=PATH msg=audit(1209679479.813:1255): item=0 name="test.file" inode=84869203 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1209679479.813:1255):  cwd="/root"
type=SYSCALL msg=audit(1209679479.813:1255): arch=c000003e syscall=89 success=no exit=-22 a0=7fff0814a7f0 a1=7fff0814abf0 a2=3ff a3=1 items=1 ppid=16271 pid=16882 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="vi" exe="/bin/vi" key="test-file"
—-
time->Thu May  1 15:04:45 2008
type=PATH msg=audit(1209679485.992:1256): item=0 name="test.file" inode=84869203 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1209679485.992:1256):  cwd="/root"
type=SYSCALL msg=audit(1209679485.992:1256): arch=c000003e syscall=191 success=no exit=-61 a0=1d6cb910 a1=3872404d67 a2=7fff0814aff0 a3=84 items=1 ppid=16271 pid=16882 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="vi" exe="/bin/vi" key="test-file"
—-
time->Thu May  1 15:04:45 2008
type=PATH msg=audit(1209679485.992:1258): item=3 name="test.file~" inode=84869203 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1209679485.992:1258): item=2 name="test.file" inode=84869203 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1209679485.992:1258): item=1  name="/root" inode=84869121 dev=fd:00 mode=040750 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1209679485.992:1258): item=0  name="/root" inode=84869121 dev=fd:00 mode=040750 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1209679485.992:1258):  cwd="/root"
type=SYSCALL msg=audit(1209679485.992:1258): arch=c000003e syscall=82 success=yes exit=0 a0=1d6cb910 a1=1d6f6d80 a2=2 a3=1 items=4 ppid=16271 pid=16882 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="vi" exe="/bin/vi" key="test-file"
—-
time->Thu May  1 15:04:45 2008
type=PATH msg=audit(1209679485.992:1260): item=1 name="test.file" inode=84869202 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1209679485.992:1260): item=0  name="/root" inode=84869121 dev=fd:00 mode=040750 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1209679485.992:1260):  cwd="/root"
type=SYSCALL msg=audit(1209679485.992:1260): arch=c000003e syscall=2 success=yes exit=3 a0=1d6cb910 a1=241 a2=1a4 a3=0 items=2 ppid=16271 pid=16882 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="vi" exe="/bin/vi" key="test-file"
—-
time->Thu May  1 15:04:45 2008
type=PATH msg=audit(1209679485.996:1261): item=0 name="test.file" inode=84869202 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1209679485.996:1261):  cwd="/root"
type=SYSCALL msg=audit(1209679485.996:1261): arch=c000003e syscall=90 success=yes exit=0 a0=1d6cb910 a1=81a4 a2=0 a3=0 items=1 ppid=16271 pid=16882 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="vi" exe="/bin/vi" key="test-file"
—-
time->Thu May  1 15:04:45 2008
type=PATH msg=audit(1209679485.997:1262): item=0 name="test.file" inode=84869202 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1209679485.997:1262):  cwd="/root"
type=SYSCALL msg=audit(1209679485.997:1262): arch=c000003e syscall=188 success=yes exit=0 a0=1d6cb910 a1=3872404d67 a2=1d6f6da0 a3=1c items=1 ppid=16271 pid=16882 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="vi" exe="/bin/vi" key="test-file"

Also aureport will give us a report of activity:

Summary Report
======================
Range of time in logs: 05/01/2008 15:04:33.817 – 05/01/2008 15:04:45.997
Selected time for report: 05/01/2008 15:04:33 – 05/01/2008 15:04:45.997
Number of changes in configuration: 0
Number of changes to accounts, groups, or roles: 0
Number of logins: 0
Number of failed logins: 0
Number of authentications: 0
Number of failed authentications: 0
Number of users: 1
Number of terminals: 1
Number of host names: 0
Number of executables: 2
Number of files: 3
Number of AVC’s: 0
Number of MAC events: 0
Number of failed syscalls: 4
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 0
Number of process IDs: 2
Number of events: 9

 

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.