Audit a file on rhel5 with auditd

    Obviously you would need the audit package installed…

    Let's say I wanted to audit "test.file" for read, write, execute, and access:

    auditctl -w /root/test.file -k test-file -p rwxa

    -w: adds the "watch" rule on the given path
    -k: the key that you can use to filter the audit logs on
    -p: the permissions that you would like to audit

    If you would like this to be a permanent rule, then you must add it to /etc/audit/audit.rules in the following format:

    -w /root/test.file -k test-file -p rwxa

    Now we can take a look at the rules:

    auditctl -l

    LIST_RULES: exit,always watch=/root/test.file perm=rwxa key=test-file

    Now I am going to add some text to test.file and see what the audit says. I run the ausearch tool to find this out:

    ausearch -k test-file
    or
    ausearch -f test.file

    Here are the results:

    ----
    time->Thu May  1 15:04:33 2008
    type=PATH msg=audit(1209679473.817:1252): item=0 name="test.file" inode=84869203 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
    type=CWD msg=audit(1209679473.817:1252):  cwd="/root"
    type=SYSCALL msg=audit(1209679473.817:1252): arch=c000003e syscall=191 success=no exit=-61 a0=7fff2baf6ba0 a1=3872404d67 a2=0 a3=0 items=1 ppid=16271 pid=16881 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="ls" exe="/bin/ls" key="test-file"
    ----
    time->Thu May  1 15:04:33 2008
    type=PATH msg=audit(1209679473.817:1253): item=0 name="test.file" inode=84869203 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
    type=CWD msg=audit(1209679473.817:1253):  cwd="/root"
    type=SYSCALL msg=audit(1209679473.817:1253): arch=c000003e syscall=191 success=no exit=-61 a0=7fff2baf6ba0 a1=3872404d38 a2=0 a3=0 items=1 ppid=16271 pid=16881 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="ls" exe="/bin/ls" key="test-file"
    ----
    time->Thu May  1 15:04:39 2008
    type=PATH msg=audit(1209679479.812:1254): item=0 name="test.file" inode=84869203 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
    type=CWD msg=audit(1209679479.812:1254):  cwd="/root"
    type=SYSCALL msg=audit(1209679479.812:1254): arch=c000003e syscall=2 success=yes exit=3 a0=1d6cb910 a1=0 a2=0 a3=0 items=1 ppid=16271 pid=16882 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="vi" exe="/bin/vi" key="test-file"
    ----
    time->Thu May  1 15:04:39 2008
    type=PATH msg=audit(1209679479.813:1255): item=0 name="test.file" inode=84869203 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
    type=CWD msg=audit(1209679479.813:1255):  cwd="/root"
    type=SYSCALL msg=audit(1209679479.813:1255): arch=c000003e syscall=89 success=no exit=-22 a0=7fff0814a7f0 a1=7fff0814abf0 a2=3ff a3=1 items=1 ppid=16271 pid=16882 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="vi" exe="/bin/vi" key="test-file"
    ----
    time->Thu May  1 15:04:45 2008
    type=PATH msg=audit(1209679485.992:1256): item=0 name="test.file" inode=84869203 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
    type=CWD msg=audit(1209679485.992:1256):  cwd="/root"
    type=SYSCALL msg=audit(1209679485.992:1256): arch=c000003e syscall=191 success=no exit=-61 a0=1d6cb910 a1=3872404d67 a2=7fff0814aff0 a3=84 items=1 ppid=16271 pid=16882 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="vi" exe="/bin/vi" key="test-file"
    ----
    time->Thu May  1 15:04:45 2008
    type=PATH msg=audit(1209679485.992:1258): item=3 name="test.file~" inode=84869203 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
    type=PATH msg=audit(1209679485.992:1258): item=2 name="test.file" inode=84869203 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
    type=PATH msg=audit(1209679485.992:1258): item=1  name="/root" inode=84869121 dev=fd:00 mode=040750 ouid=0 ogid=0 rdev=00:00
    type=PATH msg=audit(1209679485.992:1258): item=0  name="/root" inode=84869121 dev=fd:00 mode=040750 ouid=0 ogid=0 rdev=00:00
    type=CWD msg=audit(1209679485.992:1258):  cwd="/root"
    type=SYSCALL msg=audit(1209679485.992:1258): arch=c000003e syscall=82 success=yes exit=0 a0=1d6cb910 a1=1d6f6d80 a2=2 a3=1 items=4 ppid=16271 pid=16882 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="vi" exe="/bin/vi" key="test-file"
    ----
    time->Thu May  1 15:04:45 2008
    type=PATH msg=audit(1209679485.992:1260): item=1 name="test.file" inode=84869202 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
    type=PATH msg=audit(1209679485.992:1260): item=0  name="/root" inode=84869121 dev=fd:00 mode=040750 ouid=0 ogid=0 rdev=00:00
    type=CWD msg=audit(1209679485.992:1260):  cwd="/root"
    type=SYSCALL msg=audit(1209679485.992:1260): arch=c000003e syscall=2 success=yes exit=3 a0=1d6cb910 a1=241 a2=1a4 a3=0 items=2 ppid=16271 pid=16882 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="vi" exe="/bin/vi" key="test-file"
    ----
    time->Thu May  1 15:04:45 2008
    type=PATH msg=audit(1209679485.996:1261): item=0 name="test.file" inode=84869202 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
    type=CWD msg=audit(1209679485.996:1261):  cwd="/root"
    type=SYSCALL msg=audit(1209679485.996:1261): arch=c000003e syscall=90 success=yes exit=0 a0=1d6cb910 a1=81a4 a2=0 a3=0 items=1 ppid=16271 pid=16882 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="vi" exe="/bin/vi" key="test-file"
    ----
    time->Thu May  1 15:04:45 2008
    type=PATH msg=audit(1209679485.997:1262): item=0 name="test.file" inode=84869202 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
    type=CWD msg=audit(1209679485.997:1262):  cwd="/root"
    type=SYSCALL msg=audit(1209679485.997:1262): arch=c000003e syscall=188 success=yes exit=0 a0=1d6cb910 a1=3872404d67 a2=1d6f6da0 a3=1c items=1 ppid=16271 pid=16882 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="vi" exe="/bin/vi" key="test-file"
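
    The syscall numbers and exit codes in those records have to be decoded by hand (on x86_64, arch=c000003e, syscall=191 is getxattr and exit=-61 is ENODATA; syscall=82 is rename). This added Python example, not part of the original post, groups the PATH/CWD/SYSCALL records of each event by serial number and produces one decoded line per event; the syscall and errno tables cover only the numbers that appear above, and the sample records are constructed, trimmed copies of that output.

```python
import re
from collections import defaultdict
# x86_64 (arch=c000003e) syscall numbers and errno values seen in the post's output
SYSCALLS = {2: "open", 82: "rename", 89: "readlink", 90: "chmod",
            188: "setxattr", 191: "getxattr"}
ERRNO = {22: "EINVAL", 61: "ENODATA"}
HEADER = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_records(text):
    """Group the PATH/CWD/SYSCALL records of each event by its serial number."""
    events = defaultdict(lambda: {"PATH": []})
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:  # '----' separators and 'time->' lines carry no fields
            continue
        rtype, _ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        if rtype == "PATH":
            events[int(serial)]["PATH"].append(fields)
        else:
            events[int(serial)][rtype] = fields
    return dict(events)

def describe(ev):
    """Decode one event: program, login uid, syscall name, names touched, outcome."""
    sc = ev["SYSCALL"]
    call = SYSCALLS.get(int(sc["syscall"]), "syscall#%s" % sc["syscall"])
    names = ",".join(p["name"] for p in sorted(ev["PATH"], key=lambda p: int(p["item"])))
    if sc["success"] == "yes":
        outcome = "ok"
    else:  # on failure, exit carries the negated errno
        err = -int(sc["exit"])
        outcome = "failed " + ERRNO.get(err, "errno %d" % err)
    return "%s auid=%s pid=%s %s [%s] %s" % (sc["comm"], sc["auid"], sc["pid"], call, names, outcome)

def summarize(text):
    return [describe(ev) for _, ev in sorted(parse_records(text).items())]
# Constructed sample: two events from the output above, trimmed to the fields used here.
SAMPLE = """----
time->Thu May  1 15:04:33 2008
type=PATH msg=audit(1209679473.817:1252): item=0 name="test.file" inode=84869203 mode=0100644
type=CWD msg=audit(1209679473.817:1252):  cwd="/root"
type=SYSCALL msg=audit(1209679473.817:1252): arch=c000003e syscall=191 success=no exit=-61 pid=16881 auid=0 uid=0 comm="ls" exe="/bin/ls" key="test-file"
----
type=PATH msg=audit(1209679485.992:1258): item=1 name="test.file" inode=84869203 mode=0100644
type=PATH msg=audit(1209679485.992:1258): item=0 name="/root" inode=84869121 mode=040750
type=CWD msg=audit(1209679485.992:1258):  cwd="/root"
type=SYSCALL msg=audit(1209679485.992:1258): arch=c000003e syscall=82 success=yes exit=0 pid=16882 auid=0 uid=0 comm="vi" exe="/bin/vi" key="test-file"
"""
```

    Feed it the raw output of `ausearch -k test-file` and `summarize()` returns one line per event; the auid field is what ties the action back to the login user even after su or sudo.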

    Also aureport will give us a report of activity:

    Summary Report
    ======================
    Range of time in logs: 05/01/2008 15:04:33.817 - 05/01/2008 15:04:45.997
    Selected time for report: 05/01/2008 15:04:33 - 05/01/2008 15:04:45.997
    Number of changes in configuration: 0
    Number of changes to accounts, groups, or roles: 0
    Number of logins: 0
    Number of failed logins: 0
    Number of authentications: 0
    Number of failed authentications: 0
    Number of users: 1
    Number of terminals: 1
    Number of host names: 0
    Number of executables: 2
    Number of files: 3
    Number of AVC's: 0
    Number of MAC events: 0
    Number of failed syscalls: 4
    Number of anomaly events: 0
    Number of responses to anomaly events: 0
    Number of crypto events: 0
    Number of process IDs: 2
    Number of events: 9