Using auditd and aureport on RHEL to track what's going on.

Generate list of SUID programs

# Walk the local filesystems (-xdev) for setuid regular files and print one
# auditctl command per binary, keyed by the binary's basename (key-suid-passwd, ...)
for SUID_BIN in $(find / -xdev -perm -4000 -type f -print); do
    AUDIT_CMD="auditctl -A exit,always -F path="
    AUDIT_PERM="-pxwra"
    KEY="-k key-suid-$(basename "$SUID_BIN")"
    echo "$AUDIT_CMD$SUID_BIN $AUDIT_PERM $KEY"
done
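Added example (not from the original notes): the same walk, but emitting persistent lines in audit.rules syntax (no auditctl prefix, -F perm= instead of -p) and reporting key collisions, since keys are derived from the basename and two binaries with the same name end up sharing one key, as the chrome-sandbox entries below show. The function and its ROOT argument are assumptions for testing against a directory other than /.

```shell
#!/bin/sh
# Added example, not the original notes' code. Emits rules in the form used by
# /etc/audit/audit.rules: "-a always,exit -F path=... -F perm=... -k key-suid-NAME".

# suid_audit_rules ROOT [PERMS]: one rule per setuid regular file under ROOT.
# PERMS defaults to xwra, matching the -pxwra used in the one-off commands.
suid_audit_rules() {
    root=$1
    perms=${2:-xwra}
    find "$root" -xdev -type f -perm -4000 -print | LC_ALL=C sort | while read -r bin; do
        name=$(basename "$bin")
        printf '%s -F path=%s -F perm=%s -k key-suid-%s\n' "-a always,exit" "$bin" "$perms" "$name"
    done
}

# suid_key_collisions ROOT: print each key that more than one rule would use,
# so the duplicates can be renamed before the rules are loaded.
suid_key_collisions() {
    suid_audit_rules "$1" | awk '{ print $NF }' | sort | uniq -d
}

# Usage: suid_audit_rules / >> /etc/audit/audit.rules (after reviewing collisions)
```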

Backup the existing audit rules

cd /etc/audit/
cp audit.rules audit.rules.orig &&  vi audit.rules

Sample audit rules

#Attempts to perform unauthorised functions
#-a exit,always  -F arch=b64 -F success!=0 -S open -k key-fopen-failure

#Additions, deletions and modifications to security/audit log parameters

#-a exit,always -F dir=/var/log -F perm=wa -k key-writes-access-var-log

#Critical file changes
#Activity performed by privileged accounts
#Modifications to system settings (parameters)
-w /etc/ -p w -k key-file-change-etc


#The authority and access to use advanced operating system utilities and commands that bypass system access controls must be monitored, logged, reviewed and restricted to those individuals who require access to perform their job functions.
auditctl -A exit,always -F path=/opt/google/chrome/chrome-sandbox -pxwra -k key-suid-chrome-sandbox
auditctl -A exit,always -F path=/usr/sbin/pppd -pxwra -k key-suid-pppd
auditctl -A exit,always -F path=/usr/sbin/uuidd -pxwra -k key-suid-uuidd
auditctl -A exit,always -F path=/usr/lib/dbus-1.0/dbus-daemon-launch-helper -pxwra -k key-suid-dbus-daemon-launch-helper
auditctl -A exit,always -F path=/usr/lib/virtualbox/VBoxSDL -pxwra -k key-suid-VBoxSDL
auditctl -A exit,always -F path=/usr/lib/virtualbox/VBoxNetAdpCtl -pxwra -k key-suid-VBoxNetAdpCtl
auditctl -A exit,always -F path=/usr/lib/virtualbox/VirtualBox -pxwra -k key-suid-VirtualBox
auditctl -A exit,always -F path=/usr/lib/virtualbox/VBoxHeadless -pxwra -k key-suid-VBoxHeadless
auditctl -A exit,always -F path=/usr/lib/virtualbox/VBoxNetDHCP -pxwra -k key-suid-VBoxNetDHCP
auditctl -A exit,always -F path=/usr/lib/x86_64-linux-gnu/oxide-qt/chrome-sandbox -pxwra -k key-suid-chrome-sandbox
auditctl -A exit,always -F path=/usr/lib/policykit-1/polkit-agent-helper-1 -pxwra -k key-suid-polkit-agent-helper-1
auditctl -A exit,always -F path=/usr/lib/eject/dmcrypt-get-device -pxwra -k key-suid-dmcrypt-get-device
auditctl -A exit,always -F path=/usr/lib/pt_chown -pxwra -k key-suid-pt_chown
auditctl -A exit,always -F path=/usr/lib/openssh/ssh-keysign -pxwra -k key-suid-ssh-keysign
auditctl -A exit,always -F path=/usr/bin/traceroute6.iputils -pxwra -k key-suid-traceroute6.iputils
auditctl -A exit,always -F path=/usr/bin/chfn -pxwra -k key-suid-chfn
auditctl -A exit,always -F path=/usr/bin/pkexec -pxwra -k key-suid-pkexec
auditctl -A exit,always -F path=/usr/bin/passwd -pxwra -k key-suid-passwd
auditctl -A exit,always -F path=/usr/bin/X -pxwra -k key-suid-X
auditctl -A exit,always -F path=/usr/bin/fping -pxwra -k key-suid-fping
auditctl -A exit,always -F path=/usr/bin/chsh -pxwra -k key-suid-chsh
auditctl -A exit,always -F path=/usr/bin/fping6 -pxwra -k key-suid-fping6
auditctl -A exit,always -F path=/usr/bin/mtr -pxwra -k key-suid-mtr
auditctl -A exit,always -F path=/usr/bin/gpasswd -pxwra -k key-suid-gpasswd
auditctl -A exit,always -F path=/usr/bin/sudo -pxwra -k key-suid-sudo
auditctl -A exit,always -F path=/usr/bin/lppasswd -pxwra -k key-suid-lppasswd
auditctl -A exit,always -F path=/usr/bin/newgrp -pxwra -k key-suid-newgrp
auditctl -A exit,always -F path=/home/guess/.pia_manager/openvpn_launcher.64 -pxwra -k key-suid-openvpn_launcher.64
auditctl -A exit,always -F path=/home/guess/.pia_manager/openvpn_launcher.32 -pxwra -k key-suid-openvpn_launcher.32
auditctl -A exit,always -F path=/bin/mount -pxwra -k key-suid-mount
auditctl -A exit,always -F path=/bin/ping6 -pxwra -k key-suid-ping6
auditctl -A exit,always -F path=/bin/fusermount -pxwra -k key-suid-fusermount
auditctl -A exit,always -F path=/bin/umount -pxwra -k key-suid-umount
auditctl -A exit,always -F path=/bin/su -pxwra -k key-suid-su
auditctl -A exit,always -F path=/bin/ping -pxwra -k key-suid-ping

Restart the auditd daemon so the new rules are loaded, then follow the log to confirm events are being written

service auditd restart

tail -f /var/log/audit/audit.log

Some extra audit rules to monitor changes to the file system. Warning: these will be very noisy on a busy system.

-a always,exit -F arch=b32 -S chmod -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F path=/bin/chmod -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
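Added example (not from the original notes): a small awk-based triage of audit.log by rule key, which is what the -k values above are for. It counts SYSCALL records per key and success flag, and for a given key lists which login uid (auid) and executable produced the failed calls. The log lines are constructed samples in auditd's SYSCALL line layout, using the keys from the rules on this page.

```shell
#!/bin/sh
# Added example, not the original notes' code. Works on raw audit.log lines;
# the sample records below are constructed, not real captures.

# audit_key_summary LOGFILE: one line per "key success" pair with an event count.
audit_key_summary() {
    awk '
    $1 == "type=SYSCALL" {
        key = ""; ok = ""
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^key=/)     { key = $i; sub(/^key="?/, "", key); sub(/"$/, "", key) }
            if ($i ~ /^success=/) { ok = substr($i, 9) }
        }
        if (key == "") key = "(none)"
        count[key " " ok]++
    }
    END { for (k in count) print k, count[k] }' "$1" | sort
}

# audit_failed_by_exe LOGFILE KEY: "auid exe count" for failed calls under KEY,
# e.g. which user and program tripped the EACCES/EPERM "access" rules.
audit_failed_by_exe() {
    awk -v want="$2" '
    $1 == "type=SYSCALL" && index($0, "key=\"" want "\"") && index($0, " success=no ") {
        auid = ""; exe = ""
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^auid=/) auid = substr($i, 6)
            if ($i ~ /^exe=/)  { exe = $i; sub(/^exe="?/, "", exe); sub(/"$/, "", exe) }
        }
        count[auid " " exe]++
    }
    END { for (k in count) print k, count[k] }' "$1" | sort
}

# make_sample_log FILE: constructed records (two failed opens under "access",
# one successful sudo exec under "key-suid-sudo", one PATH record with no key).
make_sample_log() {
    cat > "$1" <<'EOF'
type=SYSCALL msg=audit(1431100342.123:4567): arch=c000003e syscall=2 success=no exit=-13 a0=7ffd a1=0 items=1 ppid=1200 pid=1234 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=3 comm="cat" exe="/bin/cat" key="access"
type=PATH msg=audit(1431100342.123:4567): item=0 name="/etc/shadow" inode=1 dev=08:01 mode=0100000 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1431100350.456:4570): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 items=2 ppid=1200 pid=1240 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=pts0 ses=3 comm="sudo" exe="/usr/bin/sudo" key="key-suid-sudo"
type=SYSCALL msg=audit(1431100360.789:4580): arch=c000003e syscall=2 success=no exit=-1 a0=7ffd a1=0 items=1 ppid=1200 pid=1250 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=3 comm="vi" exe="/usr/bin/vi" key="access"
EOF
}
```

On a live box the same functions run over /var/log/audit/audit.log; ausearch -k and aureport -k give equivalent views once auditd is up.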

Example Splunk searches over the shipped audit log, for two hosts and for one host

(host=example1np OR host=example2np) source="/var/log/audit/audit.log" index="os_secure"
host=example1np source="/var/log/audit/audit.log" index="os_secure"

Retrieving information from the audit system

aureport

Summary Report
======================
Range of time in logs: 5/08/2015 15:52:22 - 5/08/2015 18:43:12
Selected time for report: 5/08/2015 15:52:22 - 5/08/2015 18:43:12
Number of changes in configuration: 0
Number of changes to accounts, groups, or roles: 0
Number of logins: 0
Number of failed logins: 0
Number of authentications: 17
Number of failed authentications: 0
Number of users: 2
Number of terminals: 2
Number of host names: 2
Number of executables: 25
Number of files: 28649
Number of AVC's: 0
Number of MAC events: 0
Number of failed syscalls: 512
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 39
Number of keys: 5
Number of process IDs: 1234
Number of events: 23455

Defining a time range for the report (-ts start, -te end)

aureport -ts 12/06/2013 09:00:09.082 -te 12/06/2013 10:21:27.308