Defining Audit Rules

The Audit system operates on a set of rules that define what is to be captured in the log files. There are three types of Audit rules that can be specified:
  • Control rules — allow the Audit system's behavior and some of its configuration to be modified.
  • File system rules — also known as file watches, allow the auditing of access to a particular file or a directory.
  • System call rules — allow logging of the system calls that any specified program makes.

Audit rules can be specified on the command line with the auditctl utility (these rules are not persistent across reboots), or written in the /etc/audit/audit.rules file, which is loaded whenever auditd starts. The following sections summarize both approaches to defining Audit rules.

Auditing goals

The Audit framework can track many event types. Examples include:
• Auditing file access and modification
  • See who changed a particular file
  • Detect unauthorized changes
• Monitoring of system calls and functions
• Detecting anomalies such as crashing processes
• Setting tripwires for intrusion detection purposes
• Recording the commands run by individual users

Defining Audit Rules with the auditctl Utility:

Note: All commands that interact with the Audit service and the Audit log files require root privileges. Run them as the root user.

Defining Control Rules:

The following are some of the control rules that allow you to modify the behavior of the Audit system:

-b
    sets the maximum number of outstanding Audit buffers the kernel will queue (the backlog limit); when the queue is full the failure action set with -f is taken, for example:
# auditctl -b 8192

-f
    sets the action that is performed when a critical error is detected (0 = silent, 1 = printk, 2 = panic), for example:
# auditctl -f 2
The above configuration triggers a kernel panic in case of a critical error, including a backlog overflow. Use it only where a certification profile requires it.

-e
    enables (1) or disables (0) the Audit system, or locks its configuration (2), for example:
# auditctl -e 2
The above command locks the Audit configuration; further changes are denied and audited until the system is rebooted.

-r
    sets the rate of generated messages per second, for example:
# auditctl -r 0
The above configuration sets no rate limit on generated messages.

-s
    reports the status of the Audit system, for example:
# auditctl -s
AUDIT_STATUS: enabled=1 flag=2 pid=0 rate_limit=0 backlog_limit=8192 lost=259 backlog=0
Here flag is the failure mode set with -f, pid is the PID of the auditd daemon receiving events (0 means no daemon is attached), lost counts records the kernel has discarded and backlog is the number of records currently queued.

-l
    lists all currently loaded Audit rules, for example:
# auditctl -l
LIST_RULES: exit,always watch=/etc/localtime perm=wa key=time-change
LIST_RULES: exit,always watch=/etc/group perm=wa key=identity
     

Defining File System Rules:

To define a file system rule, use the following syntax:

# auditctl -w path_to_file -p permissions -k key_name

where:
• path_to_file is the file or directory that is audited. A watch on a directory covers the directory and everything beneath it.
• permissions are the accesses that are logged:
  • r — read access to a file or a directory.
  • w — write access to a file or a directory.
  • x — execute access to a file or a directory.
  • a — change of a file's or directory's attributes (such as permissions or ownership).
• key_name is an optional string that helps you identify which rule or set of rules generated a particular log entry; it is recorded as key="key_name" in the event and can be searched with ausearch -k key_name.
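To show what the key buys you at triage time, here is an added example that is not part of the original post: a small Python script doing what ausearch -k does by hand, grouping raw /var/log/audit/audit.log records by event serial and by the rule key that fired, and decoding the unset loginuid. The log records are constructed for the example; the paths, PIDs and serial numbers in them are made up.

```python
import re
from collections import defaultdict

# Constructed audit.log records for this example (not captured from a real host):
# a root shell editing /etc/shadow (key identity), a regular user denied access to
# /etc/shadow (key access), and chronyd adjusting the clock (key time-change).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:2001): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd3c1a1c40 a2=241 a3=1b6 items=2 ppid=1201 pid=1302 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 comm="vi" exe="/usr/bin/vi" key="identity"
type=CWD msg=audit(1700000000.101:2001):  cwd="/root"
type=PATH msg=audit(1700000000.101:2001): item=0 name="/etc/" inode=131073 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1700000000.101:2001): item=1 name="/etc/shadow" inode=131211 dev=fd:00 mode=0100000 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.150:2002): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffd1a2b3c40 a2=0 a3=0 items=1 ppid=1401 pid=1402 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=5 comm="cat" exe="/usr/bin/cat" key="access"
type=CWD msg=audit(1700000000.150:2002):  cwd="/home/alice"
type=PATH msg=audit(1700000000.150:2002): item=0 name="/etc/shadow" inode=131211 dev=fd:00 mode=0100000 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.200:2003): arch=c000003e syscall=159 success=yes exit=0 a0=7ffc00a1b2c0 a1=0 a2=0 a3=0 items=0 ppid=1 pid=801 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="chronyd" exe="/usr/sbin/chronyd" key="time-change"
"""

RECORD_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
UNSET_AUID = 4294967295   # loginuid of processes that never went through a login (daemons, boot tasks)


def parse_record(line):
    """Split one raw record into (type, timestamp, serial, {field: value})."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('body'))}
    return m.group('type'), m.group('ts'), int(m.group('serial')), fields


def group_events(lines):
    """Records sharing a serial number belong to one event, the way ausearch shows them."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec:
            events[rec[2]].append(rec)
    return events


def summarize_event(records):
    """Pull out what a responder looks at first: who, under which login, did what to which path."""
    syscall = next((f for t, _, _, f in records if t == 'SYSCALL'), None)
    if syscall is None:
        return None
    auid = int(syscall.get('auid', UNSET_AUID))
    # PARENT entries are the containing directory; the NORMAL/CREATE/DELETE ones are the target.
    paths = [f['name'] for t, _, _, f in records if t == 'PATH' and f.get('nametype') != 'PARENT']
    return {
        'serial': records[0][2],
        'key': syscall.get('key'),
        'auid': 'unset' if auid == UNSET_AUID else auid,   # 'unset' means no human login behind it
        'uid': int(syscall['uid']),
        'exe': syscall.get('exe'),
        'syscall': int(syscall['syscall']),
        'success': syscall.get('success') == 'yes',
        'exit': int(syscall.get('exit', 0)),
        'paths': paths,
    }


def triage(log_text):
    """Group events by the -k key that matched: the equivalent of running ausearch -k for every key."""
    by_key = defaultdict(list)
    for serial, records in sorted(group_events(log_text.splitlines()).items()):
        summary = summarize_event(records)
        if summary:
            by_key[summary['key']].append(summary)
    return dict(by_key)


if __name__ == '__main__':
    for key, events in triage(SAMPLE_LOG).items():
        print(f'key={key}')
        for ev in events:
            outcome = 'ok' if ev['success'] else f'failed exit={ev["exit"]}'
            print(f"  #{ev['serial']} auid={ev['auid']} uid={ev['uid']} {ev['exe']} {outcome} paths={ev['paths']}")
```

The auid column is the one to read first: in the identity event the effective uid is 0 but the loginuid is 1000, so the change to /etc/shadow is pinned on the person who logged in and then became root; in the time-change event the loginuid is unset, so it was a daemon and no user is behind it. The exit=-13 on the access event is EACCES in the raw log, which ausearch -i would print as the symbolic name.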
     

Preconfigured Rules Files:

In the /usr/share/doc/audit-version/ directory, the audit package provides a set of pre-configured rules files according to various certification standards (for example stig.rules). The file below is an example /etc/audit/audit.rules assembled in the style of those rule sets; open it for editing with:

# vim /etc/audit/audit.rules
#
## This file contains the auditctl rules that are loaded
## whenever the audit daemon is started via the initscripts.
## The rules are simply the parameters that would be passed
## to auditctl.
##
## First rule - delete all
-D

## Increase the buffers to survive stress events.
## Make this bigger for busy systems
-b 8192

## Set failure mode to panic
## 2 = kernel panic on audit failure (for example a backlog overflow);
## use 1 (printk) unless a certification profile requires panic
-f 2

##Record Events That Modify Date and Time Information
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S clock_settime  -k time-change
-a always,exit -F arch=b32 -S clock_settime  -k time-change
-w /etc/localtime -p wa -k time-change
##Record Events That Modify User/Group Information
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity

## Things that could affect system locale
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/sysconfig/network -p wa -k system-locale

## Things that could affect MAC policy
-w /etc/selinux/ -p wa -k MAC-policy

## - Logon (unsuccessful and successful) and logout (successful)
##
## Handled by pam, sshd, login, and gdm
## Might also want to watch these files if needing extra information
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins

##- Process and session initiation (unsuccessful and successful)
##
## The session initiation is audited by pam without any rules needed.
## Might also want to watch this file if needing extra information
-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session

##- Discretionary access control permission modification (unsuccessful
## and successful use of chown/chmod)
## auid>=500 assumes UID_MIN=500 (RHEL 6); where regular users start at
## UID 1000, use auid>=1000. auid!=4294967295 excludes processes with no
## login session (unset loginuid, e.g. daemons).
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod

##- Unauthorized access attempts to files (unsuccessful)
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access

##- Files and programs deleted by the user (successful and unsuccessful)
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete

##Collect Successful File System Mounts
-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k mounts

##- All system administration actions
##- All security personnel actions
-w /etc/sudoers -p wa -k scope

##Collect System Administrator Actions (sudolog)
-w /var/log/sudo.log -p wa -k actions

## Optional - admin may be abusing power by looking in user's home dir
-a always,exit -F dir=/home -F uid=0 -F auid>=500 -F auid!=4294967295 -C auid!=


Finally, save the file and restart auditd so that the rules are loaded:

# /etc/init.d/auditd restart

On systemd-based systems use service auditd restart (auditd is set up to refuse being stopped through systemctl), or load the file without a restart with auditctl -R /etc/audit/audit.rules. Check the loaded rules with auditctl -l; auditctl stops at the first line it cannot parse, so a single malformed rule leaves everything after it unloaded.
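Before loading a file like the one above it is worth running a check for the pitfalls it carries: a panic failure mode, auid thresholds from a different UID_MIN, rules without a key, b64 syscall rules without a b32 twin, and incomplete comparisons such as the truncated last rule. The following Python linter is an added example and not part of the original post or the audit package. The rule lines it checks are a constructed excerpt of the file above plus one made-up b64-only rule, and UID_MIN is an assumption about the host.

```python
import re
import shlex
import sys

# Assumption about the host: first regular-user UID. RHEL 6 era rule files use 500,
# most current distributions start regular users at 1000.
UID_MIN = 1000

# A constructed excerpt of the rules file above, plus one made-up b64-only rule (init_module),
# to exercise the checks. The last line is the truncated rule exactly as the page shows it.
SAMPLE_RULES = """\
-D
-b 8192
-f 2
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-w /etc/localtime -p wa -k time-change
-w /etc/shadow -p wa -k identity
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
-w /etc/sudoers -p wa
-a always,exit -F dir=/home -F uid=0 -F auid>=500 -F auid!=4294967295 -C auid!=
"""

# field, operator, value: "auid>=1000", "exit=-EACCES", "arch=b64"
CMP_RE = re.compile(r'^(\w+)(!=|<=|>=|&=|=|<|>|&)(\S+)$')


def parse_rule(line):
    """Tokenise one rule line into {option: value}; -F, -C and -S may repeat and become lists."""
    rule = {'F': [], 'C': [], 'S': []}
    problems = []
    tokens = iter(shlex.split(line))
    for tok in tokens:
        if len(tok) != 2 or tok[0] != '-':
            problems.append(f'unexpected token {tok!r}')
            continue
        opt = tok[1]
        if opt == 'D':            # -D takes no argument
            rule['D'] = True
            continue
        arg = next(tokens, None)
        if arg is None:
            problems.append(f'-{opt} is missing its argument')
            break
        if opt in ('F', 'C'):
            m = CMP_RE.match(arg)
            if m:
                rule[opt].append(m.groups())
            else:
                problems.append(f'incomplete comparison {arg!r} after -{opt}')
        elif opt == 'S':
            rule['S'].append(arg)
        else:
            rule[opt] = arg
    return rule, problems


def lint_rules(text):
    """Return [(line_number, message)] for rules auditctl would reject or that would not do what the author expects."""
    findings = []
    syscall_rules = []     # (line, arch, syscalls, key) for the b32/b64 pairing check
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        rule, problems = parse_rule(line)
        findings.extend((lineno, p) for p in problems)
        if rule.get('f') == '2':
            findings.append((lineno, '-f 2 panics the kernel on audit failure (including backlog overflow); use -f 1 unless a certification profile requires panic'))
        if ('a' in rule or 'w' in rule) and 'k' not in rule:
            findings.append((lineno, 'rule has no -k key, so its events cannot be found with ausearch -k'))
        for field, op, value in rule['F']:
            if field == 'auid' and op == '>=' and value != str(UID_MIN):
                findings.append((lineno, f'auid>={value} does not match UID_MIN={UID_MIN} on this host'))
        if 'a' in rule and rule['S']:
            arch = next((v for f, _, v in rule['F'] if f == 'arch'), None)
            if arch is None:
                findings.append((lineno, 'syscall rule without -F arch=; add explicit b32 and b64 variants'))
            else:
                syscall_rules.append((lineno, arch, frozenset(rule['S']), rule.get('k')))
    # Every b64 syscall rule needs a b32 twin (same key, at least the same syscalls),
    # otherwise a 32-bit binary performs the same action unlogged.
    for lineno, arch, syscalls, key in syscall_rules:
        if arch == 'b64' and not any(a == 'b32' and k == key and syscalls <= s
                                     for _, a, s, k in syscall_rules):
            findings.append((lineno, f'no b32 counterpart for {sorted(syscalls)} (key {key})'))
    return findings


if __name__ == '__main__':
    # Usage: python3 lint_audit_rules.py [/etc/audit/audit.rules]; with no argument the sample is checked.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    for lineno, message in lint_rules(text):
        print(f'line {lineno}: {message}')
```

Run against the sample it reports the -f 2 line, every auid>=500 filter, the b64-only init_module rule, the sudoers watch that has no key, and the truncated -C auid!= comparison; the b32 time-change rule with the extra stime syscall is accepted as a superset twin of its b64 partner. The checks are deliberately simple string and set comparisons, so the script does not need the audit package installed and can run in CI against the rules file before it is deployed.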
