Manage the auditd system, create rules and define its behaviour. For an extensive guide on how to setup system auditing please refer to the official Red Hat System Auditing Guide.
The linux auditing daemon supports a wide variety of different rules. These can be grouped into the following rule classes.
These rules allow to modify the audit system's behavior and some of its configs.
# set the max amount of audit buffer in the kernel
$ auditctl -b 8192
# set the action that is performed when an error is detected. 2=kernelpanic
$ auditctl -f 2
# enable/disable the audit system or lock the configuration. 2=lock
$ auditctl -e 2
# set the rate of generated messages per second. 0=nolimit
$ auditctl -r 0
# report the status of the audit system
$ auditctl -s
# list all currently loaded audit rules
$ auditctl -l
# delete all rules currently loaded by the audit system
$ auditctl -D
These rules allow the logging of system calls that any specified program generates.
$ auditctl -a action,filter -s system_call -F field=value -k comment
action
andfilter
specify when a certain event is logged.action
can be eitheralways
ornever
filter
can be one of the following:task
,exit
,user
,exclude
system_call
specifies the system call by its name- see
/usr/include/asm/unistd_64.h
for a list of all possible syscalls.
- see
field=value
specifies additional options that further modify the rule to match events based on a specified architecture, group, id, pid.- see
man 8 auditctl
for a complete list
- see
comment
is an optional string that helps identify which rule or set of rules generated a particular log entry.
$ auditctl -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time_change
- Create a log entry each time
adjtimex
orsettimeofday
sys calls are used by a program, on a 64bit architecture.
$ auditctl -a always,exit -S unlink -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
- Defines a rule that creates a log entry every time a file is deleted or renamed by a user whose id is 1000 or larger.
- The option
-F auid!=4294967295
is used to exclude users whose login uid is not set.
Also known as file watches, these rules allow the auditing of accesses to a file or directory from any program.
$ auditctl -w path_to_file -p permissions -k comment
path_to_file
is the file or directory that is auditedpermissions
are the permissions that are loggedr
- read acces to a file or directoryw
- write acces to a file or directoryx
- execute access to a file or directorya
- change in the file or directories attributes
$ auditctl -w /etc/passwd -p wa -k passwd_changes
- Create a rule that logs each write access or attribute change of /etc/passwd
These rules allow the logging of executables.
$ auditctl -a always,exit -F exe=path_to_exe -k comment
action
andfilter
see above.system_call
see above.comment
see above.path_to_exe
is the absolute path to the executable file.
$ auditctl -a always,exit -F exe=/bin/id -F arch=b64 -S execve -k execute_bin_id
- Create a rule that logs all executions of the /bin/id program.
None.
To define different types of system auditing rules use the following variable/syntax.
auditd_custom_rules:
# define a file system rule
- type: filesystem
file: /etc/passwd
permissions: wa
comment: passwd_changes
# define a system call rule
- type: syscall
action: always,exit
filters:
- arch=b64
syscalls:
- adjtimex
- settimeofday
comment: time_change
# define an executable rule
- type: executable
action: always,exit
filters:
- arch=b64
executable: /bin/id
comment: execution_bin_id
# define general filter rule
- type: global_filter
action: always,exit
filters:
- dir=/opt/application
- perm=wa
All the configurations for the audit daemon are configurable as variables. See defaults/main.yaml
for more details.
None.
---
- name: auditd test play
hosts: all
become: true
vars:
auditd_custom_rules:
- type: filesystem
file: /etc/passwd
permissions: wa
comment: passwd_changes
- type: syscall
action: always,exit
filters:
- arch=b64
syscalls:
- adjtimex
- settimeofday
comment: time_change
- type: executable
action: always,exit
filters:
- arch=b64
executable: /bin/id
comment: execution_bin_id
roles:
- auditd
GPLv3
Aaron Schmocker (aaron@0x29a.ch)