SUSE Linux Enterprise 10 SP1 - The Linux Audit Framework Manual

The Linux Audit Framework (Novell)


SUSE Linux Enterprise
10 SP1
www.novell.com
The Linux Audit Framework
May 08, 2008



Summary of Contents for SUSE Linux Enterprise 10 SP1 - The Linux Audit Framework

  • Page 1 SUSE Linux Enterprise 10 SP1 www.novell.com The Linux Audit Framework May 08, 2008...
  • Page 2 The express authorization of Novell, Inc must be obtained prior to any other use of any manual or part thereof. For Novell trademarks, see the Novell Trademark and Service Mark list http://www.novell...
  • Page 3: Table Of Contents

    Contents About This Guide 1 Understanding Linux Audit Introducing the Components of Linux Audit ....Configuring the Audit Daemon ....Controlling the Audit System Using auditctl .
  • Page 4 Filtering System Call Arguments ....Managing Audit Event Records Using Keys ....4 Useful Resources A Creating Flow Graphs from the Audit Statistics B Creating Bar Charts from the Audit Statistics...
  • Page 5: About This Guide

    About This Guide The Linux audit framework as shipped with this version of SUSE Linux Enterprise provides a CAPP-compliant auditing system that reliably collects information about any security-relevant events. The audit records can be examined to determine whether any violation of the security policies has been committed and by whom. Providing an audit framework is an important requirement for a CC-CAPP/EAL certification.
  • Page 6 2 Documentation Updates For the latest version of this documentation, see the SLES 10 SP1 doc Web site [http://www.novell.com/documentation/sles10]. 3 Documentation Conventions The following typographical conventions are used in this manual: •...
  • Page 7 • ►amd64 ipf: This paragraph is only relevant for the specified architectures. The arrows mark the beginning and the end of the text block.◄ ►ipseries s390 zseries: This paragraph is only relevant for the specified architectures. The arrows mark the beginning and the end of the text block.◄ •...
  • Page 9: Understanding Linux Audit

    Instead, Audit is useful for tracking these issues and helps you take additional security measures, like Novell AppArmor, to prevent them. Audit consists of several components, each contributing crucial functionality to the overall framework.
  • Page 10 Review the Audit Trail Linux audit provides tools that write the audit reports to disk and translate them into human readable format. Review Particular Audit Events Audit provides a utility that allows you to filter the audit reports for certain events of interest.
  • Page 11: Introducing The Components Of Linux Audit

    logs to disk. The default configuration is to log a warning to syslog rather than to halt the system. If the system runs out of disk space when logging, the audit system can be configured to perform clean shutdown (init 0). The default configuration tells the audit daemon to stop logging when it runs out of disk space.
  • Page 12 /etc/sysconfig/auditd. How the audit system functions once it is started is controlled by /etc/auditd.conf. For more information about auditd and its configuration, refer to Section 1.2, “Configuring the Audit Daemon” (page 5). auditctl The auditctl utility controls the audit system. It controls the log generation parameters and kernel settings of the audit interface as well as the rule sets that determine which events are tracked.
  • Page 13: Configuring The Audit Daemon

    1.2 Configuring the Audit Daemon Before you can actually start generating audit logs and process them, configure the audit daemon itself. Configure how it is started in the /etc/sysconfig/auditd configuration file and configure how the audit system functions once the daemon has been started in /etc/auditd.conf.
  • Page 14 Depending on whether you want your environment to satisfy the requirements of CAPP, you need to be extra restrictive when configuring the audit daemon. Where you need to use particular settings to meet the CAPP requirements, a “CAPP Environment” note tells you how to adjust the configuration.
  • Page 15 NOTE: CAPP Environment In a CAPP environment, make sure that the audit trail is always fully up to date and complete. Therefore, use sync or data with the flush parameter. num_logs Specify the number of log files to keep if you have given rotate as the max_log_file_action.
  • Page 16 also triggers log rotation, but does not use the num_logs setting, so always keeps all logs. NOTE: CAPP Environment To keep a complete audit trail in CAPP environments, the keep_logs option should be used. If using a separate partition to hold your audit logs, adjust max_log_file and max_log_file_action to use the entire space available on that partition.
  • Page 17 and the administrator has one last chance to react to this alert and free disk space for the audit logs. The value of admin_space_left should be lower than the value for space_left. The values for admin_space_left_action are the same as for space_left_action. NOTE: CAPP Environment Set admin_space_left to a value that would just allow the administrator's actions to be recorded.
  • Page 18: Controlling The Audit System Using Auditctl

    1.3 Controlling the Audit System Using auditctl auditctl is responsible for controlling the status and some basic system parameters of the audit daemon. It controls the amount of auditing performed on the system. Using audit rules, auditctl controls which components of your system are subjected to the audit and to what extent they are audited.
  • Page 19: Passing Parameters To The Audit System

    Table 1.1 Audit Status Flags (columns: Flag; Meaning [Possible Values]; Command)
    enabled: Set the enable flag. [0|1]; auditctl -e [0|1]
    flag: Set the failure flag. [0..2] 0=silent, 1=printk, 2=panic (immediate halt without syncing pending data to disk); auditctl -f [0|1|2]
    (flag name truncated): Process ID under which auditd is running.; —...
  • Page 20 these rules would expand to a separate auditctl command. The syntax used in the rules file is the same as that used for the auditctl command. Changes made to the running audit system by executing auditctl on the command line are not persistent across system restarts.
  • Page 21 Example 1.3 Example Audit Rules—File System Auditing
    -w /etc/shadow
    -w /etc -p rx
    -w /etc/passwd -k fk_passwd -p rwxa
    The -w option tells audit to add a watch to the file specified, in this case /etc/shadow. All system calls requesting access permissions to this file are analyzed. This rule adds a watch to the /etc directory and applies permission filtering for read and execute access to this directory (-p rx).
  • Page 22 add an audit context to this system call when entering it and write out a report as soon as the call exits. This rule adds an audit context to the IPC multiplexed system call. The specific ipc system call is passed as the first syscall argument and can be selected using -F a0=ipc_call_number.
  • Page 23: Understanding The Audit Logs And Generating Reports

    -D command is also used before doing an autrace to avoid having the trace rules clash with any rules present in the audit.rules file. This rule deletes a system call rule. The -d option must precede any system call rule that should be deleted from the rule queue and must match exactly. This rule tells audit to discard the rule with the directory watch on /etc from the rules queue.
  • Page 24 1.5.1 Understanding the Audit Logs The following examples highlight two typical events that are logged by audit and how their trails in the audit log are read. The audit log or logs (if log rotation is enabled) are stored in the /var/log/audit directory. The first example is a simple less command.
  • Page 25 arch References the CPU architecture of the system call. Decode this information using the -i option on any of your ausearch commands when searching the logs. syscall The type of system call as it would have been printed by an strace on this particular system call.
  • Page 26 auid The audit ID. A process is given an audit ID on user login. This ID is then handed down to any child process started by the initial process of the user. Even if the user changes his identity (for example, becomes root), the audit ID stays the same. Thus you can always trace actions to the original user who logged in.
  • Page 27 The second message triggered by the example less call does not reveal anything apart from just the current working directory when the less command was executed. The third message reveals the following (the type and message flags have already been introduced): item In this example, item references the a0 argument—a path—that is associated with the original SYSCALL message.
  • Page 28 Example 1.8 An Advanced Audit Event—Login via SSH
    type=USER_AUTH msg=audit(1175508928.540:4499): user pid=28731 uid=0 auid=0 msg='PAM: authentication acct=root : exe="/usr/sbin/sshd" (hostname=earth.example.com, addr=192.168.0.1, terminal=ssh res=success)'
    type=USER_ACCT msg=audit(1175508928.540:4500): user pid=28731 uid=0 auid=0 msg='PAM: accounting acct=root : exe="/usr/sbin/sshd" (hostname=earth.example.com, addr=192.168.0.1, terminal=ssh res=success)'
    type=CRED_ACQ msg=audit(1175508928.544:4501): user pid=28729 uid=0 auid=0 msg='PAM: setcred acct=root : exe="/usr/sbin/sshd"...
  • Page 29 read through thousands of other events before you spot the one that you want. To avoid this, use the aureport utility and create custom reports. The following use cases highlight just a few of the possible report types that you can generate with aureport: Read Audit Logs from Another File When the audit logs have moved to another machine or when you want to analyze...
  • Page 30 Convert Numeric Entities to Text Some information, such as user IDs, are printed in numeric form. To convert these into a human-readable text format, add the -i option to your aureport command. Create a Rough Summary Report If you are just interested in the current audit statistics (events, logins, processes, etc.), run aureport without any other option: aureport Summary Report...
  • Page 31
    Number of MAC events: 0
    Number of failed syscalls: 4
    Number of anomaly events: 0
    Number of responses to anomaly events: 0
    Number of crypto events: 0
    Number of process IDs: 21
    Number of events: 32
    Create a Summary Report of Successful Events If you want to break down the overall statistics of a plain aureport to the statistics of successful events, use aureport --success: aureport --success...
  • Page 32 Create a Report of Events To get an overview of the events logged by audit, use the aureport -e command. This command generates a numbered list of all events including date, time, event number, event type, and audit ID. aureport -e Event Report =========================== # date time event type auid...
  • Page 33 Create a Report from All Executable Events To analyze the audit log from an executable's point of view, use the aureport -x command. This command generates a numbered list of all executable events including date, time, name of the executable, the terminal it is run in, the host executing it, the audit ID, and event number.
  • Page 34
    1. 04/23/2007 08:00:01 PM unset cron ? /usr/sbin/cron 1888
    2. 04/23/2007 08:00:01 PM unset cron ? /usr/sbin/cron 1889
    3. 04/23/2007 08:00:01 PM root ? ? ? 1890
    4. 04/23/2007 08:00:01 PM root cron ? /usr/sbin/cron 1891
    5. 04/23/2007 08:00:01 PM root cron ? /usr/sbin/cron 1892
    6.
  • Page 35: Querying The Audit Daemon Logs With Ausearch

    ============================================
    # date time auid host term exe success event
    ============================================
    1. 04/23/2007 12:38:38 PM root earth.example.com /dev/pts/0 /usr/sbin/sshd yes 1624
    2. 04/23/2007 01:38:12 PM root earth.example.com /dev/pts/1 /usr/sbin/sshd yes 1655
    3. 04/23/2007 03:32:58 PM root sun.example.com /dev/pts/0 /usr/sbin/sshd yes 1712
    The start date and time are specified with the -ts option.
  • Page 36 you would always get a PATH record along with the SYSCALL record for an open system call. TIP: Using Multiple Search Options Any of the command line options can be combined with logical AND operators to narrow down your search. Read Audit Logs from Another File When the audit logs have moved to another machine or when you want to analyze the logs of a number of machines on your local machine without wanting to connect...
  • Page 37 success=yes exit=4 a0=80624a0 a1=18800 a2=0 a3=80624a0 items=1 ppid=29163 pid=29433 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 comm="aureport" exe="/sbin/aureport" subj=unconstrained key="LOG_audit" The ausearch -a command grabs all records in the logs that are related to the audit event ID provided and displays them. This option cannot be combined with any other option.
  • Page 38 Search by Executable Name View records related to a certain executable with the ausearch -x exe command, for example ausearch -x /usr/bin/less for all records related to the /usr/bin/less executable. Search by System Call Name View records related to a certain system call with the ausearch -sc syscall command, for example, ausearch -sc open for all records related to the open system call.
  • Page 39: Analyzing Processes With Autrace

    Search by Key Field View records that contain a certain key assigned in the audit rule set to identify events of a particular type. Use the ausearch -k key_field, for example, ausearch -k CFG_etc to display any records containing the CFG_etc key. Limit a Search to a Certain Time Frame Use -ts and -te to limit the scope of your searches to a certain time frame.
  • Page 40: Visualizing Audit Data

    1.8 Visualizing Audit Data Neither the data trail in /var/log/audit/audit.log nor the different report types generated by aureport, described in Section 1.5.2, “Generating Custom Audit Reports” (page 20), provide an intuitive reading experience to the user. The aureport output is formatted in columns and thus easily available to any sed, perl, or awk scripts that users might connect to the audit framework to visualize the audit data.
  • Page 41 stamps. To avoid having this confuse your scripts, precede your script calls with LC_ALL=C to reset the locale and use the 24 hour time format. Figure 1.2 Flow Graph—Program versus System Call Relationship The second example illustrates the different types of events and how many of each type have been logged.
  • Page 42 Figure 1.3 Bar Chart—Common Event Types For background information about the visualization of audit data, refer to the Web site of the audit project at http://people.redhat.com/sgrubb/audit/visualize/index.html. The Linux Audit Framework...
  • Page 43: Setting Up The Linux Audit Framework

    Setting Up the Linux Audit Framework This chapter shows how to set up a simple audit scenario. Every step involved in configuring and enabling audit is explained in detail. After you have learned to set up audit, consider a real-world example scenario in Chapter 3, Introducing an Audit Rule Set (page 47).
  • Page 44: Determining The Components To Audit

    6 Change your PAM configuration to enable audit IDs. Section 2.5, “Adjusting the PAM Configuration” (page 40). 7 Generate logs and configure tailor-made reports. Refer to Section 2.6, “Configuring Audit Reports” (page 41) for details. 8 Configure optional log visualization. Refer to Section 2.7, “Configuring Log Visualization”...
  • Page 45: Configuring The Audit Daemon

    2.2 Configuring the Audit Daemon The basic setup of the audit daemon is done in /etc/auditd.conf:
    log_file = /var/log/audit/audit.log
    log_format = RAW
    priority_boost = 3
    flush = INCREMENTAL
    freq = 20
    num_logs = 4
    dispatcher = /usr/sbin/audispd
    disp_qos = lossy
    max_log_file = 5
    max_log_file_action = ROTATE
    space_left = 75...
  • Page 46: Enabling Audit For System Calls

    However, other kernel components and modules may log audit events outside of the control of auditctl and these appear in the audit log. By default, the only module that generates audit events is Novell AppArmor. Advanced Logging with System Call Auditing To audit system calls and get meaningful file watches, you need to enable audit contexts for system calls.
  • Page 47: Setting Up Audit Rules

    2.4 Setting Up Audit Rules Using audit rules, determine which aspects of the system should be analyzed by audit. Normally this includes important databases and security-relevant configuration files. You may also analyze various system calls in detail if a broad analysis of your system is required.
  • Page 48: Adjusting The Pam Configuration

    ments and use -f 1 (system continues to run, issues a warning and audit stops) for any other setup to avoid loss of data or data corruption. Directory watches produce less verbose output than separate file watches for the files under these directories.
  • Page 49: Configuring Audit Reports

    To adjust the PAM configuration to enable audit IDs, proceed as follows: 1 Log in as root. 2 Open the PAM configuration file for the application—/etc/pam.d/application—and add the following line before the common-session line:
    session required pam_loginuid.so
    session include common-session
    3 Apply your changes and close the configuration file.
  • Page 50 For this example, assume that you are interested in finding out about any attempts to access your audit, PAM, and system configuration. Proceed as follows to find out about file events on your system: 1 Generate a full summary report of all events and check for any anomalies in the summary report, for example, have a look at the “failed syscalls”...
  • Page 51
    Number of MAC events: 0
    Number of failed syscalls: 799
    Number of anomaly events: 0
    Number of responses to anomaly events: 0
    Number of crypto events: 0
    Number of process IDs: 40
    Number of events: 841
    3 To list the files that could not be accessed, run a summary report of failed file events: aureport -f -i --failed --summary Failed File Summary Report...
  • Page 52: Configuring Log Visualization

    68. 04/27/2007 04:45:00 PM /etc/sysconfig/displaymanager getxattr no /bin/vim root 1451
    5 Use the event ID to get a detailed record for each item of interest:
    ausearch -a 1451 -i
    type=PATH msg=audit(04/27/2007 16:45:00.736:1451) : item=0 name=/etc/sysconfig/displaymanager inode=440645 dev=03:01 mode=file,644 ouid=root ogid=root rdev=00:00
    type=CWD msg=audit(04/27/2007 16:45:00.736:1451) : cwd=/root
    type=SYSCALL msg=audit(04/27/2007 16:45:00.736:1451) : arch=i386...
  • Page 53 To plot summary reports, such as the ones discussed in Section 2.6, “Configuring Audit Reports” (page 41), use the script introduced in Appendix B, Creating Bar Charts from the Audit Statistics (page 65). Some example commands could look like the following:
    Create a Summary of Events
    aureport -e -i --summary | ./mkbar events
    Create a Summary of File Events...
  • Page 54
    $4, $7 }' | sort | uniq | ./mkgraph
    Users versus Files
    LC_ALL=C aureport -f -i | awk '/^[0-9]/ { printf "%s %s\n", $8, $4 }' | sort | uniq | ./mkgraph
    System Calls versus Commands
    LC_ALL=C aureport -s -i | awk '/^[0-9]/ { printf "%s %s\n", $4, $6 }' | sort | uniq | ./mkgraph
    System Calls versus Files
    LC_ALL=C aureport -s -i | awk '/^[0-9]/ { printf "%s %s\n",...
  • Page 55: Introducing An Audit Rule Set

    Introducing an Audit Rule Set The following example configuration illustrates how audit can be used to monitor your system. It highlights the most important items that need to be audited to cover the list of auditable events specified by Controlled Access Protection Profile (CAPP). The example rule set is divided into the following sections: •...
  • Page 56: Adding Basic Audit Configuration Parameters

    2 Save all examples to one single file called /etc/audit.rules. 3 Adjust the file permissions to make sure that the rules file is owned by root and by the root group and its permissions are set to read-write for root and read-only for the group and access is denied to any other user or group.
  • Page 57: Adding Watches On Audit Log Files And Configuration Files

    IMPORTANT: Choosing the Failure Flag Before using your audit rule set on a live system, make sure that the setup has been thoroughly evaluated on test systems using the worst case production workload. It is even more critical that you do this when specifying the -f 2 flag, because this instructs the kernel to panic (perform an immediate halt without flushing pending data to disk) if any thresholds are exceeded.
  • Page 58: Monitoring File System Objects

    Set a watch on the directory where the audit log is located. Trigger an event for any type of access attempt to this directory. If you are using log rotation, add watches for the rotated logs as well. Set a watch on an audit configuration file. Log all write and attribute change attempts to this file.
  • Page 59: Monitoring Security Configuration Files And Databases

    -a entry,always -S mount -S umount -S umount2 Enable an audit context for system calls related to changing file ownership and permissions. Depending on the hardware architecture of your system, enable or disable the *32 rules. 64-bit systems, like x86_64 and ia64, require the *32 rules to be removed.
  • Page 60 The same applies to any other configuration files related to secure authentication and communication.
    -w /var/spool/at
    -w /etc/at.allow
    -w /etc/at.deny
    -w /etc/cron.allow -p wa
    -w /etc/cron.deny -p wa
    -w /etc/cron.d/ -p wa
    -w /etc/cron.daily/ -p wa
    -w /etc/cron.hourly/ -p wa
    -w /etc/cron.monthly/ -p wa
    -w /etc/cron.weekly/ -p wa
    -w /etc/crontab -p wa...
  • Page 61
    -w /etc/postfix/ -p wa
    -w /etc/ssh/sshd_config
    -w /etc/stunnel/stunnel.conf
    -w /etc/stunnel/stunnel.pem
    -w /etc/vsftpd.ftpusers
    -w /etc/vsftpd/vsftpd.conf
    -a exit,always -S sethostname
    -w /etc/issue -p wa
    -w /etc/issue.net -p wa
    Set watches on the at and cron configuration and the scheduled jobs and assign labels to these events.
  • Page 62: Monitoring Miscellaneous System Calls

    3.5 Monitoring Miscellaneous System Calls As well as auditing file system related system calls, as described in Section 3.3, “Monitoring File System Objects” (page 50), you can also track various other system calls. Tracking task creation helps you understand your applications' behavior. Auditing the umask system call lets you track how processes modify permissions.
  • Page 63 IMPORTANT: Auditing System Calls Auditing system calls results in a high logging activity, which in turn puts a heavy load on the kernel. With a kernel less responsive than usual, the system's backlog and rate limits might well be exceeded. Carefully evaluate which system calls to include in your audit rule set and adjust the log settings accordingly.
  • Page 64 Audit the socket(PF_INET6) system call. The -F a0=1 filter matches all socket system calls and the -F a1=10 filter narrows the matches down to socket system calls carrying the IPv6 protocol family domain parameter (PF_INET6). Check /usr/include/linux/net.h for the first argument (a0) and /usr/include/linux/socket.h for the second parameter (a1).
  • Page 65: Managing Audit Event Records Using Keys

    Audit system calls related to IPC SYSV message queues. In this case, the a0 values specify that auditing is added for the msgctl and msgget system calls (14 and 13). 64-bit platforms, like x86_64 and ia64, do not use multiplexing on ipc system calls.
  • Page 66 -w /etc/audit.rules -p wa -k CFG_audit.rules You can specify any text string as key. Distinguish watches related to different types of files (configuration files or log files) from one another using different key prefixes (CFG, LOG, etc.) followed by the filename. Finding any records related to the above rule now comes down to the following: ausearch -k CFG_audit.rules time->Thu Apr 26 14:56:25 2007...
  • Page 67: Useful Resources

    Useful Resources There are other resources available containing valuable information about the Linux audit framework: The Audit Manual Pages There are several man pages installed along with the audit tools that provide valuable and very detailed information: • auditd(8) • auditd.conf(8) •...
  • Page 68 http://www.commoncriteriaportal.org/ The official Web site of the Common Criteria project. Learn all about the Common Criteria security certification initiative and which role audit plays in this framework. The Linux Audit Framework...
  • Page 69 Creating Flow Graphs from the Audit Statistics The following script to convert aureport audit statistics into flow graphs was created by Steve Grubb at Red Hat. It is available from http://people.redhat.com/sgrubb/audit/visualize/mkgraph. Because the current version of audit in SUSE Linux Enterprise does not ship with this script, proceed as follows to make it available on your system: 1 Download the script from http://people.redhat.com/sgrubb/...
  • Page 70
    # You should have received a copy of the GNU General Public License
    # along with this program; see the file COPYING. If not, write to the
    # Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
    # Author: Steve Grubb <sgrubb@redhat.com>
    ########
    # This program will take stdin and produce a graph for it.
  • Page 71
    echo "graphviz is not installed. Exiting."
    exit 1
    echo "digraph G {" > $DOT_FILE
    # Some options you may want to set
    #echo -e "\torientation=landscape" >> $DOT_FILE
    #echo -e "\tsize=\"60,18\"" >> $DOT_FILE
    #echo -e "\tranksep=\"1.25\"" >> $DOT_FILE
    #echo -e "\tratio=fill" >> $DOT_FILE
    #echo -e "\tpage=\"8.5,11\";"...
  • Page 73 Creating Bar Charts from the Audit Statistics The following script to convert aureport audit statistics into bar charts was created by Steve Grubb at Red Hat. It is available from http://people.redhat.com/sgrubb/audit/visualize/mkbar. Because the current version of audit in SUSE Linux Enterprise does not ship with this script, proceed as follows to make it available on your system: 1 Download the script from http://people.redhat.com/sgrubb/...
  • Page 74
    # along with this program; see the file COPYING. If not, write to the
    # Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
    # Author: Steve Grubb <sgrubb@redhat.com>
    #######
    # This program will take data returned by aureport summaries and
    # produce a bar chart of it.
  • Page 75
    echo -n "set xtics rotate (\"-1\" -1" >> $gpcommand
    # make sure we don't append to pre-existing file
    rm -f $gpdata
    # read input
    while [ 1 ]
    read -t 5 line 2>/dev/null
    if [ $? -ne 0 ] ; then break
    if [ x"$line"...
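The awk pipelines on Page 54 pick aureport columns by position ($4, $6 and so on), and Page 41 warns that a locale-formatted time stamp (the "08:00:01 PM" form visible in the Page 34 rows) shifts every column by one unless the report is run with LC_ALL=C. The following Python script is an added example, not part of the manual and not Steve Grubb's mkgraph or mkbar: it parses numbered aureport rows in either time format, maps the columns of an aureport -x row onto the names auid, term, host, exe and event (an assumption taken from the Page 33 description and the Page 34 rows), builds the unique pairs that the sort | uniq stage of the pipelines would produce, and renders them as a minimal DOT digraph in place of what mkgraph writes. The 12-hour rows are the Page 34 rows; the 24-hour rows are constructed to show the same report under LC_ALL=C.

```python
"""Turn numbered aureport rows into unique edge pairs for a flow graph.

Added example (not from the manual, not from mkgraph). It accepts both the
locale 12-hour time stamp ("08:00:01 PM") and the 24-hour form produced
under LC_ALL=C, which the awk '$4, $6' pipelines silently assume.
"""
import re
from datetime import datetime

# "N. MM/DD/YYYY HH:MM:SS [AM|PM] <remaining columns>"
ROW = re.compile(
    r"^(\d+)\.\s+(\d{2}/\d{2}/\d{4})\s+(\d{1,2}:\d{2}:\d{2})(?:\s+(AM|PM))?\s+(.*)$"
)

# Assumed column layout of an aureport -x row after the time stamp
# (derived from the Page 33 description and the Page 34 sample rows).
X_COLUMNS = ("auid", "term", "host", "exe", "event")


def awk_field(line, n):
    """What awk's $n selects from this row: whitespace-split, 1-based."""
    return line.split()[n - 1]


def parse_row(line):
    """Return (row_number, datetime, remaining columns), or None for header/blank lines."""
    m = ROW.match(line.strip())
    if m is None:
        return None
    number, date, clock, ampm, rest = m.groups()
    if ampm:  # locale 12-hour format: the AM/PM token is an extra column
        when = datetime.strptime(f"{date} {clock} {ampm}", "%m/%d/%Y %I:%M:%S %p")
    else:     # LC_ALL=C 24-hour format
        when = datetime.strptime(f"{date} {clock}", "%m/%d/%Y %H:%M:%S")
    return int(number), when, rest.split()


def rows_to_dicts(lines, columns=X_COLUMNS):
    """Map each data row onto named columns; reject rows whose width does not fit."""
    rows = []
    for line in lines:
        parsed = parse_row(line)
        if parsed is None:
            continue
        number, when, cols = parsed
        if len(cols) != len(columns):
            raise ValueError(f"row {number}: expected {len(columns)} columns, got {len(cols)}")
        row = dict(zip(columns, cols))
        row["time"] = when
        rows.append(row)
    return rows


def edges(rows, src, dst):
    """Unique (src, dst) pairs, the printf | sort | uniq stage of the Page 54 pipelines.
    Pairs containing '?' (aureport's marker for an unknown value) are dropped."""
    return sorted({(r[src], r[dst]) for r in rows if "?" not in (r[src], r[dst])})


def to_dot(pairs):
    """Minimal Graphviz digraph text for the pairs (a stand-in for mkgraph's output)."""
    body = [f'\t"{a}" -> "{b}";' for a, b in pairs]
    return "\n".join(["digraph G {", *body, "}"])


# Sample rows as printed on Page 34 (locale 12-hour time stamps) ...
SAMPLE_LOCALE = """\
1. 04/23/2007 08:00:01 PM unset cron ? /usr/sbin/cron 1888
2. 04/23/2007 08:00:01 PM unset cron ? /usr/sbin/cron 1889
3. 04/23/2007 08:00:01 PM root ? ? ? 1890
4. 04/23/2007 08:00:01 PM root cron ? /usr/sbin/cron 1891
5. 04/23/2007 08:00:01 PM root cron ? /usr/sbin/cron 1892
"""
# ... and the same rows as they would look under LC_ALL=C (constructed).
SAMPLE_C = """\
1. 04/23/2007 20:00:01 unset cron ? /usr/sbin/cron 1888
2. 04/23/2007 20:00:01 unset cron ? /usr/sbin/cron 1889
3. 04/23/2007 20:00:01 root ? ? ? 1890
4. 04/23/2007 20:00:01 root cron ? /usr/sbin/cron 1891
5. 04/23/2007 20:00:01 root cron ? /usr/sbin/cron 1892
"""

if __name__ == "__main__":
    print("awk $4 on a locale row:", awk_field(SAMPLE_LOCALE.splitlines()[0], 4))
    print("awk $4 on an LC_ALL=C row:", awk_field(SAMPLE_C.splitlines()[0], 4))
    rows = rows_to_dicts(SAMPLE_LOCALE.splitlines())
    print(to_dot(edges(rows, "auid", "exe")))
```

awk_field shows the failure mode directly: on a locale row $4 is the token PM, on an LC_ALL=C row it is the audit ID, so a pipeline written against one format reads the wrong column on the other. parse_row avoids the problem by consuming the time stamp as a unit before the remaining columns are counted.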
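Page 37 shows a raw SYSCALL record and explains ausearch -a, Page 66 shows how a key set in a rule (-k CFG_audit.rules) is found again with ausearch -k, and Page 26 explains that the auid ties every record back to the user who logged in. As an added example, not code from the manual or from the audit project, the following Python script parses raw audit.log records of the form type=... msg=audit(epoch:serial): ..., groups them into events by serial number, and filters events by serial, by key or by auid the way those searches do. The USER_AUTH line is the one printed on Page 28; the SYSCALL/CWD/PATH event (modelling the /etc/passwd watch with -k fk_passwd from Page 21) and the header of the second SYSCALL record (completing the Page 37 fragment) are constructed so that the sample runs offline.

```python
"""Parse raw audit.log records and query them the way ausearch -a / -k do.

Added example (not code from the manual or from the audit project).
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Every raw record starts with: type=<TYPE> msg=audit(<epoch.millis>:<serial>): <fields>
HEADER = re.compile(
    r"^type=(?P<type>\S+)\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<rest>.*)$"
)
# name=value fields; a value is double-quoted, single-quoted (may contain spaces) or bare
FIELD = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")


def parse_record(line):
    """Return one record as a dict, or None if the line is not an audit record."""
    m = HEADER.match(line.strip())
    if m is None:
        return None
    rec = {
        "type": m.group("type"),
        "time": datetime.fromtimestamp(float(m.group("ts")), tz=timezone.utc),
        "serial": int(m.group("serial")),
    }
    for name, value in FIELD.findall(m.group("rest")):
        if value[:1] in ('"', "'") and value[-1:] == value[:1]:
            value = value[1:-1]  # drop the quotes, keep the text
        rec[name] = value
    return rec


def group_events(lines):
    """Group records into events: every record of one event carries the same serial."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            events[rec["serial"]].append(rec)
    return dict(events)


def search(events, serial=None, key=None, auid=None):
    """Serials of events matching every given criterion (serial as ausearch -a does,
    key as ausearch -k does, auid = the login UID described on Page 26)."""
    hits = []
    for sn, recs in sorted(events.items()):
        if serial is not None and sn != serial:
            continue
        if key is not None and not any(r.get("key") == key for r in recs):
            continue
        if auid is not None and not any(r.get("auid") == str(auid) for r in recs):
            continue
        hits.append(sn)
    return hits


def paths_of(event):
    """File names from the PATH records of one event."""
    return [r["name"] for r in event if r["type"] == "PATH" and "name" in r]


def summarize(events):
    """Record counts per type, the raw material behind aureport's summary lines."""
    counts = defaultdict(int)
    for recs in events.values():
        for r in recs:
            counts[r["type"]] += 1
    return dict(counts)


# Sample log: the USER_AUTH line is the one printed on Page 28; the rest is
# constructed (event 1700 models the /etc/passwd watch with -k fk_passwd from
# Page 21; event 1602 completes the Page 37 fragment with a made-up header).
SAMPLE_LOG = """\
type=USER_AUTH msg=audit(1175508928.540:4499): user pid=28731 uid=0 auid=0 msg='PAM: authentication acct=root : exe="/usr/sbin/sshd" (hostname=earth.example.com, addr=192.168.0.1, terminal=ssh res=success)'
type=SYSCALL msg=audit(1177681500.736:1700): arch=40000003 syscall=5 success=yes exit=3 a0=bfb4e2e8 a1=8000 a2=0 a3=0 items=1 ppid=1440 pid=1450 auid=500 uid=500 gid=100 euid=500 suid=500 fsuid=500 egid=100 sgid=100 fsgid=100 tty=pts1 comm="vim" exe="/bin/vim" key="fk_passwd"
type=CWD msg=audit(1177681500.736:1700):  cwd="/home/user"
type=PATH msg=audit(1177681500.736:1700): item=0 name="/etc/passwd" inode=440645 dev=03:01 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1177681605.111:1602): arch=40000003 syscall=5 success=yes exit=4 a0=80624a0 a1=18800 a2=0 a3=80624a0 items=1 ppid=29163 pid=29433 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 comm="aureport" exe="/sbin/aureport" subj=unconstrained key="LOG_audit"
"""

if __name__ == "__main__":
    events = group_events(SAMPLE_LOG.splitlines())
    print("summary:", summarize(events))
    for sn in search(events, key="fk_passwd"):
        print(sn, paths_of(events[sn]))
```

The single-quoted msg='...' value of the PAM records is kept as one string on purpose: the fields inside it (acct, hostname, addr) belong to PAM's message, not to the record, which is why the parser does not promote them to top-level keys. Matching on the serial rather than on the time stamp is what makes the SYSCALL, CWD and PATH lines of one event come back together, exactly as ausearch -a returns them.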
