
Linux System Auditing: Enhancing Security and Compliance

  • Post category: RedHat

In this blog, we will delve into Linux system auditing, covering essential concepts, configurations, and management techniques. By the end, you’ll be well-equipped to implement a robust auditing system that helps monitor file access, system calls, commands, and network activities on your Linux servers.

Linux Auditing Fundamentals

Log entries: /var/log/audit/audit.log
Rotated log entries: /var/log/audit

Auditing is indispensable for compliance with security standards and regulations, making it a cornerstone of system administration.
Use cases: monitoring file access, tracking system calls, logging executed commands, observing network access, etc.

To perform Linux system auditing, you need to use tools and commands that can collect and analyze system data. Some of the common tools and commands are:

  • auditd: A daemon that runs in the background and records system events to a log file.
  • ausearch: A command that can query the audit log file for specific criteria.
  • aureport: A command that can generate summary reports of the audit log file.
  • auditctl: A command that can configure the audit subsystem and control the auditd daemon.
  • audit.rules: A file that contains the rules for auditing system events.

Installing the Audit System

yum install audit

Configuring the Audit Service

Once the audit system is installed, you can configure it through the /etc/audit/auditd.conf file. Key options to set include:

  • log_file: Specifies where audit logs are stored.
  • max_log_file: Defines the maximum log file size (in MB).
  • num_logs: Determines the number of log files to keep.
  • max_log_file_action: Specifies whether to keep or rotate log files.
  • space_left: Sets the volume of free space required to trigger an action.
  • space_left_action: Specifies the action to take when space runs low.
  • action_mail_acct: Defines the email account to be used for notifications.

Managing the Audit Service

#manual start
service auditd start
#configure start at boot
systemctl enable auditd
#rotate the log files
service auditd rotate

Defining Audit Rules and Controls

Linux auditing relies on rules to capture specific events. Here are ways to define these rules:

Non-Persistent Rules:

Use auditctl to log file access based on paths, permissions, and keywords.

File System Rules

auditctl -w path_to_file -p permissions -k key_name
#example: log writes and attribute changes to /etc/passwd
auditctl -w /etc/passwd -p wa -k passwd_changes

System Call Rules

auditctl -a action,filter -S system_call -F arch=b64 -F field=value -k key_name
#Scenario: log every time the adjtimex or settimeofday system call is used:
auditctl -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time_change
#Log every time file.txt is written to or its attributes are changed by a member of a specific group, excluding one individual user.
#(auditctl field names are gid and uid; group and user names are resolved to numeric ids)
auditctl -a always,exit -F path=/file.txt -F perm=wa -F gid=helpdesk -F uid!=john

Creating Persistent Rules

Persistent rules are stored in /etc/audit/audit.rules. They are loaded at system startup and define which events to log.

#Log write access and attribute changes to /etc/passwd
-w /etc/passwd -p wa -k passwd_changes
#Log write and attribute changes to file.txt by the helpdesk group, excluding john
-a always,exit -F path=/file.txt -F perm=wa -F gid=helpdesk -F uid!=john

To stop a noisy service filling up your logs, add "never" rules for it; below we silence crond's audit events:

-a never,user -F subj_type=crond_t
-a never,exit -F subj_type=crond_t

Creating Audit Reports

Use the aureport utility to generate audit reports based on logs in /var/log/audit. Various options allow you to query and summarize audit data.

The example below queries all files in /var/log/audit to create a report:

aureport --start 11/7/2023 00:00:00 --end 11/15/2023 00:00:00
aureport -x
aureport -x --summary

Preconfigured Rule Sets

Linux systems come with preconfigured rule sets for specific compliance requirements. You can apply these rules to enhance system security.

/usr/share/doc/audit-version/rules: location of the preconfigured rule sets installed with the audit package, for example:

  • nispom.rules
  • capp.rules
  • stig.rules

Putting a preconfigured rule set into play:

#make a backup of the current /etc/audit/rules.d/audit.rules
cp /etc/audit/rules.d/audit.rules /etc/audit/rules.d/audit.rules_backup
#copy the rule set into the audit.rules file:
cp /usr/share/doc/audit-version/rules/30-nispom.rules /etc/audit/rules.d/audit.rules

Configuring Audit Settings for STIG Compliance on RedHat

The Red Hat Linux audit service comes with precompiled rule sets for various compliance requirements. In this lab, we will configure a Red Hat host’s audit rules to include the STIG (Security Technical Implementation Guide) compliance rule set. This will allow us to identify any points at which we are not compliant with STIG requirements.

Implement the Red Hat included STIG audit rules

#Make a backup of the current audit rules:
cp /etc/audit/rules.d/audit.rules /etc/audit/rules.d/audit.rules_backup
#Append the STIG audit rules to the audit.rules file:
cd /usr/share/doc/audit-2.8.1/rules
cat 30-stig.rules 99-finalize.rules >> /etc/audit/rules.d/audit.rules
#Restart the auditd service:
service auditd restart
#Verify the status is active (running):
service auditd status

Make sure there is only one -D rule in the audit.rules file, or the rules loaded before the second -D will be deleted.