Red Hat Training
A Red Hat training course is available for Red Hat Enterprise Linux
By default, the Audit system stores log entries in the /var/log/audit/audit.log file; if log rotation is enabled, rotated audit.log files are stored in the same directory.
The following Audit rule logs every attempt to read or modify the /etc/ssh/sshd_config file:
-w /etc/ssh/sshd_config -p warx -k sshd_config
If the auditd daemon is running, running the following command creates a new event in the Audit log file:
~]#cat /etc/ssh/sshd_configThis event in the audit.log file looks as follows:
type=SYSCALL msg=audit(1364481363.243:24287): arch=c000003e syscall=2 success=no exit=-13 a0=7fffd19c5592 a1=0 a2=7fffd19c4b50 a3=a items=1 ppid=2686 pid=3538 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=1 comm="cat" exe="/bin/cat" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="sshd_config"type=CWD msg=audit(1364481363.243:24287): cwd="/home/shadowman"type=PATH msg=audit(1364481363.243:24287): item=0 name="/etc/ssh/sshd_config" inode=409248 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0
The above event consists of three records (each starting with the type= keyword), which share the same time stamp and serial number. Each record consists of several name=value pairs separated by a white space or a comma. A detailed analysis of the above event follows:
First Record
type=SYSCALLThe
typefield contains the type of the record. In this example, theSYSCALLvalue specifies that this record was triggered by a system call to the kernel.For a list of all possible type values and their explanations, see SectionB.2, “Audit Record Types”.
msg=audit(1364481363.243:24287):The
msgfield records:a time stamp and a unique ID of the record in the form
audit(time_stamp:ID). Multiple records can share the same time stamp and ID if they were generated as part of the same Audit event.various event-specific
name=valuepairs provided by the kernel or user space applications.
arch=c000003eThe
archfield contains information about the CPU architecture of the system. The value,c000003e, is encoded in hexadecimal notation. When searching Audit records with theausearchcommand, use the-ior--interpretoption to automatically convert hexadecimal values into their human-readable equivalents. Thec000003evalue is interpreted asx86_64.syscall=2The
syscallfield records the type of the system call that was sent to the kernel. The value,2, can be matched with its human-readable equivalent in the/usr/include/asm/unistd_64.hfile. In this case,2is theopensystem call. Note that the ausyscall utility allows you to convert system call numbers to their human-readable equivalents. Use theausyscall --dumpcommand to display a listing of all system calls along with their numbers. For more information, see the ausyscall(8) man page.success=noThe
successfield records whether the system call recorded in that particular event succeeded or failed. In this case, the call did not succeed.exit=-13The
exitfield contains a value that specifies the exit code returned by the system call. This value varies for different system call. You can interpret the value to its human-readable equivalent with the following command:ausearch --interpret --exit -13(assuming your Audit log contains an event that failed with exit code-13).a0=7fffd19c5592,a1=0,a2=7fffd19c5592,a3=aThe
a0toa3fields record the first four arguments, encoded in hexadecimal notation, of the system call in this event. These arguments depend on the system call that is used; they can be interpreted by the ausearch utility.items=1The
itemsfield contains the number of path records in the event.ppid=2686The
ppidfield records the Parent Process ID (PPID). In this case,2686was the PPID of thebashprocess.pid=3538The
pidfield records the Process ID (PID). In this case,3538was the PID of thecatprocess.auid=500The
auidfield records the Audit user ID, that is the loginuid. This ID is assigned to a user upon login and is inherited by every process even when the user's identity changes (for example, by switching user accounts with thesu - johncommand).uid=500The
uidfield records the user ID of the user who started the analyzed process. The user ID can be interpreted into user names with the following command:ausearch -i --uid UID. In this case,500is the user ID of usershadowman.gid=500The
gidfield records the group ID of the user who started the analyzed process.euid=500The
euidfield records the effective user ID of the user who started the analyzed process.suid=500The
suidfield records the set user ID of the user who started the analyzed process.fsuid=500The
fsuidfield records the file system user ID of the user who started the analyzed process.egid=500The
egidfield records the effective group ID of the user who started the analyzed process.sgid=500The
sgidfield records the set group ID of the user who started the analyzed process.fsgid=500The
fsgidfield records the file system group ID of the user who started the analyzed process.tty=pts0The
ttyfield records the terminal from which the analyzed process was invoked.ses=1The
sesfield records the session ID of the session from which the analyzed process was invoked.comm="cat"The
commfield records the command-line name of the command that was used to invoke the analyzed process. In this case, thecatcommand was used to trigger this Audit event.exe="/bin/cat"The
exefield records the path to the executable that was used to invoke the analyzed process.subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023The
subjfield records the SELinux context with which the analyzed process was labeled at the time of execution.key="sshd_config"The
keyfield records the administrator-defined string associated with the rule that generated this event in the Audit log.
Second Record
type=CWDIn the second record, the
typefield value isCWD— current working directory. This type is used to record the working directory from which the process that invoked the system call specified in the first record was executed.The purpose of this record is to record the current process's location in case a relative path is captured in the associated PATH record. This way the absolute path can be reconstructed.
msg=audit(1364481363.243:24287)The
msgfield holds the same time stamp and ID value as the value in the first record.cwd="/home/shadowman"The
cwdfield contains the path to the directory in which the system call was invoked.
Third Record
type=PATHIn the third record, the
typefield value isPATH. An Audit event contains aPATH-type record for every path that is passed to the system call as an argument. In this Audit event, only one path (/etc/ssh/sshd_config) was used as an argument.msg=audit(1364481363.243:24287):The
msgfield holds the same time stamp and ID value as the value in the first and second record.item=0The
itemfield indicates which item, of the total number of items referenced in theSYSCALLtype record, the current record is. This number is zero-based; a value of0means it is the first item.name="/etc/ssh/sshd_config"The
namefield records the path of the file or directory that was passed to the system call as an argument. In this case, it was the/etc/ssh/sshd_configfile.inode=409248The
inodefield contains the inode number associated with the file or directory recorded in this event. The following command displays the file or directory that is associated with the409248inode number:~]#
find / -inum 409248 -print/etc/ssh/sshd_configdev=fd:00The
devfield specifies the minor and major ID of the device that contains the file or directory recorded in this event. In this case, the value represents the/dev/fd/0device.mode=0100600The
modefield records the file or directory permissions, encoded in numerical notation. In this case,0100600can be interpreted as-rw-------, meaning that only the root user has read and write permissions to the/etc/ssh/sshd_configfile.ouid=0The
ouidfield records the object owner's user ID.ogid=0The
ogidfield records the object owner's group ID.rdev=00:00The
rdevfield contains a recorded device identifier for special files only. In this case, it is not used as the recorded file is a regular file.obj=system_u:object_r:etc_t:s0The
objfield records the SELinux context with which the recorded file or directory was labeled at the time of execution.
The Audit event analyzed above contains only a subset of all possible fields that an event can contain. For a list of all event fields and their explanation, see SectionB.1, “Audit Event Fields”. For a list of all event types and their explanation, see SectionB.2, “Audit Record Types”.
Example7.5.Additional audit.log events
The following Audit event records a successful start of the auditd daemon. The ver field shows the version of the Audit daemon that was started.
type=DAEMON_START msg=audit(1363713609.192:5426): auditd start, ver=2.2 format=raw kernel=2.6.32-358.2.1.el6.x86_64 auid=500 pid=4979 subj=unconfined_u:system_r:auditd_t:s0 res=success
The following Audit event records a failed attempt of user with UID of 500 to log in as the root user.
type=USER_AUTH msg=audit(1364475353.159:24270): user pid=3280 uid=500 auid=500 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="root" exe="/bin/su" hostname=? addr=? terminal=pts/0 res=failed'
