The Linux Audit system generates events according to Audit rules. These rules can be set dynamically with the auditctl utility or stored persistently in the /etc/audit/rules.d folder. Persistent rule files are automatically compiled to /etc/audit/audit.rules when auditd is initialized.
There are three types of rules:
A control rule modifies the auditing behavior
A file system rule watches a file or directory
A system call rule logs an event for a particular system call
See Defining Audit Rules in the Red Hat Enterprise Linux Security Guide for further details on Linux Audit rules.
Some common control rules are:
-b backlog to set the maximum number of audit buffers. Specify a bigger value for busier systems with a high log volume.
-D to delete all rules and watches. This rule is typically the first one.
-e [0..2] to control auditing. The accepted values are 0 to disable auditing temporarily, 1 to enable it, or 2 to lock the configuration until the next reboot (typically the last rule).
Example 1. Linux Audit control rules
The following is a set of basic rules commonly found in rulesets.
# Delete all rules (typically the first rule)
-D
# Increase buffers from the default 64 to 320
-b 320
# Lock Audit rules until the next reboot (the last rule)
-e 2
To create a file system rule, use -w path -p permissions -k key_name as follows:
The path argument defines the file or directory you want to audit. The permissions argument sets the type of access to audit. It accepts a combination of r (read access), w (write access), x (execute access), and a (attribute change). The key_name argument is an optional tag for identifying the rule.
Example 2. Linux Audit file system rule
This rule monitors /etc/passwd for modifications and tags access events with passwd.
-w /etc/passwd -p wa -k passwd
To create a system call rule, use -a action,filter -S system_call -F field=value -k key_name as follows:
The action argument can be either always (to generate a log entry) or never (to suppress a log entry). Generally, you add always rules first because rules are matched from top to bottom. The filter argument is one of task (when a task is created), exit (when a system call exits), user (when a call originates from user space), or exclude (to filter events). The system_call argument specifies the system call name. You can specify the -S flag more than once to monitor multiple system calls. The field=value pair can be used for additional filtering options and can also be specified more than once. The key_name argument is an optional tag for identifying the rule.
Example 3. Linux Audit system call rule
This rule audits system time changes.
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k system_time
System call rules can audit activities related to files, such as:
Creation
Modification
Deletion
Changes in access permissions and ownership
Example 4. Linux Audit file deletion rule
This rule audits successful file deletions made through the unlink or rename system calls.
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
You can also audit network connections with system call rules.
Example 5. Linux Audit networking rule
This rule audits successful incoming or outgoing external network connections.
-a always,exit -F arch=b64 -S accept,connect -F key=external-access
Combine the different rules to create a ruleset.
Example 6. Linux Audit rules file
Below is a simple Linux Audit ruleset based on the above examples.
/etc/audit/rules.d/audit.rules
# Delete all rules
-D
# Increase buffers from the default 64 to 320
-b 320
# Watch /etc/passwd for modifications and tag with 'passwd'
-w /etc/passwd -p wa -k passwd
# Audit system time changes
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k system_time
# Lock Audit rules until the next reboot
-e 2
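As an added example (not part of this page or the Linux Audit project), the following Python script parses a rules file of the shape shown above into control, file system and system call rules, and checks the ordering conventions described earlier: -D first, -e 2 last, and a key on every watch and syscall rule so events can be searched. The sample ruleset is constructed from the page's examples; the option handling covers only the flags the page uses.

```python
import shlex
# Constructed sample ruleset mirroring the examples on this page (not a real host's file).
SAMPLE_RULES = """-D
-b 320
-w /etc/passwd -p wa -k passwd
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k system_time
-e 2
"""

def parse_rule(line):
    """Classify one audit rule as control, watch or syscall and pull out its fields."""
    argv, i = shlex.split(line), 0
    rule = {"raw": line, "type": None, "syscalls": [], "fields": [], "key": None}
    while i < len(argv):
        opt, val = argv[i], argv[i + 1] if i + 1 < len(argv) else None
        if opt == "-D":                          # control rule, takes no argument
            rule.update(type="control", option="-D")
        elif val is None:
            raise ValueError(f"{opt} needs an argument: {line}")
        elif opt in ("-b", "-e"):                # control: backlog size, enable flag
            rule.update(type="control", option=opt, value=val)
        elif opt == "-w":                        # file system watch on a path
            rule.update(type="watch", path=val)
        elif opt == "-p":                        # any combination of r, w, x, a
            rule["permissions"] = set(val)
        elif opt == "-a":                        # syscall rule: action,filter
            rule.update(type="syscall", action=val.split(",")[0], filter=val.split(",")[-1])
        elif opt == "-S":                        # repeatable, or comma separated
            rule["syscalls"] += val.split(",")
        elif opt == "-k" or (opt == "-F" and val.startswith("key=")):
            rule["key"] = val.removeprefix("key=")   # -F key=x is the same as -k x
        elif opt == "-F":                        # extra filter such as arch=b64
            rule["fields"].append(val)
        else:
            raise ValueError(f"unsupported option {opt!r}: {line}")
        i += 1 if opt == "-D" else 2
    return rule

def check_ruleset(text):
    """Parse a rules file and return reviewer findings; an empty list means it looks sound."""
    rules = [parse_rule(l) for l in map(str.strip, text.splitlines()) if l and not l.startswith("#")]
    findings = []
    if not rules or rules[0].get("option") != "-D":
        findings.append("first rule should be -D to flush stale rules")
    if not rules or (rules[-1].get("option"), rules[-1].get("value")) != ("-e", "2"):
        findings.append("last rule should be -e 2 to lock the configuration")
    for r in rules:
        if r["type"] != "control" and not r["key"]:
            findings.append(f"no key to search on: {r['raw']}")
    return findings
```

Run check_ruleset on the text of a rules.d file before loading it; a non-empty result points at the rule that needs attention.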
See The Linux Audit Project and auditd-attack repositories on GitHub for more examples.