The Linux Audit system generates events according to Audit rules.These rules can be set dynamically with the auditctl utility or stored persistently in the /etc/audit/rules.d folder.Persistent rule files are automatically compiled to /etc/audit/audit.rules when auditd is initialized.
There are three types of rules:
A control rule modifies the auditing behavior
A file system rule watches a file or directory
A system call rule logs an event for a particular system call
See Defining Audit Rules in the Red Hat Enterprise Linux Security Guide for further details on Linux Audit rules.
Some common control rules are:
-b backlogto set the maximum number of audit buffers.Specify a bigger value for busier systems with a high log volume.-Dto delete all rules and watches.This rule is typically the first one.-e [0..2]to control auditing.The accepted values are0to disable auditing temporarily,1to enable it, or2to lock the configuration until the next reboot (typically the last rule).
Example 1. Linux Audit control rules
The following is a set of basic rules commonly found in rulesets.
# Delete all rules (typically the first rule)-D# Increase buffers from the default 64 to 320-b 320# Lock Audit rules until the next reboot (the last rule)-e 2
To create a file system rule, use -w path -p permissions -k key_name as follows:
The
pathargument defines the file or directory you want to audit.The
permissionsargument sets the type of access to audit.It accepts a combination ofr(read access),w(write access),x(execute access), anda(attribute change).The
key_nameargument is an optional tag for identifying the rule.
Example 2. Linux Audit file system rule
This rule monitors /etc/passwd for modifications and tags access events with passwd.
-w /etc/passwd -p wa -k passwd
To create a system call rule, use -a action,filter -S system_call -F field=value -k key_name as follows:
The
actionargument can be eitheralways(to generate a log entry) ornever(to suppress a log entry).Generally, you addalwaysrules first because rules are matched from top to bottom.The
filterargument is one oftask(when a task is created),exit(when a system call exits),user(when a call originates from user space), orexclude(to filter events).The
system_callargument specifies the system call name.You can specify the-Sflag more than once to monitor multiple system calls.The
field=valuepair can be used for additional filtering options and can also be specified more than once.The
key_nameargument is an optional tag for identifying the rule.
Example 3. Linux Audit system call rule
This rule audits system time changes.
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k system_time
System call rules can audit activities related to files, such as:
Creation
Modification
Deletion
Changes in access permissions and ownership
Example 4. Linux Audit file deletion rule
This rule audits file deletions with the unlink or rename command.
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
You can also audit network connections with system call rules.
Example 5. Linux Audit networking rule
This rule audits successful incoming or outgoing external network connections.
-a always,exit -F arch=b64 -S accept,connect -F key=external-access
Combine the different rules to create a ruleset.
Example 6. Linux Audit rules file
Below is a simple Linux Audit ruleset based on the above examples.
/etc/audit/rules.d/audit.rules
# Delete all rules-D# Increase buffers from the default 64 to 320-b 320# Watch /etc/passwd for modifications and tag with 'passwd'-w /etc/passwd -p wa -k passwd# Audit system time changes-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k system_time# Lock Audit rules until the next reboot-e 2
See The Linux Audit Project and auditd-attack repositories on GitHub for more examples.
