7.6. Understanding Audit Log Files
By default, the Audit system stores log entries in the
/var/log/audit/audit.logfile; if log rotation is enabled, rotated
audit.logfiles are stored in the same directory.
The following Audit rule logs every attempt to read or modify the
-w /etc/ssh/sshd_config -p warx -k sshd_config
auditddaemon is running, running the following command creates a new event in the Audit log file:
This event in the
audit.logfile looks as follows:
type=SYSCALL msg=audit(1364481363.243:24287): arch=c000003e syscall=2 success=no exit=-13 a0=7fffd19c5592 a1=0 a2=7fffd19c4b50 a3=a items=1 ppid=2686 pid=3538 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=1 comm="cat" exe="/bin/cat" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="sshd_config" type=CWD msg=audit(1364481363.243:24287): cwd="/home/shadowman" type=PATH msg=audit(1364481363.243:24287): item=0 name="/etc/ssh/sshd_config" inode=409248 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0
The above event consists of three records (each starting with the
type=keyword), which share the same time stamp and serial number. Each record consists of several
name=valuepairs separated by a white space or a comma. A detailed analysis of the above event follows:
typefield contains the type of the record. In this example, the
SYSCALLvalue specifies that this record was triggered by a system call to the kernel.For a list of all possible type values and their explanations, see Section B.2, “Audit Record Types”.
- a time stamp and a unique ID of the record in the form
audit(time_stamp:ID). Multiple records can share the same time stamp and ID if they were generated as part of the same Audit event.
- various event-specific
name=valuepairs provided by the kernel or user space applications.
archfield contains information about the CPU architecture of the system. The value,
c000003e, is encoded in hexadecimal notation. When searching Audit records with the
ausearchcommand, use the
--interpretoption to automatically convert hexadecimal values into their human-readable equivalents. The
c000003evalue is interpreted as
syscallfield records the type of the system call that was sent to the kernel. The value,
2, can be matched with its human-readable equivalent in the
/usr/include/asm/unistd_64.hfile. In this case,
opensystem call. Note that the ausyscall utility allows you to convert system call numbers to their human-readable equivalents. Use the
ausyscall --dumpcommand to display a listing of all system calls along with their numbers. For more information, see the ausyscall(8) man page.
successfield records whether the system call recorded in that particular event succeeded or failed. In this case, the call did not succeed.
exitfield contains a value that specifies the exit code returned by the system call. This value varies for different system call. You can interpret the value to its human-readable equivalent with the following command:
ausearch --interpret --exit -13(assuming your Audit log contains an event that failed with exit code
a3fields record the first four arguments, encoded in hexadecimal notation, of the system call in this event. These arguments depend on the system call that is used; they can be interpreted by the ausearch utility.
itemsfield contains the number of path records in the event.
ppidfield records the Parent Process ID (PPID). In this case,
2686was the PPID of the
pidfield records the Process ID (PID). In this case,
3538was the PID of the
auidfield records the Audit user ID, that is the loginuid. This ID is assigned to a user upon login and is inherited by every process even when the user's identity changes (for example, by switching user accounts with the
su - johncommand).
uidfield records the user ID of the user who started the analyzed process. The user ID can be interpreted into user names with the following command:
ausearch -i --uid UID. In this case,
500is the user ID of user
gidfield records the group ID of the user who started the analyzed process.
euidfield records the effective user ID of the user who started the analyzed process.
suidfield records the set user ID of the user who started the analyzed process.
fsuidfield records the file system user ID of the user who started the analyzed process.
egidfield records the effective group ID of the user who started the analyzed process.
sgidfield records the set group ID of the user who started the analyzed process.
fsgidfield records the file system group ID of the user who started the analyzed process.
ttyfield records the terminal from which the analyzed process was invoked.
sesfield records the session ID of the session from which the analyzed process was invoked.
commfield records the command-line name of the command that was used to invoke the analyzed process. In this case, the
catcommand was used to trigger this Audit event.
exefield records the path to the executable that was used to invoke the analyzed process.
subjfield records the SELinux context with which the analyzed process was labeled at the time of execution.
keyfield records the administrator-defined string associated with the rule that generated this event in the Audit log.
- In the second record, the
typefield value is
CWD— current working directory. This type is used to record the working directory from which the process that invoked the system call specified in the first record was executed.The purpose of this record is to record the current process's location in case a relative path is captured in the associated PATH record. This way the absolute path can be reconstructed.
msgfield holds the same time stamp and ID value as the value in the first record.
cwdfield contains the path to the directory in which the system call was invoked.
- In the third record, the
typefield value is
PATH. An Audit event contains a
PATH-type record for every path that is passed to the system call as an argument. In this Audit event, only one path (
/etc/ssh/sshd_config) was used as an argument.
msgfield holds the same time stamp and ID value as the value in the first and second record.
itemfield indicates which item, of the total number of items referenced in the
SYSCALLtype record, the current record is. This number is zero-based; a value of
0means it is the first item.
namefield records the path of the file or directory that was passed to the system call as an argument. In this case, it was the
inodefield contains the inode number associated with the file or directory recorded in this event. The following command displays the file or directory that is associated with the
find / -inum 409248 -print/etc/ssh/sshd_config
devfield specifies the minor and major ID of the device that contains the file or directory recorded in this event. In this case, the value represents the
modefield records the file or directory permissions, encoded in numerical notation. In this case,
0100600can be interpreted as
-rw-------, meaning that only the root user has read and write permissions to the
ouidfield records the object owner's user ID.
ogidfield records the object owner's group ID.
rdevfield contains a recorded device identifier for special files only. In this case, it is not used as the recorded file is a regular file.
objfield records the SELinux context with which the recorded file or directory was labeled at the time of execution.
The Audit event analyzed above contains only a subset of all possible fields that an event can contain. For a list of all event fields and their explanation, see Section B.1, “Audit Event Fields”. For a list of all event types and their explanation, see Section B.2, “Audit Record Types”.
Example 7.5. Additional
The following Audit event records a successful start of the
verfield shows the version of the Audit daemon that was started.
type=DAEMON_START msg=audit(1363713609.192:5426): auditd start, ver=2.2 format=raw kernel=2.6.32-358.2.1.el6.x86_64 auid=500 pid=4979 subj=unconfined_u:system_r:auditd_t:s0 res=success
The following Audit event records a failed attempt of user with UID of 500 to log in as the root user.
type=USER_AUTH msg=audit(1364475353.159:24270): user pid=3280 uid=500 auid=500 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="root" exe="/bin/su" hostname=? addr=? terminal=pts/0 res=failed'