6.5. Defining Audit Rules
- Control rules: allow the Audit system's behavior and some of its configuration to be modified.
- File system rules: also known as file watches, allow the auditing of access to a particular file or a directory.
- System call rules: allow logging of system calls that any specified program makes.
Audit rules can be set:
- on the command line using the auditctl utility. Note that these rules are not persistent across reboots. For details, see Section 6.5.1, “Defining Audit Rules with auditctl”.
- in the /etc/audit/audit.rules file. For details, see Section 6.5.3, “Defining Persistent Audit Rules and Controls in the /etc/audit/audit.rules File”.
6.5.1. Defining Audit Rules with auditctl
The auditctl command allows you to control the basic functionality of the Audit system and to define rules that decide which Audit events are logged.
Defining Control Rules
- -b: sets the maximum amount of existing Audit buffers in the kernel, for example:
  ~]# auditctl -b 8192
- -f: sets the action that is performed when a critical error is detected, for example:
  ~]# auditctl -f 2
  The above configuration triggers a kernel panic in case of a critical error.
- -e: enables and disables the Audit system or locks its configuration, for example:
  ~]# auditctl -e 2
  The above command locks the Audit configuration.
- -r: sets the rate of generated messages per second, for example:
  ~]# auditctl -r 0
  The above configuration sets no rate limit on generated messages.
- -s: reports the status of the Audit system, for example:
  ~]# auditctl -s
  AUDIT_STATUS: enabled=1 flag=2 pid=0 rate_limit=0 backlog_limit=8192 lost=259 backlog=0
- -l: lists all currently loaded Audit rules, for example:
  ~]# auditctl -l
  -w /etc/passwd -p wa -k passwd_changes
  -w /etc/selinux -p wa -k selinux_changes
  -w /sbin/insmod -p x -k module_insertion
  ⋮
- -D: deletes all currently loaded Audit rules, for example:
  ~]# auditctl -D
  No rules
Defining File System Rules
To define a file system rule, use the following syntax:
auditctl -w path_to_file -p permissions -k key_name
- path_to_file is the file or directory that is audited.
- permissions are the permissions that are logged:
  - r — read access to a file or a directory.
  - w — write access to a file or a directory.
  - x — execute access to a file or a directory.
  - a — change in the file's or directory's attribute.
- key_name is an optional string that helps you identify which rule or set of rules generated a particular log entry.
Example 6.1. File System Rules
To define a rule that logs all write access to, and every attribute change of, the /etc/passwd file, execute the following command:
~]# auditctl -w /etc/passwd -p wa -k passwd_changes
Note that the string following the -k option is arbitrary.
To define a rule that logs all write access to, and every attribute change of, the /etc/selinux/ directory, execute the following command:
~]# auditctl -w /etc/selinux/ -p wa -k selinux_changes
To define a rule that logs the execution of the /sbin/insmod command, which inserts a module into the Linux kernel, execute the following command:
~]# auditctl -w /sbin/insmod -p x -k module_insertion
Defining System Call Rules
To define a system call rule, use the following syntax:
auditctl -a action,filter -S system_call -F field=value -k key_name
- action and filter specify when a certain event is logged. action can be either always or never. filter specifies which kernel rule-matching filter is applied to the event. The rule-matching filter can be one of the following: task, exit, user, and exclude. For more information about these filters, see the beginning of Section 6.1, “Audit System Architecture”.
- system_call specifies the system call by its name. A list of all system calls can be found in the /usr/include/asm/unistd_64.h file. Several system calls can be grouped into one rule, each specified after its own -S option.
- field=value specifies additional options that further modify the rule to match events based on a specified architecture, group ID, process ID, and others. For a full listing of all available field types and their values, see the auditctl(8) man page.
- key_name is an optional string that helps you identify which rule or set of rules generated a particular log entry.
Example 6.2. System Call Rules
To define a rule that creates a log entry every time the adjtimex or settimeofday system calls are used by a program, and the system uses the 64-bit architecture, execute the following command:
~]# auditctl -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time_change
To define a rule that creates a log entry every time a file is deleted or renamed by a system user whose login UID is 1000 or larger, execute the following command:
~]# auditctl -a always,exit -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
Note that the -F auid!=4294967295 option is used to exclude users whose login UID is not set.
It is also possible to define a file system rule using the system call rule syntax. The following command creates a system call rule that is analogous to the -w /etc/shadow -p wa file system rule:
~]# auditctl -a always,exit -F path=/etc/shadow -F perm=wa
6.5.2. Defining Executable File Rules
To define an executable file rule, use the following syntax:
auditctl -a action,filter [ -F arch=cpu -S system_call] -F exe=path_to_executable_file -k key_name
- action and filter specify when a certain event is logged. action can be either always or never. filter specifies which kernel rule-matching filter is applied to the event. The rule-matching filter can be one of the following: task, exit, user, and exclude. For more information about these filters, see the beginning of Section 6.1, “Audit System Architecture”.
- system_call specifies the system call by its name. A list of all system calls can be found in the /usr/include/asm/unistd_64.h file. Several system calls can be grouped into one rule, each specified after its own -S option.
- path_to_executable_file is the absolute path to the executable file that is audited.
- key_name is an optional string that helps you identify which rule or set of rules generated a particular log entry.
Example 6.3. Executable File Rules
To define a rule that logs every execution of the /bin/id program, execute the following command:
~]# auditctl -a always,exit -F exe=/bin/id -F arch=b64 -S execve -k execution_bin_id
6.5.3. Defining Persistent Audit Rules and Controls in the /etc/audit/audit.rules File
To define Audit rules that are persistent across reboots, either include them directly in the /etc/audit/audit.rules file or use the augenrules program that reads rules located in the /etc/audit/rules.d/ directory. The /etc/audit/audit.rules file uses the same auditctl command line syntax to specify the rules. Empty lines and text following a hash sign (#) are ignored.
The auditctl command can also be used to read rules from a specified file using the -R option, for example:
~]# auditctl -R /usr/share/doc/audit/rules/30-stig.rules
Defining Control Rules
The following control rules can be used in the rules file: -b, -D, -e, -f, -r, --loginuid-immutable, and --backlog_wait_time. For more information on these options, see the section called “Defining Control Rules”.
Example 6.4. Control Rules in audit.rules
# Delete all previous rules
-D
# Set buffer size
-b 8192
# Make the configuration immutable -- reboot is required to change audit rules
-e 2
# Panic when a failure occurs
-f 2
# Generate at most 100 audit messages per second
-r 100
# Make login UID immutable once it is set (may break containers)
--loginuid-immutable 1
Defining File System and System Call Rules
File system and system call rules are defined using the auditctl syntax. The examples in Section 6.5.1, “Defining Audit Rules with auditctl” can be represented with the following rules file:
Example 6.5. File System and System Call Rules in audit.rules
-w /etc/passwd -p wa -k passwd_changes
-w /etc/selinux/ -p wa -k selinux_changes
-w /sbin/insmod -p x -k module_insertion
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time_change
-a always,exit -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
Preconfigured Rules Files
In the /usr/share/doc/audit/rules/ directory, the audit package provides a set of pre-configured rules files according to various certification standards:
- 30-nispom.rules — Audit rule configuration that meets the requirements specified in the Information System Security chapter of the National Industrial Security Program Operating Manual.
- 30-pci-dss-v31.rules — Audit rule configuration that meets the requirements set by Payment Card Industry Data Security Standard (PCI DSS) v3.1.
- 30-stig.rules — Audit rule configuration that meets the requirements set by Security Technical Implementation Guides (STIG).
To use these configuration files, create a backup of your original /etc/audit/audit.rules file and copy the configuration file of your choice over the /etc/audit/audit.rules file:
~]# cp /etc/audit/audit.rules /etc/audit/audit.rules_backup
~]# cp /usr/share/doc/audit/rules/30-stig.rules /etc/audit/audit.rules
Note
For more information about the preconfigured rules files, see the /usr/share/doc/audit/rules/README-rules file.
Using augenrules to Define Persistent Rules
The augenrules script reads rules located in the /etc/audit/rules.d/ directory and compiles them into an audit.rules file. This script processes all files that end in .rules in a specific order based on their natural sort order. The files in this directory are organized into groups with the following meanings:
- 10 - Kernel and auditctl configuration
- 20 - Rules that could match general rules but you want a different match
- 30 - Main rules
- 40 - Optional rules
- 50 - Server-specific rules
- 70 - System local rules
- 90 - Finalize (immutable)
Place the rules files of your choice in the /etc/audit/rules.d/ directory. For example, to set a system up in the STIG configuration, copy rules 10-base-config, 30-stig, 31-privileged, and 99-finalize.
Once you have the rules in the /etc/audit/rules.d/ directory, load them by running the augenrules script with the --load directive:
~]# augenrules --load
augenrules --load No rules
enabled 1
failure 1
pid 634
rate_limit 0
backlog_limit 8192
lost 0
backlog 0
enabled 1
failure 1
pid 634
rate_limit 0
backlog_limit 8192
lost 0
backlog 1
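As an added example (not code from the Security Guide or from the audit package), the following bash script imitates what augenrules does with the rules.d layout above and with the rules-file format of Section 6.5.3: it merges the .rules files in sort order, drops blank lines and text after a hash sign, and then checks that the -e 2 control rule from the finalize group is the last rule, because once the configuration is locked no later rule takes effect until the next reboot. The file names and rule contents are constructed for the demo.

```shell
#!/bin/bash
# Added example, not part of the Security Guide: a minimal stand-in for augenrules
# that merges DIR/*.rules in sort order, strips comments and blank lines, and
# verifies that "-e 2" (lock the Audit configuration) is the final rule loaded.
set -u

# compile_rules DIR: print the merged rule lines from DIR/*.rules in sort order.
# Two-digit prefixes (10-, 30-, 99-) order the same way in C locale and natural sort.
compile_rules() {
    printf '%s\n' "$1"/*.rules | LC_ALL=C sort | while IFS= read -r f; do
        [ -f "$f" ] || continue        # an unmatched glob stays literal; skip it
        sed -e 's/#.*$//' -e 's/[[:space:]]*$//' "$f" | grep -v '^$' || true
    done
}

# check_lock_last DIR: succeed if "-e 2" is absent or is the final compiled rule;
# fail if any rule line would follow it (those rules would never be loaded).
check_lock_last() {
    local rules n last
    rules=$(compile_rules "$1")
    n=$(printf '%s\n' "$rules" | grep -cx -- '-e 2' || true)
    [ "$n" -eq 0 ] && return 0
    last=$(printf '%s\n' "$rules" | tail -n 1)
    [ "$n" -eq 1 ] && [ "$last" = "-e 2" ]
}

# make_sample_dir: build a constructed rules.d layout in a temp dir, print its path.
make_sample_dir() {
    local d
    d=$(mktemp -d)
    printf '%s\n' '# Delete all previous rules' '-D' '-b 8192' > "$d/10-base-config.rules"
    printf '%s\n' '-w /etc/passwd -p wa -k passwd_changes' '' \
        '-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time_change' > "$d/30-main.rules"
    printf '%s\n' '# lock the configuration; must stay last' '-e 2' > "$d/99-finalize.rules"
    printf '%s\n' 'not a rules file' > "$d/README"   # no .rules suffix, so it is ignored
    printf '%s' "$d"
}

# Stand-alone demo on the constructed layout
demo_dir=$(make_sample_dir)
compile_rules "$demo_dir"
check_lock_last "$demo_dir" && echo "ok: -e 2 is the last rule in $demo_dir"
```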
For more information on the Audit rules, see the audit.rules(8) and augenrules(8) man pages.