How to use audit to monitor a specific SYSCALL?

Solution Verified

Environment

  • Red Hat Enterprise Linux 5
  • Red Hat Enterprise Linux 6
  • Red Hat Enterprise Linux 7

Issue

  • You need to know when a certain syscall was executed on the system.
  • For example, you need to have all the evidence about a kill that was performed on the system.

Resolution

  • Create an audit rule with the following information:

  • Red Hat Enterprise Linux 5

    # vim /etc/audit/audit.rules
    -a entry,always -F arch=b64 -S kill -k teste_kill
    
  • Red Hat Enterprise Linux 6 & 7

    # vim /etc/audit/rules.d/audit.rules
    -a always,exit -F arch=b64 -S kill -k teste_kill
    
    # augenrules --load
    

    Note: "arch" is the CPU architecture of the syscall. If the system is a 32-bit OS, set "arch=b32" instead. See the auditctl(8) man page for details.

  • Restart audit service:

    # service auditd restart
    
  • Test the rule by running kill against a process. In this example we start a sleep process in one terminal and kill it from another (note the different pts in the ps output):

    # sleep 100
    
    # ps aux | grep sleep
    
    root      1968  0.0  0.0  58876   504 pts/3    S+   16:01   0:00 sleep 100
    root      1975  0.0  0.0  61136   736 pts/4    S+   16:01   0:00 grep sleep
    
    # kill 1968
    
    # tail -f /var/log/audit/audit.log
    type=SYSCALL msg=audit(1279134100.434:193): arch=c000003e syscall=62 success=yes exit=0 a0=7b0 a1=f a2=0 a3=0 items=0 ppid=1602 pid=1605 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=4294967295 comm="bash" exe="/bin/bash" key="teste_kill"
    type=OBJ_PID msg=audit(1279134100.434:193): opid=1968 oauid=-1 ouid=0 oses=-1 obj=<NULL> ocomm="sleep"
    
  • Use ausearch to find the log records related to the kill, based on the key specified in the first step:

    # ausearch -k teste_kill
    ----
    time->Wed Jul 14 16:00:17 2010
    type=CONFIG_CHANGE msg=audit(1279134017.731:186): auid=4294967295 op=add rule key="teste_kill" list=2 res=1
    ----
    time->Wed Jul 14 16:01:40 2010
    type=OBJ_PID msg=audit(1279134100.434:193): opid=1968 oauid=-1 ouid=0 oses=-1 obj=<NULL> ocomm="sleep"
    type=SYSCALL msg=audit(1279134100.434:193): arch=c000003e syscall=62 success=yes exit=0 a0=7b0 a1=f a2=0 a3=0 items=0 ppid=1602 pid=1605 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=4294967295 comm="bash" exe="/bin/bash" key="teste_kill"
    
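As an added example (not part of the Red Hat solution), the following POSIX shell script decodes the SYSCALL and OBJ_PID records that the rule above produces, so a reviewer can see which process signalled which target without reading the raw hex arguments. The two sample records are the audit.log lines quoted above, embedded so the script runs offline; the syscall-number table and signal-name mapping are the script's own assumptions (x86_64 kill is syscall 62, i386 kill is syscall 37).

```shell
#!/bin/sh
# Added example: decode kill(2) audit events tagged with a given key.
# Sample records below are the two audit.log lines quoted in the solution,
# embedded here so the script runs offline. In practice feed it the output of
# `ausearch -k teste_kill --raw` instead.

AUDIT_SAMPLE='type=SYSCALL msg=audit(1279134100.434:193): arch=c000003e syscall=62 success=yes exit=0 a0=7b0 a1=f a2=0 a3=0 items=0 ppid=1602 pid=1605 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=4294967295 comm="bash" exe="/bin/bash" key="teste_kill"
type=OBJ_PID msg=audit(1279134100.434:193): opid=1968 oauid=-1 ouid=0 oses=-1 obj=<NULL> ocomm="sleep"'

# audit_field NAME RECORD: value of NAME=value in one audit record, quotes stripped.
audit_field() {
    printf '%s\n' "$2" | tr ' ' '\n' | sed -n "s/^$1=//p" | tr -d '"' | head -n 1
}

# audit_serial RECORD: the event serial from msg=audit(TIME:SERIAL); records of
# one event share it, which is how SYSCALL and OBJ_PID are joined.
audit_serial() {
    printf '%s\n' "$1" | sed 's/.*msg=audit([^:]*:\([0-9]*\)).*/\1/'
}

# signal_name NUM: symbolic name for the common signals, else the number.
signal_name() {
    case $1 in
        1) echo SIGHUP ;; 2) echo SIGINT ;; 9) echo SIGKILL ;; 15) echo SIGTERM ;;
        *) echo "signal $1" ;;
    esac
}

# is_kill_syscall ARCH NUM: the kill(2) number depends on the audited ABI,
# which is why the rule must carry the matching -F arch= (b64 or b32).
is_kill_syscall() {
    case "$1/$2" in
        c000003e/62) return 0 ;;   # x86_64 (b64): __NR_kill = 62
        40000003/37) return 0 ;;   # i386   (b32): __NR_kill = 37
        *) return 1 ;;
    esac
}

# decode_kill_events KEY [RECORDS]: one summary line per kill event tagged
# with KEY. a0 and a1 are the pid and signal arguments, logged in hex.
decode_kill_events() {
    key=$1
    records=${2:-$AUDIT_SAMPLE}
    printf '%s\n' "$records" | grep "^type=SYSCALL .* key=\"$key\"" | while IFS= read -r rec; do
        arch=$(audit_field arch "$rec")
        nr=$(audit_field syscall "$rec")
        is_kill_syscall "$arch" "$nr" || continue
        serial=$(audit_serial "$rec")
        target=$((0x$(audit_field a0 "$rec")))   # a0=7b0 -> 1968, matches opid
        sig=$((0x$(audit_field a1 "$rec")))      # a1=f   -> 15, SIGTERM
        objrec=$(printf '%s\n' "$records" | grep "^type=OBJ_PID msg=audit([^:]*:$serial)")
        ocomm=$(audit_field ocomm "$objrec")
        printf 'event %s: pid %s (%s, auid=%s) sent %s to pid %s (%s)\n' \
            "$serial" "$(audit_field pid "$rec")" "$(audit_field exe "$rec")" \
            "$(audit_field auid "$rec")" "$(signal_name "$sig")" "$target" "${ocomm:-unknown}"
    done
}

decode_kill_events teste_kill
```

Two things worth noticing in the decoded line: auid=4294967295 means the login UID was unset (the session was not started through PAM with pam_loginuid), so the record cannot attribute the kill to an interactive user, and the OBJ_PID record is the only place the target's command name appears. `ausearch -i -k teste_kill` performs a similar interpretation of the arch and syscall fields into names, but joining a0 to the OBJ_PID target as done here is still useful when reviewing many events at once.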

References:
- http://people.redhat.com/sgrubb/audit/audit-parse.txt

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
