In the world of Red Hat Enterprise Linux (RHEL), securing your systems against unauthorised access and ensuring compliance with security policies are key priorities. One of the most powerful tools at your disposal for this task is auditd, the Linux Auditing System’s user-space component. <\/p>\n\n\n\n
This technical blog dives into what auditd is, its uses, benefits, the structure of its rules and how you can deploy it to detect unauthorised access and other security-relevant events.<\/p>\n\n\n\n
auditd is a key part of the Linux Auditing System, designed to monitor and record system activities based on rules defined by the system administrator. It captures detailed information about security-relevant events, logging them for later analysis. This can range from system startup and shutdown to file access, network events and even security breach attempts.<\/p>\n\n\n\n
Organisations can use auditd in several ways. Here are some of them: <\/p>\n\n\n\n
Auditd is instrumental in security monitoring and compliance. It helps in tracking any changes or attempts to change sensitive parts of the system, ensuring that any unauthorised access attempts are logged and can be investigated. <\/p>\n\n\n\n
By monitoring system calls and file accesses, auditd can act as a basic form of intrusion detection, alerting administrators to potentially malicious activities. <\/p>\n\n\n\n
In the event of a security breach, the detailed logs provided by auditd can be crucial in forensic analysis, helping you understand how the breach occurred and how to prevent future occurrences.<\/p>\n\n\n\n
auditd offers many benefits to system administrators. Below are only a few of them: <\/p>\n\n\n\n
auditd rules can be broadly categorised into control rules, file system rules and system call rules. These categories define what activities to log and how to log them. Here\u2019s a brief overview: <\/p>\n\n\n\n
Rules can be added to \/etc\/audit\/rules.d\/audit.rules or directly via the auditctl<\/strong> command.<\/p>\n\n\n\n If you\u2019re still uncertain of how you can execute auditd, check out these examples below. <\/p>\n\n\n\n To monitor all access to \/etc\/passwd, you could use:<\/p>\n\n\n\n This rule watches (-w) the \/etc\/passwd file for write (w), attribute change (a), read (r), and execute (x) operations, tagging entries with passwd_changes for easy filtering.<\/p>\n\n\n\n To track user login\/logout events:<\/p>\n\n\n\n To effectively use auditd for detecting unauthorised access, consider the following strategies: <\/p>\n\n\n\n While auditd is instrumental in monitoring system activities under normal circumstances, its significance is magnified on a CIS-hardened RHEL system. Here, auditd can be configured to specifically monitor for changes or attempts to change security settings and compliance with CIS benchmarks. <\/p>\n\n\n\n CIS benchmarks recommend strict policies on user creation, management and privileges. auditd can monitor relevant system calls to these activities, such as useradd, groupadd and any changes to \/etc\/passwd, \/etc\/shadow or \/etc\/group. <\/p>\n\n\n\n Example Rule:<\/p>\n\n\n\n CIS guidelines specify secure default permissions for files and directories. auditd can help ensure these permissions aren\u2019t improperly modified. <\/p>\n\n\n\n Example Rule: <\/p>\n\n\n\n Monitoring changes to system and network configurations is vital. This includes tracking modifications to firewall settings or network service configurations. <\/p>\n\n\n\n Example Rule: <\/p>\n\n\n\n With CIS benchmarks, mechanisms like SELinux, sudo configurations and PAM are tightly controlled. You can craft auditd rules to monitor any alterations to these configurations. <\/p>\n\n\n\n Example Rule:<\/p>\n\n\n\n It\u2019s crucial to ensure that auditing itself is not tampered with to maintain system security. Monitoring changes to auditd configurations and log files is a must. <\/p>\n\n\n\n Example Rule: <\/p>\n\n\n\n Implementing Auditd in a CIS-Hardened Environment<\/strong> <\/p>\n\n\n\n To effectively implement auditd monitoring on a CIS-hardened RHEL system, administrators should: <\/p>\n\n\n\nExamples of auditd Rules<\/h2>\n\n\n\n
\n
-w \/etc\/passwd -p warx -k passwd_changes <\/code><\/pre>\n\n\n\n\n
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale <\/code><\/pre>\n\n\n\nDeploying auditd to Detect Unauthorised Access<\/h2>\n\n\n\n
\n
auditd: Beyond Basic Configuration<\/h2>\n\n\n\n
Key Areas for auditd Monitoring on a CIS-Hardened System<\/h2>\n\n\n\n
\n
-w \/etc\/passwd -p wa -k user_changes \n
\n-w \/etc\/shadow -p wa -k password_changes \n
\n-w \/etc\/group -p wa -k group_changes \n<\/code><\/pre>\n\n\n\n\n
-w \/etc\/ssh\/sshd_config -p wa -k ssh_config_changes <\/code><\/pre>\n\n\n\n\n
-a always,exit -F arch=b64 -S setsockopt,setsockcreate -k network_changes <\/code><\/pre>\n\n\n\n\n
-w \/etc\/sudoers -p wa -k sudoers_change \n
\n-w \/etc\/selinux\/ -p wa -k selinux_change \n
\n-w \/etc\/pam.d\/ -p wa -k pam_change <\/code><\/pre>\n\n\n\n\n
-w \/etc\/audit\/ -p wa -k audit_config_change \n
\n-w \/var\/log\/ -p wa -k log_access <\/code><\/pre>\n\n\n\n\n