In the world of Red Hat Enterprise Linux (RHEL), securing your systems against unauthorised access and ensuring compliance with security policies are key priorities. One of the most powerful tools at your disposal for this task is auditd, the Linux Auditing System’s user-space component.
This technical blog dives into what auditd is, its uses, benefits, the structure of its rules and how you can deploy it to detect unauthorised access and other security-relevant events.
What is auditd?
auditd is a key part of the Linux Auditing System, designed to monitor and record system activities based on rules defined by the system administrator. It captures detailed information about security-relevant events, logging them for later analysis. This can range from system startup and shutdown to file access, network events and even security breach attempts.
How to use auditd
Organizations can use auditd in several ways. Here are some of them:
- Security Monitoring and Compliance
Auditd is instrumental in security monitoring and compliance. It helps in tracking any changes or attempts to change sensitive parts of the system, ensuring that any unauthorised access attempts are logged and can be investigated.
- Intrusion Detection
By monitoring system calls and file accesses, auditd can act as a basic form of intrusion detection, alerting administrators to potentially malicious activities.
- Forensic Analysis
In the event of a security breach, the detailed logs provided by auditd can be crucial in forensic analysis, helping you understand how the breach occurred and how to prevent future occurrences.
Benefits of Using auditd
auditd offers many benefits to system administrators. Below are only a few of them:
- Comprehensive Logging: auditd provides detailed information about every tracked event, including the time, type of event and the user involved
- Customisation Rules: Administrators can define specific rules that tailor the logging to their security needs
- Security and Compliance: auditd helps in maintaining compliance with security policies and regulatory requirements by providing a detailed auditd trail
- Forensics: The detailed logs serve as a valuable resource for forensic analysis after a security incident
Structure of auditd Rules
auditd rules can be broadly categorized into control rules, file system rules and system call rules. These categories define what activities to log and how to log them. Here’s a brief overview:
- Control Rules: These rules manage how the audit system operates, setting parameters like the maximum number of active rules or how long logs are kept
- File System Rules: These specify monitoring of access to certain files or directories
- System Call Rules: Used to track the use of system calls by users or processes
Rules can be added to /etc/audit/rules.d/audit.rules or directly via the auditctl command.
Examples of auditd Rules
If you’re still uncertain of how you can execute auditd, check out these examples below.
- Monitoring File Access
To monitor all access to /etc/passwd, you could use:
-w /etc/passwd -p warx -k passwd_changes
This rule watches (-w) the /etc/passwd file for write (w), attribute change (a), read (r), and execute (x) operations, tagging entries with passwd_changes for easy filtering.
- Tracking Login and Logout Events
To track user login/logout events:
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
Deploying auditd to Detect Unauthorised Access
To effectively use auditd for detecting unauthorised access, consider the following strategies:
- Monitor sensitive files by creating rules to track access to confidential files and directories
- Track privileged commands using system call rules to log the execution of privileged commands
- Auditd logins and logouts by keeping track of user logins, logouts and session management to detect unauthorised access attempts
- Regularly review auditd logs, looking for anomalies or unauthorised access attempts
auditd: Beyond Basic Configuration
While auditd is instrumental in monitoring system activities under normal circumstances, its significance is magnified on a CIS-hardened RHEL system. Here, auditd can be configured to specifically monitor for changes or attempts to change security settings and compliance with CIS benchmarks.
Key Areas for auditd Monitoring on a CIS-Hardened System
- User and Group Management
CIS benchmarks recommend strict policies on user creation, management and privileges. auditd can monitor relevant system calls to these activities, such as useradd, groupadd and any changes to /etc/passwd, /etc/shadow or /etc/group.
Example Rule:
-w /etc/passwd -p wa -k user_changes
-w /etc/shadow -p wa -k password_changes
-w /etc/group -p wa -k group_changes
- File and Directory Permissions
CIS guidelines specify secure default permissions for files and directories. auditd can help ensure these permissions aren’t improperly modified.
Example Rule:
-w /etc/ssh/sshd_config -p wa -k ssh_config_changes
- System and Network Configuration
Monitoring changes to system and network configurations is vital. This includes tracking modifications to firewall settings or network service configurations.
Example Rule:
-a always,exit -F arch=b64 -S setsockopt,setsockcreate -k network_changes
- Authentication and Authorisation Mechanisms
With CIS benchmarks, mechanisms like SELinux, sudo configurations and PAM are tightly controlled. You can craft auditd rules to monitor any alterations to these configurations.
Example Rule:
-w /etc/sudoers -p wa -k sudoers_change
-w /etc/selinux/ -p wa -k selinux_change
-w /etc/pam.d/ -p wa -k pam_change
- Logging and Auditing Configurations
It’s crucial to ensure that auditing itself is not tampered with to maintain system security. Monitoring changes to auditd configurations and log files is a must.
Example Rule:
-w /etc/audit/ -p wa -k audit_config_change
-w /var/log/ -p wa -k log_access
Implementing Auditd in a CIS-Hardened Environment
To effectively implement auditd monitoring on a CIS-hardened RHEL system, administrators should:
- Understand the specific recommendations for RHEL and identify key areas for monitoring
- Tailor auditd rules to closely monitor compliance with CIS recommendations, focusing on critical areas like user management, file permissions and system configurations
- Regularly review auditd logs for anomalies or non-compliance with CIS benchmarks. Automated tools and scripts can assist in highlighting discrepancies. Use external logging systems to aggregate the logs from multiple systems and analyze the logs to find patterns
- As CIS benchmarks evolve, update your auditd rules to cover new or updated recommendations
We hope this guide helped you understand how auditd works and how it can help you strengthen system security. If you need guidance on executing auditd, Insentra is here to assist you. Contact us today to start a conversation on how we can improve your security posture.