Mastering auditd in RHEL: Ensuring Security Through Auditing 

In the world of Red Hat Enterprise Linux (RHEL), securing your systems against unauthorised access and ensuring compliance with security policies are key priorities. One of the most powerful tools at your disposal for this task is auditd, the Linux Auditing System’s user-space component. 

This technical blog dives into what auditd is, its uses, benefits, the structure of its rules and how you can deploy it to detect unauthorised access and other security-relevant events.

What is auditd?

auditd is a key part of the Linux Auditing System, designed to monitor and record system activities based on rules defined by the system administrator. It captures detailed information about security-relevant events, logging them for later analysis. This can range from system startup and shutdown to file access, network events and even security breach attempts.

How to use auditd

Organizations can use auditd in several ways. Here are some of them: 

1. Security Monitoring and Compliance 

Auditd is instrumental in security monitoring and compliance. It helps in tracking any changes or attempts to change sensitive parts of the system, ensuring that any unauthorised access attempts are logged and can be investigated. 

2. Intrusion Detection 

By monitoring system calls and file accesses, auditd can act as a basic form of intrusion detection, alerting administrators to potentially malicious activities. 

3. Forensic Analysis 

In the event of a security breach, the detailed logs provided by auditd can be crucial in forensic analysis, helping you understand how the breach occurred and how to prevent future occurrences.

Benefits of Using auditd

auditd offers many benefits to system administrators. Below are only a few of them: 

1. Comprehensive Logging: auditd provides detailed information about every tracked event, including the time, type of event and the user involved
2. Customisation Rules: Administrators can define specific rules that tailor the logging to their security needs
3. Security and Compliance: auditd helps in maintaining compliance with security policies and regulatory requirements by providing a detailed auditd trail 
4. Forensics: The detailed logs serve as a valuable resource for forensic analysis after a security incident

Structure of auditd Rules

auditd rules can be broadly categorized into control rules, file system rules and system call rules. These categories define what activities to log and how to log them. Here’s a brief overview: 

• Control Rules: These rules manage how the audit system operates, setting parameters like the maximum number of active rules or how long logs are kept 
• File System Rules: These specify monitoring of access to certain files or directories 
• System Call Rules: Used to track the use of system calls by users or processes 

Rules can be added to /etc/audit/rules.d/audit.rules or directly via the auditctl command.

Examples of auditd Rules

If you’re still uncertain of how you can execute auditd, check out these examples below. 

1. Monitoring File Access 

To monitor all access to /etc/passwd, you could use:

-w /etc/passwd -p warx -k passwd_changes 

 This rule watches (-w) the /etc/passwd file for write (w), attribute change (a), read (r), and execute (x) operations, tagging entries with passwd_changes for easy filtering.

2. Tracking Login and Logout Events

To track user login/logout events:

-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale 

Deploying auditd to Detect Unauthorised Access

To effectively use auditd for detecting unauthorised access, consider the following strategies: 

• Monitor sensitive files by creating rules to track access to confidential files and directories 
• Track privileged commands using system call rules to log the execution of privileged commands 
• Auditd logins and logouts by keeping track of user logins, logouts and session management to detect unauthorised access attempts 
• Regularly review auditd logs, looking for anomalies or unauthorised access attempts

auditd: Beyond Basic Configuration

While auditd is instrumental in monitoring system activities under normal circumstances, its significance is magnified on a CIS-hardened RHEL system. Here, auditd can be configured to specifically monitor for changes or attempts to change security settings and compliance with CIS benchmarks. 

Key Areas for auditd Monitoring on a CIS-Hardened System

1. User and Group Management 

CIS benchmarks recommend strict policies on user creation, management and privileges. auditd can monitor relevant system calls to these activities, such as useradd, groupadd and any changes to /etc/passwd, /etc/shadow or /etc/group. 

Example Rule:

-w /etc/passwd -p wa -k user_changes  
 -w /etc/shadow -p wa -k password_changes  
 -w /etc/group -p wa -k group_changes  

2. File and Directory Permissions 

CIS guidelines specify secure default permissions for files and directories. auditd can help ensure these permissions aren’t improperly modified. 

Example Rule: 

-w /etc/ssh/sshd_config -p wa -k ssh_config_changes 

3. System and Network Configuration 

Monitoring changes to system and network configurations is vital. This includes tracking modifications to firewall settings or network service configurations. 

Example Rule: 

-a always,exit -F arch=b64 -S setsockopt,setsockcreate -k network_changes 

4. Authentication and Authorisation Mechanisms 

With CIS benchmarks, mechanisms like SELinux, sudo configurations and PAM are tightly controlled. You can craft auditd rules to monitor any alterations to these configurations. 

Example Rule:

-w /etc/sudoers -p wa -k sudoers_change  
 -w /etc/selinux/ -p wa -k selinux_change  
 -w /etc/pam.d/ -p wa -k pam_change 

5. Logging and Auditing Configurations 

It’s crucial to ensure that auditing itself is not tampered with to maintain system security. Monitoring changes to auditd configurations and log files is a must. 

Example Rule: 

-w /etc/audit/ -p wa -k audit_config_change  
 -w /var/log/ -p wa -k log_access 

Implementing Auditd in a CIS-Hardened Environment 

To effectively implement auditd monitoring on a CIS-hardened RHEL system, administrators should: 

• Understand the specific recommendations for RHEL and identify key areas for monitoring 
• Tailor auditd rules to closely monitor compliance with CIS recommendations, focusing on critical areas like user management, file permissions and system configurations 
• Regularly review auditd logs for anomalies or non-compliance with CIS benchmarks. Automated tools and scripts can assist in highlighting discrepancies. Use external logging systems to aggregate the logs from multiple systems and analyze the logs to find patterns 
• As CIS benchmarks evolve, update your auditd rules to cover new or updated recommendations 

We hope this guide helped you understand how auditd works and how it can help you strengthen system security. If you need guidance on executing auditd, Insentra is here to assist you. Contact us today to start a conversation on how we can improve your security posture.