System Accounting with auditd

Post date: Oct 10, 2012 2:30:40 PM

The auditd service is provided for system auditing. By default, the service records security-relevant events such as system logins, account modifications, and authentication events performed by programs such as sudo. The audit service, configured with at least its default rules, is strongly recommended for all sites. Note that comprehensive auditing might affect your system's performance.

1. Enable the auditd service

Ensure that the auditd service is enabled by running

chkconfig auditd on

2. Configure auditd data retention

3. Configure auditd rules for comprehensive auditing

# cp /usr/share/doc/audit-1.7.17/stig.rules /etc/audit/audit.rules

4. Record events that modify date and time information

Add the following to /etc/audit/audit.rules (stime exists only in the 32-bit syscall table, so auditctl rejects it on an arch=b64 rule; it goes on a b32 rule instead):

-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change

-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change

-a always,exit -F arch=b64 -S clock_settime -k time-change

-w /etc/localtime -p wa -k time-change

5. Record events that modify user/group information

Add the following to /etc/audit/audit.rules to capture changes to user and group accounts:

-w /etc/group -p wa -k identity

-w /etc/passwd -p wa -k identity

-w /etc/gshadow -p wa -k identity

-w /etc/shadow -p wa -k identity

-w /etc/security/opasswd -p wa -k identity

6. Record attempts to alter logon and logout events

The audit system already collects login info for all users and root. To watch for attempted manual edits of files involved in storing logon events, add the following to /etc/audit/audit.rules:

-w /var/log/faillog -p wa -k logins

-w /var/log/lastlog -p wa -k logins

7. Record attempts to alter process and session initiation information

The audit system already collects process information for all users and root. To watch for attempted manual edits of files involved in storing such process information, add the following to /etc/audit/audit.rules:

-w /var/run/utmp -p wa -k session

-w /var/log/btmp -p wa -k session

-w /var/log/wtmp -p wa -k session

8. Ensure auditd collects discretionary access control permission modification events

At a minimum the audit system should collect file permission changes for all users and root. Add the following to /etc/audit/audit.rules:

-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod

-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod

-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod

9. Ensure auditd collects unauthorized (and unsuccessful) attempts to access files

At a minimum the audit system should collect unauthorized file accesses for all users and root. Add the following to /etc/audit/audit.rules:

-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access

-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
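The rules in steps 4 to 9 are each tagged with a key, which makes them easy to verify. The following script is an added example, not part of the original post: it compares a rules file against the watches and syscall keys listed above and reports what is missing. It assumes the rules are written in exactly the form shown here (-p wa, arch=b64, a single -k per rule); the demo runs on a constructed three-rule file rather than a real system's audit.rules.

```shell
#!/bin/sh
# Added example (not from the original post): compare an audit.rules file
# against the watches and syscall keys recommended above and report gaps.
# Assumes rules follow the post's exact form ("-p wa", "arch=b64", one -k).

# "path key" pairs for the -w rules of steps 4 to 7.
WATCHES='/etc/localtime time-change
/etc/group identity
/etc/passwd identity
/etc/gshadow identity
/etc/shadow identity
/etc/security/opasswd identity
/var/log/faillog logins
/var/log/lastlog logins
/var/run/utmp session
/var/log/btmp session
/var/log/wtmp session'

# Keys that must be on at least one "-a always,exit -F arch=b64" rule (steps 4, 8, 9).
SYSCALL_KEYS='time-change perm_mod access'

# Usage: count_missing_rules [rules-file]; lists gaps on stderr, echoes the count.
count_missing_rules() {
  f=${1:-/etc/audit/audit.rules}
  n=0
  # here-document rather than a pipe so the counter survives the loop
  while read -r path key; do
    if ! grep -Eq -- "^-w[[:space:]]+$path[[:space:]]+-p[[:space:]]+wa[[:space:]]+-k[[:space:]]+$key([[:space:]]|\$)" "$f"; then
      echo "missing: -w $path -p wa -k $key" >&2
      n=$((n + 1))
    fi
  done <<EOF
$WATCHES
EOF
  for key in $SYSCALL_KEYS; do
    if ! grep -Eq -- "^-a[[:space:]]+always,exit[[:space:]]+-F[[:space:]]+arch=b64.*-k[[:space:]]+$key([[:space:]]|\$)" "$f"; then
      echo "missing: arch=b64 syscall rule tagged -k $key" >&2
      n=$((n + 1))
    fi
  done
  echo "$n"
}

# Demo on a constructed three-rule file (not a real system's audit.rules).
sample=$(mktemp)
printf '%s\n' '-w /etc/passwd -p wa -k identity' \
  '-w /etc/shadow -p wa -k identity' \
  '-a always,exit -F arch=b64 -S clock_settime -k time-change' > "$sample"
echo "missing rules: $(count_missing_rules "$sample")"   # 11
rm -f "$sample"
```

Once the rules are loaded, the same keys select the matching events for review, for example ausearch -k identity.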