@jason-idk
Last active February 1, 2018 03:46
Some notes I took on auditd...
System Auditing with Auditd:
About: auditd is the user-space component of the Linux auditing subsystem. When auditd is running, audit messages sent by the kernel
are collected in the log file configured for auditd (normally /var/log/audit/audit.log). If auditd is not running for any reason,
kernel audit messages will be sent to rsyslog.
Configuration files:
- /etc/sysconfig/auditd (startup options)
- /etc/audit/auditd.conf (main config file)
- /etc/audit/audit.rules (persistent audit rules)
LOGGING:
All messages are logged to /var/log/audit/audit.log
Searching for Events:
The auditing system ships with a powerful tool for searching audit logs: ausearch. Not only does ausearch let you easily search for
various types of events and filter on those, it can also interpret events for you by translating numeric values into (more) readable
values like usernames or system call names.
Command options:
# ausearch
-i (Interpret log line, translate numeric values into names)
--raw (Print raw log entries, do not put record separators between entries.)
-a <EVENT-ID> (Show all lines for the event with <EVENT-ID> as the event ID.)
--file <FILENAME> (Search for all events touching a specific filename.)
-k <KEY> (Search for all events labeled with <KEY>)
--start [start-date] [start-time] (Only search for events after start-date and start-time.)
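To make the options above concrete, here is an added example (not part of the original notes, and not code from the audit project) that does over a few constructed audit.log lines what ausearch does for you: it splits each line into type, timestamp, serial and fields, groups records into events by the audit(<timestamp>:<serial>) id that -a searches on, filters by key (-k), by PATH name (--file) and by start time (--start), and translates numeric uid/syscall values the way -i does. The user and syscall lookup tables are constructed, partial stand-ins for /etc/passwd and the x86_64 syscall table; the sample records are constructed too.

```python
"""Minimal ausearch-style processing of raw audit.log records.
Added example; sample log lines and lookup tables are constructed."""
import re
from collections import defaultdict

# Constructed sample audit.log content: a watched read of /etc/shadow
# (event 456), an execve (event 457) and a login record (event 458).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1517456789.123:456): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd1a2b3c40 a1=0 a2=1b6 a3=0 items=1 ppid=1234 pid=1235 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="cat" exe="/usr/bin/cat" key="shadow-read"
type=CWD msg=audit(1517456789.123:456): cwd="/root"
type=PATH msg=audit(1517456789.123:456): item=0 name="/etc/shadow" inode=1234 dev=fd:01 mode=0100000 ouid=0 ogid=42 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1517456790.500:457): arch=c000003e syscall=59 success=yes exit=0 a0=55d0c0ffee00 a1=55d0c0ffee40 a2=55d0c0ffee80 a3=0 items=2 ppid=1234 pid=1236 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=2 comm="ls" exe="/usr/bin/ls" key="exec-monitor"
type=PATH msg=audit(1517456790.500:457): item=0 name="/usr/bin/ls" inode=5678 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=USER_LOGIN msg=audit(1517456791.000:458): pid=999 uid=0 auid=1000 ses=3 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=/dev/pts/1 res=success'
"""

# Every record starts with type=... msg=audit(<seconds.millis>:<serial>):
RECORD_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<rest>.*)$")
# key=value pairs; values may be double- or single-quoted (USER_* records
# carry a single-quoted msg='...' sub-record).
FIELD_RE = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")


def parse_record(line):
    """Split one raw log line into type, timestamp, serial and its fields."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip("\"'") for k, v in FIELD_RE.findall(m.group("rest"))}
    return {"type": m.group("type"), "ts": float(m.group("ts")),
            "serial": int(m.group("serial")), "fields": fields}


def parse_log(text):
    return [r for r in (parse_record(l) for l in text.splitlines()) if r]


def events(records):
    """Group records by serial: the set of lines 'ausearch -a <EVENT-ID>' shows."""
    by_serial = defaultdict(list)
    for r in records:
        by_serial[r["serial"]].append(r)
    return dict(by_serial)


def search(records, key=None, filename=None, start=None):
    """Serials of events matching every given criterion (-k, --file, --start)."""
    hits = []
    for serial, recs in sorted(events(records).items()):
        if key is not None and not any(r["fields"].get("key") == key for r in recs):
            continue
        if filename is not None and not any(
                r["type"] == "PATH" and r["fields"].get("name") == filename for r in recs):
            continue
        if start is not None and recs[0]["ts"] < start:
            continue
        hits.append(serial)
    return hits


# Constructed, partial stand-ins for /etc/passwd and the x86_64 syscall table.
USERS = {0: "root", 1000: "alice"}
SYSCALLS_X86_64 = {2: "open", 59: "execve", 257: "openat"}


def interpret(record):
    """Translate numeric uid/auid/syscall values into names, like 'ausearch -i'."""
    f = dict(record["fields"])
    for name in ("uid", "auid", "euid", "ouid"):
        if name in f and f[name].isdigit():
            f[name] = USERS.get(int(f[name]), f[name])
    # The syscall number is only meaningful together with the arch field.
    if f.get("arch") == "c000003e" and f.get("syscall", "").isdigit():
        f["syscall"] = SYSCALLS_X86_64.get(int(f["syscall"]), f["syscall"])
    return f


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("events with key shadow-read:", search(recs, key="shadow-read"))
    print("events touching /etc/shadow:", search(recs, filename="/etc/shadow"))
    print("events after 1517456790:", search(recs, start=1517456790.0))
    for r in events(recs)[456]:
        print(r["type"], interpret(r))
```

The point to notice is that a single event spans several lines (SYSCALL, CWD, PATH) joined only by the serial; a detection that greps one line type in isolation misses the file name or the user, which is why ausearch and aureport work on whole events.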
Reporting on certain events:
# aureport
Tracing a program:
# autrace /bin/command
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Remote Logging with auditd:
There are two main ways to send audit messages to a remote system. Both methods use custom Audit Dispatching with audispd. audispd is
configured in /etc/audisp/audispd.conf, with plug-ins being configured in /etc/audisp/plugins.d/*.conf
The first way to send messages to a remote server is to use syslog. By setting active = yes in /etc/audisp/plugins.d/syslog.conf, all
audit messages will also be sent to syslog after restarting auditd. The log priority and facility to be used can also be set in that
same configuration file. Once messages reach syslog, you can configure your syslog server of choice to forward these messages to
a remote server.
The second way of sending audit messages to a remote server is to use the native raw audit protocol over TCP. On the server that will
receive the messages you will have to configure the tcp_listen_port setting in /etc/audit/auditd.conf, with the default port being 60.
On every client that will be sending audit messages to your central server, you will have to install the audispd-plugins package. After
installation you can enable remote logging in /etc/audisp/plugins.d/au-remote.conf by setting active = yes. To configure where messages
are sent, set the remote_server setting in /etc/audisp/audisp-remote.conf.
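The two forwarding paths above (the syslog plugin, and the native au-remote plugin plus audisp-remote.conf on the client and tcp_listen_port on the server) are easy to half-configure: a plugin left at active = no, or active = yes with an empty remote_server, silently keeps every event local. The following added example (mine, not from the notes or the audit project) parses the "key = value" format those files share and reports which path is actually complete. The file contents are constructed samples using the settings named in the notes (active, remote_server, port, tcp_listen_port); the hostname is a placeholder.

```python
"""Sanity-check audit forwarding configuration on a client and a server.
Added example; the configuration texts below are constructed samples."""

# Constructed /etc/audisp/plugins.d/syslog.conf: plugin left disabled.
SYSLOG_PLUGIN = """\
# This file controls the configuration of the syslog plugin.
active = no
direction = out
path = builtin_syslog
type = builtin
args = LOG_INFO
format = string
"""

# Constructed /etc/audisp/plugins.d/au-remote.conf: native forwarding enabled.
AU_REMOTE_PLUGIN = """\
active = yes
direction = out
path = /sbin/audisp-remote
type = always
format = string
"""

# Constructed /etc/audisp/audisp-remote.conf: placeholder collector name.
AUDISP_REMOTE = """\
remote_server = audit-collector.example.internal
port = 60
transport = tcp
"""

# Constructed /etc/audit/auditd.conf on the receiving server.
AUDITD_CONF_SERVER = """\
log_file = /var/log/audit/audit.log
tcp_listen_port = 60
tcp_listen_queue = 5
"""


def parse_conf(text):
    """Parse 'key = value' lines; '#' lines are comments, keys are case-insensitive."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        k, v = line.split("=", 1)
        conf[k.strip().lower()] = v.strip()
    return conf


def client_forwarding(syslog_conf, au_remote_conf, audisp_remote_conf):
    """Return (enabled forwarding paths, configuration problems) for a client."""
    paths, problems = [], []
    if parse_conf(syslog_conf).get("active") == "yes":
        paths.append("syslog")
    plugin = parse_conf(au_remote_conf)
    remote = parse_conf(audisp_remote_conf)
    if plugin.get("active") == "yes":
        server = remote.get("remote_server", "")
        if server:
            # Port defaults to 60 when not set, as the notes state.
            paths.append("au-remote:%s:%s" % (server, remote.get("port", "60")))
        else:
            problems.append("au-remote plugin is active but remote_server is empty "
                            "in audisp-remote.conf")
    elif remote.get("remote_server"):
        problems.append("remote_server is set but the au-remote plugin is not active")
    return paths, problems


def server_listening(auditd_conf):
    """Return the TCP port auditd is configured to accept remote records on, or None."""
    port = parse_conf(auditd_conf).get("tcp_listen_port", "")
    return int(port) if port.isdigit() else None


if __name__ == "__main__":
    print("client:", client_forwarding(SYSLOG_PLUGIN, AU_REMOTE_PLUGIN, AUDISP_REMOTE))
    print("server listens on:", server_listening(AUDITD_CONF_SERVER))
```

Run the check from configuration management or a periodic compliance job: a host whose result has no path at all, or any entry in the problems list, is a host whose audit trail can be altered locally without a copy existing anywhere else.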