@tuxfight3r
Last active August 25, 2021 18:47
audit search / trace commands

Auditctl options

We can add and configure rules with the auditctl command.

Possible options are:

  • -l — print out a list of existing rules
  • -a — add a new rule
  • -d — delete an existing rule
  • -D — delete all existing rules

To create a new rule, we have to run a command with the following syntax:

auditctl -a <list>,<action> -S <syscall> -F <filter>

After the -a option, we enter the list we wish to add rules to. There are five kinds of lists:

  • task — events related to creating new processes
  • entry — events that take place on system call entrance
  • exit — events that take place on system call exit
  • user — events that use user space parameters
  • exclude — used for excluding events

Then we enter the action to be taken when the event occurs. Here we have two options: always (enter the event in the log) or never (don’t enter the event).

After the -S option, we enter the name of the system call the event needs to be intercepted for (open, close, etc.).

#We can set additional filters after the -F option. For example, if we need to audit references to files from the /etc catalog, the rule would look like the following:
$ auditctl -a exit,always -S open -F path=/etc/

#We can add an extra filter:
$ auditctl -a exit,always -S open -F path=/etc/ -F perm=aw

The aw abbreviation can be broken down as: a – attribute change, w – write. The filter perm=aw means that all attribute changes and writes in the /etc directory need to be tracked.

When configuring tracking for individual files, we can omit the -S option, for example:

$ auditctl -a exit,always -F path=/etc/ -F perm=aw

Restart auditd to pick up new changes from /etc/audit/rules.d/

service auditd restart

AUDIT TRACE

#trace a process with audit (syntax: autrace [-r] program program-args)
autrace [-r] program program-args
autrace /bin/ls /tmp

# resource usage mode
autrace -r /bin/ls

AUDIT SEARCH

#search audit events for a specific pid
ausearch -p 2317
ausearch --start recent -p 2442 -i
ausearch --start recent -p 2450 --raw | aureport --file --summary
ausearch --start recent -p 2450 --raw | aureport --host --summary

#failed summary report
aureport -u --failed --summary -i

#Login Summary Report
aureport --login --summary -i

#list the rules
auditctl -l

#user specific details
ausearch --start today --loginuid 1002 --raw

#search for all failed user logins
ausearch --message USER_LOGIN --success no --interpret
ausearch -m USER_LOGIN -sv no 

#search for all actions performed by user
ausearch -ua 1010 -i
ausearch -ua cpuuser

#search for all actions performed by a user between two points in time
#possible values now, recent, today, yesterday, this-week, week-ago, this-month, this-year
#ts / --start start-date start-time
#te / --end end-date end-time
ausearch -ua root -ts yesterday -te now -i 
ausearch -ua root -ts 20/02/2019 06:00:00 -te 21/02/2019 09:00:00

#find modifications to user account
ausearch -m ADD_USER,DEL_USER,USER_CHAUTHTOK,ADD_GROUP,DEL_GROUP,CHGRP_ID,ROLE_ASSIGN,ROLE_REMOVE  -i

#all failed system calls
ausearch --start yesterday --end now -m SYSCALL -sv no -i

#who edited a file
ausearch -f /etc/passwd

#search using keyword
ausearch -ts 01/01/19 -k audit

#read man ausearch for more details.
man ausearch

Full audit record types and event types

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-audit_record_types https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/app-audit_reference#sec-Audit_Events_Fields

simple audit rules

-w /usr/bin/docker -p wa
-w /var/lib/docker -p wa
-w /etc/docker -p wa
-w /usr/lib/systemd/system/docker.service -p wa
-w /usr/bin/docker-containerd -p wa
-w /usr/bin/docker-runc -p wa
-w /etc/docker/daemon.json -p wa
-w /var/run/docker.sock -p wa -k dockersock
-a always,exit -F arch=b64 -S execve -F euid=0 -F key=root_user_changes
-a always,exit -F arch=b32 -S execve -F euid=0 -F key=root_user_changes
-a always,exit -F arch=b64 -S execve -F euid>=1000 -F key=user_changes
-a always,exit -F arch=b32 -S execve -F euid>=1000 -F key=user_changes
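As an added example (not part of the gist), a small Python parser for records in the `ausearch --raw` format that groups them by event serial, counts them per rule key, and picks out the root execve events that the `root_user_changes` rule above would produce. The log lines are constructed, and the syscall number 59 is an assumption that holds for x86_64 (`arch=b64`).

```python
import re
from collections import Counter

# Constructed sample records in the `ausearch --raw` format; values are illustrative.
RAW_LOG = """\
type=SYSCALL msg=audit(1629900000.123:501): arch=c000003e syscall=59 success=yes exit=0 pid=1234 auid=1002 uid=0 euid=0 comm="useradd" exe="/usr/sbin/useradd" key="root_user_changes"
type=EXECVE msg=audit(1629900000.123:501): argc=3 a0="useradd" a1="-m" a2="backup"
type=SYSCALL msg=audit(1629900005.456:502): arch=c000003e syscall=59 success=yes exit=0 pid=1301 auid=1002 uid=1002 euid=1002 comm="ls" exe="/usr/bin/ls" key="user_changes"
type=EXECVE msg=audit(1629900005.456:502): argc=2 a0="ls" a1="/tmp"
type=SYSCALL msg=audit(1629900010.789:503): arch=c000003e syscall=257 success=yes exit=5 pid=1401 auid=1002 uid=1002 euid=1002 comm="docker" exe="/usr/bin/docker" key="dockersock"
type=PATH msg=audit(1629900010.789:503): item=0 name="/var/run/docker.sock" inode=1234 mode=0140660 ouid=0 ogid=990 nametype=NORMAL
"""

HEADER_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EXECVE_NR = "59"  # execve on x86_64 (arch=b64); this example assumes that arch

def parse_record(line):
    """Split one raw audit line into a dict: type, time, serial, then each key=value field."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group(1), "time": float(m.group(2)), "serial": int(m.group(3))}
    rec.update((k, v.strip('"')) for k, v in FIELD_RE.findall(m.group(4)))
    return rec

def group_events(raw):
    """Join records sharing a serial into one event, as ausearch does for SYSCALL/EXECVE/PATH."""
    events = {}
    for rec in filter(None, map(parse_record, raw.splitlines())):
        events.setdefault(rec["serial"], []).append(rec)
    return events

def summarise_by_key(events):
    """Count events per rule key, i.e. the -k / --key values of the rules above."""
    return Counter(r["key"] for recs in events.values() for r in recs if "key" in r)

def root_execs(events):
    """Events the root_user_changes rule produced: execve with euid=0, argv rebuilt from EXECVE."""
    hits = []
    for serial, recs in sorted(events.items()):
        sysc = [r for r in recs if r["type"] == "SYSCALL" and r.get("syscall") == EXECVE_NR and r.get("euid") == "0"]
        ex = [r for r in recs if r["type"] == "EXECVE"]
        if sysc:
            argv = [ex[0][f"a{i}"] for i in range(int(ex[0]["argc"]))] if ex else []
            hits.append((serial, sysc[0]["exe"], argv))
    return hits
```

Feed it `ausearch --start today --raw` output instead of `RAW_LOG` to get the same per-key counts and root execve list from a live host.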