In this tutorial, we will see how to define audit File System Rules in RHEL/CentOS/Rocky Linux. By now you will have understood that the Audit system operates on a set of rules that define what is to be captured in the log. There are three types of audit rules: Control Rules, File System Rules and System Call Rules. So far we have seen how to define Audit Control Rules. Now it is time to look at the second type, File System Rules, with the help of detailed examples. More on this is available in the RHEL documentation.
How to Define Audit File System Rules in RHEL/CentOS/Rocky Linux
All the rules that we write follow the syntax below if we are defining them through the auditctl utility. You also have the option to define the rules in the audit.rules file. In that case, you just need to drop the leading auditctl from the syntax below when adding the rules. This will be further clarified as we move on below.
The commands below are run as the root user. You can use any user with sudo access to run these commands. For more information, please check Step by Step: How to Add User to Sudoers to provide sudo access to the user.
auditctl -w <file_path> -p <permissions> -k <key_name>
file_path   -> file/directory to be audited
permissions -> r (read), w (write), x (execute), a (attribute change)
key_name    -> any custom keyword (optional)
1. File system rules
a) To audit the /etc/hosts file for any write access or any attribute change, add the rule below. An entry is written to the audit log file whenever this rule is triggered. We have also added a custom key to make searching the audit log file easy:-
-w /etc/hosts -p wa -k host_file_changed
b) To audit all the files inside the /etc/audit/ directory for any read or write access or any attribute change, add the rule below:-
-w /etc/audit/ -p war -k audit_dir_changed
c) To audit execution of the /sbin/insmod command, which loads kernel modules on the server, add the rule below. Note that the rule watches /sbin/insmod only; modprobe is a separate binary and needs its own -w rule if you want to audit it as well:-
-w /sbin/insmod -p x -k module_updated
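The syntax above and the three rules are easy to get subtly wrong (a relative path, a permission letter that is not one of r, w, x, a, a forgotten key). The following is an added example, not code from the original article: a small shell/awk linter that checks every -w rule in a rules file before it is handed to auditctl or augenrules. It assumes one rule per line with # comments, skips control rules such as -D, -b and -f, and the demo rules file at the bottom is constructed (the article's three rules plus two deliberately broken ones).

```shell
#!/bin/sh
# Added example (not from the original article): lint "-w <path> -p <perms> -k <key>"
# watch rules before loading them. auditctl itself rejects relative paths and
# unknown permission letters; the missing-key check is our own, because a rule
# without -k still works but is painful to search for in the log.

# lint_watch_rules FILE
#   prints "OK <path> <perms> <key>" for each valid -w rule and
#   "BAD <reason>: <rule>" for each invalid one; exit status 1 if any BAD.
lint_watch_rules() {
    awk '
    BEGIN { bad = 0 }
    /^[[:space:]]*(#|$)/ { next }     # comments and blank lines
    $1 != "-w"           { next }     # control or syscall rule, not a watch
    {
        path = ""; perms = ""; key = ""; reason = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "-w") {
                path = $(i + 1); i++
            }
            else if ($i == "-p") {
                perms = $(i + 1); i++
            }
            else if ($i == "-k") {
                key = $(i + 1); i++
            }
            else {
                reason = "unexpected token " $i
            }
        }
        if (path !~ /^\//)             reason = "path must be absolute"
        else if (perms == "")          reason = "missing -p"
        else if (perms !~ /^[rwxa]+$/) reason = "permissions must be a subset of r, w, x, a"
        else if (key == "")            reason = "missing -k"
        if (reason != "") { bad++; print "BAD " reason ": " $0 }
        else              print "OK " path " " perms " " key
    }
    END { exit (bad > 0) }
    ' "$1"
}

# Constructed demo input: the article's three rules plus two broken ones
# (a relative path and an invalid permission letter).
demo_rules=$(mktemp)
cat > "$demo_rules" <<'EOF'
## First rule - delete all
-D
-b 8192
-f 1
-w /etc/hosts -p wa -k host_file_changed
-w /etc/audit/ -p war -k audit_dir_changed
-w /sbin/insmod -p x -k module_updated
-w etc/shadow -p wa -k shadow_changed
-w /etc/passwd -p rq -k passwd_changed
EOF

lint_watch_rules "$demo_rules" || echo "fix the BAD rules before loading them"
```

Run it against /etc/audit/rules.d/audit.rules before restarting auditd; a non-zero exit status tells you the file will not load cleanly (or, for a missing key, will be hard to search later).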
2. Working Demonstration of Rules Added
We will add the above rules to the audit.rules file to make them persistent.
[root@cyberithub ~]# cd /etc/audit/rules.d/
[root@cyberithub rules.d]# vi audit.rules
[root@cyberithub rules.d]# cat audit.rules
## First rule - delete all
-D
## Increase the buffers to survive stress events.
## Make this bigger for busy systems
-b 8192
## Set failure mode to syslog
-f 1
-w /etc/hosts -p wa -k host_file_changed
-w /etc/audit/ -p wa -k audit_dir_changed
-w /sbin/insmod -p x -k module_updated
As you can see, we have added the rules. Next, restart the auditd service to make the rules persistent.
[root@cyberithub rules.d]# service auditd restart
Stopping logging: [ OK ]
Redirecting start to /bin/systemctl start auditd.service
Next, we will validate that our rules are working by making changes to the files we have added for auditing. Edit the /etc/hosts file and add a dummy IP so that the change gets captured in the audit log.
[root@cyberithub rules.d]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
188.8.131.52 Destination
Check the audit log now. If you are not sure about the path where the audit log gets generated, check the auditd.conf file, where the default log path is specified.
[root@cyberithub audit]# pwd
/etc/audit
[root@cyberithub audit]# ll
total 20
-rw-r-----. 1 root root  805 Aug  8  2019 auditd.conf
-rw-r-----. 1 root root  203 Jan 24 21:00 audit.rules
-rw-r-----. 1 root root   81 Jan 24 21:00 audit.rules.prev
-rw-r-----. 1 root root  127 Aug  8  2019 audit-stop.rules
drwxr-x---. 2 root root 4096 Jan 24 20:54 rules.d
[root@cyberithub audit]# grep log auditd.conf
write_logs = yes
log_file = /var/log/audit/audit.log
log_group = root
log_format = RAW
max_log_file = 8
num_logs = 5
max_log_file_action = ROTATE
We need to grep for the custom key that we added in the rule; this is what makes searching the generated audit log file easy. The first CONFIG_CHANGE record (auid=4294967295, the "unset" login uid) is the rule being loaded by the service itself; the SYSCALL record with comm="vi" and auid=1001 is our edit of /etc/hosts.
[root@cyberithub audit]# grep -ri "host_file_changed" /var/log/audit/audit.log
type=CONFIG_CHANGE msg=audit(1643038201.729:81615): auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 op=add_rule key="host_file_changed" list=4 res=1
type=CONFIG_CHANGE msg=audit(1643038788.852:82013): auid=1001 ses=46 op=updated_rules path="/etc/hosts" key="host_file_changed" list=4 res=1
type=SYSCALL msg=audit(1643038788.852:82014): arch=c000003e syscall=82 success=yes exit=0 a0=2523740 a1=253d520 a2=fffffffffffffe80 a3=7ffe53f6e520 items=4 ppid=16513 pid=19742 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=46 comm="vi" exe="/usr/bin/vi" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="host_file_changed"
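A plain grep for the key shows only the record that carries the key. An audit event is really a group of records sharing the same msg=audit(time:serial) stamp, and the SYSCALL record above (items=4) is followed by CWD and PATH records that name the file actually touched; those do not contain the key and so are missed by grep. The following is an added example, not code from the original article: a shell/awk helper that collects every record of the events matching a key, plus a one-line-per-event summary. The sample log is constructed from the two records above with CWD, PATH and a second module_updated event added; its inode, dev and item values are made up, and it assumes the RAW log_format shown in auditd.conf.

```shell
#!/bin/sh
# Added example (not from the original article): group raw audit.log records
# into events by their msg=audit(time:serial) stamp and select whole events
# by key, which is what a grep for the key cannot do.

# audit_events_for_key LOG KEY
#   prints every record (SYSCALL, CWD, PATH, ...) of each event whose key is KEY
audit_events_for_key() {
    awk -v key="$2" '
    # pass 1: remember the stamps of records that carry the key
    NR == FNR {
        if ($0 ~ ("key=\"" key "\"") && match($0, /msg=audit\([0-9.]+:[0-9]+\)/))
            want[substr($0, RSTART, RLENGTH)] = 1
        next
    }
    # pass 2: print every record whose stamp was remembered
    match($0, /msg=audit\([0-9.]+:[0-9]+\)/) && (substr($0, RSTART, RLENGTH) in want)
    ' "$1" "$1"
}

# audit_summary_for_key LOG KEY
#   one line per event: time:serial, login uid, command, binary and the paths
#   named by its PATH records
audit_summary_for_key() {
    audit_events_for_key "$1" "$2" | awk '
    {
        match($0, /msg=audit\([0-9.]+:[0-9]+\)/)
        ev = substr($0, RSTART + 10, RLENGTH - 11)      # strip "msg=audit(" and ")"
        if (!(ev in seen)) { seen[ev] = 1; ids[++n] = ev }
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "auid" || kv[1] == "comm" || kv[1] == "exe")
                f[ev, kv[1]] = kv[2]
            else if (kv[1] == "name")                    # name= lives in PATH records
                paths[ev] = paths[ev] " " kv[2]
        }
    }
    END {
        for (j = 1; j <= n; j++) {
            ev = ids[j]
            print ev, "auid=" f[ev, "auid"], f[ev, "comm"], f[ev, "exe"], "paths:" paths[ev]
        }
    }'
}

# Constructed sample log: the article's CONFIG_CHANGE and SYSCALL records for
# serial 82013/82014 (syscall=82 is rename on x86_64, how vi saves a file),
# plus made-up CWD/PATH records and a second event for the insmod rule.
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
type=CONFIG_CHANGE msg=audit(1643038788.852:82013): auid=1001 ses=46 op=updated_rules path="/etc/hosts" key="host_file_changed" list=4 res=1
type=SYSCALL msg=audit(1643038788.852:82014): arch=c000003e syscall=82 success=yes exit=0 items=4 ppid=16513 pid=19742 auid=1001 uid=0 gid=0 euid=0 tty=pts1 ses=46 comm="vi" exe="/usr/bin/vi" key="host_file_changed"
type=CWD msg=audit(1643038788.852:82014): cwd="/etc/audit/rules.d"
type=PATH msg=audit(1643038788.852:82014): item=0 name="/etc/" inode=65 dev=fd:00 mode=040755 ouid=0 ogid=0 nametype=PARENT
type=PATH msg=audit(1643038788.852:82014): item=1 name="/etc/hosts" inode=1234 dev=fd:00 mode=0100644 ouid=0 ogid=0 nametype=CREATE
type=SYSCALL msg=audit(1643038900.101:82020): arch=c000003e syscall=59 success=yes exit=0 items=1 auid=1001 uid=0 comm="insmod" exe="/usr/sbin/insmod" key="module_updated"
type=PATH msg=audit(1643038900.101:82020): item=0 name="/sbin/insmod" inode=777 dev=fd:00 mode=0100755 ouid=0 ogid=0 nametype=NORMAL
EOF

audit_summary_for_key "$sample_log" host_file_changed
```

On a real system the same grouping is done by ausearch, which ships with auditd: ausearch -k host_file_changed prints whole events for a key, and ausearch -i additionally translates the numeric uid, syscall and arch fields into names.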
Similarly, any number of rules can be added for auditing by the audit system, based on our requirements.
3. Additional Information
For beginners, it can get confusing when it comes to adding the rules to the audit rules file. Let's look at the audit file tree first.
[root@cyberithub ~]# cd /etc/audit/
When we list the files/folders inside the audit directory, we notice an audit.rules file and a rules.d directory:
[root@cyberithub audit]# ll
total 8
-rw-r-----. 1 root root  122 Jan 23 10:37 audit.rules
drwxr-x---. 2 root root 4096 Jan 23 10:45 rules.d
When we further switch to the rules.d directory, there is a file with the same name, audit.rules. So the question is: where exactly do we add the audit rules?
Well, the answer is that we add the rules to the audit.rules file inside the rules.d directory. Once we add the rules and reboot the server or restart the auditd service, the audit.rules file inside the audit directory is generated automatically (if not already present) and the same rules are replicated there. On RHEL 7 and later this is done by augenrules, which the auditd service runs on start: it merges every *.rules file in rules.d into /etc/audit/audit.rules and loads the result, so the merged file should not be edited by hand.
[root@cyberithub audit]# cd rules.d/
[root@cyberithub rules.d]# ll
total 4
-rw-------. 1 root root 203 Jan 23 10:35 audit.rules