Audit Linux system calls
Theory
For auditd to work, the kernel must be compiled with the AUDIT and AUDITSYSCALL options. AUDIT provides the overall audit subsystem in the Linux kernel, which SELinux also uses. AUDITSYSCALL provides the system call audit framework, which SELinux uses as well. Check the running kernel's configuration:
$ grep AUDIT /boot/config-`uname -r`
# CONFIG_AUDIT_ARCH is not set
CONFIG_AUDIT=y
CONFIG_AUDITSYSCALL=y
CONFIG_AUDIT_TREE=y
CONFIG_AUDIT_GENERIC=y
Key features of the audit system in the Linux kernel:
- Minimal overhead, whether auditing is enabled or disabled
- Filtering at the kernel level to keep the cost as low as possible
- A Netlink interface that custom applications can use
Installation
Installing auditd is straightforward. For Debian / Ubuntu:
$ sudo apt-get install auditd
For CentOS:
# yum install audit
Project homepage: people.redhat.com/sgrubb/audit
Customization
The auditd configuration file is /etc/audit/auditd.conf. Each line defines at most one directive; the directive name and its value are separated by an equal sign. Most directives control logging and do not need to be changed. For a detailed description, read man auditd.conf.
Audit rules
Audit rules are stored in the file /etc/audit/audit.rules.
auditctl -l lists the current rules and auditctl -D deletes all rules.
File Access Audit
Key arguments for file access audit rules:
- -p [r|w|x|a] - filter by the kind of access (read, write, execute, attribute change)
- -w path - path to the monitored file or directory
Add a rule at runtime for the /sys directory:
sudo auditctl -w /sys/ -p ra
Run skype and look at the result:
sudo aureport -f
/sbin/audispd permissions should be 0750
File Report
===============================================
# date time file syscall success exe auid event
===============================================
1. 16.01.2011 22:42:04 /sys/class/video4linux/video0/dev 5 yes /usr/bin/skype -1 23
2. 16.01.2011 22:42:03 /sys/devices/system/cpu 5 yes /usr/bin/skype -1 22
3. 16.01.2011 22:42:04 /sys/class/video4linux/video0/device/modalias 5 yes /usr/bin/skype -1 24
4. 16.01.2011 22:42:04 /sys/class/dmi/id/sys_vendor 5 yes /usr/bin/skype -1 25
5. 16.01.2011 22:42:04 /sys/class/dmi/id/product_name 5 yes /usr/bin/skype -1 26
6. 16.01.2011 22:42:04 /sys/class/dmi/id/product_version 5 yes /usr/bin/skype -1 27
7. 16.01.2011 22:42:04 /sys/class/dmi/id/board_vendor 5 yes /usr/bin/skype -1 28
8. 16.01.2011 22:42:04 /sys/class/dmi/id/board_name 5 yes /usr/bin/skype -1 29
9. 16.01.2011 22:42:04 /sys/class/dmi/id/board_version 5 yes /usr/bin/skype -1 30
Audit system calls
The main attributes:
- -a list,action and -A list,action add a rule with the given action to the end (-a) or the beginning (-A) of the list list. The available lists are described in man auditctl. The action never does not generate an event; always generates an event.
- -S [syscall name or number | all] - the system calls to observe
- -F [n=v | n!=v | n<v | n>v | n<=v | n>=v | n&v | n&=v] - various filters
auditctl -a exit,always -S open -F success=0 enables auditing of all open() calls with a return code greater than 0 (i.e. calls that failed, since success=0 matches only unsuccessful calls) and generates an event when the system call exits. You can look up the name of a system call by its number in include/linux/unistd.h.
# auditctl -a exit,always -S open -F success=0
# touch /tmp/foo
# tail -1 /var/log/audit/audit.log
type=SYSCALL msg=audit(1295200915.069:14977): arch=c000003e syscall=2 success=no exit=-2 a0=7ff2f0ad4f60 a1=0 a2=7ff2f0d05010 a3=7fff56687650 items=1 ppid=1915 pid=16551 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm="tail" exe="/usr/bin/tail" key=(null)
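To make records like the one above usable in a script, here is an added parser (not part of the original article or the audit project) that splits a SYSCALL line into fields and decodes the parts a reviewer cares about: the arch value to an architecture name, the syscall number to a name (a partial x86_64 table is an assumption), exit to an errno name, and auid=4294967295 to "unset", which is what aureport prints as -1.

```python
import re
import errno

# Sample input: the SYSCALL record quoted on the page, embedded here for offline use.
SAMPLE_RECORD = (
    'type=SYSCALL msg=audit(1295200915.069:14977): arch=c000003e syscall=2 '
    'success=no exit=-2 a0=7ff2f0ad4f60 a1=0 a2=7ff2f0d05010 a3=7fff56687650 '
    'items=1 ppid=1915 pid=16551 auid=4294967295 uid=0 gid=0 euid=0 suid=0 '
    'fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm="tail" '
    'exe="/usr/bin/tail" key=(null)'
)

AUDIT_ARCH_X86_64 = 0xC000003E          # from the kernel's audit.h
ARCH_NAMES = {AUDIT_ARCH_X86_64: "x86_64"}
# Assumption: a small subset of the x86_64 syscall table (unistd_64.h).
X86_64_SYSCALLS = {0: "read", 1: "write", 2: "open", 3: "close", 59: "execve"}
UNSET_ID = 0xFFFFFFFF                   # auid/ses of 4294967295 means "not set"

# key=value, where value is "quoted", (parenthesised) or a bare token
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')

def parse_record(line):
    """Split one audit.log line into a dict of field name -> raw string value."""
    fields = {key: value.strip('"') for key, value in FIELD_RE.findall(line)}
    # msg=audit(<epoch seconds>.<ms>:<serial>) carries the event time and serial
    m = re.search(r'audit\((\d+\.\d+):(\d+)\)', line)
    if m:
        fields["timestamp"] = float(m.group(1))
        fields["serial"] = int(m.group(2))
    return fields

def decode_syscall(fields):
    """Turn the numeric parts of a SYSCALL record into human-readable values."""
    arch = int(fields["arch"], 16)
    nr = int(fields["syscall"])
    auid = int(fields["auid"])
    exit_code = int(fields["exit"])
    name = X86_64_SYSCALLS.get(nr, str(nr)) if arch == AUDIT_ARCH_X86_64 else str(nr)
    return {
        "arch": ARCH_NAMES.get(arch, hex(arch)),
        "syscall": name,
        "success": fields["success"] == "yes",
        # a negative exit is -errno; map it back to its symbolic name
        "errno": errno.errorcode.get(-exit_code) if exit_code < 0 else None,
        "auid": None if auid == UNSET_ID else auid,   # None = no login session
        "comm": fields.get("comm"),
        "exe": fields.get("exe"),
    }

if __name__ == "__main__":
    print(decode_syscall(parse_record(SAMPLE_RECORD)))
```

Note that the decoded record shows the failed open() came from the tail command used to read the log itself; rules this broad generate a lot of such self-inflicted noise, which is why the -F filters and -k keys matter in practice.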