Audit Linux system calls

    Theory


    For auditd to work, the kernel must be compiled with the AUDIT and AUDITSYSCALL options. AUDIT provides the overall audit subsystem in the Linux kernel, which SELinux also uses; AUDITSYSCALL provides the system call audit framework, which SELinux uses as well. Whether these options are enabled can be checked in the running kernel's config:
    $ grep AUDIT /boot/config-`uname -r`
    # CONFIG_AUDIT_ARCH is not set
    CONFIG_AUDIT=y
    CONFIG_AUDITSYSCALL=y
    CONFIG_AUDIT_TREE=y
    CONFIG_AUDIT_GENERIC=y

    Key features of the audit system in the Linux kernel:
    • Minimal overhead, both with auditing enabled and with it disabled
    • Filtering at the kernel level, so that uninteresting events cost as little as possible
    • A Netlink interface that custom applications can use to receive audit events


    Installation


    Installing auditd is straightforward. On Debian / Ubuntu:
    $ sudo apt-get install auditd
    On CentOS:
    # yum install audit
    Project homepage: people.redhat.com/sgrubb/audit

    Configuration


    The auditd configuration file is /etc/audit/auditd.conf. Each line holds at most one directive; the directive name and its value are separated by an equals sign. Most directives control logging and do not need to be changed. For a detailed description, see man auditd.conf.

    Audit rules


    Audit rules are stored in the file /etc/audit/audit.rules.
    auditctl -l lists the current rules and auditctl -D deletes all of them.

    File Access Audit

    Key arguments for file access audit rules:
    • -p [r | w | x | a] - filter by the kind of access: read, write, execute or attribute change
    • -w path - path to the monitored file or directory

    Add a rule at runtime for the /sys directory (read and attribute-change accesses):
    sudo auditctl -w /sys/ -p ra
    Run skype and look at the result:
    sudo aureport -f
    /sbin/audispd permissions should be 0750

    File Report
    ===============================================
    # date time file syscall success exe auid event
    ===============================================
    1. 16.01.2011 22:42:04 /sys/class/video4linux/video0/dev 5 yes /usr/bin/skype -1 23
    2. 16.01.2011 22:42:03 /sys/devices/system/cpu 5 yes /usr/bin/skype -1 22
    3. 16.01.2011 22:42:04 /sys/class/video4linux/video0/device/modalias 5 yes /usr/bin/skype -1 24
    4. 16.01.2011 22:42:04 /sys/class/dmi/id/sys_vendor 5 yes /usr/bin/skype -1 25
    5. 16.01.2011 22:42:04 /sys/class/dmi/id/product_name 5 yes /usr/bin/skype -1 26
    6. 16.01.2011 22:42:04 /sys/class/dmi/id/product_version 5 yes /usr/bin/skype -1 27
    7. 16.01.2011 22:42:04 /sys/class/dmi/id/board_vendor 5 yes /usr/bin/skype -1 28
    8. 16.01.2011 22:42:04 /sys/class/dmi/id/board_name 5 yes /usr/bin/skype -1 29
    9. 16.01.2011 22:42:04 /sys/class/dmi/id/board_version 5 yes /usr/bin/skype -1 30
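    As an added example (not part of the original article), the following POSIX shell functions summarise aureport -f output of the form shown above: which executable touched how many watched files, how many of those accesses fall under a given path prefix, and which successful accesses carry no login uid. SAMPLE_REPORT is a constructed copy of the nine rows above; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original article: summarising `aureport -f` output.
# SAMPLE_REPORT is a constructed copy of the File Report shown in the article;
# on a live system pipe `sudo aureport -f` into the functions instead.
SAMPLE_REPORT='1. 16.01.2011 22:42:04 /sys/class/video4linux/video0/dev 5 yes /usr/bin/skype -1 23
2. 16.01.2011 22:42:03 /sys/devices/system/cpu 5 yes /usr/bin/skype -1 22
3. 16.01.2011 22:42:04 /sys/class/video4linux/video0/device/modalias 5 yes /usr/bin/skype -1 24
4. 16.01.2011 22:42:04 /sys/class/dmi/id/sys_vendor 5 yes /usr/bin/skype -1 25
5. 16.01.2011 22:42:04 /sys/class/dmi/id/product_name 5 yes /usr/bin/skype -1 26
6. 16.01.2011 22:42:04 /sys/class/dmi/id/product_version 5 yes /usr/bin/skype -1 27
7. 16.01.2011 22:42:04 /sys/class/dmi/id/board_vendor 5 yes /usr/bin/skype -1 28
8. 16.01.2011 22:42:04 /sys/class/dmi/id/board_name 5 yes /usr/bin/skype -1 29
9. 16.01.2011 22:42:04 /sys/class/dmi/id/board_version 5 yes /usr/bin/skype -1 30'

# Column layout of aureport -f: index date time file syscall success exe auid event.
# Only lines that start with "<n>." are data rows; headers and warnings are skipped.
report_rows() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+\.$/'
}

# count_by_exe REPORT: number of accessed files per executable, "count exe",
# most active executable first.
count_by_exe() {
    report_rows "$1" | awk '{ n[$7]++ } END { for (e in n) print n[e], e }' | sort -rn
}

# count_under REPORT PREFIX [EXE]: rows whose file path starts with PREFIX,
# optionally restricted to one executable.
count_under() {
    report_rows "$1" | awk -v p="$2" -v e="$3" \
        'index($4, p) == 1 && (e == "" || $7 == e) { c++ } END { print c + 0 }'
}

# no_session_rows REPORT: files successfully accessed by processes whose
# auid is -1, i.e. the kernel never assigned them a login uid, so the
# access cannot be attributed to the user who logged in.
no_session_rows() {
    report_rows "$1" | awk '$6 == "yes" && $8 == "-1" { print $4 }'
}

count_by_exe "$SAMPLE_REPORT"
count_under "$SAMPLE_REPORT" /sys/class/dmi/id /usr/bin/skype
no_session_rows "$SAMPLE_REPORT"
```

    The per-prefix count is the useful part when a watch is as broad as /sys/: it tells you which subtree a process is actually reading (here the DMI identifiers under /sys/class/dmi/id), which is the basis for tightening the -w path to just that subtree. To keep the watch across reboots, put the same `-w /sys/ -p ra` line into /etc/audit/audit.rules.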


    Audit system calls

    The main arguments:
    • -a list,action and -A list,action append (-a) or prepend (-A) a rule to the list list. The available lists are described in man auditctl. The action is either never (do not generate an event) or always (generate an event).
    • -S [syscall name or number | all] - the system calls to watch
    • -F [n=v | n!=v | n<v | n>v | n<=v | n>=v | n&v | n&=v] - field filters

    auditctl -a exit,always -S open -F success=0 enables auditing of all open() calls for which the filter success=0 holds, i.e. calls that failed, and generates the event when the system call exits. The name of a system call can be looked up by number in include/linux/unistd.h.
    # auditctl -a exit,always -S open -F success=0
    # touch /tmp/foo
    # tail -1 /var/log/audit/audit.log
    type=SYSCALL msg=audit(1295200915.069:14977): arch=c000003e syscall=2 success=no exit=-2 a0=7ff2f0ad4f60 a1=0 a2=7ff2f0d05010 a3=7fff56687650 items=1 ppid=1915 pid=16551 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm="tail" exe="/usr/bin/tail" key=(null)
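    An added example (not part of the original article or of the audit project) that parses a raw SYSCALL record like the one above into a one-line summary: it pulls out single fields, names the syscall from its number for the arch shown, and flags the unset login uid. SAMPLE_RECORD is a constructed copy of the record above; the function names and the deliberately short syscall table are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: decoding a raw SYSCALL record
# from /var/log/audit/audit.log. SAMPLE_RECORD is a constructed copy of the
# record shown in the article.
SAMPLE_RECORD='type=SYSCALL msg=audit(1295200915.069:14977): arch=c000003e syscall=2 success=no exit=-2 a0=7ff2f0ad4f60 a1=0 a2=7ff2f0d05010 a3=7fff56687650 items=1 ppid=1915 pid=16551 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm="tail" exe="/usr/bin/tail" key=(null)'

# audit_field RECORD NAME: value of the key=value pair NAME, quotes stripped.
# Records are space-separated key=value tokens; the value may itself contain '='.
audit_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | awk -F= -v k="$2" \
        '$1 == k { v = substr($0, length(k) + 2); gsub(/"/, "", v); print v; exit }'
}

# syscall_name ARCH NUMBER: name for a few x86_64 (arch=c000003e) numbers.
# The table is an assumption kept short on purpose; on a live system use
# `ausyscall --dump` or the unistd.h header mentioned above instead.
syscall_name() {
    if [ "$1" != "c000003e" ]; then echo "unknown-arch"; return; fi
    case "$2" in
        0) echo read ;; 1) echo write ;; 2) echo open ;; 3) echo close ;;
        59) echo execve ;; 257) echo openat ;;
        *) echo "syscall-$2" ;;
    esac
}

# login_uid AUID: 4294967295 is unsigned -1, meaning the kernel never assigned
# a login uid, so the event cannot be tied to the user who actually logged in.
login_uid() {
    if [ "$1" = "4294967295" ]; then echo unset; else echo "$1"; fi
}

# decode_record RECORD: one-line human-readable summary of a SYSCALL record.
decode_record() {
    rec=$1
    name=$(syscall_name "$(audit_field "$rec" arch)" "$(audit_field "$rec" syscall)")
    if [ "$(audit_field "$rec" success)" = yes ]; then status=OK; else status=FAILED; fi
    printf '%s %s by uid=%s (auid=%s) comm=%s exit=%s\n' \
        "$status" "$name" "$(audit_field "$rec" uid)" \
        "$(login_uid "$(audit_field "$rec" auid)")" \
        "$(audit_field "$rec" comm)" "$(audit_field "$rec" exit)"
}

decode_record "$SAMPLE_RECORD"
```

    Two details of the record are worth reading off the summary: success=no with exit=-2 is the failed open() the -F success=0 rule was written to catch, and auid=4294967295 means the login uid was never set (no pam_loginuid session), so the "who" of the event is only the effective uid, not the user who logged in.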

