AuditD Config

🔒 Unlocking the Secrets of Digital Fortresses for your Unix. This is just my way of getting into the topic of AuditD by writing my own config.

For production use, prefer the config from Florian Roth, which adopts best practices collected from multiple companies and sources: Neo23x0/auditd

What is AuditD?

AuditD is the user space component of the Linux Auditing System, an in-built feature of the Linux kernel that allows systems administrators to monitor and track security-relevant information, ensuring system integrity and compliance with various regulations. It is designed to integrate with SELinux (Security-Enhanced Linux), which enforces security policies including Mandatory Access Controls (MAC). When certain system calls are invoked, AuditD logs this activity according to rules defined by the administrator, providing a reliable trail that can be inspected in the event of a security incident.

The audit daemon is configured via the auditd.conf file, typically located at /etc/audit/auditd.conf. This configuration file allows the administrator to set parameters such as the maximum size of the log file, the action to take when the log is full (e.g., rotate the log or halt the system), and the location of the log file. Administrators can also define the rate at which messages are sent to the audit log to prevent flooding the system with monitoring messages, which could potentially impact performance.

AuditD collects data by hooking into the Linux kernel audit framework, which intercepts system calls and generates audit records. These records are then passed to AuditD, which processes them and writes them to the audit log. The data captured includes system calls made by users and processes, manipulations of files and directories, and changes to user accounts and group memberships. This breadth of captured data makes AuditD a powerful tool for monitoring system activity and diagnosing system breaches.

The audit log is stored by default in the /var/log/audit/ directory, within a file named audit.log. However, the location can be customized in the auditd.conf file. Each entry in the audit log is made up of several fields, including an event identifier, a timestamp, the user identity (UID), the event type, the success or failure of the event, and other information pertinent to the event such as the command run or the file accessed. The aureport command is a utility that generates reports from the audit daemon logs. It extracts information from the audit logs in a summarized format, making it easier for an administrator to review and analyze. For example, aureport -a provides a list of audit event summaries related to executable files, while aureport -l shows a list of all login-related events.

The ausearch command is another utility for searching the audit logs. Unlike aureport, which generates summary reports, ausearch allows for searching specific details in the audit logs based on different search criteria like event time, user IDs, event types, and more. For example: ausearch -m LOGIN -ui 1000 would search for all login events generated by the (privileged) user with UID 1000.
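A small parser for the record format described above, added here as an example that is not from the original post: it groups raw audit.log lines by their serial number, treats the unset loginuid value 4294967295 the way the baseline's exclusions do, and flags root commands run from a non-root login and denied file opens, i.e. the events the exec and file_access keys in the baseline below are meant to catch. The sample records are constructed, not captured from a real host.

```python
"""Parse raw audit.log records into events keyed by serial and apply two
checks that mirror the baseline rules: root commands from a non-root login
(key "exec") and denied file access (key "file_access"). Added example, not
from the original post; SAMPLE_LOG is constructed, not captured."""
import re

UNSET_AUID = 4294967295  # (unsigned long)-1: loginuid never set, e.g. daemons

SAMPLE_LOG = """\
type=SYSCALL msg=audit(1697900000.101:501): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1201 auid=1000 uid=0 gid=0 euid=0 comm="cat" exe="/usr/bin/cat" key="exec"
type=EXECVE msg=audit(1697900000.101:501): argc=2 a0="cat" a1="/etc/shadow"
type=SYSCALL msg=audit(1697900000.102:502): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 comm="run-parts" exe="/usr/bin/run-parts" key="exec"
type=SYSCALL msg=audit(1697900000.103:503): arch=c000003e syscall=257 success=no exit=-13 ppid=1200 pid=1203 auid=1000 uid=1000 gid=1000 euid=1000 comm="cat" exe="/usr/bin/cat" key="file_access"
type=PATH msg=audit(1697900000.103:503): item=0 name="/etc/shadow" inode=1234 mode=0100640 ouid=0 ogid=42
"""

HEADER = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_records(text):
    """Group records by serial: {serial: {record_type: {field: value}}}."""
    events = {}
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # not an audit record (blank, truncated, etc.)
        rtype, _ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        events.setdefault(int(serial), {})[rtype] = fields
    return events

def classify(event):
    """Return a finding for an event that has a SYSCALL record, else None."""
    sc = event["SYSCALL"]
    auid, uid, key = int(sc["auid"]), int(sc["uid"]), sc.get("key")
    if key == "exec" and auid == UNSET_AUID:
        return None  # no login session behind it (cron, daemons): excluded
    if key == "exec" and uid == 0 and auid != 0:
        ex = event.get("EXECVE", {})
        argv = " ".join(ex[f"a{i}"] for i in range(int(ex.get("argc", 0))))
        return f"root command via sudo/su by auid={auid}: {argv}"
    if key == "file_access" and sc.get("success") == "no":
        name = event.get("PATH", {}).get("name", "?")
        return f"denied access (exit={sc['exit']}) by auid={auid} to {name}"
    return None

def findings(text):
    """(serial, finding) for every non-benign event, oldest serial first."""
    events = parse_records(text)
    pairs = ((s, classify(e)) for s, e in sorted(events.items()) if "SYSCALL" in e)
    return [(s, f) for s, f in pairs if f]
```

Real logs carry more fields per record (a0..a3 in hex on SYSCALL lines, multiple PATH items), which the field regex tolerates; the checks only read the fields shown.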

The audit.rules file, typically located at /etc/audit/audit.rules, is where the administrator defines what actions to capture. When the AuditD service starts, it reads this file to determine what events to monitor. Good rules to capture often include file access and changes to critical system files, changes to user/group information, and usage of privileged commands. Rules can be made as broad or as specific as required, allowing a granular level of control over what information is logged.

Creating the audit.rules file requires a good understanding of the system and its security needs. It should be configured to capture enough information to be helpful for security audits without overwhelming the system or administrators with too much data. Rules should be tested to ensure they capture the required information and do not generate excessive false positives that could hide true security concerns.
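Part of testing a rule set is checking it for slips that make rules load but do nothing. The following linter is an added example, not part of the original post or of auditd itself: it reads a rules file and reports lines placed after -e 2 (the kernel rejects every configuration change once the config is locked), never-rules that sit after an always-rule (the syscall filter is first-match), record types passed to -S instead of -F msgtype, and exit= values missing the minus sign that a failed syscall's errno carries. SAMPLE_RULES is a constructed file that reproduces each of those.

```python
"""Lint an auditctl rules file for slips that make rules silently do
nothing. Added example, not part of the original post; SAMPLE_RULES is a
constructed file that reproduces the mistakes the checks look for."""
import shlex

SAMPLE_RULES = """\
-D
-b 8192
-a never,exit -F arch=b64 -S adjtimex -F uid=chrony -k ntp
-a always,exit -F arch=b64 -S execve,execveat -F uid!=0 -k exec
-a always,exit -F arch=b64 -S setuid -F exit=EPERM -k setuid_denied
-a never,exit -F arch=b64 -S TIME_ADJNTPVAL -k ntp
-e 2
-f 1
"""

def lint_rules(text):
    """Return a list of (line_no, message) for every problem found."""
    problems, locked_at, seen_always = [], None, False
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if locked_at is not None:
            # Once enabled=2 is set the kernel rejects every further change.
            problems.append((no, f"unreachable: config locked by -e 2 on line {locked_at}"))
            continue
        argv = shlex.split(line)
        if argv[:2] == ["-e", "2"]:
            locked_at = no
            continue
        if argv[0] != "-a" or "exit" not in argv[1].split(","):
            continue  # only syscall (exit) list rules are checked below
        actions = argv[1].split(",")
        if "always" in actions:
            seen_always = True
        elif "never" in actions and seen_always:
            # The exit filter list is first-match: an exclusion placed after
            # a matching always-rule is never reached.
            problems.append((no, "never-rule after an always-rule may be shadowed"))
        for flag, val in zip(argv, argv[1:]):
            if flag == "-S" and val.isupper():
                # Heuristic: syscall names are lowercase; upper-case names are
                # record types, which belong in an exclude-list rule instead.
                problems.append((no, f"-S {val} is a msgtype, not a syscall; use -a always,exclude -F msgtype={val}"))
            if flag == "-F" and val.startswith("exit=E"):
                # A failed syscall returns a negative errno, so the sign matters.
                problems.append((no, f"{val}: write exit=-{val[5:]} to match a failure"))
    return problems
```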

In conclusion, AuditD is a crucial tool in the arsenal of a Linux system administrator. It provides a robust framework for monitoring system activity that is critical for security and compliance. Properly configuring and maintaining the AuditD service and its associated components ensures that valuable information is captured and stored securely, providing a key resource for understanding system events and detecting potential security incidents.

AuditD baseline

The latest, automatically tested version can be found here: BenjiTrapp/auditd-rules

A possibly outdated but good baseline version for quick copy&paste can be found below:

# This file contains the auditctl rules that are loaded whenever the audit daemon is started via the initscripts.
#
# 
#  █████╗ ██╗   ██╗██████╗ ██╗████████╗██████╗ 
# ██╔══██╗██║   ██║██╔══██╗██║╚══██╔══╝██╔══██╗
# ███████║██║   ██║██║  ██║██║   ██║   ██║  ██║
# ██╔══██║██║   ██║██║  ██║██║   ██║   ██║  ██║
# ██║  ██║╚██████╔╝██████╔╝██║   ██║   ██████╔╝
# ╚═╝  ╚═╝ ╚═════╝ ╚═════╝ ╚═╝   ╚═╝   ╚═════╝ 
#                    Harden your Unix                           
# 
#
# Created: 21.10.2023
#
# Compiled by Der Benji (nyctophobia@protonmail.com)


# First rule - delete all
-D

# ignore errors when reading rules from a file
-i
# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 8192

# Ignore current working directory records
#-a always,exclude -F msgtype=CWD

# filter
# 4294967295 is just (unsigned long) -1. -1 means that loginuid was not set. This is normal behavior for processes that were not spawned by any login process (e.g. for daemons). loginuid is -1 by default; pam_loginuid module changes it to your user id whenever you login (in a tty/in DM/via ssh), and this value is preserved by child processes.
# https://stackoverflow.com/questions/22914627/some-uids-in-proc-pid-loginuid-are-strange
-a always,exclude -F msgtype=USER_AUTH -F auid=4294967295 -F uid=processing
-a always,exclude -F msgtype=USER_ACCT -F auid=4294967295 -F uid=processing
-a always,exclude -F msgtype=CRED_ACQ  -F auid=4294967295 -F uid=processing
-a always,exclude -F msgtype=CRED_DISP -F auid=4294967295 -F uid=processing
-a always,exclude -F msgtype=SECCOMP
-a always,exclude -F msgtype=CRYPTO_KEY_USER
-a always,exclude -F msgtype=CRED_DISP
-a always,exclude -F msgtype=CRED_REFR
-a always,exclude -F msgtype=USER_END
-a always,exclude -F msgtype=CRED_ACQ
-a always,exclude -F msgtype=CONFIG_CHANGE -F auid=0 -F uid=0
-a always,exclude -F msgtype=USER_ACCT -F auid=0 -F uid=0
-a always,exclude -F msgtype=USER_ACCT -F auid=-1 -F uid=0
-a always,exclude -F msgtype=LOGIN -F auid=0 -F uid=0


## Exclude Cron
-a never,user -F subj_type=crond_t
-a never,exit -F subj_type=crond_t
-a never,exit -F exe=/usr/sbin/cron -F success=0

# Exclude the SSH daemon from audit
-a never,exit -F dir=/lib64/libcap.so.2 -F exe=/usr/sbin/sshd -k exclude_SSH
-a never,exit -F dir=/lib64/librt.so.1 -F exe=/usr/sbin/sshd -k exclude_SSH
-a never,exit -F exe=/usr/sbin/sshd -k exclude_SSH

# Exclude specific system binaries from audit (ps run by non-root users)
-a never,exit -F exe=/usr/bin/ps -F uid!=0

# Special case GitLab's embedded git and its helpers, exclude
-a never,exit -F exe=/opt/gitlab/embedded/bin/git
-a never,exit -F exe=/opt/gitlab/embedded/bin/gitaly-hooks
-a never,exit -F exe=/opt/gitlab/embedded/libexec/git-core/git
-a never,exit -F exe=/opt/gitlab/embedded/bin/gitaly-git-v2.35.1.gl1
-a never,exit -F exe=/opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell
-a never,exit -F exe=/opt/gitlab/embedded/bin/gitaly-git2go-v14
-a never,exit -F exe=/opt/gitlab/embedded/bin/ruby


# Exclude Amazon logs 
-a never,exit -F arch=b32 -F dir=/var/log/amazon -S unlink -S unlinkat -S rename -S renameat  -S rmdir -S truncate -k logs
-a never,exit -F arch=b64 -F dir=/var/log/amazon -S unlink -S unlinkat -S rename -S renameat  -S rmdir -S truncate -k logs

## This prevents chrony from overwhelming the logs
-a never,exit -F arch=b64 -S adjtimex -F auid=unset -F uid=chrony -F subj_type=chronyd_t
# TIME_ADJNTPVAL is a record type, not a syscall, so it cannot be given to -S; drop it via the exclude list instead
-a always,exclude -F msgtype=TIME_ADJNTPVAL

# command executions by non-root users only
-a always,exit -F arch=b64 -S execve,execveat -F uid!=0 -k exec
-a always,exit -F arch=b32 -S execve,execveat -F uid!=0 -k exec

# Identifies the deletion of sensitive Linux system logs
-a always,exit -F arch=b32 -F dir=/var/run -S unlink -S unlinkat -S rename -S renameat  -S rmdir -S truncate -k logs
-a always,exit -F arch=b32 -F dir=/var/log -S unlink -S unlinkat -S rename -S renameat  -S rmdir -S truncate -k logs
-a always,exit -F arch=b64 -F dir=/var/run -S unlink -S unlinkat -S rename -S renameat  -S rmdir -S truncate -k logs
-a always,exit -F arch=b64 -F dir=/var/log -S unlink -S unlinkat -S rename -S renameat  -S rmdir -S truncate -k logs

# Adversaries may modify SSH-related binaries (note that the first watch covers everything under /usr/sbin/, not just sshd)
-w /usr/sbin/ -p wa -k SSH
-w /usr/bin/ssh -p wa -k SSH
-w /usr/bin/sftp -p wa -k SSH
-w /usr/bin/scp -p wa -k SSH


## Kernel module loading and unloading
-a always,exit -F arch=b64 -S finit_module -S init_module -S delete_module -F auid!=-1 -k modules
-a always,exit -F arch=b32 -S finit_module -S init_module -S delete_module -F auid!=-1 -k modules


# Exclude for curl that writes a lot to /etc/pki/
-a never,exit -F arch=b64  -F dir=/etc/pki -F exe=/usr/bin/curl -k exclude_file
-a never,exit -F arch=b32  -F dir=/etc/pki -F exe=/usr/bin/curl -k exclude_file
## All changes under /etc/
-w /etc/ -p wa  -k config_changes

## SSH
-a always,exit -F dir=/usr/ -F perm=wa -F exe=/usr/bin/ssh -k SSH
-a always,exit -F dir=/usr/ -F perm=wa -F exe=/usr/sbin/sshd -k SSH


## Injection
### These rules watch for code injection by the ptrace facility.
### This could indicate someone trying to do something bad or just debugging
-a always,exit -F arch=b32 -S ptrace -F a0=0x4 -k code_injection
-a always,exit -F arch=b64 -S ptrace -F a0=0x4 -k code_injection
-a always,exit -F arch=b32 -S ptrace -F a0=0x5 -k data_injection
-a always,exit -F arch=b64 -S ptrace -F a0=0x5 -k data_injection
-a always,exit -F arch=b32 -S ptrace -F a0=0x6 -k register_injection
-a always,exit -F arch=b64 -S ptrace -F a0=0x6 -k register_injection
-a always,exit -F arch=b32 -S ptrace -k tracing
-a always,exit -F arch=b64 -S ptrace -k tracing
-a always,exit -F arch=b32 -S process_vm_readv -k process_memory_reading
-a always,exit -F arch=b64 -S process_vm_readv -k process_memory_reading
-a always,exit -F arch=b32 -S process_vm_writev -k process_memory_writing
-a always,exit -F arch=b64 -S process_vm_writev -k process_memory_writing


## 32bit API Exploitation
### If you are on a 64 bit platform, everything _should_ be running
### in 64 bit mode. This rule will detect any use of the 32 bit syscalls
### because this might be a sign of someone exploiting a hole in the 32
### bit API.
-a always,exit -F arch=b32 -S all -k 32bit_api

### Unauthorized Access (unsuccessful)
# This can produce a lot of logs.
-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid!=-1 -k file_access
-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM  -F auid!=-1 -k file_access
-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES  -F auid!=-1 -k file_access
-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM  -F auid!=-1 -k file_access

## Process ID change (switching accounts) applications
-w /bin/su -p x -k priv_esc
-w /usr/bin/sudo -p x -k priv_esc

## Power state
-w /sbin/shutdown -p x -k power
-w /sbin/poweroff -p x -k power
-w /sbin/reboot -p x -k power
-w /sbin/halt -p x -k power

# Systemd
#-w /bin/systemctl -p x -k systemd

## Passwd
-w /usr/bin/passwd -p x -k passwd_modification

## Tools to change group identifiers
-w /usr/sbin/groupadd -p x -k group_modification
-w /usr/sbin/groupmod -p x -k group_modification
-w /usr/sbin/addgroup -p x -k group_modification
-w /usr/sbin/useradd -p x -k user_modification
-w /usr/sbin/userdel -p x -k user_modification
-w /usr/sbin/usermod -p x -k user_modification
-w /usr/sbin/adduser -p x -k user_modification

### Local time zone
-w /etc/localtime -p wa -k localtime

## Stunnel
-w /usr/sbin/stunnel -p x -k stunnel
-w /usr/bin/stunnel -p x -k stunnel

## Suspicious activity
-w /usr/bin/wget -p x -k susp_activity
-w /usr/bin/base64 -p x -k susp_activity
-w /bin/nc -p x -k susp_activity
-w /bin/netcat -p x -k susp_activity
-w /usr/bin/ncat -p x -k susp_activity
-w /usr/bin/ssh -p x -k susp_activity
-w /usr/bin/scp -p x -k susp_activity
-w /usr/bin/sftp -p x -k susp_activity
-w /usr/bin/ftp -p x -k susp_activity
-w /usr/bin/socat -p x -k susp_activity
-w /usr/bin/wireshark -p x -k susp_activity
-w /usr/bin/tshark -p x -k susp_activity
-w /usr/bin/rawshark -p x -k susp_activity
-w /usr/bin/rdesktop -p x -k susp_activity
-w /usr/bin/nmap -p x -k susp_activity
-w /usr/bin/telnet -p x -k susp_activity
-w /usr/bin/hping3 -p x -k susp_activity
-w /usr/bin/strace -p x -k susp_activity
-w /usr/bin/mknod -p x -k susp_activity
-w /usr/sbin/setenforce -p x -k susp_activity



## root ssh key tampering
-w /root/.ssh -p wa -k rootkey

## Reconnaissance
-w /usr/bin/whoami -p x -k recon


## Sbin suspicious activity
-w /sbin/iptables -p x -k sbin_susp
-w /sbin/ip6tables -p x -k sbin_susp
-w /sbin/ifconfig -p x -k sbin_susp
-w /usr/sbin/arptables -p x -k sbin_susp
-w /usr/sbin/ebtables -p x -k sbin_susp
-w /sbin/xtables-nft-multi -p x -k sbin_susp
-w /usr/sbin/nft -p x -k sbin_susp
-w /usr/sbin/tcpdump -p x -k sbin_susp
-w /usr/sbin/traceroute -p x -k sbin_susp
-w /usr/sbin/ufw -p x -k sbin_susp
-w /usr/sbin/firewalld -p x -k sbin_susp
-w /usr/sbin/rsyslogd -p x -k sbin_susp
-w /usr/sbin/syslog-ng -p x -k sbin_susp
-w /usr/sbin/syslog -p x -k sbin_susp


# Priv Escalation Related Events
-w /etc/sudoers -p rw -k T1169_Sudo
-a always,exit -F arch=b64 -S chmod        -F auid>=500 -F auid!=4294967295 -k T1166_Setuid_and_Setgid1
-a always,exit -F arch=b64 -S chown        -F auid>=500 -F auid!=4294967295 -k T1166_Setuid_and_Setgid2
-a always,exit -F arch=b64 -S fchmod       -F auid>=500 -F auid!=4294967295 -k T1166_Setuid_and_Setgid3
-a always,exit -F arch=b64 -S fchmodat     -F auid>=500 -F auid!=4294967295 -k T1166_Setuid_and_Setgid4
-a always,exit -F arch=b64 -S fchown       -F auid>=500 -F auid!=4294967295 -k T1166_Setuid_and_Setgid5
-a always,exit -F arch=b64 -S fchownat     -F auid>=500 -F auid!=4294967295 -k T1166_Setuid_and_Setgid6
-a always,exit -F arch=b64 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k T1166_Setuid_and_Setgid7
-a always,exit -F arch=b64 -S fsetxattr    -F auid>=500 -F auid!=4294967295 -k T1166_Setuid_and_Setgid8
-a always,exit -F arch=b64 -S lchown       -F auid>=500 -F auid!=4294967295 -k T1166_Setuid_and_Setgid9
-a always,exit -F arch=b64 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k T1166_Setuid_and_Setgid10
-a always,exit -F arch=b64 -S lsetxattr    -F auid>=500 -F auid!=4294967295 -k T1166_Setuid_and_Setgid11
-a always,exit -F arch=b64 -S removexattr  -F auid>=500 -F auid!=4294967295 -k T1166_Setuid_and_Setgid12
-a always,exit -F arch=b64 -S setxattr     -F auid>=500 -F auid!=4294967295 -k T1166_Setuid_and_Setgid13
-a always,exit -F arch=b64 -S setuid -S setgid -S setreuid -S setregid -F exe!=/usr/sbin/crond -F exe!=ssm-session-worker -k T1166_Setuid_and_Setgid14
# a failed syscall returns a negative errno, so the exit filter needs the minus sign
-a always,exit -F arch=b64 -S setuid -S setgid -S setreuid -S setregid -F exit=-EPERM -k T1166_Setuid_and_Setgid15
-w /usr/bin -p wa -k T1068_Exploitation_for_Privilege_Escalation


# command executions as root from a non-root login session (auid != 0), i.e. after sudo/su
-a always,exit -F arch=b64 -S execve,execveat -F auid!=0 -F auid!=-1 -F uid=0 -k exec
-a always,exit -F arch=b32 -S execve,execveat -F auid!=0 -F auid!=-1 -F uid=0 -k exec

## Set failure mode to syslog
-f 1

# Make the Audit Configuration Immutable. This must be the last line: once enabled=2 is set, the kernel rejects every further configuration change (including -f) until reboot.
-e 2

Written on October 21, 2023