Audit rules for monitoring Copy, move, delete and kill Commands In Linux

System auditing with auditd

System auditing is a very important task that should be a part of every server. It allows us to audit minute details related to what exactly is happening within the system. auditd is a userspace component to the Linux auditing system. This means that system users will be able to run auditd to configure rules and alerts for auditing functionality with the Linux system.

One of the best things about auditd is that it is tightly integrated with the kernel, so it gives us the power to monitor almost everything we want, really. In order to allow users to see what is going on, auditd can record all the audit-related events to a disk and we can use various tools such as ausearch or aureport to go through the log files.

By default, there are no rules that are configured. We need to write our rules in the /etc/audit/audit.rules configuration file that will be read and the corresponding audit actions will be applied.

Installing Auditd

Now that we somewhat understand what auditd is about, let’s go ahead and get working with auditd with the preceding use case:

1. Install the auditd packages. The auditd packages are a part of the default installation CentOS 7 systems. We can verify it with the following command:

# rpm -qa | grep audit
audit-libs-2.6.5-3.el7_3.1.x86_64
audit-2.6.5-3.el7_3.1.x86_64
audit-libs-python-2.6.5-3.el7_3.1.x86_64

2. If the package is not a part of our system, we can go ahead and install it:

# yum install audit

3. Make sure that the audit daemon is running. We will use the following command:

# systemctl status auditd
 auditd.service - Security Auditing Service
    Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled;
 vendor preset: enabled)
    Active: active (running) since Wed 2018-10-24 04:33:48 UTC; 4min
 21s ago
    Docs: man:auditd(8)
          https://people.redhat.com/sgrubb/audit/
    Process: 425 ExecStartPost=/sbin/augenrules --load (code=exited,
  status=0/SUCCESS)
 Main PID: 424 (auditd)
     CGroup: /system.slice/auditd.service
            └─424 /sbin/auditd -n

Since we have an audit daemon up and running, lets see how we can use auditd to achieve all 4 of the use cases.

Auditd Rules for Copy, move, delete and kill Commands

1. Take a backup of the existing configuration file (auditd rules):

# cp /etc/audit/audit.rules /etc/audit/audit.rules.bkp

2. Edit the file /etc/audit/audit.rules and append the following rules to make it persistent:

# vi /etc/audit/audit.rules
# Audit Copy, Move, Delete & Create file commands
-a exit,always -F arch=b64 -S execve -F path=/bin/cp -k Copy
-a exit,always -F arch=b64 -S execve -F path=/bin/mv -k Move_Rename
-a exit,always -F arch=b64 -S execve -F path=/bin/rm -k Delete
-a exit,always -F arch=b64 -S execve -F path=/bin/vi -k Create_Edit_View_File

# Audit shutdown & Reboot command
-a exit,always -F arch=b64 -S execve -F path=/sbin/reboot -k Reboot
-a exit,always -F arch=b64 -S execve -F path=/sbin/init -k Reboot
-a exit,always -F arch=b64 -S execve -F path=/sbin/poweroff -k Reboot
-a exit,always -F arch=b64 -S execve -F path=/sbin/shutdown -k Reboot

# Audit mount unmount commands
-a exit,always -F arch=b64 -S execve -F path=/bin/mount -k mount_device
-a exit,always -F arch=b64 -S execve -F path=/bin/umount -k unmount_device

# Kill Process
-a exit,always -F arch=b64 -S kill -k Kill_Process

3. Restart the auditd service to apply the changes.

# service auditd restart

4. List the added rules, to verify these are correct:

# auditctl -l
Note: bash (and many other shells) has a built-in “kill” command which doesn’t actually run /usr/bin/kill. So if the built-in command is run instead, comm=bash is correct. There is no way to force the system to use the /usr/bin/kill external program. comm=kill is not going to happen in all cases, because shells can call the syscall directly without running the external program named “kill”
Related Post