How to monitor events on your Linux data center servers with auditd

With the help of auditd, monitoring events on your Linux servers becomes even easier.


The Linux Auditing System is an outstanding way for sysadmins to create a log rule for nearly every action on a data center server. Using this system means you can track events, record them, and even detect abuse or unauthorized activity via the log files. The audit daemon (auditd) allows you to choose which actions on the server to monitor (as opposed to monitoring everything) and does not interfere with the standard logging tools (such as syslog).

The one caveat to auditd is that it does not actually add any additional security to your system. Instead, it provides the means for you to keep track of any violation that occurs on a server so that you can then take action against the abuse.

With this tool, administrators can keep tabs on any number of systems and services by creating rules via the command line. Auditd operates at the kernel level, so you have access to auditing any service you want. The auditd system is available for most Linux distributions, but I will demonstrate its usage on Ubuntu Server 18.04.


What you need

The only thing you need is a Linux server (or desktop, if you prefer) and a user account with sudo privileges. With those at the ready, let's see how auditd works.

Installation

Auditd is, most likely, already installed on your machine. On the off-chance it is not, you can install it with the command:

sudo apt-get install auditd -y

Once installed, make sure to start and enable the system with the commands:

sudo systemctl start auditd
sudo systemctl enable auditd

Configuring auditd

The configuration of auditd is handled in a single file (whereas rules are handled in a completely separate file). Although the default should suffice for most needs, you can configure the system by issuing the command:

sudo nano /etc/audit/auditd.conf

In that file you might want to configure the following entries:

  • The location of the log file is configured in the line log_file = /var/log/audit/audit.log.
  • The number of logs to be retained on the server is configured in the entry num_logs = 5.
  • Configure the maximum log file size (in MB) in the line max_log_file = 8.

If you do make any changes to that configuration, you'll need to restart auditd with the command:

sudo systemctl restart auditd

Creating a rule

The first thing to do is check to make sure you're starting with a clean slate. Issue the command:

sudo auditctl -l

The above command should display that there are no rules (Figure A).

Figure A: We have a clean slate for auditd.

Let's create rules that will monitor both /etc/passwd and /etc/shadow for any changes. What we want is a rule that watches a specific path for writes to the file and for changes to its attributes (ownership or permissions). In other words, if a malicious user changes the permissions on the passwd or shadow file, or writes to it, the event will be logged. To do this, we'll issue the command:

sudo nano /etc/audit/rules.d/audit.rules

At the bottom of that file, add the following two lines:

-w /etc/shadow -p wa -k shadow
-w /etc/passwd -p wa -k passwd

The breakdown of the above lines looks like this:

  • -w is the path to watch.
  • -p is the permissions to monitor.
  • -k is the keyname for the rule.

As to the permissions, it's somewhat similar to standard Linux, with one addition:

  • r - read
  • w - write
  • x - execute
  • a - change in the file's attribute (either ownership or permissions)

In our example, we want to log both writes to the files (w) and any change to their attributes (a), so our permission string is wa.

Once we've added the two new rules, save and close the file and then restart auditd with the command:

sudo systemctl restart auditd

You should now be able to see the new rules listed (Figure B) by issuing the command:

sudo auditctl -l

Figure B: Our new rules are in place.

Viewing the auditd log file

You can view every entry in the auditd log file by issuing the command:

sudo less /var/log/audit/audit.log

You will quickly find the file to be jam-packed with entries. There has to be an easier way. Fortunately, there is. Because we've included keynames in our rules, we can use a built-in auditd search tool to view only the entries that include either the passwd or shadow keynames. To view any entry that contains the passwd keyname, issue the command:

sudo ausearch -k passwd

You should see every entry that contains the specified keyname listed (Figure C).

Figure C: The passwd keyname shows two entries so far.

Say you add a new user (with the sudo adduser command). Because adding a user creates an entry for that account (which is written to /etc/passwd), it will come up in our ausearch -k passwd search command (Figure D).

Figure D: A new password has been created for a new user and logged with auditd.

The ausearch tool is incredibly powerful. To find out more about its usage, make sure to read through the man page with the command man ausearch.
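To make the relationship between the -k keyname and the log records concrete, here is an added example (not part of the original article or of the audit package): a small shell stand-in for ausearch -k that picks the SYSCALL records carrying a given key out of audit records and shows who touched the file, as which uid, with which program and whether the syscall succeeded. It runs on constructed sample records in the shape of real auditd output; the function names and all values are made up for illustration.

```sh
#!/bin/sh
# Added example, not part of the original article: a stand-in for
# `ausearch -k KEY` that reads a copy of audit.log (or the constructed
# records below) and prints the SYSCALL records tied to a rule's -k name.

# audit_key_events KEY
# Reads audit records on stdin; for every SYSCALL record whose key="KEY"
# prints: <serial> <auid> <uid> <success> <exe>
audit_key_events() {
    awk -v want="$1" '
        $1 != "type=SYSCALL" { next }   # only SYSCALL records carry key=
        {
            # $2 looks like msg=audit(SECONDS.MS:SERIAL): -> serial is the 3rd piece
            split($2, m, /[(:)]/); serial = m[3]
            auid = uid = success = exe = key = "?"
            for (i = 3; i <= NF; i++) {
                split($i, kv, "=")
                gsub(/"/, "", kv[2])        # drop quotes around exe="..." / key="..."
                if (kv[1] == "auid")    auid = kv[2]    # login uid: who really did it
                if (kv[1] == "uid")     uid = kv[2]     # effective uid (after sudo/su)
                if (kv[1] == "success") success = kv[2]
                if (kv[1] == "exe")     exe = kv[2]
                if (kv[1] == "key")     key = kv[2]
            }
            if (key == want) print serial, auid, uid, success, exe
        }'
}

# count_key_events KEY - number of SYSCALL records carrying KEY
count_key_events() { audit_key_events "$1" | wc -l | tr -d ' '; }

# Constructed sample log: shape follows real auditd records, all values made up.
# Serial 101: adduser writing /etc/passwd (the -w /etc/passwd -p wa rule, key passwd).
# Serial 102: root running chmod on /etc/shadow (the 'a' in -p wa, key shadow).
# Serial 103: an unprivileged user opening /etc/shadow for write; denied, but still logged.
SAMPLE_LOG='type=SYSCALL msg=audit(1550000000.123:101): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1200 pid=1234 auid=1000 uid=0 gid=0 euid=0 tty=pts0 comm="adduser" exe="/usr/sbin/adduser" key="passwd"
type=PATH msg=audit(1550000000.123:101): item=0 name="/etc/passwd" inode=131 dev=08:01 mode=0100644 ouid=0 ogid=0
type=SYSCALL msg=audit(1550000000.456:102): arch=c000003e syscall=268 success=yes exit=0 items=1 ppid=1300 pid=1345 auid=1000 uid=0 gid=0 euid=0 tty=pts0 comm="chmod" exe="/bin/chmod" key="shadow"
type=SYSCALL msg=audit(1550000000.789:103): arch=c000003e syscall=257 success=no exit=-13 items=1 ppid=1400 pid=1456 auid=1001 uid=1001 gid=1001 euid=1001 tty=pts1 comm="vi" exe="/usr/bin/vi" key="shadow"
type=USER_LOGIN msg=audit(1550000001.000:104): pid=1500 uid=0 auid=1001 ses=3 res=success'

# Demo: everything the shadow rule caught, including the failed write attempt
printf '%s\n' "$SAMPLE_LOG" | audit_key_events shadow
```

Note that the denied open of /etc/shadow (success=no) is recorded just like the successful chmod: a -p wa watch logs the attempt, not only the outcome, which is exactly the kind of entry worth alerting on.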

And that's the gist of using auditd on your data center Linux servers. You now have the means to keep tabs on nearly any system or service you need to watch.


By Jack Wallen

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website jackwallen.com.