The auditctl program is used to control the behavior, get status, and add or delete rules into the kernel's auditd system.
If you are running a web server with sensitive data, you probably want to monitor which files are being accessed and what kind of activity is taking place on your server.
sudo apt-get install auditd
Once auditd is installed, you can configure it either:
- Using the command line
- Using the configuration file
I recommend using the configuration file, since it is easier to configure, back up and restore if there is any error.
Example configuration file
# first of all, reset the rules (delete all)
-D
# increase the buffers to survive stress events. make this bigger for busy systems.
-b 1024
# monitor unlink() and rmdir() system calls.
-a exit,always -S unlink -S rmdir
# monitor open() system call by Linux UID 1001.
-a exit,always -S open -F loginuid=1001
# monitor write-access and change in file properties (read/write/execute) of the following files.
-w /etc/group -p wa
-w /etc/passwd -p wa
-w /etc/shadow -p wa
-w /etc/sudoers -p wa
# monitor read-access of the following directory.
-w /etc/secret_directory -p r
# lock the audit configuration to prevent any modification of this file.
-e 2
sudo service auditd restart
The audit daemon will write its log to /var/log/audit/audit.log. To search the log you use the ausearch tool; this is how you look for any unauthorized access.
For example, if you want to check whether /etc/passwd has been accessed, you can run the following command:
sudo ausearch -f /etc/passwd
Error deleting rule
If you get Operation not permitted while trying to delete a rule, it is because audit is in immutable mode (-e 2) and no rule changes will be accepted. You can try to stop the service, but if this does not work, you will have to reboot the server. Modify the rules in the configuration file first, then reboot.
You can rotate the audit logs daily. The logs are located in /var/log/audit. You can simply create a cron job with the following command in it:
sudo service auditd rotate
Other useful commands
You can search for events with a specific date and time. If the date is omitted, the current day is assumed. If the time is omitted, the current time is assumed. It is recommended to use 24-hour clock time rather than AM or PM to specify time.
ausearch -ts today -k password-file
ausearch -ts 1/1/14 -k password-file
You can also search for events matching a given executable name using the -x option. For example, to find out who has accessed /etc/passwd using the rm command:
ausearch -ts today -k password-file -x rm
ausearch -ts 1/1/14 -k password-file -x rm
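To make clear what the ausearch -f, -k and -x searches above are actually matching on, here is an added example (not from the original page or the audit project) that correlates the SYSCALL and PATH records of audit.log by their serial number and filters them the same way. The log records are constructed samples, not real captures.

```python
import re
from collections import OrderedDict

# Constructed sample of /var/log/audit/audit.log records (not real captures).
# Each event spans several records that share one msg=audit(time:serial) value.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd a1=241 a2=1b6 a3=0 items=1 ppid=1200 pid=1234 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts0 ses=3 comm="vi" exe="/usr/bin/vi" key="password-file"
type=CWD msg=audit(1700000000.101:201): cwd="/home/alice"
type=PATH msg=audit(1700000000.101:201): item=0 name="/etc/passwd" inode=1234 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.205:202): arch=c000003e syscall=2 success=no exit=-13 a0=7ffd a1=0 a2=0 a3=0 items=1 ppid=1200 pid=1300 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key=(null)
type=CWD msg=audit(1700000000.205:202): cwd="/home/alice"
type=PATH msg=audit(1700000000.205:202): item=0 name="/etc/secret_directory/plan.txt" inode=5678 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')      # key=value or key="value"
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')  # timestamp and serial

def parse_audit_log(text):
    """Group raw records by serial into one event dict each (oldest first)."""
    events = OrderedDict()
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        serial = int(m.group(2))
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        ev = events.setdefault(serial, {"serial": serial, "time": float(m.group(1)), "paths": []})
        if fields.get("type") == "SYSCALL":
            # auid is the login uid (what -F loginuid= matches); key comes from -k
            ev.update({k: fields.get(k) for k in
                       ("auid", "uid", "exe", "comm", "syscall", "success", "key")})
        elif fields.get("type") == "PATH":
            ev["paths"].append(fields.get("name"))
    return list(events.values())

def search(events, path=None, key=None, exe=None):
    """Filter like ausearch -f / -k / -x: every criterion given must match.
    exe matches either the full path or just the program name."""
    hits = []
    for ev in events:
        if path is not None and path not in ev["paths"]:
            continue
        if key is not None and ev.get("key") != key:
            continue
        exe_path = ev.get("exe") or ""
        if exe is not None and exe not in (exe_path, exe_path.rsplit("/", 1)[-1]):
            continue
        hits.append(ev)
    return hits

if __name__ == "__main__":
    for ev in search(parse_audit_log(SAMPLE_LOG), path="/etc/passwd"):
        print(ev["serial"], "auid", ev["auid"], ev["exe"], "success", ev["success"], ev["paths"])
```

A denied access shows up as success=no with a negative exit (here -13, EACCES), so filtering on that field is a cheap way to surface failed attempts against the watched files.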