
Audit of system calls in Linux

Theory


For auditd to work, the kernel must be built with the AUDIT and AUDITSYSCALL options enabled. Check the running kernel's config:
$ grep AUDIT /boot/config-`uname -r`
# CONFIG_AUDIT_ARCH is not set
CONFIG_AUDIT=y
CONFIG_AUDITSYSCALL=y
CONFIG_AUDIT_TREE=y
CONFIG_AUDIT_GENERIC=y

AUDIT enables the general audit subsystem in the Linux kernel, which SELinux also uses. AUDITSYSCALL enables the system call audit infrastructure, which SELinux relies on as well.
The main features of the audit system in the Linux kernel:


Installation


Installing auditd is straightforward. On Debian / Ubuntu:
$ sudo apt-get install auditd
On CentOS:
# yum install audit
Project home page: people.redhat.com/sgrubb/audit

Customization


The auditd configuration file is /etc/audit/auditd.conf. Each line holds at most one directive; the directive name and its value are separated by an equals sign. Most directives control logging and do not need to be changed. For details, see man auditd.conf.

Audit rules


Audit rules are kept in the /etc/audit/audit.rules file.
auditctl -l lists the currently loaded rules, and auditctl -D deletes all of them.
File Access Audit

The main arguments for file access audit rules are:

Add a rule at runtime for the /sys directory (watch it for reads and attribute changes):
sudo auditctl -w /sys/ -p ra
Run Skype and look at the result:
sudo aureport -f
/sbin/audispd permissions should be 0750

File Report
===============================================
# date time file syscall success exe auid event
===============================================
1. 16.01.2011 22:42:04 /sys/class/video4linux/video0/dev 5 yes /usr/bin/skype -1 23
2. 16.01.2011 22:42:03 /sys/devices/system/cpu 5 yes /usr/bin/skype -1 22
3. 16.01.2011 22:42:04 /sys/class/video4linux/video0/device/modalias 5 yes /usr/bin/skype -1 24
4. 16.01.2011 22:42:04 /sys/class/dmi/id/sys_vendor 5 yes /usr/bin/skype -1 25
5. 16.01.2011 22:42:04 /sys/class/dmi/id/product_name 5 yes /usr/bin/skype -1 26
6. 16.01.2011 22:42:04 /sys/class/dmi/id/product_version 5 yes /usr/bin/skype -1 27
7. 16.01.2011 22:42:04 /sys/class/dmi/id/board_vendor 5 yes /usr/bin/skype -1 28
8. 16.01.2011 22:42:04 /sys/class/dmi/id/board_name 5 yes /usr/bin/skype -1 29
9. 16.01.2011 22:42:04 /sys/class/dmi/id/board_version 5 yes /usr/bin/skype -1 30


System call audit

Key attributes:

auditctl -a exit,always -S open -F success=0 enables auditing of every open() call that returns a code less than 0, generating an event on exit from the system call.
#auditctl -a exit,always -S open -F success=0
# touch /tmp/foo
# tail -1 /var/log/audit/audit.log
type=SYSCALL msg=audit(1295200915.069:14977): arch=c000003e syscall=2 success=no exit=-2 a0=7ff2f0ad4f60 a1=0 a2=7ff2f0d05010 a3=7fff56687650 items=1 ppid=1915 pid=16551 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm="tail" exe="/usr/bin/tail" key=(null)

You can look up the name of a system call by its number in include/linux/unistd.h.
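As an added example (not code from the original article), here is a small Python parser for SYSCALL records like the one above: it splits the key=value fields, decodes auid=4294967295 as "no login uid set", turns the negative exit value into its errno text and keeps only failed open/openat calls, which is exactly what the rule above selects. The arch and syscall-number tables are assumed lookups covering only the sample, and the second and third log lines are constructed for the example.

```python
import os
import re

# Constructed sample log: line 1 is the record shown above; lines 2-3 are made up
# (a successful openat by uid 1000, then an openat denied with EACCES under a keyed rule).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1295200915.069:14977): arch=c000003e syscall=2 success=no exit=-2 a0=7ff2f0ad4f60 a1=0 a2=7ff2f0d05010 a3=7fff56687650 items=1 ppid=1915 pid=16551 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm="tail" exe="/usr/bin/tail" key=(null)
type=SYSCALL msg=audit(1295200916.101:14978): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7f0 a2=0 a3=0 items=1 ppid=1915 pid=16560 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1 comm="cat" exe="/bin/cat" key=(null)
type=SYSCALL msg=audit(1295200917.250:14979): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7f0 a2=0 a3=0 items=1 ppid=1915 pid=16561 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1 comm="cat" exe="/bin/cat" key="sensitive-files"
"""

# Assumed lookup tables (only what the sample needs; ausyscall(8) prints the full map).
ARCH = {"c000003e": "x86_64", "40000003": "i386"}
SYSCALL_X86_64 = {2: "open", 257: "openat"}
UNSET_ID = 4294967295  # auid/ses value (unsigned)-1: no login uid was ever set

FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')  # key=value or key="quoted value"

def parse_record(line):
    """Split one audit record into a dict; quoted values lose their quotes."""
    fields = {k: q if raw.startswith('"') else raw for k, raw, q in FIELD_RE.findall(line)}
    m = re.match(r"audit\(([\d.]+):(\d+)\)", fields.get("msg", ""))
    if m:  # msg=audit(<epoch seconds>:<serial>) ties related records together
        fields["time"], fields["serial"] = float(m.group(1)), int(m.group(2))
    return fields

def describe(fields):
    """Decode the numeric fields a reviewer needs: syscall name, auid, exit status."""
    arch = ARCH.get(fields.get("arch"), "unknown")
    num = int(fields.get("syscall", -1))
    name = SYSCALL_X86_64.get(num, "#%d" % num) if arch == "x86_64" else "#%d" % num
    auid, code = int(fields.get("auid", UNSET_ID)), int(fields.get("exit", 0))
    return {
        "serial": fields.get("serial"), "syscall": name, "exe": fields.get("exe"),
        "success": fields.get("success") == "yes", "exit": code,
        "error": os.strerror(-code) if code < 0 else None,  # exit=-2 -> ENOENT
        "auid": None if auid == UNSET_ID else auid,
        "key": None if fields.get("key") in (None, "(null)") else fields.get("key"),
    }

def failed_opens(log_text):
    """Decoded SYSCALL records for open/openat calls that failed (what the rule above selects)."""
    out = []
    for line in log_text.splitlines():
        f = parse_record(line)
        if f.get("type") == "SYSCALL":
            d = describe(f)
            if d["syscall"] in ("open", "openat") and not d["success"]:
                out.append(d)
    return out
```

Note that the page's own record shows comm="tail": reading the log with tail -1 itself tripped the rule, so a real deployment should key the rule (-k) and filter by auid or exe to keep such noise out of reports.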

Source: https://habr.com/ru/post/111968/
