auditd
Last updated
Last updated
The Linux auditd system hooks deeply into the kernel, giving it highly granular access to events happening on the system. You can track when files are accessedβwhether that's executing a program, or just opening a file for reading or writing. More generally, auditd can track any system call (see /usr/include/asm/unistd_64.h
for a list of system call names), including matching specific system call arguments and error codes. There's even a hook for capturing user keystrokes, though whether this is a feature or a danger is in the eye of the beholder.
One of the beauties of auditd is that it works at the Linux kernel level, rather than at the user-mode level. This makes it much harder for attackers to subvert. On Red Hat-type systems, auditd comes installed and enabled by default. So, you'll find it already there on your CentOS machine. On Ubuntu, it won't be installed, so you'll have to do it yourself:
check to see whether any audit rules are in effect:
we want to see when someone changes the /etc/passwd file
the rule is only temporary and will disappear when we reboot the machine. To make it permanent, we need to create a custom rules file in the /etc/audit/rules.d/
directory. Then, when you restart the auditd daemon, the custom rules will be inserted into the /etc/audit/audit.rules file.
-D : This will cause all rules and watches that are currently in effect to be deleted so that we can start from a clean slate. So, if I were to restart the auditd daemon right now, it would read this audit.rules file, which would delete the rule that I just created.
-b 8192 : This sets the number of outstanding audit buffers that we can have going at one time. If all of the buffers get full, the system can't generate any more audit messages.
-f 1 : This sets the failure mode for critical errors, and the value can be either 0 , 1 , or 2 . -f 0 would set the mode to silent, meaning that auditd wouldn't do anything about critical errors. -f 1 , as we can see here, tells auditd to only report the critical errors, while -f 2 would cause the Linux kernel to go into panic mode. According to the auditctl man page, anyone in a high-security environment would likely want to change this to -f 2 . For our purposes, though, -f1 works.
You could use your text editor to create a new rules file in the /etc/audit/rules.d/ directory. Alternatively, you could just redirect the auditctl -l output into a new file, like this: