top of page
Writer's pictureroacommabanktercre

Linux: How To Audit Files 



-w: specify the file you want to audit/watch.-p: which operation/permission you want to audit/watch, r for read, w for write, x for execute, a for append.-k: specify a keyword for this audit rule, when searching the audit log, you can search by this keyword




Linux: how to audit files 




3. Please note that changes made to the running audit system by executing auditctl on the command line are not persistent across system restarts. To make changes persistent, add them to the /etc/audit/audit.rules file and, if they are not currently loaded into audit, restart the auditd service to load the modified rule set.


While searching for data has its purpose, reporting is a second useful goal. The aureport utility comes in handy and extracts all data from the file. It will then present the system administrator or auditor with the related information. This information varies from configuration changes (to the audit daemon) up to the amount of failed system calls (syscalls).


Audit rules are defined in the /etc/audit/audit.rules file. Custom audit rules are defined in the /etc/audit/rules.d/custom.conf file. Audit rules defined in files are persistent. Rules can also be implemented at runtime.


-a - Add a new rule-w - Insert a watch for the file system object at a specific path, for example, /etc/shadow.-p- Set permissions filters for a file system.-k - Set a filter key on an audit rule. The filter key uniquely identifies the audit records produced by a rule.-F - Use this field to specify additional options such, as architecture, PID, GID, auid, and so on.-S - Is a system call. This is a name or number.


Note: It's a best practice to use the service command instead of the systemctl command in CentOS and RHEL 7 when restarting the auditd service. Using the systemctl command might cause errors.


If you are running a mission critical web server, or maintaining a storage server loaded with sensitive data, you probably want to closely monitor file access activities within the server. For example, you want to track any unauthorized change in system configuration files such as /etc/passwd.


To monitor who changed or accessed files or directories on Linux, you can use the Linux Audit System which provides system call auditing and monitoring. In the Linux Audit System, a daemon called auditd is responsible for monitoring individual system calls, and logging them for inspection.


Once you installed auditd, you can configure it by two methods. One is to use a command-line utility called auditctl. The other method is to edit the audit configuration file located at /etc/audit/audit.rules. In this tutorial, I will use the auditd configuration file.


Processes are the running workforce on a Linux system. Each process has a particular goal, like forking child processes, handling incoming user requests of monitoring other processes. As a system administrator or IT auditor, you might want to know at some point what disk activity occurs in a process. In this article, we have a look at a few options to quickly reveal what is occuring in a process, including disk and file activity.


The kernel uses system calls, or syscalls for short. These are specific functions, which perform a low-level system function. Think of activities like reserving a memory section, or in this case opening a file from disk. The first utility to provide insights in active syscalls, is the strace utility. By tracking the right system call, we can see exactly what files are opened while it happens. Great for tracking required file access, dependencies, and troubleshooting purposes.


It will do nothing for a while and suddenly it shows up. It looks in several common cron related files (like /etc/crontab and /etc/cron.d). The __xstat function in this case monitors the files and tries avoiding opening each of them, unless it file meta information changed (e.g. modification date). The output suddenly looks different:


The Linux audit framework is a great alternative to strace, but might be less friendly to configure. Especially on a system which already has watches going on, you might want to skip inserting a few test rules. In that case use strace instead.


The praudit command enables you to view the contentsof binary audit files. You can pipe the output from the auditreduce command,or you can read a particular audit file. The -x option isuseful for further processing.


  • Temporary Audit Files are not being written into the Auditing Database.

  • Large amount of files gets left behind in the folder %DefaultAuditingDir%, default location is:

  • Windows: \SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\Auditing

  • Linux/unix: /sap_bobj/data/Auditing



*id*uuid**name**description**type**statusgroupscreatorversioncontextfilenameoriginalFilenamecreatedTimemodifiedTimelastRefreshedTimecanUsecanManageauditFileTemplatetypeFields


*id*uuid**name**description**type**statusgroupscreatorversioncontextfilenameoriginalFilenamecreatedTimemodifiedTimelastRefreshedTimecanUsecanManageauditFileTemplatetypeFields


NOTE #1: This does not modify the template variables. If the latest template has different variables, the user must call /auditFile/id::PATCH.NOTE #2: AuditFiles not based on templates or based on templates that no longer exist (likely due to deprication) will generate an error.


What I can't figure out is however: how to set up audit daemon so that it logs access (read/write) to ALL files within a folder structure (for example /home and all subfolders and files within) ONLY for a given user id.


So that if I had a user "bob" with user ID 2053 I would know every file they ever attempted to open or read on filesystem. I am not interested about access to these files by system services or any other user.


this will track all file open operations for the user with uid=1000, on all the filesystem; beware that if you run it on an user with a graphical session, this will generate HEAPS of logs, for instance stuff (unwanted, I guess) like:


The Linux audit framework provides a CAPP-compliant (Controlled Access Protection Profile) auditing system that reliably collects information about any security-relevant (or non-security-relevant) event on a system. It can help you track actions performed on a system.


Audit can be enabled at boot-time by setting audit=1 as kernel parameter. This will ensure that all processes that run before the audit daemon starts are marked as auditable by the kernel. Not doing that will make a few processes impossible to properly audit. See auditd(8).


Before adding rules, you must know that the audit framework can be very verbose and that each rule must be carefully tested before being effectively deployed. Indeed, just one rule can flood all your logs within a few minutes.


The most basic use of the audit framework is to log the access to the files you want.To do this, you must use a watch -w to a file or a directoryThe most basic rule to set up is to track accesses to the passwd file :


Keep in mind that each audit rule added will generate logs, so you must be ready to treat this amount of information.Basically, each security-related event/file must be monitored, like ids, ips, anti-rootkits etc.On the other side, it is totally useless to track every write syscall, the smallest compilation will fill your logs with this event.


This argument must include both a path (drive letter or network share) and a file name that can include a wildcard. A single asterisk (*) can be used to collect multiple files from an audit file set. For example:


This argument is used to specify a blob URL (including the storage endpoint and container). While it doesn't support an asterisk wildcard, you can use a partial file (blob) name prefix (instead of the full blob name) to collect multiple files (blobs) that begin with this prefix. For example:


Selecting rows from sys.fn_get_audit_file within a Create Table As Select (CTAS) or INSERT INTO is a limitation when running on Azure Synapse Analytics. Although the query completes successfully and no error messages appear, there are no rows present in the table created using CTAS or INSERT INTO.


The Linux Audit system provides fine-grained logging of security-related events, known as Linux audit logs.It is enabled by creating Linux auditing rules that specify which events to log.For example, you can add rules to audit:


For more information about the audit system, see System Auditing in the Red Hat Enterprise Linux Security Guide, your operating system manual, and the Linux Audit Documentation Project repository on GitHub.


The Linux Audit system generates events according to Audit rules.These rules can be set dynamically with the auditctl utility or stored persistently in the /etc/audit/rules.d folder.Persistent rule files are automatically compiled to /etc/audit/audit.rules when auditd is initialized.


The configuration below uses the im_uds input module to collect logs from the dev/log socket.The Exec block filters for messages containing the string audit_syslog and parses matching messages with the parse_syslog_bsd() procedure of the xm_syslog module.Finally, it converts records to JSON format using the to_json() procedure of the xm_json module.


NXLog Enterprise Edition includes the im_linuxaudit input module, which directly accesses the kernel component of the Linux Audit system.With this module, you can configure audit rules and collect logs all within NXLog without requiring tools such as auditd or other userspace software. 2ff7e9595c


1 view0 comments

Recent Posts

See All

Comments


bottom of page