Monday, October 30, 2017

Oracle Linux - monitor file changes with auditd

As part of a security and audit strategy it is very common to ensure certain files are monitored for access, changes and execution. This is especially useful for systems that require level of security and where you need to ensure that every change to critical files is monitored. Also some auditors will require that you are able to provide proof of who has had access to a file. When you have those requirements auditd will be the solution you want to implement under Oracle Linux.

The auditd solution is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk. Viewing the logs is done with the ausearch or aureport utilities.

Installing auditd
Installing auditd under Oracle Linux can be done by using YUM by executing the below command;

yum install audit

If you now do a check with which you will find that you now have auditd under /sbin/auditd which we now have to ensure will start when your system boots. This will ensure that all configuration you make for auditd will be active every time you boot.

To  ensure it will start at boot execute the below command.

chkconfig auditd on

To check if auditd is configured to start at boot use the chkconfig command. As you can see it is stated as "on" for runlevel 2, 3, 4 and 5.

[root@docker ~]# chkconfig --list auditd
auditd          0:off 1:off 2:on 3:on 4:on 5:on 6:off
[root@docker ~]# 

Now you will have to make sure auditd is running manually the first time. You can use the below example where we check the status of auditd, find out it is not running, start it, check again and see it is running. At the end of this we are sure we have auditd up and running.

[root@docker ~]# 
[root@docker ~]# service auditd status
auditd is stopped
[root@docker ~]# 
[root@docker ~]# service auditd start
Starting auditd:                                           [  OK  ]
[root@docker ~]# 
[root@docker ~]# service auditd status
auditd (pid  17993) is running...
[root@docker ~]# 

Configure auditd 
As an example we will create a rule to watch changes on a file. Based upon this rule the auditd daemon will monitor it and as soon as someone changes the file the audit data will be written to disk.

In this example we will place the repository file for the Oracle Linux repository under audit and we want to be informed when someone reads the file, changes the content or append the file. This is done with the below command:

[root@docker yum.repos.d]# auditctl -w /etc/yum.repos.d/public-yum-ol6.repo -p war -k main-repo-file
[root@docker yum.repos.d]#

In this example the following flags are used:

-w /etc/yum.repos.d.public-yum-ol6.repo is used to insert a watch on the file.
-p war is used to state the watch applies on write, append and read.
-k main-repo-file is used to make a simple naming for the watch rule.

Do note... that if you want to have your auditd rules persistent you have to ensure the rules are in the .rule file. An empty example is shown below:

[root@docker yum.repos.d]# cat /etc/audit/audit.rules 
# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.

# First rule - delete all

# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 320

# Feel free to add below this line. See auditctl man page

[root@docker yum.repos.d]# 

Watching auditd in action
with the rule in place you can see that changes (or views) are registered. An example is shown below where we (as root) made a change to the file:

time->Mon Oct 30 19:16:13 2017
type=PROCTITLE msg=audit(1509390973.068:30): proctitle=7669002F6574632F79756D2E7265706F732E642F7075626C69632D79756D2D6F6C362E7265706F
type=PATH msg=audit(1509390973.068:30): item=0 name="/etc/yum.repos.d/public-yum-ol6.repo" inode=138650 dev=fb:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=CWD msg=audit(1509390973.068:30):  cwd="/etc/yum.repos.d"
type=SYSCALL msg=audit(1509390973.068:30): arch=c000003e syscall=89 success=no exit=-22 a0=7ffd6bb1ed80 a1=7ffd6bb1fdd0 a2=fff a3=7ffd6bb1eb00 items=1 ppid=17847 pid=18206 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=16 comm="vi" exe="/bin/vi" key="main-repo-file"

You can use a number of tools such as aureport or ausearch to find the changes that have happend on your system. Having auditd up and running and ensuring you have the right configuration in place is just the beginning. You will have to ensure you that you have the right reporting, alerting and triggering in place. Just logging it is not providing security, (automatically) reviewing and taking action upon events is what will help you to get a higher level of security on your Oracle Linux system.

No comments: