The Linux Audit Framework-2

7/27/2019 The Linux Audit Framework-2

1/39

The Linux AuditFrameworkGary Smith, EMSL, Pacific Northwest NationalLaboratory


2/39

A Little Context

Cyber Security is all about managing risk.

How do you think about managing risk?The Five Golden Principles of Security

Know your system

Principle of Least Privilege

Defense in DepthProtection is key but detection is a must.

Know your enemy.

2


3/39

Introduction

Linux audit helps make your system more secure by

providing you with a means to analyze what is happeningon your system in great detail.

It does not, however, provide additional security itselfitdoes not protect your system from code malfunctions orany kind of exploits.

Instead, Audit is useful for tracking these issues andhelps you take additional security measures, likeSELinux, to prevent them.

Audit consists of several components, each contributing

crucial functionality to the overall framework.The audit kernel module intercepts the system calls andrecords the relevant events.

3


4/39

Introduction (cont.)

The auditd daemon writes the audit reports to disk.

Various command line utilities take care of displaying,querying, and archiving the audit trail.

4


5/39

Linux Audit Framework Capabilities

Audit enables you to do the following:

Associate Users with ProcessesAudit maps processes to the user ID that started them.

This makes it possible for the administrator or security officerto exactly trace which user owns which process and ispotentially doing malicious operations on the system.

Review the Audit TrailLinux audit provides tools that write the audit reports to diskand translate them into human readable format.

Review Particular Audit Events

Audit provides a utility that allows you to filter the audit reports for

certain events of interest.

5


6/39

Linux Audit Framework Capabilities (1)

You can filter for:

UserGroup

Audit ID

Remote Hostname

Remote Host Address

System Call

System Call Arguments

File

File Operations

SessionSuccess or Failure

6


7/39

Linux Audit Framework Capabilities (2)

Apply a Selective Audit

Audit provides the means to filter the audit reports for events ofinterest and also to tune audit to record only selected events.

You can create your own set of rules and have the audit daemonrecord only those of interest to you.

Prevent Audit Data Loss

Audit provides several mechanisms to prevent the loss of auditdata in the event of a loss of system resources.

7


8/39

The Components of Linux Audit

8


9/39

Configuring The Linux Audit Framework

Before you can actually start generating audit logs and

processing them, you must configure the audit framework.Julius Caesar said, Gallia est omnis divisa in tres partes,and just like Gaul, the configuring the audit framework isdivided into three parts:

The Audit Daemon Configuration

The Audit Rules

The Audispd Daemon Configuration

9


10/39

/etc/audit/auditd.conf

The/etc/audit/auditd.confconfiguration file determines

how the audit system functions once the daemon hasbeen started.

For most use cases, the default settings shipped with thepackage should suffice.

Lets take a look at a sample auditd configuration file.

10


11/39

A Sample auditd.conf

log_file = /var/log/audit/audit.log

log_format = RAW

log_group = rootpriority_boost = 4

flush = INCREMENTAL

freq = 20

num_logs = 5

dispatcher = /sbin/audispd

disp_qos = lossyname_format = NONE

##name = mydomain

max_log_file = 6

max_log_file_action = ROTATE

space_left = 75

space_left_action = SYSLOG

action_mail_acct = rootadmin_space_left = 50

admin_space_left_action = SUSPEND

disk_full_action = SUSPEND

11


12/39

Setting Up Audit Rules

Weve given auditd its marching orders; now we have to

define what we are interested in auditing.Audit rules are used to specify which components of yoursystem are audited.

There are three basic types of audit rules:Basic audit system parameters

File and directory watches

System call audits

Before creating an audit rule set and before rolling it outto your system, carefully determine which components to

audit.Extensive auditing can cause a substantial logging load.

Remember: First match wins!

12


13/39

Setting Up Audit Rules (1)

Make sure that your system provides enough disk space

to store large audit logs and test your audit rule setextensively before rolling it out to production.

Audit rules can either be passed to the audit system bythe command line using auditctl or bundled into a rulesfile located under/etc/audit/audit.rules that is read

during the start of the audit daemon.

13


14/39

A Sample audit.rules

# basic audit system parameters

-D-b 8192

-f 1

-e 1

# some file and directory watches

-w /etc/audit/auditd.conf -p rxwa

-w /etc/audit/audit.rules -p rxwa

-w /var/log/audit/

-w /etc/passwd -p rwxa

-w /sbin/auditctlp x# an example system call rule

-a entry,always -S umask

14


15/39

File Watches Caveats

Directory watches produce less verbose logs than exact

file watches.When in need of detailed file-related records, enableseparate file watches for all files of interest.

Pathname globbing of any kind is not supported by audit.Always use the exact pathnames.

Auditing can only be performed on existing files.

Any files added while the audit daemon is already runningare ignored until the audit rule set is updated to watch thenew files.

15


16/39

Assigning Keys to Rules

Assigning keys to your audit rules helps you to identify

any records related to this rule in the logs. An examplerule plus key:

-w /etc/selinux -k MAC-Policy

You may use the same key on different rules in order tobe able to group rules when searching for them.

It is also possible to apply multiple keys to a rule

-w /sbin/auditctl -p x -k privileged -k ids-exec-info

Using the ausearch log analyzer, you can easily filter forany events related to this particular rule.

16


17/39

Auditing the Execution of Setuid/Setgid Binaries

Lets say that as a matter of compliance, you have to

audit the execution of setuid/setgid binaries on yoursystem.

How do you do set that up?

First, run a script like this at boot time from/etc/rc.localsending the output to a temp file,/tmp/snorf, for example.

17


18/39

Auditing the Execution of Setuid/Setgid Binaries (1)

#!/bin/bash

# Find all the file systems that are locally mounted

for i in /bin/egrep '(ext4|ext3|ext2)' /etc/fstab | /bin/awk '{print $2}'`

do

# Find all the files on the file system found above and print out

# and audit rule for it/usr/bin/find $i -xdev -type f $ -perm -4000 -o -perm 2000 $ -print | \

/bin/sort | /bin/awk '{ print "-a always,exit -F path=" $1 " -F perm=x \

-F auid>500 -F auid!=-1 -k privileged -k ids-exec-high" }'

done

18


19/39


And you get something like this (YMMV depending on

whats installed).

-a always,exit -F path=/bin/fusermount -F perm=x -F auid>500 -F auid!=-1 -k privileged -k ids-exec-high

-a always,exit -F path=/bin/ping -F perm=x -F auid>500 -F auid!=-1 -k privileged -k ids-exec-high

-a always,exit -F path=/bin/ping6 -F perm=x -F auid>500 -F auid!=-1 -k privileged -k ids-exec-high

-a always,exit -F path=/bin/su -F perm=x -F auid>500 -F auid!=-1 -k privileged -k ids-exec-high

-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>500 -F auid!=-1 -k privileged -k ids-exec-high-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>500 -F auid!=-1 -k privileged -k ids-exec-high

-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>500 -F auid!=-1 -k privileged -k ids-exec-high

-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>500 -F auid!=-1 -k privileged -k ids-exec-high

19


20/39


Then, point auditctl at the temp file to add the newly

created audit rules.The auditctl program is used to control the behavior, getstatus, and add or delete rules into the kernels auditsystem.

/sbin/auditctlR /tmp/snorf

A couple of things about auditctl:auditctl is not a filter, so output cannot be piped into it.

Rules files forauditctl must be owned by root.

20


21/39

System Call Auditing

System call auditing lets you track your system's behavior

on a level even below the application level.The audit subsystem supports an ample collection ofevents, to include the tracing of arbitrary system callsidentified by system call name, or by system call number.

The audit subsystem can also filter by PID, UID, systemcall success, system call argument, and many otherpossibilities.

When designing these rules, consider that auditing agreat many system calls may increase your system loadand cause you to run out of disk space.

Remember: First match wins!

21


22/39

System Call Audit Rules Examples

-a always,exitS settimeofday

-a always,exit -F arch=b64 -S chmod-a always,exit -F arch=b64 -S chown -F exit=-EACCES

-a always,exit -F arch=b64 -S creat -F exit=-EACCESF uid>=500

-a always,exit -F arch=b64 -S unlink -F auid>=500 -F auid!=-1

-a always,exit -F arch=b64 -S init_module -S delete_modulek moduleskids-sys-info

-a always,exit -S execveF auid>500 -F uid=0k root-exe

-a never,exit -F path=/somefile.dat -S unlink -S unlinkat -S rename -Srenameat

For details on setting up audit rules, see auditctl(8).

22


23/39

Creating Audit Reports

The audit records are stored in/var/log/audit/audit.log.

grep is your friend and you can pull stuff out of the auditlog and get stuff like this:type=SYSCALL msg=audit(1365719016.212:333043): arch=c000003e syscall=171success=yes exit=0 a0=7fff86310c37 a1=6 a2=d a3=7fff8630f3b0 items=0 ppid=22300pid=22311 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)ses=37491 comm="domainname" exe="/bin/hostname"

subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023key=73797374656D2D6C6F63616C65016964732D7379732D6C6F77

Maybe grep isnt your friend, after all.

The raw audit data auditd stores in the/var/log/auditdirectory is quite complex.

To find what you want, you might have to sift throughbazillions of other events before you locate the one thatyou want.

23


24/39

Creating Audit Reports (1)

Use aureport to create concise, human-readable reports.

Some of the useful options are:--summary

--failed

--start and --end (aureport understands today, yesterday, now,recent, this-week, this-month, and this-year)

--auth, --avc, --login, --user, --executable, --syscall

To get started, do aureport summary and you getsomething like this:

24


25/39


Summary Report

======================

Range of time in logs: 03/01/2013 08:17:01.765 - 03/11/2013 16:07:49.252Selected time for report: 03/01/2013 08:17:01 - 03/11/2013 16:07:49.252

Number of changes in configuration: 669

Number of changes to accounts, groups, or roles: 10

Number of logins: 11

Number of failed logins: 2941

Number of authentications: 38

Number of failed authentications: 5

Number of users: 3Number of terminals: 10

Number of host names: 6

Number of executables: 20

Number of files: 597

Number of AVC's: 347

Number of MAC events: 11

Number of failed syscalls: 76

Number of anomaly events: 0

Number of responses to anomaly events: 0

Number of crypto events: 11882

Number of keys: 20

Number of process IDs: 17444

Number of events: 120152

25


26/39


Lets look at some of the failed logins with aureport l

failed:Login Report============================================

# date time auid host term exe success event

============================================

1. 03/07/2013 15:00:37 root 192.168.1.101 ssh /usr/sbin/sshd no 178116


3. 03/07/2013 15:01:54 (unknown user) 192.168.1.101 ssh /usr/sbin/sshd no 178146



6. 03/07/2013 15:02:02 (invalid user) 192.168.1.101 ssh /usr/sbin/sshd no 178184





11. 03/07/2013 15:02:04 (invalid user) 192.168.1.101 ssh /usr/sbin/sshd no 17821012. 03/07/2013 15:02:06 (unknown user) 192.168.1.101 ssh /usr/sbin/sshd no 178220


14. 03/07/2013 15:02:33 ftp 192.168.1.101 ssh /usr/sbin/sshd no 178332

26


27/39

Drilling Deeper with ausearch

Using aureport lets you to create overall summaries of

what is happening on the system, but if you want to drilldeeper into the details of a particular event, ausearch isthe tool to use.

ausearch allows you to search the audit logs usingspecial keys and search phrases that relate to most of the

flags that appear in event messages in/var/log/audit/audit.log

A methodology to use is find an event class of interestwith aureport and then drill down into the nitty-gritty withausearch.

For instance, you use aureport

syscall

failed to seethe failed system calls. Use ausearch and one of theevent ids to get more information.

27


28/39

Drilling Deeper with ausearch (1)

From aureport syscall fail we get:Syscall Report

=======================================

# date time syscall pid comm auid event

=======================================

1. 04/09/2013 16:19:15 87 4006 semodule 25016 53039

From ausearch i a 53039 we get:type=PATH msg=audit(04/09/2013 16:19:15.564:53039) : item=0name=/etc/selinux/targeted/modules/tmp/disable_dontaudit inode=394090 dev=fd:00 mode=dir,700 ouid=root ogid=rootrdev=00:00 obj=unconfined_u:object_r:semanage_store_t:s0

type=CWD msg=audit(04/09/2013 16:19:15.564:53039) : cwd=/root

type=SYSCALL msg=audit(04/09/2013 16:19:15.564:53039) : arch=x86_64 syscall=unlink success=no exit=-2(No suchfile or directory) a0=0x7f7e0a429c60 a1=0x0 a2=0x2 a3=0x7fff08fa5450 items=1 ppid=20218 pid=4006 auid=blottouid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=6353 comm=semoduleexe=/usr/sbin/semodule subj=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 key=MAC-policy key=ids-sys-lowkey=ids-file-info

28


29/39


30/39

Visualizing Audit Data

Neither the data trail in/var/log/audit/audit.log nor the

different report types generated by aureport, provide anintuitive reading experience to the user.

The aureport output is formatted in columns and thuseasily available to any sed, perl, orawk scripts that usersmight connect to the audit framework to visualize the

audit data.A solution: mkbarand mkgraph were created by SteveGrubb at Red Hat. They are available fromhttp://people.redhat.com/sgrubb/audit/visualize/.

Note: These scripts need gnuplot and graphviz to createtheir visualizations.

30
http://people.redhat.com/sgrubb/audit/visualize/http://people.redhat.com/sgrubb/audit/visualize/


31/39

Visualizing Audit Data (1)

Create a plot of events with aureport -e -i --summary |

mkbar events

31

( )


32/39

Visualizing Audit Data (2)

Create a summary of syscall events with aureport -s -i -

-summary | mkbar syscall

32


33/39

Vi li i A dit D t R l ti hi


34/39

Visualizing Audit Data Relationships

To illustrate the relationship between different kinds of

audit objects, such as users and system calls, use thescript mkgraph.

Graphs can also be combined to illustrate complexrelationships.

See the comments in the mkgraph script for further

information and an example.

34

Vi li i A dit D t R l ti hi (1)


35/39

Visualizing Audit Data Relationships (1)

35

To graph the syscalls to programs, do aureport -s -i |

awk '/^[0-9]/ { printf "%s %s\n", $6, $4 }' | sort | uniq |mkgraph syscall-vs-program

Vi li i A dit D t R l ti hi (2)


36/39

Visualizing Audit Data Relationships (2)

To graph to successful programs to files, do LC_ALL=C

aureport -f -i --success | awk '/^[0-9]/ { print $7" "$4 }' |sort | uniq | mkgraph program-vs-file

36

R


37/39

Resources

The Audit Manual Pages

There are several man pages installed along with the audit toolsthat provide valuable and very detailed information:

auditd(8) The Linux Audit daemon

auditd.conf(5) The Linux Audit daemon configuration file

auditctl(8) A utility to assist controlling the kernel's audit

systemautrace(8) A program similar to strace

ausearch(8) A tool to query audit daemon logs

aureport(8) A tool that produces summary reports of auditdaemon logs

audispd.conf(5) The audit event dispatcher configuration fileaudispd(8) The audit event dispatcher daemon talking toplugin programs.

37

R (1)


38/39

Resources (1)

http://people.redhat.com/sgrubb/audit/index.html The

home page of the Linux audit project. This site containsseveral specifications relating to different aspects of Linuxaudit, as well as a short FAQ.

/usr/share/doc/audit The audit package itself contains aREADME with basic design information and sample .rules

files for different scenarios:capp.rules: Controlled Access Protection Profile (CAPP)

lspp.rules: Labeled Security Protection Profile (LSPP)

nispom.rules: National Industrial Security Program OperatingManual Chapter 8(NISPOM)

stig.rules: Secure Technical Implementation Guide (STIG)

38
http://people.redhat.com/sgrubb/audit/index.htmlhttp://people.redhat.com/sgrubb/audit/index.html


39/39

T-t-t-t-thats all, folks!

Gary SmithInformation System Security Officer, Molecular Science

Computing, EMSL, Pacific Northwest NationalLaboratory

Richland, [email protected]
mailto:[email protected]:[email protected]:[email protected]

Documents

The Linux Audit Framework-2