Diversity w polskim IT
Adrian Ambroziak
Adrian AmbroziakTechnical Services Engineer

Jak zainstalować i skonfigurować auditd na Linuxie

Dowiedz się, jak działa aplikacja auditd na Linuxie, jak ją zainstalować oraz sprawdź przykładową konfigurację.
18.03.20215 min
Jak zainstalować i skonfigurować auditd na Linuxie

Auditd to jedna z najczęściej spotykanych aplikacji w systemach Linux w większości firm. Pozwala ona na monitorowanie tego, co dzieje się w systemie. Adrian Ambroziak opowiada o tym, jak działa ta aplikacja, jak ją zainstalować oraz skonfigurować auditd.


Reguły w /etc/audit/rules.d/audit.rules

#####################
# This is an example configuration suitable for most systems
# Before running with this configuration:
# - Remove or comment items which are not applicable
# - Check paths of binaries and files
#####################

#####################
# Remove any existing rules
######################
-D
#####################
# Buffer Size
# Might need to be increased, depending on the load of your system.
#####################
-b 8192

#####################
# Failure Mode
#####################
# 0=Silent
# 1=printk, print failure message
# 2=panic, halt system
-f 1

#####################
# Audit the audit logs.
#####################
 -w /var/log/audit/ -k auditlog

#####################
# Auditd configuration
#####################
## Modifications to audit configuration that occur while the audit (check your paths)
-w /etc/audit/ -p wa -k auditconfig
-w /etc/libaudit.conf -p wa -k auditconfig
-w /etc/audisp/ -p wa -k audispconfig

#####################
# Monitor for use of audit management tools
#####################
# Check your paths
-w /sbin/auditctl -p x -k audittools
-w /sbin/auditd -p x -k audittools

#####################
# Special files
#####################
-a exit,always -F arch=b32 -S mknod -S mknodat -k specialfiles
-a exit,always -F arch=b64 -S mknod -S mknodat -k specialfiles

#####################
# Mount operations
#####################
-a exit,always -F arch=b32 -S mount -S umount -S umount2 -k mount
-a exit,always -F arch=b64 -S mount -S umount2 -k mount
 
#####################
# Changes to the time
#####################
-a exit,always -F arch=b32 -S adjtimex -S settimeofday -S stime -S clock_settime -k time
-a exit,always -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k time
-w /etc/localtime -p wa -k localtime

#####################
# Use of stunnel
#####################
-w /usr/sbin/stunnel -p x -k stunnel

#####################
# Schedule jobs
#####################
-w /etc/cron.allow -p wa -k cron
-w /etc/cron.deny -p wa -k cron
-w /etc/cron.d/ -p wa -k cron
-w /etc/cron.daily/ -p wa -k cron
-w /etc/cron.hourly/ -p wa -k cron
-w /etc/cron.monthly/ -p wa -k cron
-w /etc/cron.weekly/ -p wa -k cron
-w /etc/crontab -p wa -k cron
-w /var/spool/cron/crontabs/ -k cron

##################### 
# user, group, password databases
#####################
-w /etc/group -p wa -k etcgroup
-w /etc/passwd -p wa -k etcpasswd
-w /etc/gshadow -k etcgroup
-w /etc/shadow -k etcpasswd
-w /etc/security/opasswd -k opasswd

#####################
# Monitor usage of passwd command
#####################
-w /usr/bin/passwd -p x -k passwd_modification

#####################
# Monitor user/group tools
#####################
-w /usr/sbin/groupadd -p x -k group_modification
-w /usr/sbin/groupmod -p x -k group_modification
-w /usr/sbin/addgroup -p x -k group_modification
-w /usr/sbin/useradd -p x -k user_modification
-w /usr/sbin/usermod -p x -k user_modification
-w /usr/sbin/adduser -p x -k user_modification

#####################
# Login configuration and stored info
#####################
-w /etc/login.defs -p wa -k login
-w /etc/securetty -p wa -k login
-w /var/log/faillog -p wa -k login
-w /var/log/lastlog -p wa -k login
-w /var/log/tallylog -p wa -k login

#####################
# Network configuration
#####################
-w /etc/hosts -p wa -k hosts
-w /etc/network/ -p wa -k network

#####################
# system startup scripts
#####################
-w /etc/inittab -p wa -k init
-w /etc/init.d/ -p wa -k init
-w /etc/init/ -p wa -k init

#####################
# Library search paths
#####################
-w /etc/ld.so.conf -p wa -k libpath

#####################
# Kernel parameters and modules
#####################
-w /etc/sysctl.conf -p wa -k sysctl
-w /etc/modprobe.conf -p wa -k modprobe

#####################
# PAM configuration
#####################
-w /etc/pam.d/ -p wa -k pam
-w /etc/security/limits.conf -p wa  -k pam
-w /etc/security/pam_env.conf -p wa -k pam
-w /etc/security/namespace.conf -p wa -k pam
-w /etc/security/namespace.init -p wa -k pam

#####################
# Puppet (SSL)
#####################
-w /etc/puppetlabs/puppet/ssl -p wa -k puppet_ssl

#####################
# Postfix configuration
#####################
-w /etc/aliases -p wa -k mail
-w /etc/postfix/ -p wa -k mail

#####################
# SSH configuration
#####################
-w /etc/ssh/sshd_config -k sshd

#####################
# Hostname
#####################
-a exit,always -F arch=b32 -S sethostname -k hostname
-a exit,always -F arch=b64 -S sethostname -k hostname

#####################
# Changes to issue
#####################
-w /etc/issue -p wa -k etcissue
-w /etc/issue.net -p wa -k etcissue

#####################
# Log all commands executed by root
#####################
-a exit,always -F arch=b64 -F euid=0 -S execve -k rootcmd
-a exit,always -F arch=b32 -F euid=0 -S execve -k rootcmd

#####################
# Capture all failures to access on critical elements
#####################
-a exit,always -F arch=b64 -S open -F dir=/etc -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -F dir=/bin -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -F dir=/home -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -F dir=/sbin -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -F dir=/srv -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -F dir=/usr/bin -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -F dir=/usr/local/bin -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -F dir=/usr/sbin -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -F dir=/var -F success=0 -k unauthedfileacess

#####################
# su/sudo
#####################
-w /bin/su -p x -k priv_esc
-w /usr/bin/sudo -p x -k priv_esc
-w /etc/sudoers -p rw -k priv_esc

#####################
# Poweroff/reboot tools
#####################
-w /sbin/halt -p x -k power
-w /sbin/poweroff -p x -k power
-w /sbin/reboot -p x -k power
-w /sbin/shutdown -p x -k power

#####################
# Make the configuration immutable
#####################
-e 2
<p>Loading...</p>