The Linux Auditing System provides system call auditing. The auditing is performed by a server called auditd, with logs saved to the /var/log/audit directory. It is designed to complement SELinux, which saves its messages to the auditd log in the /var/log/audit/audit.log file. The audit logging service provides specialized logging for services like SELinux. To refine the auditing, you can create audit rules to check certain system calls, like those generated by a specific user or group.
Configuration for auditd is located in both the /etc/auditd.conf and the /etc/sysconfig/auditd files. Primary configuration is handled with /etc/auditd.conf, which holds options such as the log file name, the log format, the maximum size of log files, and actions to take when disk space diminishes. See the auditd.conf manual page for a detailed description of all options. The /etc/sysconfig/auditd file sets server startup options and locale settings such as en_US.
The audit package includes the auditd server and three commands: autrace, ausearch, and auditctl. You use ausearch to query the audit logs. You can search by various IDs (process, user, group, or event), as well as by filename or even by time or date. Check the ausearch manual page for a complete listing. autrace is a specialized tool that lets you trace a specific process. It operates similarly to strace, recording the system calls and actions of a particular process.
Figure: Auditd components
You can control the behavior of the auditd server with the auditctl tool. With auditctl, you can turn auditing on or off, check the status, and add audit rules for specific events. Check the auditctl manual page for a detailed description.
Audit rules are organized into predetermined lists with a specific set of actions for system calls. Currently there are three lists: task, entry, and exit, and three actions: never, always, and possible. When adding a rule, the list and action are paired, separated by a comma, as in: exit,always. To add a rule you use the -a option. With the -S option you can specify a particular system call, and with the -F option you can specify a field. There are several possible fields you can use, such as loginuid (user login ID), pid (process ID), and exit (system call exit value). For a field you specify a value, such as loginuid=510 for the user with a user login ID of 510. The following rule, as described in the documentation, checks all files opened by a particular user:

auditctl -a exit,always -S open -F loginuid=510
Place rules you want loaded automatically in the /etc/auditd.rules file. The sample.rules file in the /usr/share/doc/auditd* directory lists rule examples. You can also create a specific file of audit rules and use auditctl with the -R option to read the rules from it.
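The rule above makes the kernel emit an event for every open() by login UID 510, and ausearch is the tool that filters those events back out of /var/log/audit/audit.log. The following added example (not part of the original post or of the audit package) shows what that round trip looks like by implementing a small ausearch-style filter in Python over constructed sample records: it rebuilds each event from the records that share a serial number, then filters by loginuid (the auid field), by syscall name, and by success, the way ausearch -ua, -sc and -sv would. The record layout follows the auditd log format; the syscall name table is a partial, hand-written x86_64 subset and the log lines themselves are constructed, not captured from a real system.

```python
"""ausearch-style query over auditd records (added example, not from the
original post or the audit package).

Assumptions: records use the auditd log line layout
  type=<TYPE> msg=audit(<seconds>.<ms>:<serial>): key=value key="value" ...
and all records of one event share the same serial number. The syscall
name table covers x86_64 (arch=c000003e) only and is a partial subset.
"""
import re
from collections import defaultdict

# Constructed sample of what auditd writes once the rule from the text,
#   auditctl -a exit,always -S open -F loginuid=510
# is loaded. Events 201 and 202 come from that rule; event 203 stands in
# for an unrelated rule (no loginuid filter) and must not match a uid search.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd1 a1=0 a2=0 a3=0 items=1 ppid=4000 pid=4001 auid=510 uid=510 gid=510 euid=510 comm="cat" exe="/bin/cat"
type=CWD msg=audit(1700000000.101:201): cwd="/home/alice"
type=PATH msg=audit(1700000000.101:201): item=0 name="/etc/passwd" inode=1234 dev=08:01 mode=0100644 ouid=0 ogid=0
type=SYSCALL msg=audit(1700000000.202:202): arch=c000003e syscall=2 success=no exit=-13 a0=7ffd2 a1=0 a2=0 a3=0 items=1 ppid=4000 pid=4002 auid=510 uid=510 gid=510 euid=510 comm="cat" exe="/bin/cat"
type=CWD msg=audit(1700000000.202:202): cwd="/home/alice"
type=PATH msg=audit(1700000000.202:202): item=0 name="/etc/shadow" inode=1235 dev=08:01 mode=0100000 ouid=0 ogid=0
type=SYSCALL msg=audit(1700000000.303:203): arch=c000003e syscall=2 success=yes exit=4 a0=7ffd3 a1=0 a2=0 a3=0 items=1 ppid=1 pid=4003 auid=4294967295 uid=0 gid=0 euid=0 comm="cron" exe="/usr/sbin/cron"
type=PATH msg=audit(1700000000.303:203): item=0 name="/etc/crontab" inode=1236 dev=08:01 mode=0100644 ouid=0 ogid=0
"""

# Partial x86_64 syscall table (assumption: only what the sample needs).
SYSCALL_NAMES_X86_64 = {"2": "open", "257": "openat"}
SYSCALL_NUMBERS_X86_64 = {v: k for k, v in SYSCALL_NAMES_X86_64.items()}

RECORD_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<time>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit line into a dict; None for lines in another format."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    rec = {"type": m.group("type"), "time": float(m.group("time")),
           "serial": int(m.group("serial"))}
    for key, value in FIELD_RE.findall(m.group("body")):
        rec[key] = value.strip('"')   # quoted values (comm, exe, name) lose their quotes
    return rec


def group_events(log_text):
    """Map serial number -> list of records, i.e. rebuild each event."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is not None:
            events[rec["serial"]].append(rec)
    return dict(events)


def search(log_text, loginuid=None, syscall=None, success=None):
    """Filter events the way ausearch -ua / -sc / -sv would.

    Returns a list of (serial, syscall_record, [paths]) in serial order.
    syscall may be a name ("open") or a number ("2").
    """
    if syscall is not None:
        syscall = SYSCALL_NUMBERS_X86_64.get(str(syscall), str(syscall))
    hits = []
    for serial, recs in sorted(group_events(log_text).items()):
        sc = next((r for r in recs if r["type"] == "SYSCALL"), None)
        if sc is None:
            continue                      # no SYSCALL record: nothing to filter on
        if loginuid is not None and sc.get("auid") != str(loginuid):
            continue
        if syscall is not None and sc.get("syscall") != syscall:
            continue
        if success is not None and sc.get("success") != ("yes" if success else "no"):
            continue
        paths = [r["name"] for r in recs if r["type"] == "PATH" and "name" in r]
        hits.append((serial, sc, paths))
    return hits


def format_hit(hit):
    """One-line summary of a matched event, similar to ausearch output."""
    serial, sc, paths = hit
    name = SYSCALL_NAMES_X86_64.get(sc.get("syscall"), sc.get("syscall"))
    return (f"event {serial}: auid={sc.get('auid')} pid={sc.get('pid')} "
            f"{name} success={sc.get('success')} exit={sc.get('exit')} "
            f"paths={','.join(paths) or '-'}")


if __name__ == "__main__":
    # Equivalent of: ausearch -ua 510 -sc open
    for hit in search(SAMPLE_AUDIT_LOG, loginuid=510, syscall="open"):
        print(format_hit(hit))
```

Two details matter when reading real logs this way: the auid field carries the login UID that the -F loginuid rule matched on, which survives su and sudo, whereas uid is the effective identity at the time of the call; and the PATH records, not the SYSCALL record, hold the file names, so an event must be reassembled by serial number before a filename search means anything. The cron event with auid=4294967295 (unset login UID) shows why filtering on auid alone can miss daemon activity.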
The audit package contains the user space utilities for storing and searching the audit records generated by the audit subsystem in the Linux 2.6 kernel. CentOS/Red Hat and Fedora Core include the audit rpm package. Use the yum or up2date command to install the package.
Please mention prime advantage of using auditing system.