Auditing a file for changes

Now, let's say that we want to see when someone changes the /etc/passwd file. (The command that we'll use will look a bit daunting, but I promise that it will make sense once we break it down.) Look at the following code:

[donnie@localhost ~]$ sudo auditctl -w /etc/passwd -p wa -k passwd_changes
[sudo] password for donnie:

[donnie@localhost ~]$ sudo auditctl -l
-w /etc/passwd -p wa -k passwd_changes
[donnie@localhost ~]$

Here's the breakdown:

  • -w: This stands for where, and it points to the object that we want to monitor.  In this case, it's /etc/passwd.
  • -p: This indicates the object's permissions that we want to monitor. In this case, we're monitoring to see when anyone either tries to (w)rite to the file, or tries to make (a)ttribute changes. (The other two permissions that we can audit are (r)ead and e(x)ecute.)
  • -k: The k stands for key, which is just auditd's way of assigning a name to a rule.  So, passwd_changes is the key, or the name, of the rule that we're creating.

The auditctl -l command shows us that the rule is indeed there.

Now, the slight problem with this is that the rule is only temporary and will disappear when we reboot the machine. To make it permanent, we need to create a custom rules file in the /etc/audit/rules.d/ directory. Then, when you restart the auditd daemon, the custom rules will get inserted into the /etc/audit/audit.rules file. Because the /etc/audit/ directory can only be accessed by someone with root privileges, I'll just open the file by listing the entire path to the file, rather than trying to enter the directory:

sudo less /etc/audit/audit.rules

There's not a whole lot in this default file:

## This file is automatically generated from /etc/audit/rules.d
-D
-b 8192
-f 1

Here's the breakdown for this file:

  • -D: This will cause all rules and watches that are currently in effect to be deleted, so that we can start from a clean slate. So, if I were to restart the auditd daemon right now, it would read this audit.rules file, which would delete the rule that I just now created.
  • -b 8192: This sets the number of outstanding audit buffers that we can have going at one time. If all of the buffers get full, the system can't generate any more audit messages.
  • -f 1: This sets the failure mode for critical errors, and the value can be either 0, 1, or 2. A -f 0 would set the mode to silent, meaning that auditd wouldn't do anything about critical errors. A -f 1, as we see here, tells auditd to only report the critical errors, and a -f 2 would cause the Linux kernel to go into panic mode. According to the auditctl man page, anyone in a high-security environment would likely want to change this to -f 2. For our purposes though, -f 1 works.

You could use your text editor to create a new rules file in the /etc/audit/rules.d/ directory. Or, you could just redirect the auditctl -l output into a new file, like this:

[donnie@localhost ~]$ sudo sh -c "auditctl -l > /etc/audit/rules.d/custom.rules"
[donnie@localhost ~]$ sudo service auditd restart

Since the output redirection is performed by my own non-root shell rather than by sudo, I can't redirect information directly into a file under the /etc directory even with sudo; I have to use the sudo sh -c command so that both the auditctl command and the redirection run inside a root shell. After restarting the auditd daemon, our audit.rules file now looks like this:

## This file is automatically generated from /etc/audit/rules.d
-D
-b 8192
-f 1

-w /etc/passwd -p wa -k passwd_changes

Now, the rule will take effect every time the machine gets rebooted, and every time that you manually restart the auditd daemon.
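The same persistence step, generalized to several watched files, as an added example (this is my own script, not code from the book). It builds one -w/-p/-k rule per input line in exactly the form shown above, rejects typos in the permission letters before auditd has a chance to reject the whole file on restart, and writes the result atomically. It assumes the book's /etc/audit/rules.d/ directory and custom.rules file name; both are overridable through the RULES_DIR and RULES_FILE variables so the functions can be exercised in a scratch directory without root.

```shell
#!/bin/sh
# Added example, not part of the original text: generate a persistent
# auditd rules file from a list of "path perms key" lines.
# Assumed defaults match the book: /etc/audit/rules.d/custom.rules.

RULES_DIR="${RULES_DIR:-/etc/audit/rules.d}"
RULES_FILE="${RULES_FILE:-custom.rules}"

# Print a single watch rule: -w <path> -p <perms> -k <key>.
# The permission string may only contain the four letters auditctl
# accepts (r, w, x, a); the path must be absolute; the key must be a
# single word, since auditctl takes everything after -k as the key.
make_watch_rule() {
    path=$1; perms=$2; key=$3
    case "$path" in
        /*) ;;
        *) echo "make_watch_rule: path must be absolute: '$path'" >&2; return 1 ;;
    esac
    case "$perms" in
        ""|*[!rwxa]*) echo "make_watch_rule: bad permissions '$perms' (use only r, w, x, a)" >&2; return 1 ;;
    esac
    case "$key" in
        ""|*[[:space:]]*) echo "make_watch_rule: key must be one non-empty word: '$key'" >&2; return 1 ;;
    esac
    printf '%s %s -p %s -k %s\n' -w "$path" "$perms" "$key"
}

# Read "path perms key" lines on stdin (blank lines and #-comments are
# skipped) and write the rules file. The content goes to a temporary
# file first and is moved into place only if every line was valid, so
# an auditd restart can never pick up a half-written or broken file.
write_rules_file() {
    target="$RULES_DIR/$RULES_FILE"
    tmp="$target.tmp.$$"
    : > "$tmp" || return 1
    while read -r path perms key; do
        [ -z "$path" ] && continue
        case "$path" in \#*) continue ;; esac
        if ! make_watch_rule "$path" "$perms" "$key" >> "$tmp"; then
            rm -f "$tmp"
            return 1
        fi
    done
    mv "$tmp" "$target"
}

# Stand-alone use (as root): feed the list of files to watch on stdin.
# Example input line, the same rule as in the text:
#   /etc/passwd wa passwd_changes
if [ "${1:-}" = "--write" ]; then
    write_rules_file
fi
```

After running it as root (`sudo sh watch_rules.sh --write < watchlist.txt`, where the script and list file names are my own choices), restart auditd as in the text and confirm with `sudo auditctl -l` that every rule was loaded; `sudo ausearch -k passwd_changes` then finds the events the passwd_changes key produces.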
