Auditing system calls

Creating rules to monitor when someone performs a certain action isn't hard, but the command syntax is a bit trickier than what we've seen so far. With this rule, we're going to get an audit record every time that Charlie either opens a file or creates a file (whether the call succeeds or not):

[donnie@localhost ~]$ sudo auditctl -a always,exit -F arch=b64 -S openat -F auid=1006
[sudo] password for donnie:

[donnie@localhost ~]$ sudo auditctl -l
-w /etc/passwd -p wa -k passwd_changes
-w /secretcats -p rwxa -k secretcats_watch
-a always,exit -F arch=b64 -S openat -F auid=1006
[donnie@localhost ~]$

Here's the breakdown:

  • -a always,exit: Here, we have the action and the list. The exit part means that this rule will be added to the system call exit list. Whenever the operating system exits from a system call, the exit list will be used to determine if an audit event needs to be generated. The always part is the action, which means that an audit record for this rule will always be created on exit from the specified system call. Note that the action and list parameters have to be separated by a comma.
  • -F arch=b64: The -F option is used to build a rule field, and we see two rule fields in this command. This first rule field specifies the system call ABI that the rule applies to. The b64 means the 64-bit ABI of the machine's native architecture; on this computer, that's x86_64. (Whether it's Intel or AMD doesn't matter, and an Arm64 server uses b64 too.) It has to come before -S, because the same system call has different numbers on the 32-bit and 64-bit ABIs, and auditctl needs the architecture to translate the name. Considering that 32-bit machines are dying off and that Sun SPARC and PowerPC machines aren't all that common, b64 is what you'll now mostly see. One caveat: a 64-bit kernel still runs 32-bit binaries, and those make b32 system calls that this rule won't match. If that matters to you, add the same rule a second time with -F arch=b32.
  • -S openat: The -S option specifies the system call that we want to monitor. openat opens a file, or creates it when called with the O_CREAT flag. On current Linux systems, the C library implements the open() and creat() library calls with openat, so this one syscall catches most file opens. You can list several syscalls in one rule with commas, for example -S open,openat,creat, which also covers programs that still call the older syscalls directly. Because this rule has no exit field, it records both successful and refused opens; if you only want to see the attempts that were denied, add -F exit=-EACCES (and a second rule with -F exit=-EPERM).
  • -F auid=1006: This second audit field specifies the audit user ID, also called the login UID, of the user that we want to monitor. (Charlie's user ID number is 1006.) The auid is set when a user logs in and is not changed by su or sudo, so anything Charlie does after switching to another account, including root, is still attributed to auid 1006. That is what makes it the right field for tracking a person rather than an account.
A complete explanation about system calls, or syscalls, is a bit too esoteric for our present purpose. For now, suffice it to say that a syscall happens whenever a program asks the Linux kernel to do something on its behalf, such as opening a file or sending a packet; the commands a user runs are just programs making those requests. If you're so inclined, you can read more about syscalls at: https://blog.packagecloud.io/eng/2016/04/05/the-definitive-guide-to-linux-system-calls/.
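
The following script is an added example, not code from the book, that puts the points above together: it builds the openat watch for Charlie's auid on both the b64 and b32 ABIs, a second variant that records only denied opens, and a check against the output of auditctl -l so that a script doesn't try to add a rule that is already loaded (auditctl rejects duplicates with "Rule exists"). UID 1006 and the -k key style come from this chapter; the key names charlie_files and charlie_denied, and the file name under /etc/audit/rules.d/, are assumptions. The sample listing in the script is a constructed copy of the auditctl -l output shown above, so the checks run without root or auditd.

```shell
#!/bin/sh
# Added example (not from the book): build the audit rules that watch one user's
# file opens and creates on both syscall ABIs, and check a rule listing before
# adding a duplicate. UID 1006 and the key style come from the chapter; the
# key names and the rules.d file name are assumptions.

# Rules for every open/create by the given audit UID. -F arch= comes before -S
# because syscall numbers differ per ABI; open and creat are listed alongside
# openat for programs that still call them directly.
user_open_rules() {
    auid="$1"; key="$2"
    for arch in b64 b32; do
        printf '%s\n' "-a always,exit -F arch=$arch -S open,openat,creat -F auid=$auid -k $key"
    done
}

# Same watch narrowed to refused attempts. A rule takes one exit= field,
# so EACCES and EPERM each get their own pair of rules.
denied_open_rules() {
    auid="$1"; key="$2"
    for arch in b64 b32; do
        for err in EACCES EPERM; do
            printf '%s\n' "-a always,exit -F arch=$arch -S open,openat,creat -F auid=$auid -F exit=-$err -k $key"
        done
    done
}

# Succeeds when the exact rule line is already present in the listing read
# from stdin (the output of 'auditctl -l'). auditctl refuses duplicates with
# "Rule exists", so scripts should check before adding.
rule_loaded() {
    grep -Fxq -- "$1"
}

# Constructed copy of the chapter's 'auditctl -l' output, for offline checks.
SAMPLE_LISTING='-w /etc/passwd -p wa -k passwd_changes
-w /secretcats -p rwxa -k secretcats_watch
-a always,exit -F arch=b64 -S openat -F auid=1006'

# Persist the rules under /etc/audit/rules.d (file name assumed) and load them
# with augenrules, which concatenates that directory into audit.rules. Needs root.
install_rules() {
    auid="$1"; key="$2"
    file="/etc/audit/rules.d/50-${key}.rules"
    user_open_rules "$auid" "$key" > "$file"
    augenrules --load
    # Confirm the kernel now carries rules tagged with our key.
    auditctl -l | grep -F -- "-k $key"
}

# Only touches the live system when explicitly asked:  sudo sh rules.sh --install
case "${1:-}" in
    --install) install_rules 1006 charlie_files ;;
esac
```

Run it with no arguments to print nothing and change nothing; run it as root with --install to write the rules file and load it. Rules placed in /etc/audit/rules.d/ survive a reboot, whereas a rule added with a bare auditctl -a, like the one earlier in this section, is gone the next time auditd starts.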

What I've presented here are just a few of the many things that you can do with auditing rules. To see more examples, check out the auditctl man page:

man auditctl

So, now you're wondering, "Now that I have these rules, how do I know when someone tries to violate them?" As always, I'm glad that you asked.
