auditd is the userspace component to the Linux Auditing System. It’s responsible for writing audit records to the disk. Viewing the logs is done with the ausearch or aureport utilities. Configuring the audit rules is done with the auditctl utility. During startup, the rules in /etc/audit/rules.d/audit.rules (For CentOS/RHEL 7) are read by auditctl. The audit daemon itself has some configuration options that the admin may wish to customize. They are found in the auditd.conf file.
The post provides a sample audit rule to capture the user credentials and command used to reboot/shutdown the linux servers and this rule can be modified as required. The primary configuration file to add the audit rule is “/etc/audit/audit.rules” and the same needs to be updated with the required rules.
Note:
On CentOS/RHEL 7, the configuration file is /etc/audit/rules.d/audit.rules instead of /etc/audit/audit.rules.
Auditd Configuration
Below is example based on CentOS/RHEL 6, but the steps remains the same for CentOS/RHEL 7 as well.
1. Take the backup of existing configuration.
# cp /etc/audit/audit.rules /etc/audit/audit.rules.bkp
2. Edit the file /etc/audit/audit.rules and append the following rules to make it persistent.
# vi /etc/audit/audit.rules -a exit,always -F arch=b64 -S execve -F path=/sbin/reboot -k reboot [ -k Filter key ] -a exit,always -F arch=b64 -S execve -F path=/sbin/init -k reboot -a exit,always -F arch=b64 -S execve -F path=/sbin/poweroff -k reboot -a exit,always -F arch=b64 -S execve -F path=/sbin/shutdow -k reboot
3. Restart auditd service to make the changes effect.
# service auditd restart
4. List the added rules,
# auditctl -l LIST_RULES: exit,always arch=3221225534 (0xc000003e) watch=/sbin/reboot key=reboot syscall=execve LIST_RULES: exit,always arch=3221225534 (0xc000003e) watch=/sbin/init key=reboot syscall=execve LIST_RULES: exit,always arch=3221225534 (0xc000003e) watch=/sbin/poweroff key=reboot syscall=execve LIST_RULES: exit,always arch=3221225534 (0xc000003e) watch=/sbin/shutdow key=reboot syscall=execve
Verify
To filter the reboot events from audit log the filter key has to be specified.
# ausearch -k reboot time->Mon Jan 4 11:48:20 2016 type=PATH msg=audit(1451926100.004:17): item=1 name=(null) inode=1368522 dev=fc:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 type=PATH msg=audit(1451926100.004:17): item=0 name="/sbin/init" inode=1792404 dev=fc:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 type=CWD msg=audit(1451926100.004:17): cwd="/root" type=EXECVE msg=audit(1451926100.004:17): argc=2 a0="init" a1="6" type=SYSCALL msg=audit(1451926100.004:17): arch=c000003e syscall=59 success=yes exit=0 a0=12706f0 a1=1271190 a2=1268ec0 a3=8 items=2 ppid=2830 pid=2879 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="init" exe="/sbin/init" key="reboot
Here,
uid – Represent the user id.
gid – Represent the group id
exe=”/sbin/init” – command executed