A system call (SYSCALL) is the interface through which a user-space process asks the Linux kernel for a service: mount, umount, kill, open and so on are all system calls. The kernel's audit subsystem can log them, and auditd is the userspace daemon that receives those records and writes them to disk. Let's take the "kill" system call as an example.

The goal is to record who killed a given process on the system. This is done with an auditd rule that generates an audit event every time the kill system call is invoked.

Installing and configuring auditd

auditd usually comes pre-installed on Linux distributions. If it is not, install it with the OS package manager. On CentOS/RHEL the daemon ships in the "audit" package:

# yum install audit

Enable the auditd service to start at boot and start it. Note the argument order of the "service" command: the service name comes first, then the action.

# systemctl enable auditd
# service auditd start

Configuring an auditd Rule to Monitor a SYSCALL

Let's create a rule that monitors the "kill" system call, so that every attempt to kill a process is recorded.

1. Add the rule below to the auditd rules file /etc/audit/rules.d/audit.rules (on systemd-based distributions every *.rules file in that directory is compiled by augenrules into /etc/audit/audit.rules when the service starts):

# vi /etc/audit/rules.d/audit.rules
-a exit,always -F arch=b64 -S kill -k kill_rule

Here,
-a exit,always – -a appends a rule and takes a list and an action (auditctl accepts either order and prints the rule as always,exit). The exit list is evaluated when a system call returns, and the always action means an audit record is generated every time the rule matches.
-F arch=b64 – The -F option adds a filter field. arch=b64 matches system calls made through the 64-bit (x86_64) syscall table; whether the CPU is Intel or AMD does not matter.
-S kill – The -S option names the system call to monitor. It can be given more than once in the same rule.
-k kill_rule – A filter key, i.e. a free-form tag attached to every record this rule generates, so the events can later be pulled out of the log with "ausearch -k".

Note: "arch" selects the syscall table, not just the CPU. On a 32-bit OS use "arch=b32". On a 64-bit OS a 32-bit binary still makes its calls through the 32-bit table and would slip past an arch=b64 rule, so add a second copy of the rule with "-F arch=b32" (the syscall numbers differ between the two tables, which is why each rule must say which table it is for). Also bear in mind that kill is not the only way to deliver a signal: tkill and tgkill do the same for individual threads and can be added to the rule with further "-S" options. Finally, "kill -0 <pid>" (signal 0) is a common existence check that kills nothing but still matches this rule; if it produces too much noise, the signal argument can be filtered on, for example with "-F a1!=0".

2. Reload the rules so the new one takes effect. On RHEL/CentOS 7 and later the auditd unit refuses "systemctl restart auditd" (it is marked RefuseManualStop), so use the "service" wrapper, which in turn runs augenrules; "augenrules --load" on its own also works.

# service auditd restart

3. Verify that the rule is loaded with the "auditctl -l" command. auditctl prints the rule in its canonical form, with the action before the list and the key shown as an -F key= field:

# auditctl -l
-a always,exit -F arch=b64 -S kill -F key=kill_rule

Verify

Let's check whether the rule we just created actually works. We will start a "sleep 600" process in the background and kill it. This should generate an audit event recording who killed the process (auid and uid), from which program, and with which signal.

1. Spawn a simple sleep process in the background.

# sleep 600 &

2. Find the process ID of the sleep process and kill it.

# ps -ef | grep sleep
root      2089  1784  0 15:12 pts/0    00:00:00 sleep 600

# kill -9 2089

3. Look in /var/log/audit/audit.log for the kill records. They should look similar to the following; all three records belong to the same event and share the serial 304:

# tail -f /var/log/audit/audit.log
type=SYSCALL msg=audit(1529507591.700:304): arch=c000003e syscall=62 success=yes exit=0 a0=829 a1=9 a2=0 a3=829 items=0 ppid=1783 pid=1784 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="bash" exe="/usr/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="kill_rule"
type=OBJ_PID msg=audit(1529507591.700:304): opid=2089 oauid=1001 ouid=0 oses=1 obj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 ocomm="sleep"
type=PROCTITLE msg=audit(1529507591.700:304): proctitle="-bash"

The SYSCALL record answers "who". syscall=62 is kill on x86_64 (arch=c000003e). The syscall arguments are logged in hexadecimal, so a0=829 is the target pid 2089 and a1=9 is the signal number, SIGKILL. Because kill is a bash builtin, the calling process is the shell itself (comm="bash", pid=1784, which is the parent of the sleep in the ps output above). auid=1001 is the login uid, set when the user logged in and preserved across su and sudo, while uid=0 is the uid the call ran as: the person who logged in as user 1001 became root and issued the kill. The OBJ_PID record answers "what": opid=2089 and ocomm="sleep" identify the target, and success=yes in the SYSCALL record confirms the signal was delivered.

4. Picking the interesting records out of the raw log by hand gets tedious. Use "ausearch" with the key defined in the rule instead; adding "-i" additionally translates numeric fields such as uids, the arch and the syscall number into names. For example:

# ausearch -k kill_rule
...
time->Wed Jun 20 15:13:11 2018
type=PROCTITLE msg=audit(1529507591.700:304): proctitle="-bash"
type=OBJ_PID msg=audit(1529507591.700:304): opid=2089 oauid=1001 ouid=0 oses=1 obj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 ocomm="sleep"
type=SYSCALL msg=audit(1529507591.700:304): arch=c000003e syscall=62 success=yes exit=0 a0=829 a1=9 a2=0 a3=829 items=0 ppid=1783 pid=1784 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="bash" exe="/usr/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="kill_rule" 
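The records above carry everything needed to answer "who killed what", but reading a0/a1 in hex and pairing each SYSCALL record with its OBJ_PID records by serial is error-prone by eye. The following Python script is an added example written for this page; it is not part of auditd, of the audit userspace tools, or of the original article. It parses records in audit.log format, groups them by event serial, decodes the pid and signal arguments, and flags kills issued after a change of identity (auid differs from uid) as well as broadcast kills (pid -1). The embedded sample log is constructed: event 304 is the one shown above, events 305 and 306 are invented to show the other two shapes.

```python
import re
import sys
from collections import defaultdict

# Constructed sample log (not captured from a real system). Event 304 is the
# "kill -9 2089" shown in the article; 305 and 306 are invented: a regular user
# sending SIGTERM to their own process, and root running "kill -9 -1".
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1529507591.700:304): arch=c000003e syscall=62 success=yes exit=0 a0=829 a1=9 a2=0 a3=829 items=0 ppid=1783 pid=1784 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="bash" exe="/usr/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="kill_rule"
type=OBJ_PID msg=audit(1529507591.700:304): opid=2089 oauid=1001 ouid=0 oses=1 obj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 ocomm="sleep"
type=PROCTITLE msg=audit(1529507591.700:304): proctitle="-bash"
type=SYSCALL msg=audit(1529507650.120:305): arch=c000003e syscall=62 success=yes exit=0 a0=8d2 a1=f a2=0 a3=0 items=0 ppid=2201 pid=2240 auid=1002 uid=1002 gid=1002 euid=1002 suid=1002 fsuid=1002 egid=1002 sgid=1002 fsgid=1002 tty=pts1 ses=2 comm="kill" exe="/usr/bin/kill" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="kill_rule"
type=OBJ_PID msg=audit(1529507650.120:305): opid=2258 oauid=1002 ouid=1002 oses=2 obj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 ocomm="tail"
type=SYSCALL msg=audit(1529507700.003:306): arch=c000003e syscall=62 success=yes exit=0 a0=ffffffffffffffff a1=9 a2=0 a3=0 items=0 ppid=3001 pid=3010 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="bash" exe="/usr/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="kill_rule"
"""

SIGNALS = {0: "signal 0 (existence probe)", 1: "SIGHUP", 2: "SIGINT",
           3: "SIGQUIT", 9: "SIGKILL", 15: "SIGTERM"}
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')            # key=value / key="value"
SERIAL_RE = re.compile(r'msg=audit\((\d+)\.\d+:(\d+)\)')  # (seconds.ms:serial)


def parse_record(line):
    """Turn one audit record into a dict. Quoted values lose their quotes;
    the event timestamp and serial are stored under _time and _serial."""
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = SERIAL_RE.search(line)
    if m:
        rec["_time"], rec["_serial"] = int(m.group(1)), int(m.group(2))
    return rec


def group_events(text):
    """Group records by serial: one kill() call yields a SYSCALL record, a
    PROCTITLE record and one OBJ_PID record per process it signalled."""
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if "_serial" in rec:
            events[rec["_serial"]].append(rec)
    return events


def signed64(hexstr):
    """Syscall args are logged as unsigned hex (a0=829 is pid 2089). A pid of
    -1 (signal every process) shows up as ffffffffffffffff, so reinterpret
    the value as a signed 64-bit integer."""
    value = int(hexstr, 16)
    return value - (1 << 64) if value >= (1 << 63) else value


def describe_kill(records):
    """Summarise one event as a dict, or None if it was not tagged kill_rule."""
    syscall = next((r for r in records if r.get("type") == "SYSCALL"), None)
    if syscall is None or syscall.get("key") != "kill_rule":
        return None
    sig, pid_arg = signed64(syscall["a1"]), signed64(syscall["a0"])
    return {
        "serial": syscall["_serial"],
        "auid": int(syscall["auid"]),   # login uid: survives su and sudo
        "uid": int(syscall["uid"]),     # uid the kill actually ran as
        "actor": (f'{syscall.get("comm", "?")} (pid {syscall.get("pid", "?")}, '
                  f'{syscall.get("exe", "?")})'),
        "pid_arg": pid_arg,
        "signal": SIGNALS.get(sig, f"signal {sig}"),
        "targets": [(int(r["opid"]), r.get("ocomm", "?"))
                    for r in records if r.get("type") == "OBJ_PID"],
        "success": syscall.get("success") == "yes",
        # auid != uid means the login user changed identity before the kill
        "escalated": syscall["auid"] != syscall["uid"],
        "broadcast": pid_arg == -1,
    }


def report(text):
    """Return one human-readable line per kill_rule event, oldest first."""
    events = group_events(text)
    lines = []
    for serial in sorted(events):
        d = describe_kill(events[serial])
        if d is None:
            continue
        if d["broadcast"]:
            target = "every process (pid -1)"
        elif d["targets"]:
            target = ", ".join(f"pid {p} ({c})" for p, c in d["targets"])
        else:
            target = f'pid {d["pid_arg"]} (no OBJ_PID record)'
        who = f'auid={d["auid"]}' + (f' acting as uid={d["uid"]}' if d["escalated"] else "")
        status = "" if d["success"] else " [FAILED]"
        lines.append(f'{serial}: {who} via {d["actor"]} sent {d["signal"]} to {target}{status}')
    return lines


if __name__ == "__main__":
    # Pass a path to read a real log, e.g. /var/log/audit/audit.log (needs root)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print("\n".join(report(text)))
```

Run on a real log the script reads every record, so SYSCALL records from other rules (or with no key) are grouped but skipped; only events tagged kill_rule appear in the report. The "acting as uid=" annotation is the detail worth alerting on: it is exactly the case in event 304, where user 1001 became root before issuing the kill.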

 
