Auditd Tutorial Part 01
Summary
TLDR: This video provides a hands-on tutorial for setting up and using Auditd on Ubuntu systems to monitor critical files and system activity. It covers installing Auditd, understanding the key configuration files auditd.conf and audit.rules, checking Auditd status, and enabling auditing. The instructor demonstrates creating rules to monitor sensitive files such as /etc/passwd, tracking read, write, execute, and attribute changes, and using keys for easy log searches. The video also explains persistent rule configuration, verifying the active rules, and interpreting the system call records in the log, giving a solid foundation for auditing Linux environments.
Takeaways
- 😀 AuditD is not installed by default on Ubuntu 20.04; you need to install it using the command 'apt install auditd'.
- 🔍 AuditD can be used on various virtual machines and cloud platforms, including AWS, VMware, VirtualBox, and others.
- 📝 The main configuration files for AuditD are located in the '/etc/audit' directory, including 'auditd.conf' and 'audit.rules'.
- 🔑 The 'auditd.conf' file configures the daemon itself: the log file location (default: /var/log/audit/audit.log), log rotation, and what to do when the disk is full.
- 📜 'audit.rules' is the compiled rule set that AuditD loads into the kernel at startup; it is regenerated from the files in 'rules.d' by 'augenrules', so edits made directly to it are overwritten.
- ⚙️ The individual rule files live in the '/etc/audit/rules.d' directory; 'augenrules' merges every '*.rules' file there into the final 'audit.rules'.
- 🔄 You can check the status of AuditD with the command 'auditctl -s'. The 'enabled' field shows whether auditing is on (0 = off, 1 = on, 2 = on and locked, meaning the rule set cannot be changed until reboot).
- 🔓 To enable auditing, use the command 'auditctl -e 1'. You can confirm the daemon is running with 'ps -ax | grep auditd' and confirm the flag with 'auditctl -s'.
- 📂 You can monitor a specific file with a watch rule, 'auditctl -w <path> -p rwxa -k <key>', for example watching '/etc/passwd' for any read, write, execute or attribute change.
- 🕵️‍♂️ The 'ausearch' command searches the audit logs; 'ausearch -k <key>' pulls out the events of one rule, such as accesses to or modifications of a watched file, and 'ausearch -i' interprets syscall numbers and uids in place.
- 🛡️ Rules added with 'auditctl' on the command line are lost at reboot. To make them persistent, put them in a '.rules' file in '/etc/audit/rules.d' (the video uses 'audit.rules' there) and load them with 'augenrules --load' or 'systemctl restart auditd'; verify with 'auditctl -l'.
Q & A
What is `auditd` and why is it important in Linux?
-`auditd` is the Linux Audit Daemon used for monitoring and logging system activities, such as file access and configuration changes. It is important for security auditing, compliance, and detecting unauthorized activities.
How do you install `auditd` on Ubuntu?
-You can install `auditd` on Ubuntu using the command `sudo apt install auditd`. It works on various environments like AWS, VirtualBox, VMware, or a local VM.
Where are `auditd` log files stored by default?
-By default, `auditd` stores logs in `/var/log/audit/audit.log`. These logs can also be configured to be sent to a remote syslog server.
What are the key configuration files for `auditd`?
-The main configuration files are `/etc/audit/auditd.conf` for daemon settings and `/etc/audit/audit.rules` for the rule set loaded at startup. `audit.rules` is generated by `augenrules` from the `*.rules` files in `/etc/audit/rules.d/`, which is where rules should be managed.
How can you check if `auditd` is running and its current status?
-Use `sudo auditctl -s` to check the status. The `enabled` field shows whether auditing is off (`0`), on (`1`), or on and locked (`2`), meaning the configuration is immutable until reboot. You can also confirm the daemon is running with `ps -ax | grep auditd`.
How do you create a basic audit rule to monitor a file?
-You can monitor a file like `/etc/passwd` using: `sudo auditctl -w /etc/passwd -p rwxa -k beck_password`. `-w` watches the file, `-p` specifies permissions (read, write, execute, attribute), and `-k` sets a searchable keyword.
How can you search audit logs for a specific activity?
-Use `ausearch -k <keyword>` to search for logs with a specific keyword. For example, `ausearch -k beck_password` will show all events related to the `/etc/passwd` monitoring rule.
What does a syscall type in the audit log indicate?
-A `type=SYSCALL` record means a system call matched one of your rules. Its `syscall=` field is the numeric system call number for the architecture given in the `arch=` field, so the same number means different things on different CPUs. On x86_64 (`arch=c000003e`), syscall `257` is `openat`, the call `cat` and most modern tools use to open a file (`open` itself is number `2`). `ausyscall 257` translates a number to its name, and `ausearch -i` interprets syscall numbers, uids and similar fields in place. The `PATH` record that shares the same `msg=audit(timestamp:serial)` value names the file that was touched, and `comm=` and `exe=` in the `SYSCALL` record identify the program.
How can you make an audit rule persistent across reboots?
-Add the rule to `/etc/audit/rules.d/audit.rules` (or any `*.rules` file in that directory) and then load it with `sudo augenrules --load` or restart the daemon with `sudo systemctl restart auditd`. Either way `augenrules` regenerates `/etc/audit/audit.rules`, so the rule is applied automatically on startup. Confirm with `sudo auditctl -l`.
What precautions should you take when configuring `auditd` rules?
-Avoid turning off auditing (`auditctl -e 0`) as it disables logging; note that `-e 2` locks the configuration until reboot, which is useful in production but means you cannot fix a bad rule without rebooting. Be cautious when watching entire directories, as that can create very noisy logs and fill the disk. Always verify active rules with `auditctl -l` and test them before deployment.
What does the `-p rwxa` flag mean when creating audit rules?
-`-p` specifies the permissions to monitor: `r` = read, `w` = write, `x` = execute, and `a` = attribute changes. It ensures all relevant interactions with the file are logged.
Why is it recommended to use keywords (`-k`) in audit rules?
-Using keywords makes searching and filtering audit logs easier. For example, `-k beck_password` allows you to quickly find all events related to `/etc/passwd` without sifting through unrelated log entries.