System auditing is a very important task that should be a part of every server. It allows us to audit minute details related to what exactly is happening within the system. Most system administrators might be aware of basic auditing functionalities such as looking into /var/log/secure file for login attempts, but when it comes to low-level auditing, this is where the work needs to be done.
Some of the cases when system auditing helps are:
Watching for file access: We want to have a report on which files or directories within your server have been accessed or modified and at what time and by which user. This is an important aspect specifically if we want to detect the access to important files within our servers or want to find out who did the change that impacted the production environment.
Monitoring system calls: Every command that we type in the back makes a system call to the kernel.
Monitoring /etc/shadow and /etc/passwd for changes
1. To monitor the files /etc/shadow and /etc/passwd, add below 2 rules into the auditd rules file /etc/audit/rules.d/audit.rule.
# vi /etc/audit/rules.d/audit.rule
On CentOS/RHEL 6, the configuration file is /etc/audit/audit.rules instead of /etc/audit/rules.d/audit.rules.
The command above represents the following:
-w path-to-file -p permissions -k keyname
where the permission are any one of the following:
r – read of the file
w – write to the file
x – execute the file
a – change in the file’s attribute (ownership/permissions)
2. Restart the auditd service after defining the above 2 rules.
# service auditd restart
Do not use “systemctl” command to manage the service auditd in CentOS/RHEL. Instead use the legacy “service” command. The reason for this limitation is that the audit daemon has to record any changes to the audit trail including starting and stopping the audit daemon itself. Systemctl uses dbus to talk to the system which hides who issued the command and looks like root did it.
3. Use the “auditctl -l” command to verify the rules you have set.
# auditctl -l
The log file /var/log/audit/audit.log logs all the auditd related log messages. You can check this log file to see if the shadow and passwd files are changed by someone. This file can be long and system can generate a lot of logs in this file. To filter out the rules we are interested in, we can use the “ausearch” command with the key we specified while defining the rules.
# ausearch -k shadow
Similarly, for the /etc/passwd file, we can filter out the logs using:<>/p
# ausearch -k passwd