How to monitor the Mounting/Umounting of Mount Points Using Auditd on CentOS/RHEL 6,7?

One of the best things about auditd is that it is tightly integrated with the kernel, so it gives us the power to monitor almost everything we want, really. By default, there are no rules that are configured. We need to write our rules in the /etc/audit/rules.d/audit.rules configuration file that will be read and the corresponding audit actions will be applied.

 

Installing auditd

 

1. The auditd packages are a part of the default installation RHEL/CentOS 7 systems. We can verify it with the following command:

 

# rpm -qa | grep audit
audit-libs-2.8.1-3.el7.x86_64
audit-libs-python-2.8.1-3.el7.x86_64
audit-2.8.1-3.el7.x86_64

 

2. If the package is not a part of our system, we can go ahead and install it:

# yum install audit

 

3. Make sure that the audit daemon is running. We will use the following command:

# systemctl status auditd
● auditd.service - Security Auditing Service
   Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
   Active: active (running) since Sun 2018-06-17 06:56:06 UTC; 2min 37s ago
     Docs: man:auditd(8)
           https://github.com/linux-audit/audit-documentation
  Process: 657 ExecStartPost=/sbin/augenrules --load (code=exited, status=0/SUCCESS)
  Process: 652 ExecStart=/sbin/auditd (code=exited, status=0/SUCCESS)
 Main PID: 653 (auditd)
    Tasks: 2
   CGroup: /system.slice/auditd.service
           └─653 /sbin/auditd

 

In the case of CentOS/RHEL 6, you can use the service command to check the status of the auditd service:

# service auditd status

 

Configuring auditd Rules to Monitor mounting/umounting of Filesystems

 

Let us now configure the auditd rules required to monitor the mounting/umounting of filesystems.

 

1. Add the following rule in the file /etc/audit/rules.d/audit.rules audit mount and umount operations. Notice the name of umount SYCALL is umount2.

# vi /etc/audit/rules.d/audit.rules
-a always,exit -F arch=b64 -S mount,umount2 -k mount_umount

 

Here,


-a – Appends rule to the end of list with action.
always,exit – are the actions specified with the -a option.
-S – stands for the SYSCALL (In uor case mount and umount2)
arch=b64 – specifies the rule for 64 bit architecture.

 

2. Restart the auditd service with “service” command:

# service auditd restart
Stopping logging:                                          [  OK  ]
Redirecting start to /bin/systemctl start auditd.service

 

Verify

 

1. Let us take the /data mount point as an example and see if we get audit logs generated on mounting/umounting this mount point.

# df -hP /data
Filesystem      Size  Used Avail Use% Mounted on
/dev/xvdf       976M  2.6M  907M   1% /data

 

2. Umount this mount point manually.

# umount /data

 

Monitor /var/log/audit/audit.log, look for messages similar to the ones below. The uid= and gid= sections as well as the pid= portion of the audit logs can help to determine the process or user issuing the command:

# tailf /var/log/audit/audit.log
...
type=SYSCALL msg=audit(1529223527.639:881): arch=c000003e syscall=166 success=yes exit=0 a0=55a5863d3880 a1=0 a2=1 a3=7ffe52c22320 items=1 ppid=2930 pid=3335 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="umount" exe="/usr/bin/umount" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="mount_umount"
type=CWD msg=audit(1529223527.639:881):  cwd="/root"

 

Going through /var/log/audit/audit.log can be overwhelming if you have a lot of things being audited in your server. Instead, you can use the command “ausearch” with the key defnied in the rule to filter out logs only related with mounting and umounting. For example:

# ausearch -k mount_umount
----
time->Sun Jun 17 08:18:47 2018
type=PROCTITLE msg=audit(1529223527.639:881): proctitle=756D6F756E74002F64617461
type=PATH msg=audit(1529223527.639:881): item=0 name="/data" inode=2 dev=ca:50 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:unlabeled_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1529223527.639:881):  cwd="/root"
type=SYSCALL msg=audit(1529223527.639:881): arch=c000003e syscall=166 success=yes exit=0 a0=55a5863d3880 a1=0 a2=1 a3=7ffe52c22320 items=1 ppid=2930 pid=3335 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="umount" exe="/usr/bin/umount" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="mount_umount"

 

Was this answer helpful? 0 Users Found This Useful (0 Votes)