auditd
About
About Auditd
RedHat Security Guide - 7.3. Configuring the audit Service with some configuration advice
Security Standards
- Common Criteria for Information Technology Security Evaluation (CC)
  Protection Profile for General Purpose Operating Systems Version 4.3 by National Information Assurance Partnership (NIAP)
  Operating System Protection Profile, Version 2.0 (= BSI-CC-PP-0067-2010 Operating System Protection Profile (OSPP))
- Security Technical Implementation Guides (STIGs) by Defense Information Systems Agency (DISA) for US Department of Defense (DoD).
- The National Institute of Standards and Technology (NIST)
  NIST Special Publication 800-53 Revision 5 implementing the Federal Information Security Modernization Act (FISMA) provides guidance for civilian agencies.
- The National Institute of Standards and Technology (NIST)
  National Industrial Security Program Operating Manual (NISPOM)
Auditing and Compliance Testing Tools
FILES
/etc/audit/auditd.conf - configuration file for audit daemon
/etc/audit/audit.rules - audit rules to be loaded at startup
Component files from /etc/audit/rules.d/ are concatenated in order, based on their natural sort (see the -v option of ls(1), or -V of sort(1)) and stripped of empty and comment (#) lines by augenrules.
Please see man 5 augenrules
/etc/audit/rules.d/ - directory holding individual sets of rules to be compiled into one file by augenrules.
- Component audit rule files must end in .rules in order to be processed. All other files in /etc/audit/rules.d are ignored.
- Unix permissions should be: root:root 0640
/etc/audit/plugins.d/ - directory holding individual plugin configuration files.
/etc/audit/audit-stop - These rules are loaded when the audit daemon stops.
/var/run/auditd.state - report about internal state.
/var/log/audit/ - directory holding the audit logs.
It's recommended to put /var/log/audit/ or at least /var/log/ on its own partition.
/lib/systemd/system/auditd.service - systemd unit of auditd
- Worth a look; the unit's dependencies may need adjusting.
- Local Docs
Debian News /usr/share/doc/auditd/NEWS.Debian.gz
Debian README /usr/share/doc/auditd/NEWS.Debian.gz
Auditd Rules Examples
/usr/share/doc/auditd/examples/rules/README-rules
Installation
Install user space component
Debian
apt install auditd
RedHat
dnf install audit audisp-plugins
Kernel Parameter
For correct system auditing, reboot(s) are required.
A boot parameter of audit=1 should be added to ensure that all processes that run before the audit daemon starts are marked as auditable by the kernel. Without it, a few processes cannot be properly audited.
-- Please see man -P "less -p '^NOTES'" 8 auditd
Please also see:
kernel.org - The kernel’s command-line parameters
audit= [KNL] Enable the audit sub-system
        Format: { "0" | "1" } (0 = disabled, 1 = enabled)
        0 - kernel audit is disabled and can not be enabled
            until the next reboot
        unset - kernel audit is initialized but disabled and
            will be fully enabled by the userspace auditd.
        1 - kernel audit is initialized and partially enabled,
            storing at most audit_backlog_limit messages in
            RAM until it is fully enabled by the userspace
            auditd.
        Default: unset

audit_backlog_limit= [KNL] Set the audit queue size limit.
        Format: <int> (must be >=0)
        Default: 64
Set Linux Kernel parameter:
Adjust boot-loader config /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash zswap.enabled=1 audit=1"
Update boot-loader config
update-grub
Reboot
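The three steps above, as an added shell example (not from the page's author): grub_add_audit makes the audit=1 parameter idempotent in a grub defaults file, flipping an explicit audit=0 and appending the parameter only when it is absent, and cmdline_audit_enabled verifies the running kernel's command line after the reboot. The file path and the cmdline text are parameters so the functions can be exercised on constructed copies; update-grub and the reboot are left as comments.

```shell
#!/bin/sh
# Added example, not part of auditd or the page: manage audit=1 in
# /etc/default/grub and check it on a kernel command line.

# grub_has_audit FILE -> 0 when GRUB_CMDLINE_LINUX_DEFAULT already carries audit=1
grub_has_audit() {
    grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=.*[" ]audit=1[" ]' "$1"
}

# grub_cmdline_value FILE -> the quoted value of GRUB_CMDLINE_LINUX_DEFAULT
grub_cmdline_value() {
    sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\([^"]*\)".*/\1/p' "$1" | tail -n 1
}

# grub_add_audit FILE -> ensure GRUB_CMDLINE_LINUX_DEFAULT contains audit=1.
# Only that one variable is edited; every other line is left untouched.
grub_add_audit() {
    f=$1
    if ! grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=' "$f"; then
        echo 'GRUB_CMDLINE_LINUX_DEFAULT="audit=1"' >> "$f"
        return 0
    fi
    # an explicit audit=0 would win over an appended audit=1, so flip it in place
    sed -i 's/^\(GRUB_CMDLINE_LINUX_DEFAULT=.*[" ]\)audit=0\([" ]\)/\1audit=1\2/' "$f"
    grub_has_audit "$f" && return 0
    # append before the closing quote, then tidy the case of an empty value
    sed -i 's/^\(GRUB_CMDLINE_LINUX_DEFAULT="[^"]*\)"/\1 audit=1"/' "$f"
    sed -i 's/^GRUB_CMDLINE_LINUX_DEFAULT=" audit=1"/GRUB_CMDLINE_LINUX_DEFAULT="audit=1"/' "$f"
}

# cmdline_audit_enabled [CMDLINE] -> 0 when the given (default: running) kernel
# command line enables audit; the last audit= occurrence wins, as in the kernel
cmdline_audit_enabled() {
    cmdline=${1:-$(cat /proc/cmdline)}
    last=$(printf '%s\n' "$cmdline" | tr ' ' '\n' | grep '^audit=' | tail -n 1)
    [ "$last" = "audit=1" ]
}

# Demonstration on a constructed copy of /etc/default/grub
demo=$(mktemp)
printf 'GRUB_CMDLINE_LINUX_DEFAULT="quiet splash zswap.enabled=1"\n' > "$demo"
grub_add_audit "$demo"
cat "$demo"    # -> GRUB_CMDLINE_LINUX_DEFAULT="quiet splash zswap.enabled=1 audit=1"
rm -f "$demo"
# On a real host the sequence is:
#   grub_add_audit /etc/default/grub && update-grub && reboot
# and after the reboot:
#   cmdline_audit_enabled && echo "audit=1 active"
```

After the reboot, `auditctl -s` (see below) should report enabled 1; cmdline_audit_enabled only proves the parameter reached the kernel, not that auditd started.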
Configure
auditd.conf
Default config
/etc/audit/auditd.conf
#
# This file controls the configuration of the audit daemon
#

local_events = yes
write_logs = yes
log_file = /var/log/audit/audit.log
log_group = adm
log_format = ENRICHED
flush = INCREMENTAL_ASYNC
freq = 50
max_log_file = 8
num_logs = 5
priority_boost = 4
name_format = NONE
##name = mydomain
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
verify_email = yes
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
use_libwrap = yes
##tcp_listen_port = 60
tcp_listen_queue = 5
tcp_max_per_addr = 1
##tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
transport = TCP
krb5_principal = auditd
##krb5_key_file = /etc/audit/audit.key
distribute_network = no
q_depth = 400
overflow_action = SYSLOG
max_restarts = 10
plugin_dir = /etc/audit/plugins.d
end_of_event_timeout = 2
Adjusted config
The name_format = NONE has been altered to include the attribute "node=hostname" in the logs. This may be useful when analyzing the centralized data.
New value: name_format = HOSTNAME
- TODO: VALIDATE IN COMBINATION WITH SYSLOG
ausearch and aureport are complaining about the default q_depth = 400; q_depth should be larger than 512 for a safety margin.
Please see man -P "less -p '^\s*q_depth'" 8 auditd.conf
q_depth
This is a numeric value that tells how big to make the internal queue of the audit event dispatcher. A bigger queue lets it handle a flood of events better, but could hold events that are not processed when the daemon is terminated. If you get messages in syslog about events getting dropped, increase this value. The default value is 2000.
New value: q_depth = 2000
/etc/audit/auditd.conf
#
# This file controls the configuration of the audit daemon
#

local_events = yes
write_logs = yes
log_file = /var/log/audit/audit.log
log_group = adm
log_format = ENRICHED
flush = INCREMENTAL_ASYNC
freq = 50
max_log_file = 8
num_logs = 5
priority_boost = 4
name_format = HOSTNAME
##name = mydomain
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
verify_email = yes
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
use_libwrap = yes
##tcp_listen_port = 60
tcp_listen_queue = 5
tcp_max_per_addr = 1
##tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
transport = TCP
krb5_principal = auditd
##krb5_key_file = /etc/audit/audit.key
distribute_network = no
q_depth = 2000
overflow_action = SYSLOG
max_restarts = 10
plugin_dir = /etc/audit/plugins.d
end_of_event_timeout = 2
Restart auditd
systemctl restart auditd.service
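A small checker for the settings discussed above, as an added example (not part of auditd): conf_get reads a key from an auditd.conf the way the daemon does (comments stripped, last occurrence wins) and check_auditd_conf reports settings that fall short of the choices made on this page: write_logs, name_format, q_depth and the disk actions. The configs written by write_sample_conf are constructed, abridged variants for the demonstration; on a real host you would point it at /etc/audit/auditd.conf.

```shell
#!/bin/sh
# Added example, not from the auditd project: lint an auditd.conf against the
# hardening choices made on this page.

# conf_get FILE KEY -> value of KEY with comments stripped; last occurrence wins
conf_get() {
    sed 's/#.*//' "$1" | awk -F= -v k="$2" '
        $1 ~ ("^[[:space:]]*" k "[[:space:]]*$") {
            v = $2; gsub(/^[[:space:]]+|[[:space:]]+$/, "", v); val = v
        }
        END { print val }'
}

# check_auditd_conf FILE -> one finding per line; prints nothing when all pass
check_auditd_conf() {
    f=$1
    v=$(conf_get "$f" write_logs)
    [ "$v" = "yes" ] || echo "write_logs=${v:-unset}: no local audit.log, auditing would depend on syslog"
    v=$(conf_get "$f" name_format)
    [ -n "$v" ] && [ "$v" != "NONE" ] || echo "name_format=${v:-unset}: records carry no node= field for central analysis"
    v=$(conf_get "$f" q_depth)
    [ "${v:-0}" -ge 2000 ] 2>/dev/null || echo "q_depth=${v:-unset}: below 2000, dispatcher may drop events under load"
    for key in disk_full_action disk_error_action admin_space_left_action; do
        v=$(conf_get "$f" "$key" | tr 'A-Z' 'a-z')
        case "$v" in
            ignore|'') echo "$key=${v:-unset}: running out of space would silently lose events" ;;
        esac
    done
    return 0
}

# count_findings FILE -> number of findings
count_findings() {
    check_auditd_conf "$1" | wc -l | tr -d ' '
}

# write_sample_conf FILE VARIANT -> constructed, abridged auditd.conf (default|hardened|weak)
write_sample_conf() {
    case "$2" in
        default)  nf=NONE;     qd=400;  wl=yes; dfa=SUSPEND ;;
        hardened) nf=HOSTNAME; qd=2000; wl=yes; dfa=SUSPEND ;;
        weak)     nf=NONE;     qd=400;  wl=no;  dfa=IGNORE ;;
        *) echo "unknown variant $2" >&2; return 1 ;;
    esac
    {
        echo "# constructed, abridged auditd.conf ($2 variant)"
        echo "local_events = yes"
        echo "write_logs = $wl"
        echo "log_file = /var/log/audit/audit.log"
        echo "name_format = $nf"
        echo "##name = mydomain"
        echo "admin_space_left_action = SUSPEND"
        echo "disk_full_action = $dfa"
        echo "disk_error_action = SUSPEND"
        echo "q_depth = $qd"
    } > "$1"
}

# Demonstration: the distribution default produces two findings
demo=$(mktemp)
write_sample_conf "$demo" default
check_auditd_conf "$demo"
rm -f "$demo"
```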
Audit to syslog
Centralizing audit information for use in a SIEM is an essential part of security management and hardening. Being able to detect security breaches is the first step towards a reaction.
Auditd itself has the ability to forward audit messages to a centralized (auditd) server; IMHO there is another solution to be preferred. Rsyslog can use encrypted and authenticated RELP (Reliable Event Logging Protocol) to forward this information.
There are several methods to acquire the audit info in rsyslog.
audisp-syslog provides the ability to write to the syslog socket.
audispd - an event multiplexer [audit event dispatcher daemon] - has been merged back into auditd as a plugin
- Preferred implementation
- Offers the freedom to write the file to disk or not
Default ARGS: audisp/plugins/syslog/audisp-syslog.c:init_syslog()
Numerical facility values 12-15 are not supported.
/etc/audit/plugins.d/syslog.conf
# This file controls the configuration of the syslog plugin.
# It simply takes events and writes them to syslog. The
# arguments provided can be the default priority that you
# want the events written with. And optionally, you can give
# a second argument indicating the facility that you want events
# logged to. Valid options are LOG_LOCAL0 through 7, LOG_AUTH,
# LOG_AUTHPRIV, LOG_DAEMON, LOG_SYSLOG, and LOG_USER.

active = yes
direction = out
path = /sbin/audisp-syslog
type = always
args = LOG_INFO LOG_LOCAL6
format = string
- Rsyslogd could be configured to use the input module imfile to read from /var/log/audit/audit.log.
linux-audit.com - Configuration and collecting of Linux audit events
- IMHO this should not be configured, because it adds the necessity to write to disk, which consumes disk space and additional IOPS and is slow, and to relax the restrictive unix permissions of /var/log/audit and /var/log/audit/audit.log so rsyslog can consume the file.
# Add under the modules section
$ModLoad imfile

# Add at the end of the file

# Add at bottom of configuration file
$InputFileName /var/log/audit/audit.log
$InputFileTag tag_audit_log:
$InputFileStateFile audit_log
$InputFileSeverity info
$InputFileFacility local6
$InputRunFileMonitor

local6.* @@192.168.1.10:514
Local logging
IMHO it's important to log the audit log locally. In case of coincident network problems (with the remote syslog or audit server) a record of actions is still preserved on the client.
The local logs should not be written synchronously, to keep performance within a reasonable frame; in most cases the default flush = INCREMENTAL_ASYNC with freq = 50 records is fine.
/etc/audit/auditd.conf
When only forwarding the messages to rsyslog via audisp-syslog is enabled and write_logs = no is set in auditd, auditing would depend on syslog, which it must not. Auditing should still work when the local syslog daemon is not available.
If you wanted rsyslog to write into /var/log/audit/audit.log you could have used something like this:
/etc/rsyslog.d/10_auditd.conf
Local6, as configured in /etc/audit/plugins.d/syslog.conf, will not appear in any other log, because further processing was stopped.
Implications of local logging
- Local logging consumes disk space.
  - There should be a separation of the filesystems (e.g. by partitioning and new filesystems, or subvolumes with quotas).
  - In an optimal scenario there is isolation of
    /var from /
    /var/log from /var
    /var/log/audit from /var/log
  - An attacker that is able to write to the partition where audit.log is written could try to fill up all the free space. Auditd might react by suspending auditing or even panicking the kernel, resulting in a DoS.
- Local logging will impede your performance. It consumes IOPS and introduces latency when writing in the different sync modes.
  - To reduce this kind of effect, the audit.log may be placed on a separate disk, to separate the different write paths from each other.
- The local copy of the logging data must be protected. Because personal usage data is written to disk, the device must be physically secured from theft, and the whole filesystem or partition where audit.log resides should be encrypted.
Rules
No rules but logs
Even if there are no rules loaded (-D) and the kernel audit sub-system is active (audit=1 or -e 0), audit logs are still being written (e.g. by logins over PAM or cron jobs). The following list shows the packages that require libaudit, i.e. which are linked against libaudit. This has to be said to avoid false expectations.
RedHat
Debian
# auditctl -l
No rules
# apt-cache rdepends --installed libaudit1 |tail +3 |sort -u
auditd
dbus
dbus-daemon
libauparse0
libpam0g
libpam-modules
libpam-modules-bin
libsemanage2
libsystemd-shared
libvirt0
login
network-manager
openssh-server
passwd
rpm-common
sudo
systemd
util-linux
util-linux-extra
xserver-xorg-core
xwayland
augenrules
augenrules [--check] [--load]
augenrules is a script that merges all component audit rules files, found in the audit rules directory, /etc/audit/rules.d, placing the merged file in /etc/audit/audit.rules. Component audit rule files, must end in .rules in order to be processed. All other files in /etc/audit/rules.d are ignored.
The files are concatenated in order, based on their natural sort (see -v option of ls(1)) and stripped of empty and comment (#) lines.
The last processed -D directive without an option, if present, is always emitted as the first line in the resultant file. Those with an option are replicated in place. The last processed -b directive, if present, is always emitted as the second line in the resultant file. The last processed -f directive, if present, is always emitted as the third line in the resultant file. The last processed -e directive, if present, is always emitted as the last line in the resultant file.
The generated file is only copied to /etc/audit/audit.rules, if it differs.
Please see:
man augenrules
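The merge order described above, reproduced as an added shell example (this is not the augenrules script itself, which ships with auditd): merge_rules reads every *.rules file of a directory in natural sort order, drops empty and comment lines, hoists the last bare -D, -b and -f to the first three lines, keeps "-D" with options in place, and emits the last -e as the final line, so a ruleset can be reviewed before `augenrules --load`. The directory is a parameter; the files written by make_sample_rules are constructed for the demonstration (a file named README shows that non-.rules files are ignored).

```shell
#!/bin/sh
# Added example, not the augenrules script: emulate its merge of rules.d/*.rules.

# merge_rules DIR -> print the merged ruleset in augenrules order
merge_rules() {
    dir=$1
    # only *.rules files count; `ls -v` sorts naturally (9-* before 10-*)
    files=$(ls -v "$dir"/*.rules 2>/dev/null) || return 1
    # $files is intentionally unquoted: one path per line, split into arguments
    cat $files |
    grep -v '^[[:space:]]*#' |
    grep -v '^[[:space:]]*$' |
    awk '
        $1 == "-D" && NF == 1 { d = $0; next }   # bare -D: hoisted to line 1
        $1 == "-b"            { b = $0; next }   # last -b wins, line 2
        $1 == "-f"            { f = $0; next }   # last -f wins, line 3
        $1 == "-e"            { e = $0; next }   # last -e wins, final line
        { body[++n] = $0 }                      # incl. "-D -k key", kept in place
        END {
            if (d != "") print d
            if (b != "") print b
            if (f != "") print f
            for (i = 1; i <= n; i++) print body[i]
            if (e != "") print e
        }'
}

# make_sample_rules DIR -> constructed component files for the demonstration
make_sample_rules() {
    dir=$1
    cat > "$dir/10-base-config.rules" <<'EOF'
## First rule - delete all
-D

## Increase the buffers to survive stress events (10*2^10)
-b 10240

## failure mode 1 = printk
-f 1
EOF
    cat > "$dir/9-loginuid.rules" <<'EOF'
## Make the loginuid immutable (natural sort places this before 10-*)
--loginuid-immutable
EOF
    cat > "$dir/30-sudoers.rules" <<'EOF'
-a always,exit -F path=/etc/sudoers -F perm=wa -F key=special-config-changes
-a always,exit -F dir=/etc/sudoers.d/ -F perm=wa -F key=special-config-changes
EOF
    cat > "$dir/99-finalize.rules" <<'EOF'
## Make the configuration immutable - a reboot is required to change it
-e 2
EOF
    # not a .rules file: augenrules ignores it, and so does merge_rules
    echo '-a never,task' > "$dir/README"
}

# Demonstration on a constructed rules directory
demo=$(mktemp -d)
make_sample_rules "$demo"
merge_rules "$demo"
rm -rf "$demo"
```

Compare the output with what `augenrules --check` reports for the real /etc/audit/rules.d before loading; the point of the emulation is to see that a stray -e 2 in an early file still ends up last, and that a -b in a later file overrides an earlier one.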
Example ruleset
There is a huge repository of examples in
/usr/share/doc/auditd/examples
Please also see
/usr/share/doc/auditd/examples/rules/README-rules
This group of rules are meant to be used with the augenrules program. The augenrules program expects rules to be located in /etc/audit/rules.d/ The rules will get processed in a specific order based on their natural sort order. To make things easier to use, the files in this directory are organized into groups with the following meanings:
There is one set of rules, 31-privileged.rules, that should be regenerated. There is a script in the comments of that file. You can uncomment the commands and run the script and then rename the resulting file.
The rules are not meant to be used all at once. They are pieces of a policy that should be thought out and individual files copied to /etc/audit/rules.d/ For example, if you wanted to set a system up in the STIG configuration, copy rules 10-base-config, 30-stig, 31-privileged, and 99-finalize. You can add more if you like. Also, not all arches have the same syscalls. It is expected that the rules be fine tuned for the arch they are deployed on. For example, aarch64 does not have the open syscall. It should just be deleted from the rules.
Once you have the rules in the rules.d directory, you can load them by running augenrules --load
10 No audit rules
On many systems auditd is configured to install an -a never,task rule by default. This rule causes every new process to skip all audit rule processing. This is usually done to avoid a small performance overhead imposed by syscall auditing. If you want to use auditd, you need to remove that rule by deleting 10-no-audit.rules and adding 10-base-config.rules to the audit rules directory.
Enable syscall tracing
10 Base config
Move /etc/audit/rules.d/audit.rules to a numeric prefix for ordering
/etc/audit/rules.d/10-base-config.rules
Debian Trixie sets a slightly higher value for outstanding buffers (10*2^10):
-b backlog
    Set max number (limit) of outstanding audit buffers allowed (Kernel Default=64). If all buffers are full, the failure flag is consulted by the kernel for action.
The rest of the file is identical to:
/usr/share/doc/auditd/examples/rules/10-base-config.rules
11 Set loginuid (auid) immutable
/etc/audit/rules.d/11-loginuid.rules
20 Do not audit
e.g. cron
/etc/audit/rules.d/20-dont-audit.rules
## This is for don't audit rules. We put these early because audit
### is a first match wins system. Uncomment the rules you want.

## Cron jobs fill the logs with stuff we normally don't want
-a never,user -F subj_type=crond_t

## This prevents chrony from overwhelming the logs
#-a never,exit -F arch=x86_64 -S adjtimex -F auid=unset -F uid=chrony -F subj_type=chronyd_t

### This is not very interesting and wastes a lot of space if
### the server is public facing
#-a always,exclude -F msgtype=CRYPTO_KEY_USER

30 Audit user, group, sudoers, login records and selinux (OSPP)
A slightly modified version (for readability) of the example
/etc/audit/rules.d/30-ospp-v42.rules
## The purpose of these rules is to meet the requirements for Operating
## System Protection Profile (OSPP)v4.2. These rules depends on having
## the following rule files copied to /etc/audit/rules.d:
##
## 10-base-config.rules, 11-loginuid.rules,
## 30-ospp-v42-1-create-failed.rules, 30-ospp-v42-1-create-success.rules,
## 30-ospp-v42-2-modify-failed.rules, 30-ospp-v42-2-modify-success.rules,
## 30-ospp-v42-3-access-failed.rules, 30-ospp-v42-3-access-success.rules,
## 30-ospp-v42-4-delete-failed.rules, 30-ospp-v42-4-delete-success.rules,
## 30-ospp-v42-5-perm-change-failed.rules,
## 30-ospp-v42-5-perm-change-success.rules,
## 30-ospp-v42-6-owner-change-failed.rules,
## 30-ospp-v42-6-owner-change-success.rules
##
## original copies may be found in /usr/share/audit/sample-rules/


## User add delete modify. This is covered by pam. However, someone could
## open a file and directly create or modify a user, so we'll watch passwd and
## shadow for writes
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify

## User enable and disable. This is entirely handled by pam.

## Group add delete modify. This is covered by pam. However, someone could
## open a file and directly create or modify a user, so we'll watch group and
## gshadow for writes
-a always,exit -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
-a always,exit -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
-a always,exit -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify


## Use of special rights for config changes. This would be use of setuid
## programs that relate to user accts. This is not all setuid apps because
## requirements are only for ones that affect system configuration.
-a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/sbin/addgroup -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/sbin/adduser -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/sbin/groupadd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/sbin/groupmod -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/sbin/grub2-set-bootflag -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/sbin/useradd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/sbin/userdel -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes


## Privilege escalation via su or sudo. This is entirely handled by pam.

## Watch for configuration changes to privilege escalation.
-a always,exit -F path=/etc/sudoers -F perm=wa -F key=special-config-changes
-a always,exit -F dir=/etc/sudoers.d/ -F perm=wa -F key=special-config-changes

## Audit log access
-a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail
## Attempts to Alter Process and Session Initiation Information
-a always,exit -F path=/var/log/btmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
-a always,exit -F path=/var/log/wtmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
-a always,exit -F path=/var/run/utmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session

## Attempts to modify MAC controls
-a always,exit -F dir=/etc/selinux/ -F perm=wa -F auid>=1000 -F auid!=unset -F key=MAC-policy

## Software updates. This is entirely handled by rpm.

## System start and shutdown. This is entirely handled by systemd

## Kernel Module loading. This is handled in 43-module-load.rules

## Application invocation. The requirements list an optional requirement
## FPT_SRP_EXT.1 Software Restriction Policies. This event is intended to
## state results from that policy. This would be handled entirely by
## that daemon.

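What the user-modify rules above actually select is easiest to see on concrete records. The following added shell example (not from the page's author or the audit project) evaluates the syscall-level filters of those rules against SYSCALL records: the flags argument (a1 for open, a2 for openat/open_by_handle_at) must have O_WRONLY or O_RDWR set (`-F aN&03`, so a read-only open with flags 0 never matches), and auid must be a real login uid (`auid>=1000` and not the unset value 4294967295). The path= filter is matched by the kernel against the event's PATH records and is not evaluated here. The log lines written by write_sample_log are constructed, abridged ENRICHED-format records.

```shell
#!/bin/sh
# Added example, not part of auditd: evaluate the syscall-level filters of the
# user-modify rules against SYSCALL records.

# field LINE NAME -> value of the NAME=value token in LINE (empty if absent)
field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# syscall_rule_matches LINE -> 0 when the record satisfies
#   -S open (flags in a1) or -S openat,open_by_handle_at (flags in a2)
#   -F aN&03       : O_WRONLY (1) or O_RDWR (2) set; O_RDONLY is 0 and never matches
#   -F auid>=1000  : a regular user's login uid
#   -F auid!=unset : unset appears as 4294967295 in the raw record
syscall_rule_matches() {
    line=$1
    case "$(field "$line" SYSCALL)" in
        open)                     flags=$(field "$line" a1) ;;
        openat|open_by_handle_at) flags=$(field "$line" a2) ;;
        *)                        return 1 ;;
    esac
    auid=$(field "$line" auid)
    [ -n "$flags" ] && [ -n "$auid" ] || return 1
    # syscall arguments are logged in hex without a 0x prefix
    [ $(( 0x$flags & 03 )) -ne 0 ] || return 1
    [ "$auid" -ge 1000 ] || return 1
    [ "$auid" -ne 4294967295 ] || return 1
    return 0
}

# count_rule_matches FILE -> number of SYSCALL records the rule would select
count_rule_matches() {
    n=0
    while IFS= read -r line; do
        if syscall_rule_matches "$line"; then n=$((n + 1)); fi
    done < "$1"
    echo "$n"
}

# write_sample_log FILE -> four constructed, abridged ENRICHED records:
#   1. sudo vi /etc/passwd by alice (auid 1000), openat with O_WRONLY|O_CREAT|O_TRUNC -> match
#   2. read-only openat by alice (O_RDONLY|O_CLOEXEC)                             -> no match
#   3. open for writing by a cron job with auid unset                             -> no match
#   4. openat O_RDWR by a root login (auid 0 < 1000)                              -> no match
write_sample_log() {
    cat > "$1" <<'EOF'
type=SYSCALL msg=audit(1722348623.265:4711): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d3b1c0a2e0 a2=241 a3=1a4 items=2 ppid=2311 pid=2345 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=4 comm="vi" exe="/usr/bin/vi" key="user-modify" ARCH=x86_64 SYSCALL=openat AUID="alice" UID="root"
type=SYSCALL msg=audit(1722348630.118:4712): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd1c2a5e40 a2=80000 a3=0 items=1 ppid=2311 pid=2350 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=4 comm="id" exe="/usr/bin/id" ARCH=x86_64 SYSCALL=openat AUID="alice" UID="alice"
type=SYSCALL msg=audit(1722348660.001:4713): arch=c000003e syscall=2 success=yes exit=4 a0=5581aa10 a1=1 a2=0 a3=0 items=1 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) ses=4294967295 comm="cron" exe="/usr/sbin/cron" ARCH=x86_64 SYSCALL=open AUID="unset" UID="root"
type=SYSCALL msg=audit(1722348700.412:4714): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffe0a0b0c10 a2=2 a3=0 items=2 ppid=1200 pid=1201 auid=0 uid=0 gid=0 euid=0 tty=tty1 ses=2 comm="vipw" exe="/usr/sbin/vipw" ARCH=x86_64 SYSCALL=openat AUID="root" UID="root"
EOF
}

# Demonstration: only the first constructed record is selected
demo=$(mktemp)
write_sample_log "$demo"
echo "records the rule would select: $(count_rule_matches "$demo")"   # -> 1
rm -f "$demo"
```

The second record shows why `-F perm=wa` watches on /etc/passwd and /etc/shadow are kept alongside the syscall rules: the mask filter is what keeps every read of /etc/passwd (which nearly every process does) out of the log, while the watch still catches writes that arrive through syscalls other than open.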
99 Enable ruleset and set immutable
Please see:
man -P "less -p '^\s+-e'" 8 auditctl
-e [0..2]
Set enabled flag. When 0 is passed, this can be used to temporarily disable auditing. When 1 is passed as an argument, it will enable auditing. To lock the audit configuration so that it can't be changed, pass a 2 as the argument. Locking the configuration is intended to be the last command in audit.rules for anyone wishing this feature to be active. Any attempt to change the configuration in this mode will be audited and denied. The configuration can only be changed by rebooting the machine.
/etc/audit/rules.d/99-finalize.rules
Ensure correct unix permissions
Allow only root to read and enter directory /etc/audit and its contents
Cleanup logs
Cleanup audit logs after a defined period of time
/etc/cron.d/audit-logs
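A retention job of the kind the cron entry above would run, as an added shell example (the page's own /etc/cron.d/audit-logs is not shown, and this is not it): prune_audit_logs removes rotated files audit.log.N older than a given number of days and never touches the live audit.log; a --dry-run argument only lists what would go. Directory and retention are parameters, and the test below works on a constructed directory.

```shell
#!/bin/sh
# Added example, not the page's cron job: time-based retention for rotated audit logs.

# prune_audit_logs DIR DAYS [--dry-run] -> remove DIR/audit.log.N older than DAYS
# days; prints each path handled. The live audit.log never matches the pattern.
prune_audit_logs() {
    dir=$1; days=$2; mode=${3:-}
    [ -d "$dir" ] || { echo "$dir: not a directory" >&2; return 1; }
    case "$days" in ''|*[!0-9]*) echo "days must be a non-negative integer" >&2; return 1 ;; esac
    # audit.log.1, audit.log.2, ... are the files auditd produces on ROTATE/KEEP_LOGS;
    # -mtime +N selects files whose age in whole days exceeds N
    find "$dir" -maxdepth 1 -type f -name 'audit.log.[0-9]*' -mtime +"$days" | sort |
    while IFS= read -r f; do
        if [ "$mode" = "--dry-run" ]; then
            echo "would remove $f"
        else
            rm -f -- "$f" && echo "removed $f"
        fi
    done
}

# Demonstration on a constructed directory: one 40-day-old rotated log goes,
# the live log and a fresh rotated log stay
demo=$(mktemp -d)
touch -d '40 days ago' "$demo/audit.log" "$demo/audit.log.1"
touch "$demo/audit.log.2"
prune_audit_logs "$demo" 30 --dry-run
prune_audit_logs "$demo" 30
ls "$demo"    # -> audit.log  audit.log.2
rm -rf "$demo"
# Assumed cron entry for /etc/cron.d/audit-logs (hypothetical script path):
#   0 3 * * * root /usr/local/sbin/prune_audit_logs.sh /var/log/audit 90
```

With the page's max_log_file_action = ROTATE and num_logs = 5, auditd already caps the number of rotated files itself; the time-based prune matters when max_log_file_action = KEEP_LOGS is used, and the retention should follow the policy you are obliged to keep records for, not disk pressure.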
Using auditd
Report the audit subsystem status of the kernel
Report the kernel's audit subsystem status.
# auditctl -s
enabled 1
failure 1
pid 831
rate_limit 0
backlog_limit 10240
lost 0
backlog 0
backlog_wait_time 60000
backlog_wait_time_actual 0
loginuid_immutable 0 unlocked

### HUMAN READABLE
# auditctl -s -i
enabled enabled
failure printk
pid 831
rate_limit 0
backlog_limit 10240
lost 0
backlog 0
backlog_wait_time 60000
backlog_wait_time_actual 0
loginuid_immutable 0 unlocked
Actions triggered by SIGNALS
- Please see:
man -P "less -p '^SIGNALS'" 8 auditd
man -P "less -p '^ +--signal'" 8 auditctl
The numerical signal values have been annotated in parentheses. With version 3.1.1 user friendly keywords have been added to auditctl.
man 7 signal
Dump state (18) to /var/run/auditd.state
Reload config (1)
Rotate logs (10)
Stop logging (15)
Resume logging (12)
aulast
A program similar to last [but based on audit log]
aulastlog
A program similar to lastlog [but based on audit log]
ausearch
A tool to query audit daemon logs
Please see man 8 ausearch
Search for keyword with interpreted (human readable) numbers
ausearch -k log_manipulation -i
aureport
A tool that produces summary reports of audit daemon logs
Please see man 8 aureport
Show standard report
# aureport

Summary Report
======================
Range of time in logs: 12.02.2024 08:00:01.789 - 30.07.2024 16:10:23.265
Selected time for report: 12.02.2024 08:00:01 - 30.07.2024 16:10:23.265
Number of changes in configuration: 1323
Number of changes to accounts, groups, or roles: 3
Number of logins: 2
Number of failed logins: 3
Number of authentications: 8
Number of failed authentications: 2
Number of users: 4
Number of terminals: 27
Number of host names: 3
Number of executables: 26
Number of commands: 27
Number of files: 52
Number of AVC's: 0
Number of MAC events: 0
Number of failed syscalls: 0
Number of anomaly events: 16
Number of responses to anomaly events: 0
Number of crypto events: 0
Number of integrity events: 0
Number of virt events: 136
Number of keys: 9
Number of process IDs: 19917
Number of events: 90924
ausyscall
A program that allows mapping syscall names and numbers
Please see man 8 ausyscall
ausyscall [arch] name | number | --dump | --exact
May be used during ruleset optimization: if the syscall IDs do not differ between architectures, a single rule may be used instead of one per architecture.
Dump syscall table
Resolve names and numbers
auvirt
A program that shows data related to virtual machines
Please see man 8 auvirt
Display all VM events this month
auvirt --start this-month --all-events
autrace
A program similar to strace
Please see man 8 autrace
autrace will not run while a ruleset is loaded.