Tìm hiểu Audit trên linux!!!

Audit là một framework được tích hợp sẵn vào trong nhân linux, cung cấp thông tin chi tiết để thanh tra các hoạt động hệ thống một mức rất chi tiết. 
Nó có thể:
1. Giúp người dùng giám sát các tiến trình có nguy hiểm đến hệ thống hay hành vi xảy ra trên hệ thống một các chi tiết
2. Cung cấp chức năng lọc, xây dựng báo cáo để có thể trích xuất thông tin được audit log lưu lại. Chúng ta có thể filter theo các mục sau:

• User
• Group
• AuditID
• RemoteHostname
• RemoteHostAddress
• SystemCall
• SystemCallArguments • File
• FileOperations
• SuccessorFailure 

3. Việc Audit những sự kiện nội dung nào do người dùng định nghĩa để đảm bảo khả năng linh hoạt và hiệu quả hoạt động của hệ thống.

Auditing goals

By using a powerful audit framework, the system can track many event types to monitor and audit the system. Examples include:

• Audit file access and modification
  • See who changed a particular file
  • Detect unauthorized changes
• Monitoring of system calls and functions
• Detect anomalies like crashing processes
• Set tripwires for intrusion detection purposes
• Record commands used by individual users

Components

The framework itself has several components:

Kernel:

• audit: hooks into the kernel to capture events and deliver them to auditd

Binaries:

• auditd: daemon to capture events and store them (log file)
• auditctl: client tool to configure auditd
• audispd: daemon to multiplex events
• aureport: reporting tool which reads from log file (auditd.log)
• ausearch: event viewer (auditd.log)
• autrace: using audit component in kernel to trace binaries
• aulast: similar to last, but instaed using audit framework
• aulastlog: similar to lastlog, also using audit framework instead
• ausyscall: map syscall ID and name
• auvirt: displaying audit information regarding virtual machines

Files:

• audit.rules: used by auditctl to read what rules need to be used
• auditd.conf: configuration file of auditd

Thành phần của Audit

Các thành phần của Audit

File audit.rules chứa tập các luật tải vào trong hệ thống audit của nhân.
Audit.rules là file chứa các luật sẽ được tải khi khởi động audit daemon. Chương trình auditctl được sử dụng cho kịch bản khởi tạo hành vi này. cấu trúc luật gồm 3 phần: control, file và syscall.

Control

Control commands generally involve configuring the audit system rather than telling it what to watch for. These commands typically include deleting all rules, setting the size of the kernel's backlog queue, setting the failure mode, setting the event rate limit, or to tell auditctl to ignore syntax errors in the rules and continue loading. Generally, these rules are at the top of the rules file.

File System

File System rules are sometimes called watches. These rules are used to audit access to particular files or directories that you may be interested in. If the path given in a watch rule is a directory, then the rule used is recursive to the bottom of the directory tree excluding any directories that may be mount points. The syntax of these watch rules generally follow this format:

-w path-to-file -p permissions -k keyname

where the permission are any one of the following:

r

- read of the file

w

- write to the file

x

- execute the file

a

- change in the file's attribute

Watches can also be created using the syscall format described below which allow for greater flexibility and options. Using syscall rules you can choose between path and dir which is against a specific inode or directory tree respectively. It should also be noted that the recursive directory watch will stop if there is a mount point below the parent directory. There is an option to make the mounted subdirectory equivalent by using a -q rule.

System Call

The system call rules are loaded into a matching engine that intercepts each syscall that all programs on the system makes. Therefore it is very important to only use syscall rules when you have to since these affect performance. The more rules, the bigger the performance hit. You can help the performance, though, by combining syscalls into one rule whenever possible.

The Linux kernel has 4 rule matching lists or filters as they are sometimes called. They are: task, exit, user, and exclude. The task list is checked only during the fork or clone syscalls. It is rarely used in practice.

The exit filter is the place where all syscall and file system audit requests are evaluated.

The user filter is used to filter (remove) some events that originate in user space. By default, any event originating in user space is allowed. So, if there are some events that you do not want to see, then this is a place where some can be removed. See auditctl(8) for fields that are valid.

The exclude filter is used to exclude certain events from being emitted. The msgtype and a number of subject attribute fields can be used to tell the kernel which message types you do not want to record. This filter can remove the event as a whole and is not selective about any other attribute. The user and exit filters are better suited to selectively auditing events. The action is ignored for this filter, defaulting to "never".

Syscall rules take the general form of:

-a action,list -S syscall -F field=value -k keyname

The -a option tells the kernel's rule matching engine that we want to append a rule at the end of the rule list. But we need to specify which rule list it goes on and what action to take when it triggers. Valid actions are:

always

- always create an event

never

- never create an event

The action and list are separated by a comma but no space in between. Valid lists are: task, exit, user, and exclude. Their meaning was explained earlier.

Next in the rule would normally be the -S option. This field can either be the syscall name or number. For readability, the name is almost always used. You may give more than one syscall in a rule by specifying another -S option. When sent into the kernel, all syscall fields are put into a mask so that one compare can determine if the syscall is of interest. So, adding multiple syscalls in one rule is very efficient. When you specify a syscall name, auditctl will look up the name and get its syscall number. This leads to some problems on bi-arch machines. The 32 and 64 bit syscall numbers sometimes, but not always, line up. So, to solve this problem, you would generally need to break the rule into 2 with one specifying -F arch=b32 and the other specifying -F arch=b64. This needs to go in front of the -S option so that auditctl looks at the right lookup table when returning the number.

Một số link tham khảo hay:
1. Mô tả rule của Audit https://jlk.fjfi.cvut.cz/arch/manpages/man/audit.rules.7
2. Cấu hình cơ bản Audit https://linux-audit.com/configuring-and-auditing-linux-systems-with-audit-daemon/
3. Sách về Audit https://www.suse.com/documentation/sled10/pdfdoc/audit_sp2/audit_sp2.pdf