# Auditd

This role installs auditd and activates it with 3 different logging tags, described below:

1. exec_metal_admin
2. exec_container_admin
3. exec_container_user

## 1. Logging Commands by Admins on the Host

```bash
-a always,exit -F arch=b64 -S execve -F auid>=10000 -F auid<=10999 -k exec_metal_admin
```

- `-a always,exit`: Always log on syscall exit.
- `-F arch=b64`: Specifies the 64-bit architecture (`b64`).
- `-S execve`: Monitors the `execve` syscall, capturing all program executions.
- `-F auid>=10000 -F auid<=10999`: Filters logs for admin accounts with `auid` (Audit User ID) in the specified range, which represents admin users on the host.
- `-k exec_metal_admin`: Tags logs with the key `exec_metal_admin` for easier log filtering.

## 2. Logging Commands by Admins in Containers

```bash
-a always,exit -F arch=b64 -S execve -F auid>=1010000 -F auid<=1010999 -k exec_container_admin
```

- Similar to the first rule but applied to container environments.
- The `auid` range (`1010000` to `1010999`) is intended for admin users within containers using ID mapping.

## 3. Logging Commands by Non-Admin Users in Containers

```bash
-a always,exit -F arch=b64 -S execve -F auid>=1012000 -F auid<=1012999 -k exec_container_user
```

- Captures commands by container user accounts with `auid` between `1012000` and `1012999`.
- Uses the key `exec_container_user` to differentiate these logs from admin activities.
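The three rules only attribute correctly if every `auid` range maps to exactly one key. The following is an added example (not part of this role) that parses the rule lines, derives the key each `auid` should carry, and checks constructed `audit.log` SYSCALL records against them, flagging key/range drift and events with an unset `auid` that the exclude rule should have dropped:

```python
import re

# Constructed copy of the role's three execve rules (example input, not read from the host).
RULES = """
-a always,exit -F arch=b64 -S execve -F auid>=10000 -F auid<=10999 -k exec_metal_admin
-a always,exit -F arch=b64 -S execve -F auid>=1010000 -F auid<=1010999 -k exec_container_admin
-a always,exit -F arch=b64 -S execve -F auid>=1012000 -F auid<=1012999 -k exec_container_user
"""
# Constructed audit.log records, trimmed to the fields the checker reads.
SAMPLE_LOG = """
type=SYSCALL msg=audit(1700000000.101:2001): arch=c000003e syscall=59 success=yes auid=10042 uid=10042 comm="ls" exe="/usr/bin/ls" key="exec_metal_admin"
type=EXECVE msg=audit(1700000000.101:2001): argc=2 a0="ls" a1="-la"
type=SYSCALL msg=audit(1700000000.102:2002): arch=c000003e syscall=59 success=yes auid=1012007 uid=7 comm="id" exe="/usr/bin/id" key="exec_container_user"
type=SYSCALL msg=audit(1700000000.103:2003): arch=c000003e syscall=59 success=yes auid=1012007 uid=7 comm="id" exe="/usr/bin/id" key="exec_container_admin"
type=SYSCALL msg=audit(1700000000.104:2004): arch=c000003e syscall=59 success=yes auid=4294967295 uid=0 comm="cron" exe="/usr/sbin/cron" key=(null)
"""
UNSET_AUID = 4294967295  # auid of processes with no login session; excluded by the noise rules

def parse_rules(text):
    """Map each execve rule's key to its (auid_min, auid_max) filter range."""
    ranges = {}
    for line in text.splitlines():
        if "-S execve" not in line:
            continue
        lo = re.search(r"-F auid>=(\d+)", line)
        hi = re.search(r"-F auid<=(\d+)", line)
        key = re.search(r"-k (\S+)", line)
        if lo and hi and key:
            ranges[key.group(1)] = (int(lo.group(1)), int(hi.group(1)))
    return ranges

def expected_key(auid, ranges):
    """Key the rule set should attach to an event with this auid, or None if no rule matches."""
    for key, (lo, hi) in ranges.items():
        if lo <= auid <= hi:
            return key
    return None

def check_events(log_text, ranges):
    """Per SYSCALL record: (auid, key_seen, key_expected, ok); ok is False on key/range drift or unset auid."""
    results = []
    for line in log_text.splitlines():
        if not line.startswith("type=SYSCALL"):
            continue
        auid = int(re.search(r"\bauid=(\d+)", line).group(1))
        key_m = re.search(r'key="([^"]*)"', line)
        key = key_m.group(1) if key_m else None  # key=(null) yields None
        want = expected_key(auid, ranges)
        results.append((auid, key, want, key == want and auid != UNSET_AUID))
    return results
```

Run it against the output of `ausearch -k <tag> --raw` on a host to confirm that the loaded rules still agree with the documented `auid` ranges.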
---

# Noise Reduction Rules

The following rules exclude specific message types to reduce unnecessary log entries:

```bash
-a exclude,always -F msgtype=CRED_ACQ
-a exclude,always -F msgtype=CRED_DISP
-a exclude,always -F msgtype=CRED_REFR
-a exclude,always -F msgtype=CWD
-a exclude,always -F msgtype=PATH
-a exclude,always -F msgtype=PROCTITLE
-a exclude,always -F msgtype=SERVICE_START
-a exclude,always -F msgtype=SERVICE_STOP
-a exclude,always -F msgtype=SOCKADDR
-a exclude,always -F msgtype=USER_ACCT
-a exclude,always -F msgtype=USER_AUTH
-a exclude,always -F msgtype=USER_END
-a exclude,always -F msgtype=USER_START
-a exclude,always -F auid=4294967295
```

- `-a exclude,always`: Excludes the specified message types from the logs.
- `msgtype=CRED_ACQ`, `CRED_DISP`, `CRED_REFR`: Suppresses logs related to credential acquisition, disposal, and refresh.
- `msgtype=CWD`: Suppresses 'current working directory' logs.
- `msgtype=PATH`: Prevents detailed file path logs.
- `msgtype=PROCTITLE`: Avoids logging the full process title; the `execve` arguments are still recorded in the EXECVE record of each event.
- `msgtype=SERVICE_START/STOP`: Reduces noise by ignoring service start/stop events.
- `msgtype=USER_START`, `USER_ACCT`, `USER_AUTH`, `USER_END`: Filters out general user login/authentication events.
- `msgtype=SOCKADDR`: Omits network-related socket address logs.
- `-F auid=4294967295`: Excludes logs from system processes with an unset audit user ID.

---

# Compliance and Validation

- Ensures all commands executed by admins and specific container users are logged.
- Provides clear user attribution through `auid` filtering, meeting ISO 27001 requirements.
- Noise reduction rules improve the log signal-to-noise ratio, focusing on relevant events.

# Log Shipping

Filebeat is used to send the logs to Elasticsearch for easy access via Kibana.

# Auditd useful commands

Show current audit rules:

```bash
auditctl -l
```

Search logs by tag:

```bash
ausearch -k exec_metal_admin
```

Search by user name or uid number:

```bash
ausearch -ua adm-senke
```