veza/ansible/roles/auditd/readme.md
2025-12-03 22:56:50 +01:00

Auditd

This role installs auditd and enables it with three different logging keys (tags), described below:

  1. exec_metal_admin
  2. exec_container_admin
  3. exec_container_user

1. Logging Commands by Admins on the Host

-a always,exit -F arch=b64 -S execve -F auid>=10000 -F auid<=10999 -k exec_metal_admin
  • -a always,exit: Append the rule to the syscall exit list with action always, i.e. emit a record every time a matching syscall returns.
  • -F arch=b64: Match the 64-bit syscall ABI only. 32-bit binaries issue execve through the b32 ABI and are not covered unless an equivalent -F arch=b32 rule is also loaded.
  • -S execve: Monitor the execve syscall, i.e. every program execution. The kernel emits an EXECVE record carrying argv alongside the SYSCALL record.
  • -F auid>=10000 -F auid<=10999: Restrict the rule to login sessions whose audit user ID (auid) falls in the range reserved for admin accounts on the host. The auid is set once at login (pam_loginuid) and inherited by every child process, including across sudo and su, so commands executed as root are still attributed to the admin who logged in.
  • -k exec_metal_admin: Tag matching records with the key exec_metal_admin for filtering (ausearch -k exec_metal_admin).

2. Logging Commands by Admins in Containers

-a always,exit -F arch=b64 -S execve -F auid>=1010000 -F auid<=1010999 -k exec_container_admin
  • Same rule as above, restricted to the auid range of admin accounts inside containers.
  • Containers run with user-namespace ID mapping, and the kernel records the auid as the host-side (mapped) ID, so container admin UIDs land in the offset range 1010000 to 1010999 rather than in the host admin range.

3. Logging Commands by Non-Admin Users in Containers

-a always,exit -F arch=b64 -S execve -F auid>=1012000 -F auid<=1012999 -k exec_container_user
  • Captures commands by container user accounts with auid between 1012000 and 1012999.
  • Uses the key exec_container_user to differentiate these logs from admin activities.

Noise Reduction Rules

The following rules exclude specific message types to reduce unnecessary log entries:

-a exclude,always -F msgtype=CRED_ACQ
-a exclude,always -F msgtype=CRED_DISP
-a exclude,always -F msgtype=CRED_REFR
-a exclude,always -F msgtype=CWD
-a exclude,always -F msgtype=PATH
-a exclude,always -F msgtype=PROCTITLE
-a exclude,always -F msgtype=SERVICE_START
-a exclude,always -F msgtype=SERVICE_STOP
-a exclude,always -F msgtype=SOCKADDR
-a exclude,always -F msgtype=USER_ACCT
-a exclude,always -F msgtype=USER_AUTH
-a exclude,always -F msgtype=USER_END
-a exclude,always -F msgtype=USER_START
-a exclude,always -F auid=4294967295
  • -a exclude,always: Drop records of the given type (or matching the given auid) before they are written. The filter applies per record, not per event, so the remaining records of an execve event are still logged.
  • msgtype=CRED_ACQ, CRED_DISP, CRED_REFR: Suppress PAM credential acquisition, disposal and refresh records.
  • msgtype=CWD: Suppress the 'current working directory' record of each syscall event.
  • msgtype=PATH: Suppress the per-path records (resolved filename, inode, device, mode) of each syscall event. The SYSCALL record still carries exe= and comm=, so the executed binary remains visible.
  • msgtype=PROCTITLE: Suppress the hex-encoded copy of /proc/PID/cmdline. The EXECVE record still carries argv (argc, a0, a1, ...), so full command lines remain recoverable.
  • msgtype=SERVICE_START/STOP: Ignore systemd unit start/stop records.
  • msgtype=USER_START, USER_ACCT, USER_AUTH, USER_END: Drop login, authentication and session start/end records. Session evidence must then come from the auid and ses fields of the execve records or from other logs (journal, auth.log).
  • msgtype=SOCKADDR: Omit socket address records.
  • -F auid=4294967295: Exclude records whose audit user ID is unset (-1 as an unsigned 32-bit value), i.e. processes that never belonged to a login session, such as daemons started at boot.
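The attribution that the three execve rules and the noise reduction rules together produce can be checked offline. The following is an added example, not code from this role: it parses raw /var/log/audit/audit.log lines (the format written by auditd and printed by ausearch --raw, not the interpreted ausearch -i output), joins the SYSCALL and EXECVE records of one event by their serial number, decodes hex-encoded EXECVE arguments, and classifies each event by the auid ranges above. It also reports events whose key does not agree with the auid range, which is the check to run after changing either the rules or the ID layout. The log lines in SAMPLE_LOG are constructed for the example, and the AUID_CLASSES table restates the ranges from this readme.

```python
"""Attribute audited execve() events to the three auid ranges used by this role.

Added example, not part of the role. Works on raw audit.log lines; SAMPLE_LOG
below is constructed, not captured from a real host.
"""
import re
from collections import defaultdict

# auid ranges and keys taken from the role's rules: host admin, container admin, container user.
AUID_CLASSES = {
    "exec_metal_admin": (10000, 10999),
    "exec_container_admin": (1010000, 1010999),
    "exec_container_user": (1012000, 1012999),
}
AUID_UNSET = 4294967295  # -1 as u32: never part of a login session (daemons, boot-time processes)

_HEADER = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
_FIELD = re.compile(r'(?P<key>[\w-]+)=(?P<val>"[^"]*"|\([^)]*\)|\S+)')


def parse_record(line):
    """Split one raw audit line into type, timestamp, serial and a dict of raw field values."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    fields = {f.group("key"): f.group("val") for f in _FIELD.finditer(m.group("body"))}
    return {"type": m.group("type"), "ts": float(m.group("ts")),
            "serial": int(m.group("serial")), "fields": fields}


def decode_value(raw):
    """auditd quotes printable values; values containing spaces or control bytes are hex-encoded."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if raw == "(null)":
        return None
    if len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", raw):
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw


def classify_auid(auid):
    """Map an auid to the role's key name; None for an unset auid, 'unclassified' for any other ID."""
    if auid == AUID_UNSET:
        return None
    for name, (lo, hi) in AUID_CLASSES.items():
        if lo <= auid <= hi:
            return name
    return "unclassified"


def execve_events(lines):
    """Join SYSCALL+EXECVE records by serial and attribute each execution to an auid class."""
    by_serial = defaultdict(dict)
    for line in lines:
        rec = parse_record(line)
        if rec:
            by_serial[rec["serial"]][rec["type"]] = rec
    events = []
    for serial, recs in sorted(by_serial.items()):
        sc, ex = recs.get("SYSCALL"), recs.get("EXECVE")
        if not sc or not ex:
            continue
        auid = int(sc["fields"].get("auid", AUID_UNSET))
        cls = classify_auid(auid)
        if cls is None:
            continue  # no login session behind it: nothing to attribute to a person
        argc = int(ex["fields"].get("argc", "0"))
        # argv survives the PROCTITLE/PATH exclusions: it lives in the EXECVE record
        argv = [decode_value(ex["fields"].get(f"a{i}", '""')) for i in range(argc)]
        events.append({
            "serial": serial, "auid": auid, "class": cls,
            "key": decode_value(sc["fields"].get("key", "(null)")),
            "exe": decode_value(sc["fields"].get("exe", '""')),
            "argv": argv,
            "success": sc["fields"].get("success") == "yes",
        })
    return events


def key_mismatches(events):
    """Events whose recorded key disagrees with the auid range: the rules and the ID layout have drifted."""
    return [e for e in events if e["key"] != e["class"]]


# Constructed sample: host admin, container admin (with a hex-encoded argument), container user,
# and a daemon with an unset auid that the exclude rule would normally drop.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1733262000.101:4711): arch=c000003e syscall=59 success=yes exit=0 a0=55d0 a1=55d1 a2=55d2 a3=0 items=2 ppid=3100 pid=3101 auid=10042 uid=0 gid=0 euid=0 tty=pts0 ses=7 comm="systemctl" exe="/usr/bin/systemctl" subj=unconfined key="exec_metal_admin"
type=EXECVE msg=audit(1733262000.101:4711): argc=3 a0="systemctl" a1="restart" a2="nginx"
type=SYSCALL msg=audit(1733262000.250:4712): arch=c000003e syscall=59 success=yes exit=0 a0=55e0 a1=55e1 a2=55e2 a3=0 items=2 ppid=4200 pid=4201 auid=1010007 uid=1010000 gid=1010000 euid=1010000 tty=pts1 ses=9 comm="sh" exe="/usr/bin/dash" subj=unconfined key="exec_container_admin"
type=EXECVE msg=audit(1733262000.250:4712): argc=3 a0="sh" a1="-c" a2=6563686F2068656C6C6F
type=SYSCALL msg=audit(1733262000.300:4713): arch=c000003e syscall=59 success=yes exit=0 a0=55f0 a1=55f1 a2=55f2 a3=0 items=2 ppid=5300 pid=5301 auid=1012345 uid=1012345 gid=1012345 euid=1012345 tty=pts2 ses=11 comm="bash" exe="/usr/bin/bash" subj=unconfined key="exec_container_user"
type=EXECVE msg=audit(1733262000.300:4713): argc=2 a0="cat" a1="/etc/shadow"
type=SYSCALL msg=audit(1733262000.400:4714): arch=c000003e syscall=59 success=yes exit=0 a0=5600 a1=5601 a2=5602 a3=0 items=2 ppid=1 pid=6000 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) ses=4294967295 comm="cron" exe="/usr/sbin/cron" subj=unconfined key=(null)
type=EXECVE msg=audit(1733262000.400:4714): argc=1 a0="cron"
"""

if __name__ == "__main__":
    for e in execve_events(SAMPLE_LOG.splitlines()):
        print(f"{e['serial']} auid={e['auid']} [{e['class']}] {' '.join(map(str, e['argv']))}")
    print("key/range mismatches:", key_mismatches(execve_events(SAMPLE_LOG.splitlines())))
```

On a real host, feed it ausearch -k exec_metal_admin --raw (or the whole audit.log); a non-empty result from key_mismatches means an ID range was changed in one place but not the other.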

Compliance and Validation

  • Ensures all executed commands by admins and specific container users are logged.
  • Provides clear user attribution through auid filtering, meeting ISO 27001 requirements.
  • Noise reduction rules enhance the log signal-to-noise ratio, focusing on relevant events.

Log Shipping

Filebeat ships the audit log to Elasticsearch, where it can be searched in Kibana.

Auditd useful commands

Show current audit rules:

auditctl -l

Search logs by tags:

ausearch -k exec_metal_admin

Search by user, given as a name or numeric ID (-ua matches uid, euid and auid):

ausearch -ua adm-senke