92 lines
3.3 KiB
Markdown
92 lines
3.3 KiB
Markdown
# Auditd
|
|
|
|
This roles installs auditd and activate it with 3 differents logging tags that are described bellow:
|
|
1. exec_metal_admin
|
|
1. exec_container_admin
|
|
1. exec_container_user
|
|
|
|
## 1. Logging Commands by Admins on the Host
|
|
```bash
|
|
-a always,exit -F arch=b64 -S execve -F auid>=10000 -F auid<=10999 -k exec_metal_admin
|
|
```
|
|
|
|
- `-a always,exit`: Always log on syscall exit.
|
|
- `-F arch=b64`: Specifies the 64-bit architecture (`b64`).
|
|
- `-S execve`: Monitors the `execve` syscall, capturing all program executions.
|
|
- `-F auid>=10000 -F auid<=10999`: Filters logs for admin accounts with `auid` (Audit User ID) in the specified range, typically representing admin users on the host.
|
|
- `-k exec_metal_admin`: Tags logs with the key `exec_metal_admin` for easier log filtering.
|
|
|
|
## 2. Logging Commands by Admins in Containers
|
|
```bash
|
|
-a always,exit -F arch=b64 -S execve -F auid>=1010000 -F auid<=1010999 -k exec_container_admin
|
|
```
|
|
|
|
- Similar to the first rule but applied to container environments.
|
|
- The `auid` range (`1010000` to `1010999`) is intended for admin users within containers using ID mapping.
|
|
|
|
## 3. Logging Commands by Non-Admin Users in Containers
|
|
```bash
|
|
-a always,exit -F arch=b64 -S execve -F auid>=1012000 -F auid<=1012999 -k exec_container_user
|
|
```
|
|
|
|
- Captures commands by container user accounts with `auid` between `1012000` and `1012999`.
|
|
- Uses the key `exec_container_user` to differentiate these logs from admin activities.
|
|
|
|
---
|
|
|
|
# Noise Reduction Rules
|
|
|
|
The following rules exclude specific message types to reduce unnecessary log entries:
|
|
|
|
```bash
|
|
-a exclude,always -F msgtype=CRED_ACQ
|
|
-a exclude,always -F msgtype=CRED_DISP
|
|
-a exclude,always -F msgtype=CRED_REFR
|
|
-a exclude,always -F msgtype=CWD
|
|
-a exclude,always -F msgtype=PATH
|
|
-a exclude,always -F msgtype=PROCTITLE
|
|
-a exclude,always -F msgtype=SERVICE_START
|
|
-a exclude,always -F msgtype=SERVICE_STOP
|
|
-a exclude,always -F msgtype=SOCKADDR
|
|
-a exclude,always -F msgtype=USER_ACCT
|
|
-a exclude,always -F msgtype=USER_AUTH
|
|
-a exclude,always -F msgtype=USER_END
|
|
-a exclude,always -F msgtype=USER_START
|
|
-a exclude,always -F auid=4294967295
|
|
```
|
|
|
|
- `-a exclude,always`: Excludes specified message types from logs.
|
|
- `msgtype=CRED_ACQ`, `CRED_DISP`, `CRED_REFR`: Suppresses logs related to credential acquisition, disposal, and refresh.
|
|
- `msgtype=CWD`: Suppresses 'current working directory' logs.
|
|
- `msgtype=PATH`: Prevents detailed file path logs.
|
|
- `msgtype=PROCTITLE`: Avoids logging full commands with arguments.
|
|
- `msgtype=SERVICE_START/STOP`: Reduces noise by ignoring service start/stop events.
|
|
- `msgtype=USER_START`, `USER_ACCT`, `USER_AUTH`, `USER_END`: Filters out general user login/authentication events.
|
|
- `msgtype=SOCKADDR`: Omits network-related socket address logs.
|
|
- `-F auid=4294967295`: Excludes logs from system processes with an unset audit user ID.
|
|
|
|
---
|
|
|
|
# Compliance and Validation
|
|
|
|
- Ensures all executed commands by admins and specific container users are logged.
|
|
- Provides clear user attribution through `auid` filtering, meeting ISO 27001 requirements.
|
|
- Noise reduction rules enhance the log signal-to-noise ratio, focusing on relevant events.
|
|
|
|
# Log Shipping
|
|
Filebeat is used to send the logs to Elasticsearch for easy access via Kibana.
|
|
|
|
# Auditd useful commands
|
|
|
|
Show current audit rules:
|
|
```
|
|
auditctl -l
|
|
```
|
|
Search logs by tags:
|
|
```
|
|
ausearch -k exec_metal_admin
|
|
```
|
|
Search by uid or uidnumber:
|
|
```
|
|
ausearch -ua adm-senke
|
|
```
|