1
00:00:00,000 --> 00:00:09,660
In this video, we'll talk about auditing.

2
00:00:09,660 --> 00:00:14,940
So logging is what is used for writing messages that were generated by specific events to

3
00:00:14,940 --> 00:00:16,900
log files.

4
00:00:16,900 --> 00:00:20,260
Logging is typically initiated by services.

5
00:00:20,260 --> 00:00:22,219
Auditing is much more detailed.

6
00:00:22,219 --> 00:00:27,260
It's a system feature that works at the kernel level and you can use it to do a deep investigation

7
00:00:27,260 --> 00:00:29,980
of what is happening on a system.

8
00:00:29,980 --> 00:00:33,939
To use auditing, the auditd service must be operational.

9
00:00:33,939 --> 00:00:39,380
And that's not always the case by default, so check in systemd if it is running.

10
00:00:39,380 --> 00:00:44,060
And the auditctl command can be used to write specific rules about events that should be

11
00:00:44,060 --> 00:00:45,060
audited.

12
00:00:45,060 --> 00:00:50,380
So you can tweak for yourself and determine what you want to be audited and what not.

13
00:00:50,380 --> 00:00:53,139
In order to do so, you need to understand what to audit.

14
00:00:53,139 --> 00:00:58,320
Well, audit for simple activity using permissions is what you can do.

15
00:00:58,320 --> 00:01:03,980
So there is read and write and execute and attribute change and all of these can be monitored.

16
00:01:03,980 --> 00:01:08,239
You can also do more advanced auditing to have a look at system calls.

17
00:01:08,239 --> 00:01:13,080
Use the -S option with auditctl to do so.

18
00:01:13,080 --> 00:01:16,720
Now when you audit system calls, it's a bit more complex because you must specify the

19
00:01:16,720 --> 00:01:19,379
target architecture.

20
00:01:19,379 --> 00:01:24,940
Now if you write your audit messages, it's always a good idea to use the option -k

21
00:01:24,940 --> 00:01:27,300
followed by a key.

22
00:01:27,300 --> 00:01:29,559
And this key is an identifier.

23
00:01:29,559 --> 00:01:35,459
Because next in the audit log, you can use this key to figure out what has been logged.

24
00:01:35,459 --> 00:01:39,860
When you are auditing, you need to take care of the user IDs that are used.

25
00:01:39,860 --> 00:01:43,699
Because all the user IDs work a little bit differently.

26
00:01:43,699 --> 00:01:47,019
In auditing, you will find the AUID.

27
00:01:47,019 --> 00:01:48,639
That is the audit UID.

28
00:01:48,639 --> 00:01:52,940
And that is the UID that the user originally logged in with.

29
00:01:52,940 --> 00:01:58,820
So regardless of what you do using su or sudo, you will always see the underlying UID

30
00:01:58,820 --> 00:01:59,820
in the AUID.

31
00:01:59,820 --> 00:02:03,379
EUID is the effective user ID.

32
00:02:03,379 --> 00:02:07,260
And that's the user ID that was used to perform the operation.

33
00:02:07,260 --> 00:02:15,100
So if you are in an su shell, your EUID will be the user that you su'd into.

34
00:02:15,100 --> 00:02:18,179
OUID is the object user ID.

35
00:02:18,179 --> 00:02:21,919
And that is the user ID that is used by the target process.

36
00:02:21,919 --> 00:02:28,279
And now we have the UID, which is the real ID of the user that started the process.

37
00:02:28,279 --> 00:02:32,960
To add audit rules, auditctl is the command to use.

38
00:02:32,960 --> 00:02:38,000
Use for instance auditctl -w /etc/motd.

39
00:02:38,000 --> 00:02:39,160
So that is a watch.

40
00:02:39,160 --> 00:02:42,240
We will watch the /etc/motd file.

41
00:02:42,240 --> 00:02:44,300
-p rwxa.

42
00:02:44,300 --> 00:02:49,399
So we are watching for permissions read, write, execute, and attribute change.

43
00:02:49,399 --> 00:02:52,360
So anything that happens to this file will be audited.

44
00:02:52,360 --> 00:02:59,279
And -k is going to write the label test audit.

45
00:02:59,279 --> 00:03:03,839
Now if you want to monitor the output of auditctl, you are going to watch the audit log.

46
00:03:03,839 --> 00:03:06,119
We'll talk about it shortly.

47
00:03:06,119 --> 00:03:09,240
Now anything you type with auditctl is here and now only.

48
00:03:09,240 --> 00:03:10,720
It's not persistent.

49
00:03:10,720 --> 00:03:17,639
If you want to make it persistent, you need to write to /etc/audit/rules.d/audit.rules.

50
00:03:17,639 --> 00:03:18,880
It's pretty easy.

51
00:03:18,880 --> 00:03:23,639
It's the same command without auditctl in front of it.

52
00:03:23,639 --> 00:03:29,399
And you can also make the current rules immutable by adding -e 2 to the end of the audit.rules

53
00:03:29,399 --> 00:03:30,399
file.

54
00:03:30,399 --> 00:03:35,839
Auditing is a security feature, and by adding -e 2, you prevent an intruder from

55
00:03:35,839 --> 00:03:40,399
disabling all of your audit rules.

56
00:03:40,399 --> 00:03:46,039
To investigate the audited events, you can read the audit log directly.

57
00:03:46,039 --> 00:03:48,199
Some people think it's not very readable.

58
00:03:48,199 --> 00:03:52,119
I think you just need to practice a little bit to get used to it.

59
00:03:52,119 --> 00:03:56,600
But because some people think it's not very readable, there are specialized utilities

60
00:03:56,600 --> 00:04:00,960
like ausearch, which helps you to search for specific events.

61
00:04:00,960 --> 00:04:07,479
Use for instance ausearch -k admin_access to show all events that have the

62
00:04:07,479 --> 00:04:09,399
admin_access label.

63
00:04:09,399 --> 00:04:14,000
Hey, you know, ausearch is just a fancy way of doing a grep.

64
00:04:14,000 --> 00:04:20,040
If you do a grep admin_access in audit.log, you see the same result.

65
00:04:20,040 --> 00:04:23,739
But ausearch is frequently used.

66
00:04:23,739 --> 00:04:27,799
So another example is ausearch -m avc.

67
00:04:27,799 --> 00:04:32,480
That will show you all messages that have been logged with the message avc, and that

68
00:04:32,480 --> 00:04:33,920
is SELinux related.

69
00:04:33,920 --> 00:04:36,119
We'll talk about that later.

70
00:04:36,119 --> 00:04:43,239
ausearch -m avc -ts today will do the same, but only for messages that have

71
00:04:43,239 --> 00:04:46,920
the timestamp of today.

72
00:04:46,920 --> 00:04:54,000
And ausearch -m avc -ts today -c httpd will further fine-tune and only show

73
00:04:54,000 --> 00:04:58,040
messages related to the httpd service.

74
00:04:58,040 --> 00:05:03,959
Let me show you a couple of useful examples.

75
00:05:03,959 --> 00:05:11,440
So to start with, auditctl -l is showing that no rules are available.

76
00:05:11,440 --> 00:05:26,000
And I'm going to use auditctl -w /etc/passwd -p wa -k passwd_changes.

77
00:05:26,000 --> 00:05:29,519
I like to put my keys in updates.

78
00:05:29,519 --> 00:05:32,640
Ignore the line about old-style watch rules.

79
00:05:32,640 --> 00:05:36,679
The rule is still working, and this is the kind of information you need to know about

80
00:05:36,679 --> 00:05:37,679
for your exam.

81
00:05:37,679 --> 00:05:38,679
Good.

82
00:05:38,920 --> 00:05:43,000
I'm going to use useradd anna.

83
00:05:43,000 --> 00:05:44,000
Already exists.

84
00:05:44,000 --> 00:05:45,000
Oh, boy.

85
00:05:45,000 --> 00:05:47,279
useradd bia.

86
00:05:47,279 --> 00:05:59,320
And now I'm going to do a grep of passwd_changes in /var/log/audit/audit.log.

87
00:05:59,320 --> 00:06:01,359
And there we can see what has been logged.

88
00:06:01,359 --> 00:06:05,559
So we can see the actual line, a system call.

89
00:06:05,559 --> 00:06:08,239
On architecture, this system call number.

90
00:06:08,239 --> 00:06:11,480
We don't care about the system call number too much.

91
00:06:11,480 --> 00:06:16,239
What we care about is that PID 4125.

92
00:06:16,239 --> 00:06:17,760
That might be interesting.

93
00:06:17,760 --> 00:06:21,920
So PID 4125, AUID 1000.

94
00:06:21,920 --> 00:06:26,600
So the audit user ID, that's the original user, is user 1000.

95
00:06:26,600 --> 00:06:27,839
The UID is zero.

96
00:06:27,839 --> 00:06:34,200
So we can see it has happened from a sudo -i or similar environment, which is confirmed

97
00:06:34,200 --> 00:06:36,640
by the EUID.

98
00:06:36,640 --> 00:06:39,320
And there we can see what has happened.

99
00:06:39,320 --> 00:06:44,480
The command used has been useradd, and the key is passwd_changes.

100
00:06:44,480 --> 00:06:47,000
So a user has been added.

101
00:06:47,000 --> 00:06:48,600
Now you might be wondering when.

102
00:06:48,600 --> 00:06:50,720
Well, that is a funny one.

103
00:06:50,720 --> 00:06:52,880
You can see the when right here.

104
00:06:52,880 --> 00:06:54,480
This is the time.

105
00:06:54,480 --> 00:07:00,040
Now the thing is that this time is not very readable, but if you use date -d, and

106
00:07:00,040 --> 00:07:06,600
then you use an at sign (@) followed by this timestamp, which is an epoch time, you get a nicely translated

107
00:07:06,600 --> 00:07:12,079
timestamp to find out when exactly the password change has happened.

108
00:07:12,079 --> 00:07:14,000
Now let's do another example.

109
00:07:14,000 --> 00:07:28,720
auditctl -a always,exit -S adjtimex -S settimeofday.

110
00:07:28,720 --> 00:07:31,359
This -S is referring to system calls.

111
00:07:31,359 --> 00:07:33,720
These are low-level system operations.

112
00:07:33,720 --> 00:07:41,440
And if they happen, I want to log something with the key time change.

113
00:07:41,440 --> 00:07:45,600
So anytime a time change is going to happen, it will be logged.

114
00:07:45,600 --> 00:07:46,600
Now do we have it?

115
00:07:46,600 --> 00:07:55,000
Grep on time change in /var/log/audit/audit.log.

116
00:07:55,000 --> 00:07:56,000
And look at that.

117
00:07:56,000 --> 00:07:57,000
We can see something.

118
00:07:57,000 --> 00:07:58,000
Well, do we?

119
00:07:58,000 --> 00:07:59,000
No.

120
00:07:59,000 --> 00:08:00,000
The type is config change.

121
00:08:00,000 --> 00:08:02,959
Config change identifies the rule that has been added.

122
00:08:03,200 --> 00:08:05,799
We now need to wait until something is changing the time.

123
00:08:05,799 --> 00:08:11,799
Honestly, I don't want to change the time because time synchronization is used here.

124
00:08:11,799 --> 00:08:20,920
But if you want to, time -s 13:20, and then we grep it again and, oh, it's

125
00:08:20,920 --> 00:08:21,920
not yet there.

126
00:08:21,920 --> 00:08:23,799
Well, it will get there eventually.

127
00:08:23,799 --> 00:08:26,679
Let's have a look at another one, which is very interesting.

128
00:08:26,679 --> 00:08:31,040
auditctl -a always,exit.

129
00:08:31,040 --> 00:08:34,960
This -a is identifying when you want to do the audit.

130
00:08:34,960 --> 00:08:40,599
And here, the always exit means that we always do the audit at the exit of the system call

131
00:08:40,599 --> 00:08:42,719
that we are monitoring.

132
00:08:42,719 --> 00:08:43,960
Now what do I want to do?

133
00:08:43,960 --> 00:08:48,840
I want to filter on -F dir=/home.

134
00:08:48,840 --> 00:08:52,760
So we are filtering activity in the slash home directory.

135
00:08:52,760 --> 00:08:55,359
-F euid=0.

136
00:08:55,359 --> 00:08:58,479
So the effective user ID is zero.

137
00:08:58,479 --> 00:09:07,640
And -C auid!=obj_uid.

138
00:09:07,640 --> 00:09:11,320
The AUID is the user ID of the original user.

139
00:09:11,320 --> 00:09:16,979
The object user ID, that is the user ID of the object that is accessed.

140
00:09:16,979 --> 00:09:20,039
So that will be the user home directory.

141
00:09:20,039 --> 00:09:23,239
And then we are going to log spying.

142
00:09:23,239 --> 00:09:24,719
And why do we do this?

143
00:09:24,719 --> 00:09:29,840
Because this rule makes sure that if anybody from an su shell is accessing a home directory

144
00:09:29,840 --> 00:09:34,719
that doesn't correspond to the home directory of their original user, well, then the message

145
00:09:34,719 --> 00:09:35,520
will be logged.

