The audit package is installed in Centos8 by default. If not installed, use the following command to add:
[root@localhost ~]# yum -y install audit
Audit configuration file / etc/audit/auditd.conf. This file contains default parameters to change the behavior of the auditd daemon.
Management audit services
After configuring auditd, start the service to collect audit information:
# service auditd start
The only reason to use the service command instead of systemctl is to record the user ID (UID) value correctly.
# systemctl enable auditd
Define audit rules
Using the auditctl tool, you can add audit rules to any system call you want. The rules are executed sequentially.
Next, define the monitoring rules. This rule tracks whether a file or directory is triggered by certain types of access, including read, write, execute, and property changes.
The syntax for defining rules is:
auditctl -w path_to_file -p permissions -k key_name
To audit user creation operations, first add monitoring to the / etc/passwd file to track write and attribute change access, and add a custom key to record all messages (this custom key can be used to filter log messages):
[root@localhost ~]# auditctl -w /etc/passwd -p wa -k user-modify
Next, add a new user. Doing so changes the / etc/passwd file:
[root@localhost ~]# useradd user01
Finally, check that auditd records the changes. By default, auditd stores logs in the / var/log/audit/audit.log file:
[root@localhost ~]# cat /var/log/audit/audit.log | grep user-modify
Define persistent audit rules
To keep audit rules unchanged after reboot, add them to the / etc/audit/rules.d/audit.rules file.
Next, define persistence rules in the audit.rules file to monitor changes to the / etc/passwd file.
-w /etc/passwd -p wa -k user-modify
Save the file and reload the auditd daemon to make changes to the configuration in the rules file:
[root@localhost ~]# service auditd reload
You can run auditctl -l to list rules:
[root@localhost ~]# auditctl -l -w /etc/passwd -p wa -k user-modify
Finally, adding a new user or changing the / etc/passwd file will start the audit. The changes are recorded in / var/log/audit/audit.log, and the rules still exist even if the system is restarted.
Search audit log
Use the ausearch tool to search the audit log. By default, it searches the / var/log/audit/audit.log file.
For example, according to the key_name searches log entries and searches for user modify related:
[root@localhost ~]# ausearch -i -k user-modify
Create audit report
Use the aureport tool to query and create audit reports based on audit logs.
[root@localhost ~]# aureport
To view a report on attempted authentication:
[root@localhost ~]# aureport -au Authentication Report ============================================ # date time acct host term exe success event ============================================ 1. 11/10/2021 23:42:19 root localhost.localdomain tty1 /usr/bin/login yes 81 2. 11/10/2021 23:44:08 root 192.168.43.1 ssh /usr/sbin/sshd yes 111 3. 11/10/2021 23:54:31 root 192.168.43.1 ssh /usr/sbin/sshd yes 76 4. 11/11/2021 00:44:30 root 192.168.43.1 ssh /usr/sbin/sshd yes 81 5. 11/11/2021 00:58:41 root 192.168.43.1 ssh /usr/sbin/sshd yes 131 6. 11/11/2021 01:13:12 root 192.168.43.1 ssh /usr/sbin/sshd no 156
Where no represents authentication failure. yes means the verification is successful.
In this article, you learned how to use auditctl to temporarily define auditd rules and permanently define them in the audit.rules file. Finally, the audit log is searched and the audit report is generated by using ausearch and aureport commands respectively.