I want to enforce my security policies, so my desideratum is to log everything the root user does on a Linux server. The Linux kernel contains a feature called the Linux Audit Framework, which, as the name suggests, is a framework for auditing events on a system.
It seems like it could serve our purpose. Let’s dig in.
Enable Linux Audit Framework
The Linux Audit Framework is already enabled in recent kernels, so your Linux distro should already support it. You just need to ensure you have auditd installed and running. Auditd is responsible for collecting the audit data, which is stored in /var/log/auditd.log.
In Ubuntu, you can install it using the following command, which also installs related useful tools:
sudo apt install auditd
The main tools you will need are auditctl (the client for managing audit rules) and ausearch (the event viewer client).
The framework also includes the following tools: audispd, aureport, autrace, aulast, aulastlog, ausyscall, auvirt.
Enable root execve syscall logging
Our main objective is to monitor the execve syscall whenever the effective UID (user ID) is 0 (root). This lets us log both commands run from a root shell and commands run through sudo.
auditctl -a exit,always -F euid=0 -F arch=b64 -S execve -k root-execve
auditctl -a exit,always -F euid=0 -F arch=b32 -S execve -k root-execve
These commands will:
- set a rule which applies at the exit of the syscall, with the always policy
- filter for effective UID equal to 0
- filter for binary architecture (one rule for 64-bit syscalls, one for 32-bit syscalls)
- filter for the execve syscall
- tag events with the key root-execve
Enable stricter root actions logging
If we want to log all actions involving root, not just command execution, we can use a permission-based filter as follows:
auditctl -a exit,always -F euid=0 -F perm=awx -S all -k root-actions
The logic is the same as above, but we filter on permissions and use a wildcard for the syscalls. In this case, we are logging:
- command executions
- file writing
- file attribute changes
Take a look at man auditctl to discover all Linux Audit Framework capabilities.
You can list the currently loaded rules using:
auditctl -l
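The auditctl commands above load rules into the running kernel only; they are gone after a reboot. The following is an added example, not part of the original post, that writes the two execve rules into a rules file of the kind auditd reads at start-up and loads them with augenrules. The rules directory is a parameter so the functions can be exercised without root; on a real host it is /etc/audit/rules.d. The file name 50-root-execve.rules is an assumption, not a name the post uses.

```shell
#!/bin/sh
# Added example: persist the root-execve rules so they survive a reboot.
# Assumption: the rules directory is passed in (real path: /etc/audit/rules.d)
# so this can be run without root; the file name 50-root-execve.rules is ours.

RULES_KEY="root-execve"

# root_execve_rules: print the rule lines, one per syscall architecture.
# Both arch lines are needed: a 32-bit binary on a 64-bit host goes through
# the b32 syscall table and would otherwise be missed.
root_execve_rules() {
    for arch in b64 b32; do
        printf '%s exit,always -F arch=%s -F euid=0 -S execve -k %s\n' \
            "-a" "$arch" "$RULES_KEY"
    done
}

# write_rules_file DIR: write the rules to DIR/50-root-execve.rules and print
# the path. Idempotent: it rewrites the same content on every run.
write_rules_file() {
    dir="$1"
    mkdir -p "$dir"
    out="$dir/50-root-execve.rules"
    {
        echo "## Log every execve made with effective uid 0 (root shells and sudo)"
        root_execve_rules
    } > "$out"
    echo "$out"
}

# count_rules FILE: number of active rule lines (comments and blanks excluded).
count_rules() {
    grep -c '^-' "$1"
}

# load_rules: only meaningful on a host with auditd installed. augenrules
# merges /etc/audit/rules.d/*.rules into /etc/audit/audit.rules and loads them.
load_rules() {
    if command -v augenrules >/dev/null 2>&1; then
        augenrules --load
    else
        echo "augenrules not found; install auditd first" >&2
        return 1
    fi
}

# Stand-alone run against a temporary directory (no root needed)
tmp=$(mktemp -d)
f=$(write_rules_file "$tmp")
cat "$f"
echo "active rules: $(count_rules "$f")"
```

After `load_rules` on a real host, `auditctl -l` should show both lines. The broader `-F perm=awx -S all` rule from the post can be appended to the same file in the same way; expect a much higher event volume from it, since every root file write and attribute change becomes a record.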
Delete a rule or all rules
You can delete a rule using -d instead of -a, followed by the full specification of the rule as it was added.
You can also clear all rules with:
auditctl -D
Using the event viewer: ausearch
If you are looking for a specific event, you can use ausearch.
ausearch -k TAG_NAME
TAG_NAME is root-execve or root-actions, the keys we defined before.
The ausearch command is quite complex, so take a look at its man page.
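When the raw log is shipped to another host, ausearch is not available there, and the root-execve events have to be reconstructed from the records themselves: an execve produces a SYSCALL record carrying the key, and an EXECVE record carrying the argument vector, both sharing the same event id in msg=audit(...). The following is an added example, not code from the original post, that joins those two records with awk and prints one line per root command. The log lines are constructed samples in the native auditd format, and the field layout follows the audit.log record format, not the ausearch -i interpreted output.

```shell
#!/bin/sh
# Added example: reconstruct root command lines from raw audit.log records
# tagged root-execve. The records below are constructed samples.

# Three events: serial 101 and 103 are root execve events matched by our rule;
# serial 102 is an unrelated openat() by a regular user (different key).
SAMPLE_AUDIT_LOG='type=SYSCALL msg=audit(1700000000.101:101): arch=c000003e syscall=59 success=yes exit=0 a0=55d0 a1=55d1 a2=55d2 a3=0 items=2 ppid=4000 pid=4001 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=5 comm="cat" exe="/usr/bin/cat" key="root-execve"
type=EXECVE msg=audit(1700000000.101:101): argc=2 a0="cat" a1="/etc/shadow"
type=CWD msg=audit(1700000000.101:101): cwd="/root"
type=SYSCALL msg=audit(1700000000.102:102): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55e0 a2=0 a3=0 items=1 ppid=4000 pid=4002 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=6 comm="less" exe="/usr/bin/less" key="root-actions"
type=SYSCALL msg=audit(1700000000.103:103): arch=c000003e syscall=59 success=yes exit=0 a0=55d0 a1=55d1 a2=55d2 a3=0 items=2 ppid=4000 pid=4003 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=7 comm="useradd" exe="/usr/sbin/useradd" key="root-execve"
type=EXECVE msg=audit(1700000000.103:103): argc=3 a0="useradd" a1="-m" a2="backup"'

# root_commands KEY [FILE]: print one line per execve event tagged KEY:
#   <epoch.ms:serial> auid=<login uid> <exe> <argv...>
# auid is the login uid, which survives sudo and su, so it identifies the
# human who ran the root command. Reads stdin when FILE is omitted.
root_commands() {
    key="$1"; file="${2:--}"
    awk -v key="$key" '
        # event id is the "epoch.ms:serial" inside msg=audit(...)
        { match($0, /msg=audit\([^)]*\)/); id = substr($0, RSTART + 10, RLENGTH - 11) }
        $1 == "type=SYSCALL" && index($0, " key=\"" key "\"") {
            auid = ""; exe = ""
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^auid=/) auid = substr($i, 6)
                if ($i ~ /^exe=/)  { exe = substr($i, 5); gsub(/"/, "", exe) }
            }
            hdr[id] = id " auid=" auid " " exe
            order[++n] = id
        }
        $1 == "type=EXECVE" {
            argv = ""
            for (i = 3; i <= NF; i++) {
                if ($i ~ /^a[0-9]+=/) {
                    v = $i; sub(/^a[0-9]+=/, "", v); gsub(/"/, "", v)
                    argv = argv " " v
                }
            }
            args[id] = argv
        }
        # print in log order, only events that had both records
        END { for (i = 1; i <= n; i++) if (order[i] in args) print hdr[order[i]] args[order[i]] }
    ' "$file"
}

# Stand-alone run on the constructed sample
printf '%s\n' "$SAMPLE_AUDIT_LOG" | root_commands root-execve
```

Two limitations worth knowing before relying on this: auditd writes an argument containing spaces or non-printable bytes as an unquoted hex string, which this awk passes through as-is, and a busy system can interleave records of different events, which the join by event id handles but a plain grep would not.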