
Many thanks for @Romeo Ninov's help! The mistakes I made are:

  • should use the file /etc/audit/rules.d/audit.rules to add a rule on Red Hat 7 & 8
  • should use service auditd restart to restart auditctl so that the new rule takes effect
  • should use ausearch -k testing to search the audit trails
  • should remove the -a task,never line from /etc/audit/rules.d/audit.rules, which suppresses syscall auditing for all tasks started

I added a rule in /etc/audit/rules.d/audit.rules and executed reboot, since the audit daemon cannot be restarted by systemctl restart.

root@localhost:~# cat /etc/audit/rules.d/audit.rules
## This set of rules is to suppress the performance effects of the
## audit system. The result is that you only get hardwired events.
-D

## This suppresses syscall auditing for all tasks started
## with this rule in effect.  Remove it if you need syscall
## auditing.
-a task,never

-w /root/testing/ -p rwxa -k testing

root@localhost:~# systemctl restart auditd.service
Failed to restart auditd.service: Operation refused, unit auditd.service may be requested by dependency only (it is configured to refuse manual start/stop).
See system logs and 'systemctl status auditd.service' for details.

After some time the server is up and I log in via ssh:

root@localhost:~# service auditd status
Redirecting to /bin/systemctl status auditd.service
● auditd.service - Security Audit Logging Service
     Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; preset: enabled)
    Drop-In: /usr/lib/systemd/system/service.d
             └─10-timeout-abort.conf
     Active: active (running) since Sat 2024-06-22 17:51:41 CST; 24s ago
       Docs: man:auditd(8)
             https://github.com/linux-audit/audit-documentation
    Process: 795 ExecStart=/usr/sbin/auditd (code=exited, status=0/SUCCESS)
   Main PID: 797 (auditd)
      Tasks: 4 (limit: 2257)
     Memory: 2.8M (peak: 3.1M)
        CPU: 24ms
     CGroup: /system.slice/auditd.service
             ├─797 /usr/sbin/auditd
             └─799 /usr/sbin/sedispatch

Jun 22 17:51:41 localhost systemd[1]: Starting auditd.service - Security Audit Logging Service...
Jun 22 17:51:41 localhost auditd[797]: audit dispatcher initialized with q_depth=2000 and 1 active plugins
Jun 22 17:51:41 localhost auditd[797]: Init complete, auditd 4.0.1 listening for events (startup state enable)
Jun 22 17:51:41 localhost systemd[1]: Started auditd.service - Security Audit Logging Service.
root@localhost:~# 
root@localhost:~# auditctl -l
-a never,task
-w /root/testing -p rwxa -k testing
root@localhost:~# 

I create bar.txt under /root/testing, edit foo.txt to add a new line foo.txt to it, and delete bar.txt:

root@localhost:~/testing# vim bar.txt
root@localhost:~/testing# vim foo.txt
root@localhost:~/testing# rm -f bar.txt
root@localhost:~/testing# cat foo.txt
foo.txt
foo.txt

I expect to get an audit trail in the log file, so I can see when someone creates and edits files under the /root/testing/ folder and when a file is deleted, but it failed:

root@localhost:~/testing# grep "testing" /var/log/audit/audit.log
type=CONFIG_CHANGE msg=audit(1718981523.208:192): auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 op=add_rule key="testing" list=4 res=1AUID="unset"
type=CONFIG_CHANGE msg=audit(1719049566.384:285): auid=0 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op=remove_rule key="testing" list=4 res=1AUID="root"
root@localhost:~/testing# 

Many thanks for your help!

1 Answer

A few points to consider. This does not work for you because audit monitors a different folder:

root@localhost:~# auditctl -l
-a never,task
-w /tmp/testing -p rwxa -k testing

Next, I am not sure you need -D as the first line in the audit rules file.

And your rules file is probably in the wrong place; put it in:

/etc/audit/rules.d/audit.rules

(this is recommended for RHEL 7, 8, 9)

And do not forget to restart the audit daemon after changing the configuration:

systemctl restart auditd.service

P.S. Unfortunately systemctl does not work for the audit daemon, so the restart should be done via:

service auditd restart

And answering your concern: it works and adds records for edit, remove, etc. I added a rule like this:

auditctl -w /root/test/ -p rwxa -k testing

and the result is

[root@rh9-1 test]# ausearch -k testing
----
<snip>
----
time->Sat Jun 22 15:26:50 2024
type=PROCTITLE msg=audit(1719059210.373:105): proctitle=726D002D690062
type=PATH msg=audit(1719059210.373:105): item=1 name="b" inode=656718 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unlabeled nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1719059210.373:105): item=0 name="/root/test" inode=655414 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=unlabeled nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1719059210.373:105): cwd="/root/test"
type=SYSCALL msg=audit(1719059210.373:105): arch=c000003e syscall=263 success=yes exit=0 a0=ffffff9c a1=5570b6183630 a2=0 a3=20 items=2 ppid=1266 pid=1355 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="rm" exe="/usr/bin/rm" subj=kernel key="testing"

The above removes the file named b from the directory /root/test.

  • Hi Romeo, many thanks for your help! I added the rule to the better location and retried just now. Unfortunately, I am still unable to find valuable logs. I have updated the question; could you please take a look? Commented Jun 22 at 10:03
  • @ildvzg68472, please check my edited answer Commented Jun 22 at 12:38
  • Many thanks @Romeo Ninov! Following your advice and commenting out -a task,never in /etc/audit/rules.d/audit.rules, I can get the valuable logs! Commented Jun 22 at 14:01
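The thread boils down to two silent failure modes: a watch on a path other than the one being tested, and an "-a task,never" line that keeps every -w watch from ever producing a SYSCALL/PATH record. The following script is an added example (not code from the question or the answer) that lints a rules file for both before you load it; lint_audit_rules and reload_and_verify are hypothetical helper names, and the sample rules files are constructed here so the script runs offline.

```bash
#!/bin/bash
# Added example (not from the original post): lint an audit rules file for the
# two pitfalls from this thread before loading it: a "-a task,never" line that
# silently suppresses every -w watch, and a watched path that does not exist.
# lint_audit_rules and reload_and_verify are hypothetical helper names.

# lint_audit_rules FILE: returns 1 if -w watches are present together with
# "-a task,never" (auditctl -l prints it as "-a never,task"), else 0.
lint_audit_rules() {
    local file=$1 rc=0 watches=0 task_never=0 line
    while IFS= read -r line; do
        line=${line#"${line%%[![:space:]]*}"}      # trim leading whitespace
        case "$line" in
            ''|'#'*) continue ;;                    # blank lines and comments
            -D*) ;;                                 # -D only flushes the old rules
            '-w '*)
                watches=$((watches + 1))
                set -- $line                        # $2 is the watched path
                [ -e "$2" ] || printf 'note: watched path %s does not exist here\n' "$2" ;;
            '-a task,never'*|'-a never,task'*) task_never=1 ;;
        esac
    done < "$file"
    if [ "$task_never" -eq 1 ] && [ "$watches" -gt 0 ]; then
        printf 'ERROR: "-a task,never" suppresses syscall auditing; %d -w watch(es) will never log. Remove it.\n' "$watches"
        rc=1
    fi
    return "$rc"
}

# reload_and_verify KEY: the procedure from the answer; needs root and auditd.
reload_and_verify() {
    service auditd restart && auditctl -l && ausearch -k "$1"
}

# Constructed samples: the asker's original file and the corrected one.
broken=$(mktemp) && fixed=$(mktemp)
cat > "$broken" <<'EOF'
-D
-a task,never
-w /root/testing/ -p rwxa -k testing
EOF
sed '/^-a task,never/d' "$broken" > "$fixed"

lint_audit_rules "$broken" || echo "broken file rejected (exit $?)"
lint_audit_rules "$fixed" && echo "fixed file accepted"
```

On a real host, point lint_audit_rules at /etc/audit/rules.d/audit.rules and, once it passes, run reload_and_verify testing to confirm the watch is listed and events arrive.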
