@MEhrn00
Created December 18, 2024 05:16
Examples of collecting telemetry for various telemetry categories with auditd.

Telemetry

Test Environment

OS: Rocky Linux 9.5
Kernel: 5.14
Auditctl: version 3.1.5

Process Activity

Process Termination

Process termination can be monitored with rules on the exit, exit_group and kill syscalls.

-a always,exit -F arch=b64 -S exit,exit_group -k process_termination
-a always,exit -F arch=b32 -S exit,exit_group -k process_termination

-a always,exit -F arch=b64 -S kill -k process_termination
-a always,exit -F arch=b32 -S kill -k process_termination

$ sleep 5
$ sudo ausearch -i -k process_termination
----
type=PROCTITLE msg=audit(12/17/2024 21:00:55.127:1365) : proctitle=sleep 5
type=SYSCALL msg=audit(12/17/2024 21:00:55.127:1365) : arch=x86_64 syscall=exit_group a0=EXIT_SUCCESS a1=0xffffffffffffff88 a2=0xe7 a3=0x7ffeed6183c0 items=0 ppid=2380 pid=2413 auid=myallow_a@ad.xnet.corp uid=myallow_a@ad.xnet.corp gid=myallow_a@ad.xnet.corp euid=myallow_a@ad.xnet.corp suid=myallow_a@ad.xnet.corp fsuid=myallow_a@ad.xnet.corp egid=myallow_a@ad.xnet.corp sgid=myallow_a@ad.xnet.corp fsgid=myallow_a@ad.xnet.corp tty=pts1 ses=5 comm=sleep exe=/usr/bin/sleep subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=process_termination

$ sleep 30 &
[1] 2435
$ kill 2435
$ sudo ausearch -i -k process_termination
type=PROCTITLE msg=audit(12/17/2024 21:03:25.116:1399) : proctitle=-sh
type=OBJ_PID msg=audit(12/17/2024 21:03:25.116:1399) : opid=2435 oauid=myallow_a@ad.xnet.corp ouid=myallow_a@ad.xnet.corp oses=5 obj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 ocomm=sleep
type=SYSCALL msg=audit(12/17/2024 21:03:25.116:1399) : arch=x86_64 syscall=kill success=yes exit=0 a0=0x983 a1=SIGTERM a2=0x0 a3=0x7fb4bcb9eac0 items=0 ppid=2379 pid=2380 auid=myallow_a@ad.xnet.corp uid=myallow_a@ad.xnet.corp gid=myallow_a@ad.xnet.corp euid=myallow_a@ad.xnet.corp suid=myallow_a@ad.xnet.corp fsuid=myallow_a@ad.xnet.corp egid=myallow_a@ad.xnet.corp sgid=myallow_a@ad.xnet.corp fsgid=myallow_a@ad.xnet.corp tty=pts1 ses=5 comm=sh exe=/usr/bin/bash subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=process_termination

A termination via kill additionally carries an OBJ_PID record with context about the signalled process (its pid as opid, comm as ocomm, audit user as oauid and its SELinux context), while the a1 field of the SYSCALL record shows the signal that was sent (SIGTERM above).

User Activity

The /etc/auditd.conf file contains a configuration key named local_events.

From man 5 auditd.conf:

This yes/no keyword specifies whether or not to include local events. Normally you want local events so the default value is yes. Cases where you would set this to no is when you want to aggregate events only from the network. At the moment, this is useful if the audit daemon is running in a container. This option can only be set once at daemon start up. Reloading the config file has no effect.

Setting this option to yes enables logging of the system event record types listed at https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security_guide/sec-audit_record_types#sec-Audit_Record_Types. It is required for recording user activity.

User Logon

Record types

  • CRED_ACQ
  • GRP_AUTH
  • LOGIN
  • USER_LOGIN
  • USER_START

Search filter for logon events

ausearch -i -m CRED_ACQ,GRP_AUTH,LOGIN,USER_LOGIN,USER_START

SSH

Example events for an SSH logon

$ ausearch -i -m CRED_ACQ,LOGIN,USER_LOGIN,USER_START
----
type=CRED_ACQ msg=audit(12/17/2024 21:29:59.811:1705) : pid=2680 uid=root auid=unset ses=unset subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_localuser,pam_unix acct=xnetad\myallow_a exe=/usr/sbin/sshd hostname=10.20.11.101 addr=10.20.11.101 terminal=ssh res=success'
----
type=LOGIN msg=audit(12/17/2024 21:29:59.811:1706) : pid=2680 uid=root subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 old-auid=unset auid=myallow_a@ad.xnet.corp tty=(none) old-ses=4294967295 ses=8 res=yes
----
type=CRED_ACQ msg=audit(12/17/2024 21:29:59.866:1711) : pid=2684 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='op=PAM:setcred grantors=? acct=myallow_a@ad.xnet.corp exe=/usr/lib/systemd/systemd hostname=? addr=? terminal=? res=failed'
----
type=LOGIN msg=audit(12/17/2024 21:29:59.867:1713) : pid=2684 uid=root subj=system_u:system_r:init_t:s0 old-auid=unset auid=myallow_a@ad.xnet.corp tty=(none) old-ses=4294967295 ses=9 res=yes
----
type=USER_START msg=audit(12/17/2024 21:29:59.875:1714) : pid=2684 uid=root auid=myallow_a@ad.xnet.corp ses=9 subj=system_u:system_r:init_t:s0 msg='op=PAM:session_open grantors=pam_selinux,pam_selinux,pam_loginuid,pam_keyinit,pam_umask,pam_namespace,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_sss acct=myallow_a@ad.xnet.corp exe=/usr/lib/systemd/systemd hostname=? addr=? terminal=? res=success'
----
type=USER_START msg=audit(12/17/2024 21:30:00.029:1723) : pid=2680 uid=root auid=myallow_a@ad.xnet.corp ses=8 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_selinux,pam_loginuid,pam_selinux,pam_namespace,pam_keyinit,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_sss,pam_umask,pam_lastlog acct=xnetad\myallow_a exe=/usr/sbin/sshd hostname=10.20.11.101 addr=10.20.11.101 terminal=ssh res=success'
----
type=CRED_ACQ msg=audit(12/17/2024 21:30:00.031:1725) : pid=2694 uid=root auid=myallow_a@ad.xnet.corp ses=8 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_localuser,pam_unix acct=xnetad\myallow_a exe=/usr/sbin/sshd hostname=10.20.11.101 addr=10.20.11.101 terminal=ssh res=success'
----
type=USER_LOGIN msg=audit(12/17/2024 21:30:00.083:1726) : pid=2680 uid=root auid=myallow_a@ad.xnet.corp ses=8 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=myallow_a@ad.xnet.corp exe=/usr/sbin/sshd hostname=? addr=10.20.11.101 terminal=/dev/pts/1 res=success'
----
type=USER_START msg=audit(12/17/2024 21:30:00.083:1727) : pid=2680 uid=root auid=myallow_a@ad.xnet.corp ses=8 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=myallow_a@ad.xnet.corp exe=/usr/sbin/sshd hostname=? addr=10.20.11.101 terminal=/dev/pts/1 res=success'

The auid field (or acct in the PAM records) carries the logon user name. Note that the same user appears in two forms above: myallow_a@ad.xnet.corp in auid and id, and xnetad\myallow_a in the acct of the sshd PAM records.

Sudo

Example events for a sudo logon

----
type=USER_START msg=audit(12/17/2024 22:05:56.667:2050) : pid=2933 uid=myallow_a@ad.xnet.corp auid=myallow_a@ad.xnet.corp ses=10 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_keyinit,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_sss acct=admin exe=/usr/bin/sudo hostname=? addr=? terminal=/dev/pts/1 res=success'

The audit user (auid) myallow_a@ad.xnet.corp opened a new session as the account (acct) admin.

Local Session

Example events for a local logon session without sudo (an account switch with su)

----
type=CRED_ACQ msg=audit(12/17/2024 22:08:21.407:2101) : pid=2973 uid=myallow_a@ad.xnet.corp auid=myallow_a@ad.xnet.corp ses=10 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_localuser,pam_unix acct=localadmin exe=/usr/bin/su hostname=? addr=? terminal=/dev/pts/1 res=success'
----
type=USER_START msg=audit(12/17/2024 22:08:21.411:2102) : pid=2973 uid=myallow_a@ad.xnet.corp auid=myallow_a@ad.xnet.corp ses=10 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_keyinit,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_umask,pam_xauth acct=localadmin exe=/usr/bin/su hostname=? addr=? terminal=/dev/pts/1 res=success'

Audit user (auid) myallow_a@ad.xnet.corp logged into account (acct) localadmin.

User Logoff

Record types

  • CRED_DISP
  • USER_END
  • USER_LOGOUT

Search filter for logoff events

ausearch -i -m CRED_DISP,USER_END,USER_LOGOUT

SSH

Example events of a user logging out of an SSH session

----
type=USER_END msg=audit(12/17/2024 22:12:34.941:2144) : pid=2856 uid=root auid=myallow_a@ad.xnet.corp ses=10 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=myallow_a@ad.xnet.corp exe=/usr/sbin/sshd hostname=? addr=? terminal=/dev/pts/1 res=success'
----
type=USER_LOGOUT msg=audit(12/17/2024 22:12:34.941:2145) : pid=2856 uid=root auid=myallow_a@ad.xnet.corp ses=10 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=myallow_a@ad.xnet.corp exe=/usr/sbin/sshd hostname=? addr=? terminal=/dev/pts/1 res=success'
----
type=USER_END msg=audit(12/17/2024 22:12:34.947:2149) : pid=2856 uid=root auid=myallow_a@ad.xnet.corp ses=10 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_selinux,pam_loginuid,pam_selinux,pam_namespace,pam_keyinit,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_sss,pam_umask,pam_lastlog acct=xnetad\myallow_a exe=/usr/sbin/sshd hostname=10.20.11.101 addr=10.20.11.101 terminal=ssh res=success'
----
type=CRED_DISP msg=audit(12/17/2024 22:12:34.948:2150) : pid=2856 uid=root auid=myallow_a@ad.xnet.corp ses=10 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_localuser,pam_unix acct=xnetad\myallow_a exe=/usr/sbin/sshd hostname=10.20.11.101 addr=10.20.11.101 terminal=ssh res=success'

Sudo

Example events of a user logging out of a sudo session.

----
type=USER_END msg=audit(12/17/2024 22:15:28.799:2312) : pid=3106 uid=myallow_a@ad.xnet.corp auid=myallow_a@ad.xnet.corp ses=12 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_keyinit,pam_keyinit,pam_limits,pam_systemd,pam_unix acct=root exe=/usr/bin/sudo hostname=? addr=? terminal=/dev/pts/1 res=success'
----
type=CRED_DISP msg=audit(12/17/2024 22:15:28.800:2313) : pid=3106 uid=myallow_a@ad.xnet.corp auid=myallow_a@ad.xnet.corp ses=12 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_localuser,pam_unix acct=root exe=/usr/bin/sudo hostname=? addr=? terminal=/dev/pts/1 res=success'

Audit user (auid) myallow_a@ad.xnet.corp logged out of account (acct) root.

Logon Failed

Record types

  • USER_AUTH

USER_AUTH records whose res field equals "failed".

Search filter

ausearch -i -m USER_AUTH -sv no

SSH

Failed password authentication event

----
type=USER_AUTH msg=audit(12/17/2024 21:53:02.426:1856) : pid=2791 uid=root auid=unset ses=unset subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=? acct=myallow_a@ad.xnet.corp exe=/usr/sbin/sshd hostname=10.20.11.101 addr=10.20.11.101 terminal=ssh res=failed'

Event from cancelling the password prompt with Ctrl-C

----
type=USER_AUTH msg=audit(12/17/2024 21:53:05.083:1859) : pid=2789 uid=root auid=unset ses=unset subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=challenge-response acct=myallow_a@ad.xnet.corp exe=/usr/sbin/sshd hostname=? addr=10.20.11.101 terminal=ssh res=failed'

Local Session

Local failed logon event

----
type=USER_AUTH msg=audit(12/17/2024 22:20:42.053:2332) : pid=3144 uid=myallow_a@ad.xnet.corp auid=myallow_a@ad.xnet.corp ses=12 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=? acct=admin exe=/usr/bin/su hostname=? addr=? terminal=/dev/pts/1 res=failed'

Audit user (auid) myallow_a@ad.xnet.corp failed to log in to account (acct) admin.

Scheduled Task Activity

Scheduled tasks are defined through cron and systemd. All of the scheduled task information can be monitored by watching their configuration files.

Scheduled Task

Cron

Per-user crontabs are stored under /var/spool/cron/[username] by default, so watching this directory for writes covers cron scheduled tasks.

-a always,exit -F arch=b64 -F path=/var/spool/cron -F perm=w -k scheduled_task_modify
-a always,exit -F arch=b32 -F path=/var/spool/cron -F perm=w -k scheduled_task_modify

Example events

$ ausearch -i -k scheduled_task_modify
----
type=PROCTITLE msg=audit(12/17/2024 22:46:41.200:2431) : proctitle=crontab -e
type=PATH msg=audit(12/17/2024 22:46:41.200:2431) : item=3 name=/var/spool/cron/localadmin inode=67735181 dev=fd:00 mode=file,600 ouid=localadmin ogid=localadmin rdev=00:00 obj=unconfined_u:object_r:user_cron_spool_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(12/17/2024 22:46:41.200:2431) : item=2 name=/var/spool/cron/#tmp.morpheus.ipa.xnet.corp.XXXXXsC0YW inode=67735181 dev=fd:00 mode=file,600 ouid=localadmin ogid=localadmin rdev=00:00 obj=unconfined_u:object_r:user_cron_spool_t:s0 nametype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(12/17/2024 22:46:41.200:2431) : item=1 name=/var/spool/cron/ inode=67735224 dev=fd:00 mode=dir,700 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:user_cron_spool_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(12/17/2024 22:46:41.200:2431) : item=0 name=/var/spool/cron/ inode=67735224 dev=fd:00 mode=dir,700 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:user_cron_spool_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(12/17/2024 22:46:41.200:2431) : cwd=/home/localadmin
type=SYSCALL msg=audit(12/17/2024 22:46:41.200:2431) : arch=x86_64 syscall=rename success=yes exit=0 a0=0x5573757bd200 a1=0x7ffd85b96170 a2=0x7ffd85b9618a a3=0x7f05b93f9c80 items=4 ppid=3324 pid=3415 auid=localadmin uid=localadmin gid=localadmin euid=root suid=root fsuid=root egid=localadmin sgid=localadmin fsgid=localadmin tty=pts2 ses=14 comm=crontab exe=/usr/bin/crontab subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=scheduled_task_modify
----
type=PROCTITLE msg=audit(12/17/2024 22:48:43.639:2434) : proctitle=crontab -e
type=PATH msg=audit(12/17/2024 22:48:43.639:2434) : item=1 name=/var/spool/cron/#tmp.morpheus.ipa.xnet.corp.XXXX2yXaQo inode=67735186 dev=fd:00 mode=file,600 ouid=root ogid=localadmin rdev=00:00 obj=unconfined_u:object_r:user_cron_spool_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(12/17/2024 22:48:43.639:2434) : item=0 name=/var/spool/cron/ inode=67735224 dev=fd:00 mode=dir,700 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:user_cron_spool_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(12/17/2024 22:48:43.639:2434) : cwd=/home/localadmin
type=SYSCALL msg=audit(12/17/2024 22:48:43.639:2434) : arch=x86_64 syscall=openat success=yes exit=5 a0=AT_FDCWD a1=0x559d24d93200 a2=O_RDWR|O_CREAT|O_EXCL a3=0x180 items=2 ppid=3324 pid=3422 auid=localadmin uid=localadmin gid=localadmin euid=root suid=root fsuid=root egid=localadmin sgid=localadmin fsgid=localadmin tty=pts2 ses=14 comm=crontab exe=/usr/bin/crontab subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=scheduled_task_modify
----
type=PROCTITLE msg=audit(12/17/2024 22:48:43.647:2435) : proctitle=crontab -e
type=PATH msg=audit(12/17/2024 22:48:43.647:2435) : item=4 name=/var/spool/cron/localadmin inode=67735186 dev=fd:00 mode=file,600 ouid=localadmin ogid=localadmin rdev=00:00 obj=unconfined_u:object_r:user_cron_spool_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(12/17/2024 22:48:43.647:2435) : item=3 name=/var/spool/cron/localadmin inode=67735181 dev=fd:00 mode=file,600 ouid=localadmin ogid=localadmin rdev=00:00 obj=unconfined_u:object_r:user_cron_spool_t:s0 nametype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(12/17/2024 22:48:43.647:2435) : item=2 name=/var/spool/cron/#tmp.morpheus.ipa.xnet.corp.XXXX2yXaQo inode=67735186 dev=fd:00 mode=file,600 ouid=localadmin ogid=localadmin rdev=00:00 obj=unconfined_u:object_r:user_cron_spool_t:s0 nametype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(12/17/2024 22:48:43.647:2435) : item=1 name=/var/spool/cron/ inode=67735224 dev=fd:00 mode=dir,700 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:user_cron_spool_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(12/17/2024 22:48:43.647:2435) : item=0 name=/var/spool/cron/ inode=67735224 dev=fd:00 mode=dir,700 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:user_cron_spool_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(12/17/2024 22:48:43.647:2435) : cwd=/home/localadmin
type=SYSCALL msg=audit(12/17/2024 22:48:43.647:2435) : arch=x86_64 syscall=rename success=yes exit=0 a0=0x559d24d93200 a1=0x7ffd3c2adf20 a2=0x7ffd3c2adf3a a3=0x7f07e2df9c80 items=5 ppid=3324 pid=3422 auid=localadmin uid=localadmin gid=localadmin euid=root suid=root fsuid=root egid=localadmin sgid=localadmin fsgid=localadmin tty=pts2 ses=14 comm=crontab exe=/usr/bin/crontab subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=scheduled_task_modify

The crontab -e command executes three syscalls: rename to move the crontab file to a temporary name, openat to open the temporary file, and rename again to move it back to the original file name when finished.

Because of this, creation or deletion of a crontab cannot effectively be told apart from an edit without additional context (the nametype and name fields of the PATH records that belong to the same event as the SYSCALL record).
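As an added example that is not part of the gist, a small Python parser for ausearch -i output that applies the two readings above: it normalizes the logon, sudo/su and failed-authentication records from the User Activity sections into one row shape, and it pairs the crontab SYSCALL record with the PATH records of the same event so that only the final write to /var/spool/cron/<user> is reported. The sample records are constructed in the gist's layout (hostname shortened, fields trimmed); the regexes and function names are my own.

```python
import re

# ausearch -i record: "type=T msg=audit(date time:serial) : k=v ..."; msg='...' nests more k=v
FIELD = re.compile(r"([\w-]+)=('[^']*'|\S+)")
SERIAL = re.compile(r"msg=audit\(.*?:(\d+)\)")
CRON_SPOOL = "/var/spool/cron/"

def parse_record(line):
    """Flatten one record line, nested msg='...' pairs included, into a dict."""
    rec = {"serial": SERIAL.search(line).group(1)}
    for key, val in FIELD.findall(line):
        if val.startswith("'"):                 # msg='op=... acct=... res=...'
            rec.update(dict(FIELD.findall(val[1:-1])))
        else:
            rec.setdefault(key, val)            # first msg= is the audit(...) stamp
    return rec

def parse_events(text):
    """Group records sharing an audit serial (one event), in order of appearance."""
    events = {}
    for line in text.splitlines():
        if line.startswith("type="):            # '----' separators are skipped
            rec = parse_record(line)
            events.setdefault(rec["serial"], []).append(rec)
    return list(events.values())

def user_activity(text):
    """(event, auid, account, source, res) rows; auid stays the original user."""
    out = []
    for r in (r for ev in parse_events(text) for r in ev):
        t, res = r.get("type"), r.get("res")
        if t == "USER_LOGIN":
            out.append(("logon", r["auid"], r.get("id"), r.get("addr"), res))
        elif t == "USER_AUTH" and res == "failed":
            out.append(("auth_failed", r.get("auid"), r.get("acct"), r.get("addr"), res))
        elif t == "USER_START" and r.get("exe") in ("/usr/bin/sudo", "/usr/bin/su"):
            out.append(("account_switch", r["auid"], r.get("acct"), r.get("exe"), res))
    return out

def crontab_writes(text):
    """One hit per saved crontab: the PATH CREATE of /var/spool/cron/<user> (not the
    '#tmp.*' scratch file) in a scheduled_task_modify SYSCALL event."""
    hits = []
    for ev in parse_events(text):
        sc = next((r for r in ev if r.get("type") == "SYSCALL"), None)
        if sc is None or sc.get("key") != "scheduled_task_modify":
            continue
        for r in ev:
            name = r.get("name", "")
            user = name[len(CRON_SPOOL):] if name.startswith(CRON_SPOOL) else ""
            if (r.get("type") == "PATH" and r.get("nametype") == "CREATE"
                    and user and not user.startswith("#tmp")):
                hits.append((sc["serial"], sc["auid"], user, sc["syscall"]))
    return hits

# Constructed sample in ausearch -i layout, trimmed to the fields used above.
SAMPLE = """\
type=USER_LOGIN msg=audit(12/17/2024 21:30:00.083:1726) : pid=2680 uid=root auid=myallow_a@ad.xnet.corp ses=8 msg='op=login id=myallow_a@ad.xnet.corp exe=/usr/sbin/sshd hostname=? addr=10.20.11.101 terminal=/dev/pts/1 res=success'
type=USER_START msg=audit(12/17/2024 22:05:56.667:2050) : pid=2933 uid=myallow_a@ad.xnet.corp auid=myallow_a@ad.xnet.corp ses=10 msg='op=PAM:session_open grantors=pam_unix acct=admin exe=/usr/bin/sudo hostname=? addr=? terminal=/dev/pts/1 res=success'
type=USER_AUTH msg=audit(12/17/2024 21:53:02.426:1856) : pid=2791 uid=root auid=unset ses=unset msg='op=PAM:authentication grantors=? acct=myallow_a@ad.xnet.corp exe=/usr/sbin/sshd hostname=10.20.11.101 addr=10.20.11.101 terminal=ssh res=failed'
type=PATH msg=audit(12/17/2024 22:48:43.639:2434) : item=1 name=/var/spool/cron/#tmp.host.XXXX2yXaQo mode=file,600 nametype=CREATE
type=SYSCALL msg=audit(12/17/2024 22:48:43.639:2434) : arch=x86_64 syscall=openat success=yes exit=5 auid=localadmin uid=localadmin euid=root comm=crontab exe=/usr/bin/crontab key=scheduled_task_modify
type=PATH msg=audit(12/17/2024 22:48:43.647:2435) : item=4 name=/var/spool/cron/localadmin mode=file,600 nametype=CREATE
type=PATH msg=audit(12/17/2024 22:48:43.647:2435) : item=3 name=/var/spool/cron/localadmin mode=file,600 nametype=DELETE
type=PATH msg=audit(12/17/2024 22:48:43.647:2435) : item=2 name=/var/spool/cron/#tmp.host.XXXX2yXaQo mode=file,600 nametype=DELETE
type=SYSCALL msg=audit(12/17/2024 22:48:43.647:2435) : arch=x86_64 syscall=rename success=yes exit=0 auid=localadmin uid=localadmin euid=root comm=crontab exe=/usr/bin/crontab key=scheduled_task_modify
"""

if __name__ == "__main__":
    print(user_activity(SAMPLE), crontab_writes(SAMPLE), sep="\n")
```

Feed it real output with `sudo ausearch -i -m USER_LOGIN,USER_AUTH,USER_START` or `sudo ausearch -i -k scheduled_task_modify`; the event at serial 2434 (the openat of the scratch file) produces no crontab hit, only the final rename does.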

User Account Activity

The local_events option must be set to yes in the auditd.conf file for user account activity to be logged.

User Account Created

Record types

  • ADD_USER

Filter

ausearch -i -m ADD_USER

Example event

----
type=ADD_USER msg=audit(12/17/2024 23:01:29.005:2464) : pid=3588 uid=root auid=myallow_a@ad.xnet.corp ses=12 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=add-user acct=test-user exe=/usr/sbin/useradd hostname=morpheus.ipa.xnet.corp addr=? terminal=pts/1 res=success'

User accounts can also be created by directly editing /etc/passwd, /etc/shadow and /etc/group. Watch rules on these files record any process that opens them for writing.

User Account Modified

Record types

  • CHUSER_ID
  • ROLE_ASSIGN
  • ROLE_REMOVE
  • USER_ACCT
  • USER_CHAUTHTOK
  • USER_ROLE_CHANGE

Filter

ausearch -i -m CHUSER_ID,ROLE_ASSIGN,ROLE_REMOVE,USER_ACCT,USER_CHAUTHTOK,USER_ROLE_CHANGE

Many of these record types relate to SELinux, so they may not be useful on systems without it.

Example events for password changes

----
type=USER_CHAUTHTOK msg=audit(12/17/2024 23:11:23.827:2479) : pid=3620 uid=root auid=myallow_a@ad.xnet.corp ses=12 subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 msg='op=PAM:chauthtok grantors=pam_pwquality,pam_unix acct=test-user exe=/usr/bin/passwd hostname=morpheus.ipa.xnet.corp addr=? terminal=pts/1 res=success'

Audit user (auid) myallow_a@ad.xnet.corp changed the password for account (acct) test-user. The auid field keeps the original user's identity across session changes via sudo or su.

User account modification can also be monitored by watching for writes to the /etc/passwd, /etc/shadow and /etc/group files.

User Account Deleted

Record types

  • DEL_USER

Filter

ausearch -i -m DEL_USER

Example event

----
type=DEL_USER msg=audit(12/17/2024 23:19:20.794:2498) : pid=3690 uid=root auid=localadmin ses=14 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=delete-user id=test-user exe=/usr/sbin/userdel hostname=morpheus.ipa.xnet.corp addr=? terminal=pts/2 res=success'

Audit user (auid) localadmin deleted the user (id) test-user.

Service Activity

Systemd services are defined by unit files in several directories on the file system. Service activity can be monitored by watching those directories for changes.

The systemd unit file locations are listed in man 5 systemd.unit:

   System Unit Search Path
       /etc/systemd/system.control/*
       /run/systemd/system.control/*
       /run/systemd/transient/*
       /run/systemd/generator.early/*
       /etc/systemd/system/*
       /etc/systemd/system.attached/*
       /run/systemd/system/*
       /run/systemd/system.attached/*
       /run/systemd/generator/*
       ...
       /usr/lib/systemd/system/*
       /run/systemd/generator.late/*

   User Unit Search Path
       ~/.config/systemd/user.control/*
       $XDG_RUNTIME_DIR/systemd/user.control/*
       $XDG_RUNTIME_DIR/systemd/transient/*
       $XDG_RUNTIME_DIR/systemd/generator.early/*
       ~/.config/systemd/user/*
       $XDG_CONFIG_DIRS/systemd/user/*
       /etc/systemd/user/*
       $XDG_RUNTIME_DIR/systemd/user/*
       /run/systemd/user/*
       $XDG_RUNTIME_DIR/systemd/generator/*
       $XDG_DATA_HOME/systemd/user/*
       $XDG_DATA_DIRS/systemd/user/*
       ...
       /usr/lib/systemd/user/*
       $XDG_RUNTIME_DIR/systemd/generator.late/*

Service Modification

Auditd path watch rules

-a always,exit -F arch=b64 -F path=/etc/systemd/system -F perm=w -k system_service_modification
-a always,exit -F arch=b32 -F path=/etc/systemd/system -F perm=w -k system_service_modification

-a always,exit -F arch=b64 -F path=/run/systemd/system -F perm=w -k system_service_modification
-a always,exit -F arch=b32 -F path=/run/systemd/system -F perm=w -k system_service_modification

-a always,exit -F arch=b64 -F path=/usr/lib/systemd/system -F perm=w -k system_service_modification
-a always,exit -F arch=b32 -F path=/usr/lib/systemd/system -F perm=w -k system_service_modification

-a always,exit -F arch=b64 -F path=/etc/systemd/user -F perm=w -k user_service_modification
-a always,exit -F arch=b32 -F path=/etc/systemd/user -F perm=w -k user_service_modification

-a always,exit -F arch=b64 -F path=/run/systemd/user -F perm=w -k user_service_modification
-a always,exit -F arch=b32 -F path=/run/systemd/user -F perm=w -k user_service_modification

-a always,exit -F arch=b64 -F path=/usr/lib/systemd/user -F perm=w -k user_service_modification
-a always,exit -F arch=b32 -F path=/usr/lib/systemd/user -F perm=w -k user_service_modification

Note about the local_events configuration option

When local_events is set to no, auditd records only the record types relating to syscalls and file path watches; all other record types are disabled.

Auditd has what are known as "Hard Wired Events". These are built into the daemon and are always logged unless explicitly filtered out. The record types for these events are listed at https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security_guide/sec-audit_record_types#sec-Audit_Record_Types.

Most of the events described above are enabled by default as long as this configuration option is enabled.

From the man 7 audit.rules page:

HARD WIRED EVENTS
       If  auditing  is enabled, then you can get any event that is not caused by syscall or file watch rules (because you don't have any rules loaded). So, that means, any event from 1100-1299, 1326, 1328, 1331 and higher can be emitted. The reason that there are a number
       of events that are hardwired is because they are required by regulatory compliance and are sent automatically as a convenience. (For example, logon/logoff is a mandatory event in all security guidance.) If you don't want this, you can use the exclude filter to  drop
       events that you do not want.

       -a always,exclude -F msgtype=CRED_REFR