Using auditd to Record File Changes (Linux)

The auditd is a user-space component of the Linux audit system. It records operation logs, including file read/write and invoking records, in the OS, which can be used for audit if a fault occurs. This section uses CentOS 7.4 64bit as an example to describe how to install and configure auditd.

auditd-related Tool Commands and Configuration Files

Tool commands:

auditctl: controls the audit daemon in real time, such as adding rules.
aureport: checks and generates audit reports.
ausearch: searches for audit events.
auditspd: forwards event notifications to other applications instead of writing them to audit logs.
autrace: traces processes.

Configuration files:

/etc/audit/auditd.conf: specifies configuration file of auditd.
/etc/audit/rules.d/audit.rules: contains audit rules.
/etc/audit/audit.rules: records audit rules.

Procedure

Installing auditd

Run the following command to install auditd:
yum install -y auditd*

After auditd is installed for the first time, there are no audit rules by default. You can run the sudo auditctl -l command to query the audit rules.
Run the following command to check the runtime status of auditd:
service auditd status

Figure 1 Runtime status

Configuring audit rules

Run the following command to configure the monitoring file and change the directory:
auditctl -w /etc/passwd -p rwxa

where:
- -w: specifies the file path to be monitored. The preceding command specifies the monitored file path /etc/passwd.
- -p: specifies the access permission of the file or directory that triggers the audit.
- rwxa: specifies trigger conditions. r indicates the read permission, w the write permission, x the execution permission, and a the attribute.
Run the following commands to audit all accesses to /production:
mkdir production

auditctl -w /production/
Run the following command to check configured rules:
auditctl -l
```
-w /etc/passwd -p rwxa
-w /production -p rwxa
```
After rules are added, run the following command to check the audit log:
ausearch -f /etc/passwd

Figure 2 Checking the audit log

Figure 2 shows that the file is not modified. The parameters are described as follows:
- time: audit time
- name: audit object
- cwd: current path
- syscall: related system calls
- auid: ID of the audited user
- uid and gid: user ID and user group ID for accessing a file
- comm: command for a user to access a file
- exe: file path where the preceding command can be executed
Run the following command to add a user test to the monitoring file:
useradd test
Run the following command to check the audit log again:
ausearch -f /etc/passwd

Figure 3 Checking the audit log again

Figure 3 shows that /etc/passwd is modified by user root (uid=0, gid=0) in the /root directory at a specified time. The /etc/passwd file is accessed from /usr/bin/sudo.
Run the following command to check whether the audit log contains any content:
ausearch -f /production
Run the following commands to change the directory permissions as user root and check the audit log again:
chmod -R 777 /test/

ausearch -f /test/
Run the following command to view the audit report:
aureport

Figure 4 Viewing the audit report
Run the following command to view the authorization failure details:
aureport -au

Figure 5 Viewing authorization failure details
Run the following command to view all events related to account modifications:
aureport -m

Figure 6 Viewing account modification events
(Optional) Run the following commands to clear the defined rules:
auditctl -D

auditctl -l

Figure 7 Clearing defined rules