How do I configure Linux audit rules to track user activity, file changes, and directory changes on my EC2 Linux instance?
I want to track user activity, file changes, and directory changes on my Amazon Elastic Compute Cloud (Amazon EC2) Linux instance.
Short description
The audit daemon (auditd) is the user-space component to the Linux Audit system. Use auditd to track a user or application that accesses or modifies files and directories. You can also use auditd to identify which user runs specific commands.
Resolution
To use auditd to track activity, complete the following steps:
-
Use SSH to connect to your EC2 instance as ec2-user/ubuntu/root user. Replace ubuntu with the username for your Amazon Machine Image (AMI).
-
Install the audit package:
RHEL and CentOS
# sudo yum install audit
SUSE Linux
# sudo zypper install audit
Ubuntu
# sudo apt install auditd
-
Run the auditctl command to create audit rules. Audit rule definitions are in the /etc/audit/audit.rules file. Custom audit rule definitions are in the /etc/audit/rules.d/custom.conf file. These definitions are persistent. You can also implement rules at runtime.
Example rules
Track the user or application that accesses or modifies a certain file or directory:
# sudo auditctl -a always,exit -F arch=b64 -S rename,rmdir,unlink,unlinkat,renameat -F auid\>=500 -F auid\!=-1 -F dir=/root/test/ -F key=delete
Identify which user runs a specific command. In the following example, the command is sudo:
# sudo auditctl -w /bin/sudo -p rwxa -k sudo
This example uses the following syntax list:
-a - Add a new rule.
-w - Insert a watch for the file system object at a specific path, for example, /etc/shadow.
-p - Set permissions filters for a file system.
-k - Set a filter key on an audit rule. The filter key uniquely identifies the audit records that a rule produces.
-F - Use this field to specify additional options such, as architecture, PID, GID, auid, and so on.
-S - Use this field for a system call. This is a name or number.For a complete list of syntax and switches, see auditctl(8) and audit.rules(7) on the die.net Linux man page.
Note: To make sure that your rules persist after a reboot, edit audit.rules, and then add the following rule to the file:
RHEL 6, CentOS 6, or Amazon Linux 1:
#sudo vi /etc/audit/audit.rules -a always,exit -F arch=b64 -S rename,rmdir,unlink,unlinkat,renameat -F auid>=500 -F auid!=-1 -F dir=/root/test/ -F key=delete -w /bin/sudo -p rwxa -k sudo
RHEL 7, CentOS 7, Amazon Linux 2, or Amazon Linux 2023:
# sudo vi /etc/audit/rules.d/audit.rules -a always,exit -F arch=b64 -S rename,rmdir,unlink,unlinkat,renameat -F auid>=500 -F auid!=-1 -F dir=/root/test/ -F key=delete -w /bin/sudo -p rwxa -k sudo
-
Restart the auditd service. Set the auditd service to run on boot:
# sudo chkconfig auditd on # sudo service auditd start # sudo service auditd stop # sudo service auditd restart
Note: When you restart the auditd service in CentOS and Red Hat Enterprise Linux (RHEL) 7, it's a best practice to use the service command instead of the systemctl command. The systemctl command might cause errors.
-
To read the audit logs, run the ausearch command.
Example audit logs
In the following example, user ec2-user (uid = ec2-user) deleted the file /root/test/example.txt:
# sudo ausearch -i -k delete type=PROCTITLE msg=audit(04/04/20 19:41:51.231:3303) : proctitle=rm -rf /root/test/example.txt type=PATH msg=audit(04/04/20 19:41:51.231:3303) : item=1 name=/root/test/example.txt inode=16777349 dev=ca:01 mode=file,777 ouid=root ogid=root rdev=00:00 nametype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 type=PATH msg=audit(04/04/20 19:41:51.231:3303) : item=0 name=/tmp/test/ inode=16777328 dev=ca:01 mode=dir,777 ouid=root ogid=root rdev=00:00 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 type=CWD msg=audit(04/04/20 19:41:51.231:3303) : cwd=/home/ec2-user type=SYSCALL msg=audit(04/04/20 19:41:51.231:3303) : arch=x86_64 syscall=unlinkat success=yes exit=0 a0=0xffffff9c a1=0xc5f290 a2=0x0 a3=0x165 items=2 ppid=3645 pid=933 auid=ec2-user uid=ec2-user gid=ec2-user euid=ec2-user suid=ec2-user fsuid=ec2-user egid=ec2-user sgid=ec2-user fsgid=ec2-user tty=pts0 ses=1 comm=rm exe=/usr/bin/rm key=delete
In the following example, user ec2-user (uid= 1000) ran the command sudo su - with sudo privilege:
# sudo ausearch -k sudo time->Mon Apr 6 18:33:26 2020 type=PROCTITLE msg=audit(1586198006.631:2673): proctitle=7375646F007375002D type=PATH msg=audit(1586198006.631:2673): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=5605 dev=103:05 mode=0100755 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1586198006.631:2673): item=0 name="/usr/bin/sudo" inode=12800710 dev=103:05 mode=0104111 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=CWD msg=audit(1586198006.631:2673): cwd="/home/ec2-user" type=EXECVE msg=audit(1586198006.631:2673): argc=3 a0="sudo" a1="su" a2="-" type=SYSCALL msg=audit(1586198006.631:2673): arch=c000003e syscall=59 success=yes exit=0 a0=e8cce0 a1=e8c7b0 a2=e61720 a3=7ffde58ec0a0 items=2 ppid=2658 pid=3726 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=4 comm="sudo" exe="/usr/bin/sudo" key="script"
相關內容
- 已提問 10 個月前lg...
- 已提問 6 個月前lg...
- 已提問 6 個月前lg...
- 已提問 4 個月前lg...
- 已提問 1 年前lg...
- AWS 官方已更新 10 個月前
- AWS 官方已更新 8 個月前
- AWS 官方已更新 8 個月前
- AWS 官方已更新 1 年前