Analyzing Audit Log - Redhat

Posted on 2013-01-15
Last Modified: 2013-03-19
I have noticed someone changed the permissions on files under /etc. How can I find out when they were changed and who changed them?

I have audit.log but how do I search it?

Can someone help me dive into this?

I noticed these commands but never used them.

auditctl
ausearch
aureport
Question by:ittechlab

Expert Comment

by:woolmilkporc
If you know the filenames of the changed files you can try this for every filename:

ausearch --file filename

This will search in today's logs.

To begin the search at an earlier or later time add

--start start_spec

where start_spec can be a time/date specification according to your locale setting, or one of the keywords now, recent, today, yesterday, this-week, this-month, this-year.

Likewise, you can specify an end time, by adding "--end" followed by the same format or keywords as "--start".

Add "--input file-name" to search in a logfile which is in a non-standard location, or use "--input-logs" to search the logs whose locations are specified in auditd.conf.
Author Comment

by:ittechlab
I was looking at the file permissions of /etc/crontab on two different servers and I can see that someone changed the permissions on server2. When I run the ausearch command it does not find any match. Please advise.

[root@server1]# ls -l /etc/crontab
-rw-r-----  1 root root 255 Sep 20  2004 /etc/crontab

[root@server2]# ls -l /etc/crontab
-rwxr-xr-x 1 root root 255 Jul 15  2006 /etc/crontab

[root@server2]# ausearch --file /etc/crontab
<no matches>
Author Comment

by:ittechlab
I want to search from Oct 21 2012 to now. How can I do that?


[root@server2]# ausearch --start oct21 --file /etc/crontab
Expert Comment

by:woolmilkporc
Your command searches just in today's logs!

Add something like

--start this-month

to search the whole month's worth of log data.
Author Comment

by:ittechlab
This month I don't see any matches. Let's say I want to try Oct 2012. How do I add this?
Expert Comment

by:woolmilkporc
I saw your second comment too late.

The format of --start depends on your locale.

For  en_US.utf8  it should look like this:

--start 10/21/2012
Author Comment

by:ittechlab
I got <no matches>; something must be missing.

I tried to create a test file and chmod it, then ran ausearch, but it is not working. Why?
Author Comment

by:ittechlab
[root@server2 tmp]# touch file1
[root@server2 tmp]# ls -l file1
-rw-r----- 1 root root 0 Jan 15 14:39 file1
[root@server2 tmp]# chmod 755 file1
[root@server2 tmp]# ls -l file1
-rwxr-xr-x 1 root root 0 Jan 15 14:39 file1
[root@server2 tmp]# ausearch --file /tmp/file1
<no matches>
Expert Comment

by:woolmilkporc
Try without the path, just the filename.

As for your test file - audit records are flushed to disk according to the flush and freq settings in auditd.conf.

Only with "flush sync" your logfile will be always up to date.
Author Comment

by:ittechlab
[root@server2 tmp]# ausearch --start this-month --file file1
<no matches>
[root@server2 tmp]# ausearch --file file1
<no matches>
Author Comment

by:ittechlab
Only with "flush sync" your logfile will be always up to date

Is "flush sync" a command?
Expert Comment

by:woolmilkporc
No, it's a setting in auditd.conf, as I wrote above.
Author Comment

by:ittechlab
How do I force the update so it will be in sync?
Expert Comment

by:woolmilkporc
Please look at /etc/audit.rules

Is /tmp under audit? If it isn't, you will never see your action in ausearch.

What's under audit anyway?
Author Comment

by:ittechlab
[root@server2 adm]# cat /etc/audit/audit.rules
# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.

# First rule - delete all
-D

# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 320

# Feel free to add below this line. See auditctl man page

-a exit,always -F arch=b32 -S execve -F uid=0
-a exit,always -F arch=b32 -S execve -F euid=0
-a exit,always -F arch=b64 -S execve -F uid=0
-a exit,always -F arch=b64 -S execve -F euid=0

Does it mean /etc is not audited here, as well as /tmp?
Expert Comment

by:woolmilkporc
This means that you're auditing the 32bit and 64bit "execve" syscalls, but only for the user ID "0", which is root.

"execve" is basically "program execution", so your above rules constitute auditing of any program executed by root, but no specific file/filesystem watch.

So it's normal that "--file xxx" doesn't yield any result.

You could try "--word crontab" or "--word /etc/crontab" to perform a string search.

If you can guess the command used, you can also try "--comm command" or "--executable programname".
Author Comment

by:ittechlab
If I have a file under /tmp, will it work according to these rules?

[root@server2 tmp]# cat /etc/audit/audit.rules
# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.

# First rule - delete all
-D

# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 320

# Feel free to add below this line. See auditctl man page

-a exit,always -F arch=b32 -S execve -F uid=0
-a exit,always -F arch=b32 -S execve -F euid=0
-a exit,always -F arch=b64 -S execve -F uid=0
-a exit,always -F arch=b64 -S execve -F euid=0
Expert Comment

by:woolmilkporc
Only for root and not with "--file". Maybe with "--word".
See my last comment.
Author Comment

by:ittechlab
I am getting "unsupported option".

[root@server2 tmp]# ausearch --word /tmp/file1
/tmp/file1 is an unsupported option
Author Comment

by:ittechlab
[root@server2 tmp]# ausearch --word file1
file1 is an unsupported option
Expert Comment

by:woolmilkporc
Sorry,

"--word" is indeed the wrong option.

I think you should run

aureport -f

This will show all events of today related to files.

Is there anything useful at all?

See "man aureport" to learn what other types of filters you can set.
Expert Comment

by:woolmilkporc
... and if there is information about files in "aureport -f" try the pedestrian way:

aureport -f --start 10/21/2012  | grep crontab

or even

aureport --start 10/21/2012  | grep crontab
Author Comment

by:ittechlab
Please see below. I am not getting any output.

[root@server1 tmp]# aureport -f  | grep file1
[root@server1 tmp]# ls -l file1
-rwxrwxrwx 1 root root 15 Jan 15 15:00 file1
Expert Comment

by:woolmilkporc
Do you see anything at all with just "aureport"?

Are you sure that auditd is running?
Author Comment

by:ittechlab
Let me check it
Author Comment

by:ittechlab
I am replicating on another machine. same issue.

[root@desktop5 tmp]# aureport -f  | grep file1
[root@desktop5 tmp]#


auditd is running

[root@desktop5 tmp]# ps -ef | grep auditd
root       406     2  0 Jan06 ?        00:00:00 [kauditd]
root      2201     1  0 Jan06 ?        00:00:00 auditd
root      4253  3465  0 18:53 pts/4    00:00:00 grep auditd

Please let me know if this rule is OK on this machine.

[root@desktop5 tmp]# cat /etc/audit/audit.rules
# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.

# First rule - delete all
-D

# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 320

# Feel free to add below this line. See auditctl man page


Let me know what else I need to check. Since I was out of the office, I am trying to replicate this issue on another machine.
Expert Comment

by:woolmilkporc
Please run

aureport

and

aureport -f

We definitely must make sure that there's something (whatever) in your logs before we can continue.
Author Comment

by:ittechlab
[root@ulvnccd01 ~]#
[root@server1~]# aureport

Summary Report
======================
Range of time in logs: 01/15/2013 18:17:01.404 - 01/16/2013 08:08:56.758
Selected time for report: 01/15/2013 18:17:01 - 01/16/2013 08:08:56.758
Number of changes in configuration: 0
Number of changes to accounts, groups, or roles: 0
Number of logins: 4
Number of failed logins: 0
Number of authentications: 7
Number of failed authentications: 0
Number of users: 4
Number of terminals: 7
Number of host names: 6
Number of executables: 73
Number of files: 169
Number of AVC's: 0
Number of MAC events: 0
Number of failed syscalls: 3113
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 8
Number of keys: 0
Number of process IDs: 18706
Number of events: 31167
Author Comment

by:ittechlab
When I run aureport -f I see the binary only. I don't see file names such as crontab or my test file, file1.
Author Comment

by:ittechlab
Here is what I am looking for: let's say someone changed a permission on a file or directory and you want to find out who did it and when it happened.

Can we create a test case for this?
Expert Comment

by:woolmilkporc
What do you mean by "binary"? The "touch" command?

You can check for all messages related to a particular event.

With "aureport -f" you should have seen a prefix for every message consisting of a Unix timestamp, a colon (:) and an event-id (example 1234), like

1358342152.987:1234

Feed the event-id (example: 1234) to aureport to see all related messages:

aureport -a 1234

If you don't find anything useful, there isn't sufficient granularity in your audit setup.
Expert Comment

by:woolmilkporc
As for the test case:

In order to get a detailed audit of file accesses you could set up a file or directory watch.

Let's say you want to audit all file/directory writes and attribute changes by all users under the /etc directory tree.

So add this to /etc/audit/audit.rules:

-a exit,always -F dir=/etc -F perm=wa

To make it also work immediately issue on the command line as root

auditctl -a exit,always  -F dir=/etc -F perm=wa

Check that the /etc/audit/auditd.conf file contains

flush sync

If it doesn't then change accordingly and restart auditd.

Now change the permission of a file in /etc, then change it back, so that at the end the file remains as it was. Example:

chmod o+w /etc/hosts
chmod o-w /etc/hosts

Run aureport to check the result.
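Added example, not from any of the posts in this thread, that ties together woolmilkporc's two explanations: why the execve-only rules give `ausearch --file` nothing to match (the PATH record of an execve names /bin/chmod, not the file being changed), and what the `-F dir=/etc -F perm=wa` watch test case produces. The script groups raw audit.log records by event serial, which is the join `ausearch -a <serial>` performs, and reports who changed a file's mode and when, decoding the new mode from the chmod syscall's argument register. Everything it relies on is an assumption made for illustration: the log excerpt is constructed, the syscall-number table is a partial one, and the rule key `etc_watch` is a name chosen here (the thread's rule has no -k).

```python
"""Who changed this file and when, answered from raw auditd records.

Added example for this thread, not code from the original posts. It does by
hand what `ausearch -a <serial>` does (join the SYSCALL/EXECVE/CWD/PATH
records sharing one audit(<time>:<serial>) id) and shows what
`ausearch --file` can and cannot match. The log excerpt is constructed.
"""
import datetime
import re
from collections import defaultdict

HEADER_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Partial syscall table, assumed here; confirm with `ausyscall --dump` on the
# box. arch=c000003e is x86_64 (auditctl's b64), 40000003 is i386 (b32); the
# numbers differ per arch, which is why the thread's rules list both.
SYSCALLS = {
    "c000003e": {59: "execve", 90: "chmod", 91: "fchmod", 92: "chown", 268: "fchmodat"},
    "40000003": {11: "execve", 15: "chmod", 94: "fchmod", 306: "fchmodat"},
}
MODE_ARG = {"chmod": "a1", "fchmod": "a1", "fchmodat": "a2"}  # register holding the new mode


def parse_record(line):
    """Split one audit.log line into (type, epoch, serial, {field: value})."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    # Quoted values are unquoted. Names with unusual bytes are hex-encoded by
    # auditd (unquoted) and stay that way here; `ausearch -i` decodes them.
    return rtype, ts, int(serial), {k: v.strip('"') for k, v in FIELD_RE.findall(body)}


def group_events(lines):
    """Group records by serial, the join `ausearch -a <serial>` performs."""
    events = defaultdict(lambda: {"ts": None, "records": defaultdict(list)})
    for line in lines:
        parsed = parse_record(line)
        if parsed:
            rtype, ts, serial, fields = parsed
            events[serial]["ts"] = ts
            events[serial]["records"][rtype].append(fields)
    return events


def file_changes(lines, path):
    """Permission changes that touched `path`, oldest first.

    how="path": a PATH record names the file; only a watch rule (for example
        -a exit,always -F dir=/etc -F perm=wa) produces that, and it is what
        `ausearch --file` keys on.
    how="argv": only execve is audited (the thread's original rules), so the
        file appears solely as a chmod argument in the EXECVE record. `--file`
        cannot match it, and a program calling chmod(2) directly leaves nothing.
    auid is the login uid and survives su/sudo; uid=0 alone just means root.
    """
    hits = []
    for serial, ev in group_events(lines).items():
        recs = ev["records"]
        for sc in recs.get("SYSCALL", []):
            name = SYSCALLS.get(sc.get("arch"), {}).get(int(sc.get("syscall", -1)))
            paths = [p.get("name") for p in recs.get("PATH", [])]
            argv = [v for r in recs.get("EXECVE", []) for k, v in r.items() if k != "argc"]
            if name in MODE_ARG and path in paths:
                how, new_mode = "path", "0%o" % int(sc[MODE_ARG[name]], 16)
            elif name == "execve" and sc.get("comm") == "chmod" and path in argv:
                how, new_mode = "argv", None
            else:
                continue
            when = datetime.datetime.fromtimestamp(float(ev["ts"]), datetime.timezone.utc)
            hits.append({"serial": serial, "time": when.isoformat(), "syscall": name,
                         "success": sc.get("success") == "yes", "how": how,
                         "auid": int(sc.get("auid", -1)), "uid": int(sc.get("uid", -1)),
                         "exe": sc.get("exe"), "tty": sc.get("tty"),
                         "argv": " ".join(argv) or None, "new_mode": new_mode})
    return sorted(hits, key=lambda h: h["serial"])


# Constructed excerpt of /var/log/audit/audit.log (auditd's field names, invented
# values). 2147970 comes from the execve-only rules; the rest from the /etc
# watch, including a failed attempt by uid 501 (success=no exit=-13, EACCES).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1358342152.987:2147970): arch=c000003e syscall=59 success=yes exit=0 a0=1b2a5c0 a1=1b2a670 a2=1b26a20 a3=8 items=2 ppid=3465 pid=4260 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=3 comm="chmod" exe="/bin/chmod" key=(null)
type=EXECVE msg=audit(1358342152.987:2147970): argc=3 a0="chmod" a1="755" a2="/etc/crontab"
type=CWD msg=audit(1358342152.987:2147970):  cwd="/root"
type=PATH msg=audit(1358342152.987:2147970): item=0 name="/bin/chmod" inode=131093 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1358342216.114:2147971): arch=c000003e syscall=90 success=yes exit=0 a0=7fff4b0e5e60 a1=1a4 a2=0 a3=0 items=1 ppid=3465 pid=4281 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=3 comm="chmod" exe="/bin/chmod" key="etc_watch"
type=CWD msg=audit(1358342216.114:2147971):  cwd="/root"
type=PATH msg=audit(1358342216.114:2147971): item=0 name="/etc/crontab" inode=262310 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1358342230.551:2147972): arch=c000003e syscall=90 success=no exit=-13 a0=1f4b010 a1=1ed a2=0 a3=0 items=1 ppid=2988 pid=4302 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=pts2 ses=5 comm="chmod" exe="/bin/chmod" key="etc_watch"
type=PATH msg=audit(1358342230.551:2147972): item=0 name="/etc/crontab" inode=262310 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1358342240.002:2147973): arch=c000003e syscall=90 success=yes exit=0 a0=7fff1c3e5e60 a1=1a4 a2=0 a3=0 items=1 ppid=3465 pid=4310 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=3 comm="chmod" exe="/bin/chmod" key="etc_watch"
type=PATH msg=audit(1358342240.002:2147973): item=0 name="/etc/hosts" inode=262201 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
"""

if __name__ == "__main__":
    for h in file_changes(SAMPLE_LOG.splitlines(), "/etc/crontab"):
        print("%(time)s serial=%(serial)d %(syscall)s auid=%(auid)d uid=%(uid)d "
              "tty=%(tty)s success=%(success)s mode=%(new_mode)s via=%(how)s" % h)
```

On a real box, feed it the lines from `ausearch --raw -k etc_watch --start 10/21/2012` or the whole of /var/log/audit/audit.log, and read the auid column rather than uid: a chmod done after `su -` shows uid=0 but keeps the login auid. Note that the execve-only rules only catch a root login typing `chmod`; a script or daemon that calls chmod(2) itself, or a non-root user, never produces a record, which is why the watch rule is needed. A rule loaded with `auditctl` on the command line lasts until the daemon reloads its rules; put it in /etc/audit/audit.rules as well.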
 

Author Comment

by:ittechlab
It's all commands I see.

I am trying to search by file name. How do I know which file was changed by chown?

[root@server2~]# aureport -f | grep chmod
449. 01/15/2013 23:00:01 /bin/chmod 59 yes /bin/chmod 0 2138489
451. 01/15/2013 23:00:01 /bin/chmod 59 yes /bin/chmod 0 2138495
7927. 01/16/2013 04:02:03 /bin/chmod 59 yes /bin/chmod 0 2147885
7971. 01/16/2013 04:02:04 /bin/chmod 59 yes /bin/chmod 0 2147910
7993. 01/16/2013 04:02:04 /bin/chmod 59 yes /bin/chmod 0 2147932
7997. 01/16/2013 04:02:04 /bin/chmod 59 yes /bin/chmod 0 2147936
8001. 01/16/2013 04:02:04 /bin/chmod 59 yes /bin/chmod 0 2147940
8005. 01/16/2013 04:02:04 /bin/chmod 59 yes /bin/chmod 0 2147944
8030. 01/16/2013 04:02:16 /bin/chmod 59 yes /bin/chmod 0 2147970
Expert Comment

by:woolmilkporc
ausearch -a 2147970

(for example)

If you don't get the desired info please see my previous comment.
Author Comment

by:ittechlab
[root@server2~]# aureport -a 2147970
2147970 is an unsupported option
usage: aureport [options]
        -a,--avc                        Avc report
        -au,--auth                      Authentication report
        -c,--config                     Config change report
        -cr,--crypto                    Crypto report
        -e,--event                      Event report
        -f,--file                       File name report
        --failed                        only failed events in report
        -h,--host                       Remote Host name report
        --help                          help
        -i,--interpret                  Interpretive mode
        -if,--input <Input File name>   use this file as input
        --input-logs                    Use the logs even if stdin is a pipe
        -l,--login                      Login report
        -k,--key                        Key report
        -m,--mods                       Modification to accounts report
        -ma,--mac                       Mandatory Access Control (MAC) report
        --node <node name>              Only events from a specific node
        -n,--anomaly                    aNomaly report
        -p,--pid                        Pid report
        -r,--response                   Response to anomaly report
        -s,--syscall                    Syscall report
        --success                       only success events in report
        --summary                       sorted totals for main object in report
        -t,--log                        Log time range report
        -te,--end [end date] [end time] ending date & time for reports
        -tm,--terminal                  TerMinal name report
        -ts,--start [start date] [start time]   starting data & time for reports
        --tty                           Report about tty keystrokes
        -u,--user                       User name report
        -v,--version                    Version
        -x,--executable                 eXecutable name report
        If no report is given, the summary report will be displayed
Accepted Solution

by:woolmilkporc
Sorry, I was in a hurry and confused aureport and ausearch.

ausearch -a 2147970