
Analyzing Audit Log - Redhat

I have noticed someone changed the permissions for files under /etc. How can I find out when it was changed and who changed it?

I have audit.log but how do I search it?

Can someone help me dive into this?

I noticed these commands but never used them.

auditctl
ausearch
aureport
Asked by: ittechlab
1 Solution
 
woolmilkporc commented:
If you know the filenames of the changed files you can try this for every filename:

ausearch --file filename

This will search in today's logs.

To begin the search at an earlier or later time add

--start start_spec

where start_spec can be a time/date specification according to your locale setting or now, recent, today, yesterday, this-week, this-month, this-year.

Likewise, you can specify an end time, by adding "--end" followed by the same format or keywords as "--start".

Add "--input file-name" to search in a logfile which is in a non-standard location, or use "--input-logs" to search the logs whose locations are specified in auditd.conf.

ittechlab (Linux Support, author) commented:
I was looking at the file permissions of /etc/crontab on two different servers and I can see that someone changed the permissions on server2. When I run the ausearch command it does not find any match. Please advise.

[root@server1]# ls -l /etc/crontab
-rw-r-----  1 root root 255 Sep 20  2004 /etc/crontab

[root@server2]# ls -l /etc/crontab
-rwxr-xr-x 1 root root 255 Jul 15  2006 /etc/crontab

[root@server2]# ausearch --file /etc/crontab
<no matches>

ittechlab (Linux Support, author) commented:
I want to search from Oct 21 2012 to now. How can I do that?


[root@server2]# ausearch --start oct21 --file /etc/crontab
 
woolmilkporc commented:
Your command searches just in today's logs!

Add something like

--start this-month

to search the whole month's worth of log data.

ittechlab (Linux Support, author) commented:
This month I don't see any matches. Let's say I want to try Oct 2012. How do I add this?

woolmilkporc commented:
I saw your second comment too late.

The format of --start depends on your locale.

For en_US.utf8 it should look like this:

--start 10/21/2012

ittechlab (Linux Support, author) commented:
I got <no matches>.
Something must be missing.

I tried to create a test file and chmod the file, then did ausearch; it is not working. Why?

ittechlab (Linux Support, author) commented:
[root@server2 tmp]# touch file1
[root@server2 tmp]# ls -l file1
-rw-r----- 1 root root 0 Jan 15 14:39 file1
[root@server2 tmp]# chmod 755 file1
[root@server2 tmp]# ls -l file1
-rwxr-xr-x 1 root root 0 Jan 15 14:39 file1
[root@server2 tmp]# ausearch --file /tmp/file1
<no matches>

woolmilkporc commented:
Try without the path, just the filename.

As for your test file - audit records are flushed to disk according to the flush and freq settings in auditd.conf.

Only with "flush sync" your logfile will be always up to date.

ittechlab (Linux Support, author) commented:
[root@server2 tmp]# ausearch --start this-month --file file1
<no matches>
[root@server2 tmp]# ausearch --file file1
<no matches>

ittechlab (Linux Support, author) commented:
Only with "flush sync" your logfile will be always up to date

Is it a command, flush sync?

woolmilkporc commented:
No, it's a setting in auditd.conf, as I wrote above.

ittechlab (Linux Support, author) commented:
How do I force the update so it will be in sync?

woolmilkporc commented:
Please look at /etc/audit.rules

Is /tmp under audit? If it isn't, you will never see your action in ausearch.

What's under audit anyway?

ittechlab (Linux Support, author) commented:
[root@server2 adm]# cat /etc/audit/audit.rules
# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.

# First rule - delete all
-D

# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 320

# Feel free to add below this line. See auditctl man page

-a exit,always -F arch=b32 -S execve -F uid=0
-a exit,always -F arch=b32 -S execve -F euid=0
-a exit,always -F arch=b64 -S execve -F uid=0
-a exit,always -F arch=b64 -S execve -F euid=0

Does it mean /etc is not audited here, as well as /tmp?

woolmilkporc commented:
This means that you're auditing the 32-bit and 64-bit "execve" syscalls, but only for the userid "0" which is root.

"execve" is basically "program execution", so your above rules constitute auditing of any program executed by root, but no specific file/filesystem watch.

So it's normal that "--file xxx" doesn't yield any result.

You could try "--word crontab" or "--word /etc/crontab" to perform a string search.

If you can guess the command used you can also try "--comm command" or "--executable programname".

ittechlab (Linux Support, author) commented:
If I have a file under /tmp, will it work according to these rules?

[root@server2 tmp]# cat /etc/audit/audit.rules
# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.

# First rule - delete all
-D

# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 320

# Feel free to add below this line. See auditctl man page

-a exit,always -F arch=b32 -S execve -F uid=0
-a exit,always -F arch=b32 -S execve -F euid=0
-a exit,always -F arch=b64 -S execve -F uid=0
-a exit,always -F arch=b64 -S execve -F euid=0

woolmilkporc commented:
Only for root and not with "--file". Maybe with "--word".
See my last comment.

ittechlab (Linux Support, author) commented:
I am getting "unsupported option".

[root@server2 tmp]# ausearch --word /tmp/file1
/tmp/file1 is an unsupported option

ittechlab (Linux Support, author) commented:
[root@server2 tmp]# ausearch --word file1
file1 is an unsupported option

woolmilkporc commented:
Sorry,

"--word" is indeed the wrong option.

I think you should run

aureport -f

This will show all events of today related to files.

Is there anything useful at all?

See "man aureport" to learn what other types of filters you can set.

woolmilkporc commented:
... and if there is information about files in "aureport -f" try the pedestrian way:

aureport -f --start 10/21/2012  | grep crontab

or even

aureport --start 10/21/2012  | grep crontab

ittechlab (Linux Support, author) commented:
Please see below. I am not getting any output.

[root@server1 tmp]# aureport -f  | grep file1
[root@server1 tmp]# ls -l file1
-rwxrwxrwx 1 root root 15 Jan 15 15:00 file1

woolmilkporc commented:
Do you see anything at all with just "aureport"?

Are you sure that auditd is running?

ittechlab (Linux Support, author) commented:
Let me check it.

ittechlab (Linux Support, author) commented:
I am replicating on another machine. Same issue.

[root@desktop5 tmp]# aureport -f  | grep file1
[root@desktop5 tmp]#


auditd is running

[root@desktop5 tmp]# ps -ef | grep auditd
root       406     2  0 Jan06 ?        00:00:00 [kauditd]
root      2201     1  0 Jan06 ?        00:00:00 auditd
root      4253  3465  0 18:53 pts/4    00:00:00 grep auditd

Please let me know if this rule is OK on this machine.

[root@desktop5 tmp]# cat /etc/audit/audit.rules
# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.

# First rule - delete all
-D

# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 320

# Feel free to add below this line. See auditctl man page


Let me know what else I need to check. Since I was out of office I am trying on another machine to replicate this issue.

woolmilkporc commented:
Please run

aureport

and

aureport -f

We definitely must make sure that there's something (whatever) in your logs before we can continue.

ittechlab (Linux Support, author) commented:
[root@ulvnccd01 ~]#
[root@server1~]# aureport

Summary Report
======================
Range of time in logs: 01/15/2013 18:17:01.404 - 01/16/2013 08:08:56.758
Selected time for report: 01/15/2013 18:17:01 - 01/16/2013 08:08:56.758
Number of changes in configuration: 0
Number of changes to accounts, groups, or roles: 0
Number of logins: 4
Number of failed logins: 0
Number of authentications: 7
Number of failed authentications: 0
Number of users: 4
Number of terminals: 7
Number of host names: 6
Number of executables: 73
Number of files: 169
Number of AVC's: 0
Number of MAC events: 0
Number of failed syscalls: 3113
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 8
Number of keys: 0
Number of process IDs: 18706
Number of events: 31167

ittechlab (Linux Support, author) commented:
When I run aureport -f I do see the binary only. I don't see the file names such as crontab or my test file file1.

ittechlab (Linux Support, author) commented:
Here is what I am looking for: let's say someone changed the permissions on a file or directory and you want to find out who did it and when it happened.

Can we create a test case for this?

woolmilkporc commented:
What do you mean with "binary" ?  The "touch" command?

You can check for all messages related to a particular event.

With "aureport -f" you should have seen a prefix for every message consisting of a Unix timestamp, a colon (:) and an event-id (example 1234), like

1358342152.987:1234

Feed the event-id (example: 1234) to aureport to see all related messages:

aureport -a 1234

If you don't find anything useful there isn't sufficient granularity in your audit setup.

woolmilkporc commented:
As for the test case:

In order to get a detailed audit of file accesses you could set up a file or directory watch.

Let's say you want to audit all file/directory writes and attribute changes by all users under the /etc directory tree.

So add this to /etc/audit/audit.rules:

-a exit,always -F dir=/etc -F perm=wa

To make it also work immediately, issue on the command line as root:

auditctl -a exit,always  -F dir=/etc -F perm=wa

Check that the /etc/audit/auditd.conf file contains

flush sync

If it doesn't then change accordingly and restart auditd.

Now change the permission of a file in /etc, then change it back, so that at the end the file remains as it was. Example:

chmod o+w /etc/hosts
chmod o-w /etc/hosts

Run aureport to check the result.
 
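The thread walks through three things: filtering by file and time window (the first answer's --file, --start and --end), grouping records by the timestamp:event-id stamp (the ausearch -a step), and the /etc watch test case above. The following is an added example in Python, not code from the thread or from the audit package, that does the same work directly on raw audit.log records, so the reader can see what the perm=wa watch actually produces and which fields answer "who" and "when". It assumes the watch rule above is loaded, that the records are from an x86_64 host (arch=c000003e, so syscall 90 is chmod and 59 is execve), and that audit was configured with pam_loginuid so auid holds the login user. SAMPLE_LOG is constructed for the example with made-up pids, inodes and auid; the function names (parse_events, touched_paths, at, find_perm_changes, report) are the example's own.

```python
"""Find who changed a file's permissions, and when, from a raw auditd log,
doing by hand what ausearch --file/--start/--end and ausearch -a do.
Added example for this thread, not code from the posts or the audit package.
Assumes the watch rule from the thread (-a exit,always -F dir=/etc -F perm=wa)
is loaded, so a chmod/chown under /etc yields SYSCALL, CWD and PATH records
that share one msg=audit(time:id) stamp."""
import posixpath
import re
from datetime import datetime, timezone

# Constructed sample log (pids, inodes and auid are made up). Event 1234: a
# user who logged in as auid 1000 and became root runs chmod on /etc/hosts.
# Event 1235: an unrelated execve of ls. Event 1236: chmod again, this time
# on the relative name "hosts" with cwd /etc.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1358342152.987:1234): arch=c000003e syscall=90 success=yes exit=0 a0=7fff1a2b3c40 a1=1a6 a2=0 a3=0 items=1 ppid=2100 pid=2138 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=3 comm="chmod" exe="/bin/chmod"
type=CWD msg=audit(1358342152.987:1234):  cwd="/root"
type=PATH msg=audit(1358342152.987:1234): item=0 name="/etc/hosts" inode=131 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1358342160.101:1235): arch=c000003e syscall=59 success=yes exit=0 a0=1b8e420 a1=1b8e4c0 a2=1b8d0a0 a3=8 items=2 ppid=2100 pid=2140 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=3 comm="ls" exe="/bin/ls"
type=CWD msg=audit(1358342160.101:1235):  cwd="/root"
type=PATH msg=audit(1358342160.101:1235): item=0 name="/bin/ls" inode=652 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1358342200.500:1236): arch=c000003e syscall=90 success=yes exit=0 a0=7fff1a2b3c40 a1=1a4 a2=0 a3=0 items=1 ppid=2100 pid=2151 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=3 comm="chmod" exe="/bin/chmod"
type=CWD msg=audit(1358342200.500:1236):  cwd="/etc"
type=PATH msg=audit(1358342200.500:1236): item=0 name="hosts" inode=131 dev=fd:00 mode=0100646 ouid=0 ogid=0 rdev=00:00
"""

# x86_64 (arch=c000003e) syscall numbers that change mode or ownership.
PERM_SYSCALLS = {90: "chmod", 91: "fchmod", 268: "fchmodat",
                 92: "chown", 93: "fchown", 94: "lchown", 260: "fchownat"}

RECORD_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_events(text):
    """Group records by event id (the number after the colon in the stamp).
    Returns {event_id: {"ts": epoch_seconds, "records": [(type, fields)]}};
    lines that are not well-formed audit records are skipped."""
    events = {}
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
        ev = events.setdefault(int(serial), {"ts": float(ts), "records": []})
        ev["records"].append((rtype, fields))
    return events


def touched_paths(records):
    """Absolute paths from an event's PATH records. A relative name is
    resolved against the CWD record, so "hosts" run from /etc matches
    /etc/hosts even though the raw record never contains that string."""
    cwd = next((f.get("cwd", "/") for t, f in records if t == "CWD"), "/")
    names = [f["name"] for t, f in records if t == "PATH" and "name" in f]
    return [posixpath.normpath(posixpath.join(cwd, n)) for n in names]


def at(when):
    """Time bound as epoch seconds or an ISO "YYYY-MM-DD HH:MM" string (UTC);
    ausearch --start in the thread uses the locale date format instead."""
    if isinstance(when, str):
        return datetime.fromisoformat(when).replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(when, tz=timezone.utc)


def find_perm_changes(events, path, start=None, end=None):
    """Events where a chmod/chown-family syscall touched `path`, within an
    optional window. auid is the login user and survives su/sudo; uid is
    who the process ran as when it made the call."""
    lo = at(start) if start is not None else None
    hi = at(end) if end is not None else None
    hits = []
    for serial, ev in sorted(events.items()):
        when = at(ev["ts"])
        if (lo and when < lo) or (hi and when > hi):
            continue
        sc = next((f for t, f in ev["records"] if t == "SYSCALL"), None)
        if sc is None or int(sc.get("syscall", -1)) not in PERM_SYSCALLS:
            continue
        if path not in touched_paths(ev["records"]):
            continue
        hits.append({"event_id": serial, "when": when.isoformat(),
                     "syscall": PERM_SYSCALLS[int(sc["syscall"])],
                     "success": sc.get("success") == "yes",
                     "auid": int(sc["auid"]), "uid": int(sc["uid"]),
                     "comm": sc.get("comm"), "exe": sc.get("exe"),
                     "tty": sc.get("tty"), "path": path})
    return hits


def report(hits):
    """One line per hit, in the spirit of aureport -f, plus the event id
    to feed to ausearch -a for the full record."""
    return [f'{h["when"]} event={h["event_id"]} {h["syscall"]} {h["path"]} '
            f'auid={h["auid"]} uid={h["uid"]} exe={h["exe"]} tty={h["tty"]} '
            f'success={h["success"]}' for h in hits]


if __name__ == "__main__":
    hits = find_perm_changes(parse_events(SAMPLE_LOG), "/etc/hosts")
    print("\n".join(report(hits)))
```

Run as a script it prints the two /etc/hosts changes; to use it on a real host, read /var/log/audit/audit.log (or the rotated copies) into parse_events. The auid column is the answer to "who": it is set at login and does not change across su or sudo, whereas uid shows the account the process was running as when it called chmod. Note that this only works once the watch rule is in place; with the thread's original execve-only rules there are no PATH records for /etc files, which is why --file found nothing.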
ittechlab (Linux Support, author) commented:
It's all commands I see.

I am trying to search by file name. How do I know which file was changed by chown?

[root@server2~]# aureport -f | grep chmod
449. 01/15/2013 23:00:01 /bin/chmod 59 yes /bin/chmod 0 2138489
451. 01/15/2013 23:00:01 /bin/chmod 59 yes /bin/chmod 0 2138495
7927. 01/16/2013 04:02:03 /bin/chmod 59 yes /bin/chmod 0 2147885
7971. 01/16/2013 04:02:04 /bin/chmod 59 yes /bin/chmod 0 2147910
7993. 01/16/2013 04:02:04 /bin/chmod 59 yes /bin/chmod 0 2147932
7997. 01/16/2013 04:02:04 /bin/chmod 59 yes /bin/chmod 0 2147936
8001. 01/16/2013 04:02:04 /bin/chmod 59 yes /bin/chmod 0 2147940
8005. 01/16/2013 04:02:04 /bin/chmod 59 yes /bin/chmod 0 2147944
8030. 01/16/2013 04:02:16 /bin/chmod 59 yes /bin/chmod 0 2147970

woolmilkporc commented:
ausearch -a 2147970

(for example)

If you don't get the desired info please see my previous comment.

ittechlab (Linux Support, author) commented:
[root@server2~]# aureport -a 2147970
2147970 is an unsupported option
usage: aureport [options]
        -a,--avc                        Avc report
        -au,--auth                      Authentication report
        -c,--config                     Config change report
        -cr,--crypto                    Crypto report
        -e,--event                      Event report
        -f,--file                       File name report
        --failed                        only failed events in report
        -h,--host                       Remote Host name report
        --help                          help
        -i,--interpret                  Interpretive mode
        -if,--input <Input File name>   use this file as input
        --input-logs                    Use the logs even if stdin is a pipe
        -l,--login                      Login report
        -k,--key                        Key report
        -m,--mods                       Modification to accounts report
        -ma,--mac                       Mandatory Access Control (MAC) report
        --node <node name>              Only events from a specific node
        -n,--anomaly                    aNomaly report
        -p,--pid                        Pid report
        -r,--response                   Response to anomaly report
        -s,--syscall                    Syscall report
        --success                       only success events in report
        --summary                       sorted totals for main object in report
        -t,--log                        Log time range report
        -te,--end [end date] [end time] ending date & time for reports
        -tm,--terminal                  TerMinal name report
        -ts,--start [start date] [start time]   starting data & time for reports
        --tty                           Report about tty keystrokes
        -u,--user                       User name report
        -v,--version                    Version
        -x,--executable                 eXecutable name report
        If no report is given, the summary report will be displayed

woolmilkporc commented:
Sorry, I was in a hurry and confused aureport and ausearch.

ausearch -a 2147970