fraggle/WebsiteTemplate
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
main
WebsiteTemplate/cheatsheets/auditd.html
Fraggle 6f42a58ee5
first commit
2026-01-25 11:33:37 -04:00

400 lines
12 KiB
HTML
Raw Permalink Blame History

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'; style-src 'self'; font-src 'self' data:; img-src 'self' data:; connect-src 'self'; base-uri 'self'; form-action 'self' https://defcon.social https://bsky.app;">
<meta http-equiv="X-Content-Type-Options" content="nosniff">
<link rel="stylesheet" href="../assets/css/style.css">
<link rel="icon" type="image/x-icon" href="../favicon.ico">
<script>
// Apply theme immediately to prevent flash
(function() {
const theme = localStorage.getItem('theme') ||
(window.matchMedia && window.matchMedia('(prefers-color-scheme: dark)').matches ? 'dark' : 'light');
document.documentElement.setAttribute('data-theme', theme);
})();
</script>
<title>auditd Cheatsheet - Cheatsheets - Launch Pad</title>
</head>
<body>
<button class="theme-toggle" id="themeToggle" aria-label="Toggle dark mode">
<svg class="theme-icon theme-icon-moon" xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M21 12.79A9 9 0 1 1 11.21 3 7 7 0 0 0 21 12.79z"></path></svg>
<svg class="theme-icon theme-icon-sun" xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" style="display: none;"><circle cx="12" cy="12" r="5"></circle><line x1="12" y1="1" x2="12" y2="3"></line><line x1="12" y1="21" x2="12" y2="23"></line><line x1="4.22" y1="4.22" x2="5.64" y2="5.64"></line><line x1="18.36" y1="18.36" x2="19.78" y2="19.78"></line><line x1="1" y1="12" x2="3" y2="12"></line><line x1="21" y1="12" x2="23" y2="12"></line><line x1="4.22" y1="19.78" x2="5.64" y2="18.36"></line><line x1="18.36" y1="5.64" x2="19.78" y2="4.22"></line></svg>
</button>
<br/><br/>
<div class="name">
__ _______________________ _________._________________________
\_ _____/ \______ \ / _ \ / _____/ / _____/ | | \_ _____/
| __) | _/ / /_\ \ / \ ___ / \ ___ | | | __)_
| \ | | \ / | \ \ \_\ \ \ \_\ \ | |___ | \
\___ / |____|_ / \____|__ / \______ / \______ / |_______ \ /_______ /
\/ \/ \/ \/ \/ \/ \/
</div>
<div class="blog-page-header">
<div class="blog-header-content">
<a href="/cheatsheets" class="back-link" title="Back to Cheatsheets">
<svg xmlns="http://www.w3.org/2000/svg" width="42" height="42" viewBox="0 0 24 24" class="home-icon"><path fill="currentColor" d="M10 20v-6h4v6h5v-8h3L12 3 2 12h3v8z"/></svg>
</a>
<h1 class="blog-page-title">auditd Cheatsheet</h1>
</div>
</div>
<div class="blog-post-container">
<div class="blog-posts-container" style="max-width: 900px; margin: 0 auto;">
<div class="blog-post">
<div class="blog-post-content">
<p><a href="index.html">← Back to cheatsheets</a></p>
<p><a href="../index.html">← Home</a></p>
<hr>
<p>auditd (Linux Audit Daemon) is the user-space component of the Linux Auditing System. It collects and stores audit records from the kernel, monitoring system calls and file access for security compliance and forensics.</p>
<hr>
<h2>Service Management</h2>
<ul>
<li>systemctl start auditd - Start audit daemon</li>
</ul>
<ul>
<li>systemctl stop auditd - Stop audit daemon</li>
</ul>
<ul>
<li>systemctl restart auditd - Restart audit daemon</li>
</ul>
<ul>
<li>systemctl status auditd - Check audit daemon status</li>
</ul>
<ul>
<li>systemctl enable auditd - Enable audit daemon at boot</li>
</ul>
<ul>
<li>auditctl -e 1 - Enable auditing</li>
</ul>
<ul>
<li>auditctl -e 0 - Disable auditing</li>
</ul>
<ul>
<li>auditctl -s - Show audit system status</li>
</ul>
<hr>
<h2>Viewing Audit Logs</h2>
<ul>
<li>ausearch -k <key> - Search by key</li>
</ul>
<ul>
<li>ausearch -m <msg_type> - Search by message type</li>
</ul>
<ul>
<li>ausearch -ua <uid> - Search by user ID</li>
</ul>
<ul>
<li>ausearch -ui <uid> - Search by effective user ID</li>
</ul>
<ul>
<li>ausearch -x <executable> - Search by executable name</li>
</ul>
<ul>
<li>ausearch -sc <syscall> - Search by syscall</li>
</ul>
<ul>
<li>ausearch -ts today - Search today's events</li>
</ul>
<ul>
<li>ausearch -ts recent - Search recent events</li>
</ul>
<ul>
<li>ausearch --start today --end now - Search time range</li>
</ul>
<ul>
<li>aureport - Summary report of audit events</li>
</ul>
<ul>
<li>aureport -au - Authentication report</li>
</ul>
<ul>
<li>aureport -m - Account modifications report</li>
</ul>
<ul>
<li>aureport -f - Failed file operations</li>
</ul>
<ul>
<li>aureport --summary - Summary of all events</li>
</ul>
<ul>
<li>ausearch -i - Interpret numeric entities (usernames, etc.)</li>
</ul>
<ul>
<li>tail -f /var/log/audit/audit.log - Monitor audit log in real-time</li>
</ul>
<hr>
<h2>Configuring Rules</h2>
<ul>
<li>/etc/audit/rules.d/audit.rules - Permanent rule configuration file</li>
</ul>
<ul>
<li>/etc/audit/auditd.conf - Audit daemon configuration</li>
</ul>
<ul>
<li>auditctl -l - List current rules</li>
</ul>
<ul>
<li>auditctl -D - Delete all rules</li>
</ul>
<ul>
<li>service auditd restart - Reload rules from configuration files</li>
</ul>
<hr>
<h2>File System Watch Rules</h2>
<h3>Watching Files</h3>
<ul>
<li>auditctl -w /etc/passwd -p rwxa -k passwd_changes - Watch file (read, write, execute, attribute)</li>
</ul>
<ul>
<li>auditctl -w /etc/shadow -p wa -k shadow_changes - Watch file (write, attribute)</li>
</ul>
<ul>
<li>auditctl -w /etc/sudoers -p wa -k sudoers_changes - Watch sudoers file</li>
</ul>
<h3>Watching Directories</h3>
<ul>
<li>auditctl -w /etc/ -p wa -k etc_changes - Watch directory</li>
</ul>
<ul>
<li>auditctl -w /usr/bin/ -p x -k usr_bin_exec - Watch executable execution</li>
</ul>
<ul>
<li>auditctl -w /var/log/ -p rwa -k log_access - Watch log directory</li>
</ul>
<h3>Watch Permissions</h3>
<ul>
<li>-p r - Read operations</li>
</ul>
<ul>
<li>-p w - Write operations</li>
</ul>
<ul>
<li>-p x - Execute operations</li>
</ul>
<ul>
<li>-p a - Attribute changes (permissions, ownership)</li>
</ul>
<hr>
<h2>System Call Rules</h2>
<h3>Basic Syntax</h3>
<ul>
<li>auditctl -a always,exit -S <syscall> -F <field>=<value> -k <key> - Rule format</li>
</ul>
<h3>Common System Calls</h3>
<ul>
<li>auditctl -a always,exit -S chmod -F auid>=1000 -k file_permission_change</li>
</ul>
<ul>
<li>auditctl -a always,exit -S chown -F auid>=1000 -k file_ownership_change</li>
</ul>
<ul>
<li>auditctl -a always,exit -S unlink -F auid>=1000 -k file_deletion</li>
</ul>
<ul>
<li>auditctl -a always,exit -S mount -k mount_operations</li>
</ul>
<ul>
<li>auditctl -a always,exit -S setuid -k privilege_escalation</li>
</ul>
<ul>
<li>auditctl -a always,exit -S setgid -k privilege_escalation</li>
</ul>
<h3>Rule Actions</h3>
<ul>
<li>always - Always generate audit record</li>
</ul>
<ul>
<li>never - Never generate audit record</li>
</ul>
<h3>Rule Lists</h3>
<ul>
<li>task - Per-task list (applied on fork/clone)</li>
</ul>
<ul>
<li>exit - Syscall exit list</li>
</ul>
<ul>
<li>user - Per-user list</li>
</ul>
<ul>
<li>exclude - Exclusion list</li>
</ul>
<hr>
<h2>Filter Fields</h2>
<ul>
<li>-F auid=<uid> - Audit user ID</li>
</ul>
<ul>
<li>-F uid=<uid> - User ID</li>
</ul>
<ul>
<li>-F gid=<gid> - Group ID</li>
</ul>
<ul>
<li>-F euid=<uid> - Effective user ID</li>
</ul>
<ul>
<li>-F pid=<pid> - Process ID</li>
</ul>
<ul>
<li>-F ppid=<pid> - Parent process ID</li>
</ul>
<ul>
<li>-F arch=b64 - 64-bit architecture</li>
</ul>
<ul>
<li>-F arch=b32 - 32-bit architecture</li>
</ul>
<ul>
<li>-F exit=<value> - Exit value</li>
</ul>
<ul>
<li>-F success!=0 - Failed operations only</li>
</ul>
<ul>
<li>-F path=<file> - File path</li>
</ul>
<ul>
<li>-F perm=<permissions> - File permissions (rwa)</li>
</ul>
<hr>
<h2>Useful Rule Examples</h2>
<h3>Watch Critical System Files</h3>
<pre><code># /etc/passwd
auditctl -w /etc/passwd -p wa -k passwd_changes
# /etc/shadow
auditctl -w /etc/shadow -p wa -k shadow_changes
# /etc/sudoers
auditctl -w /etc/sudoers -p wa -k sudoers_changes
# /etc/hosts
auditctl -w /etc/hosts -p wa -k hosts_changes</code></pre>
<h3>Monitor Privilege Escalation</h3>
<pre><code># Monitor setuid/setgid
auditctl -a always,exit -S setuid -S setgid -F auid>=1000 -k privilege_change
# Monitor sudo usage
auditctl -w /usr/bin/sudo -p x -k sudo_execution
auditctl -w /usr/bin/su -p x -k su_execution</code></pre>
<h3>Monitor Network Configuration</h3>
<pre><code># Network config files
auditctl -w /etc/network/ -p wa -k network_changes
# Firewall rules
auditctl -w /etc/iptables/ -p wa -k firewall_changes</code></pre>
<h3>Monitor User Management</h3>
<pre><code># User/group changes
auditctl -a always,exit -S useradd -S usermod -S userdel -k user_management
auditctl -a always,exit -S groupadd -S groupmod -S groupdel -k group_management</code></pre>
<hr>
<h2>Search Examples</h2>
<h3>Search by Key</h3>
<pre><code>ausearch -k passwd_changes -i</code></pre>
<h3>Search Failed Logins</h3>
<pre><code>ausearch -m LOGIN -sv no -i</code></pre>
<h3>Search File Access</h3>
<pre><code>ausearch -f /etc/shadow -i</code></pre>
<h3>Search by User</h3>
<pre><code>ausearch -ua 1000 -i</code></pre>
<h3>Search Today's Events</h3>
<pre><code>ausearch -ts today -i</code></pre>
<hr>
<h2>Configuration Files</h2>
<h3>/etc/audit/auditd.conf</h3>
<pre><code># Log file location
log_file = /var/log/audit/audit.log
# Log format (RAW or NOLOG)
log_format = RAW
# Maximum log file size (MB)
max_log_file = 8
# Action when disk is full
space_left_action = email
action_mail_acct = root
admin_space_left_action = suspend
disk_full_action = suspend
# Number of log files to keep
num_logs = 5</code></pre>
<h3>/etc/audit/rules.d/audit.rules</h3>
<pre><code># Delete all existing rules
-D
# Buffer settings
-b 8192
# Failure mode (0=silent, 1=printk, 2=panic)
-f 1
# Make rules immutable (cannot be changed until reboot)
-e 2
# Watch critical files
-w /etc/passwd -p wa -k passwd_changes
-w /etc/shadow -p wa -k shadow_changes
-w /etc/sudoers -p wa -k sudoers_changes</code></pre>
<hr>
<h2>Tips</h2>
<ul>
<li>Use meaningful keys (-k) for easier searching later</li>
</ul>
<ul>
<li>Test rules with auditctl before adding to permanent config</li>
</ul>
<ul>
<li>Monitor audit log size - rotate or truncate when needed</li>
</ul>
<ul>
<li>Use -i flag with ausearch for human-readable output</li>
</ul>
<ul>
<li>Filter by failed operations (-sv no) to find security issues</li>
</ul>
<ul>
<li>Regularly review audit logs with aureport</li>
</ul>
<ul>
<li>Set appropriate disk space limits to prevent log overflow</li>
</ul>
<ul>
<li>Use immutable rules (-e 2) in production for security</li>
</ul>
<ul>
<li>Watch executable directories to detect unauthorized binaries</li>
</ul>
<ul>
<li>Monitor sudo/su usage to track privilege escalation</li>
</ul>
<ul>
<li>Combine file watches with syscall rules for comprehensive monitoring</li>
</ul>
<ul>
<li>Use keys to categorize events for easier analysis</li>
</ul>
<ul>
<li>Check audit.log regularly to ensure auditing is working</li>
</ul>
<ul>
<li>Use ausearch with time ranges for forensic investigations</li>
</ul>
<ul>
<li>Archive old audit logs for compliance requirements</li>
</ul>
<hr>
<p><a href="index.html">← Back to cheatsheets</a></p>
<p><a href="../index.html">← Home</a></p>
</div>
</div>
</div>
</div>
<script async type="text/javascript" src="../blog/analytics.js"></script>
<script src="../theme.js"></script>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink