Linux Auditing Logs

What are Linux Audit logs?

The Linux Auditing System is a native kernel subsystem; the userspace auditd daemon receives its records and writes them to disk. Because it records who did what at the system-call level, independently of whatever the application itself logs, it is one of the most valuable data sources for forensic investigations and for detection on Linux hosts.

The Linux Auditing System monitors three distinct things:

  • System calls: which system calls a process made, with context such as the arguments, the PID and parent PID, the executable, and the real, effective and login (auid) user IDs

  • File access: watch rules (-w path -p permissions) record reads, writes, executes and attribute changes on a given path, so you do not have to write syscall rules for open, openat and their relatives yourself

  • Select, pre-configured auditable events within the kernel and in audit-aware userspace programs (PAM, login, shadow-utils). List of event types by Red Hat.

Configuration

  • /etc/audit/audit.rules: the compiled rule set loaded at boot. On current systems it is generated by augenrules from the fragments in /etc/audit/rules.d/*.rules, so put persistent rules there and reload with augenrules --load rather than editing audit.rules directly.

  • /etc/audit/auditd.conf: daemon settings such as the log file location, rotation, and what to do when the disk is full (which matters for evidence preservation).

Logs

  • /var/log/audit/audit.log (rotated copies audit.log.1, audit.log.2, ... sit alongside it)

What important info does auditd contain?

If configured well: logon and logoff events, user and group management (adding users and groups, account locks and unlocks), file access, and program execution. Note that the login and account-management records (USER_LOGIN, USER_AUTH, ADD_USER and related types) are emitted by PAM and shadow-utils whenever auditd is running, even with no rules loaded; syscall and file-access records only appear for what your rules ask for.

Auditd commands during live analysis:

aureport shows a summary report of auditd-recorded activity. With no arguments it prints the summary below; useful sub-reports are aureport -au (authentication attempts), -l (logins), -x (executables) and -f (files), optionally restricted to a time window with -ts and -te.

aureport

Summary Report
===================
Range of time in logs: 1/1/1999 10:10:10 - 2/2/2000 20:20:20
Number of Failed Logons: 100
Number of Commands: 10

auditctl is used to review and set auditing rules. auditctl -l lists the rules currently loaded in the kernel. The command below adds a watch on /var/log/lastlog for reads, writes and attribute changes and tags matching records with the key lastlog-file; rules added this way are lost on reboot, so put them in /etc/audit/rules.d/ to make them persistent.

#below command watches the lastlog file and tags matching records with the key lastlog-file
auditctl -w /var/log/lastlog -p rwa -k lastlog-file

ausearch can be used to filter audit logs for a specific rule: -k selects records carrying that rule's key. Adding -i interprets numeric fields (UIDs, syscall numbers, hex-encoded strings) into readable form, and -m selects by record type instead of key.

ausearch -k lastlog-file

Common RHEL 7 and 8 audit record types (the value of the type= field; select them with ausearch -m TYPE)

  • ADD_GROUP: a group was added (groupadd)

  • ADD_USER: a user account was added (useradd)

  • USER_LOGIN: a login attempt, successful or failed (res=success or res=failed in the record)

  • USER_LOGOUT: a user logged out

  • USER_AUTH: a userspace authentication attempt through PAM, again with res=success or res=failed

  • SYSTEM_SHUTDOWN: the system was shut down

  • SOFTWARE_UPDATE: a package was installed, updated or removed (rpm/dnf on RHEL 8)

Understanding Audit Log Files:

With a watch rule on the SSH daemon configuration in place (for example -w /etc/ssh/sshd_config -p warx -k sshd_config), an unprivileged user running the command below produces the following event in audit.log. One event consists of several records; all of them carry the same timestamp and serial number, audit(1364481363.243:24287), which is how records belonging to one event are tied together.

> cat /etc/ssh/sshd_config
type=SYSCALL msg=audit(1364481363.243:24287): arch=c000003e syscall=2 success=no exit=-13 a0=7fffd19c5592 a1=0 a2=7fffd19c4b50 a3=a items=1 ppid=2686 pid=3538 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1 comm="cat" exe="/bin/cat" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="sshd_config"
type=CWD msg=audit(1364481363.243:24287):  cwd="/home/shadowman"
type=PATH msg=audit(1364481363.243:24287): item=0 name="/etc/ssh/sshd_config" inode=409248 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0  objtype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1364481363.243:24287): proctitle=636174002F6574632F7373682F737368645F636F6E666967

How to read it:

  • SYSCALL: arch=c000003e is x86_64, on which syscall=2 is open. success=no exit=-13 means the call failed with errno 13 (EACCES). uid=1000 is the user the process ran as; auid=1000 is the login UID, set at login and preserved across su and sudo, so it identifies who was actually at the keyboard. key="sshd_config" is the key of the rule that matched.

  • CWD: the working directory of the process, needed to resolve relative paths in PATH records.

  • PATH: the file the call touched. mode=0100600 with ouid=0 also explains the failure: the file is readable by root only.

  • PROCTITLE: the full command line, hex-encoded because argv elements are NUL-separated; 636174002F... decodes to "cat", a NUL byte, then "/etc/ssh/sshd_config". ausearch -i does this decoding for you.
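The record format above is plain key=value text, so it parses with little code. The following is an added example (not code from this page or from the audit package) that groups raw records by serial number, decodes PROCTITLE, resolves the syscall number for x86_64 (an assumed lookup table covering only a few calls) and translates a negative exit value into its errno name. The sample log is the event above plus a constructed second event in which root reads the same file successfully.

```python
"""Parse raw auditd records, tie them together by event serial and summarize
each event. Added example, not code from the original page or from auditd.
The syscall-name table is an assumption valid only for arch=c000003e (x86_64)."""
import errno
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: the sshd_config event shown above (serial 24287, read
# denied) plus a made-up follow-up in which root reads the file (serial 24288).
SAMPLE_AUDIT_LOG = r'''
type=SYSCALL msg=audit(1364481363.243:24287): arch=c000003e syscall=2 success=no exit=-13 a0=7fffd19c5592 a1=0 a2=7fffd19c4b50 a3=a items=1 ppid=2686 pid=3538 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1 comm="cat" exe="/bin/cat" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="sshd_config"
type=CWD msg=audit(1364481363.243:24287):  cwd="/home/shadowman"
type=PATH msg=audit(1364481363.243:24287): item=0 name="/etc/ssh/sshd_config" inode=409248 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0  objtype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1364481363.243:24287): proctitle=636174002F6574632F7373682F737368645F636F6E666967
type=SYSCALL msg=audit(1364481400.001:24288): arch=c000003e syscall=2 success=yes exit=3 a0=7ffc1a2b3c4d a1=0 a2=0 a3=0 items=1 ppid=2686 pid=3600 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="cat" exe="/bin/cat" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="sshd_config"
type=PATH msg=audit(1364481400.001:24288): item=0 name="/etc/ssh/sshd_config" inode=409248 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0  objtype=NORMAL
type=PROCTITLE msg=audit(1364481400.001:24288): proctitle=636174002F6574632F7373682F737368645F636F6E666967
'''

HEADER = re.compile(r'^type=(?P<type>\S+)\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\)\s*:\s*(?P<body>.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
SYSCALLS_X86_64 = {2: 'open', 257: 'openat', 59: 'execve', 322: 'execveat'}  # assumption: x86_64 numbers only


def unquote(value):
    """Strip the quotes auditd puts around string fields; numeric fields are bare."""
    return value[1:-1] if len(value) >= 2 and value[0] == value[-1] == '"' else value


def parse_records(text):
    """Yield (record type, timestamp, serial, {field: raw value}) per record line."""
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            yield m.group('type'), float(m.group('ts')), int(m.group('serial')), dict(FIELD.findall(m.group('body')))


def group_events(text):
    """Records sharing a serial belong to one event: {serial: {'ts': ts, 'records': {type: [fields]}}}."""
    events = defaultdict(lambda: {'ts': None, 'records': defaultdict(list)})
    for rtype, ts, serial, fields in parse_records(text):
        events[serial]['ts'] = ts
        events[serial]['records'][rtype].append(fields)
    return dict(events)


def decode_proctitle(raw):
    """proctitle is a quoted string when printable; if argv contained NULs
    auditd hex-encodes the whole buffer, so decode and re-join on NUL."""
    if raw.startswith('"'):
        return unquote(raw)
    return ' '.join(p.decode('utf-8', 'replace') for p in bytes.fromhex(raw).split(b'\x00') if p)


def summarize_event(event):
    """Flatten one event into the fields an analyst looks at first."""
    recs = event['records']
    sc = recs.get('SYSCALL', [{}])[0]
    exit_code = int(sc.get('exit', '0'))
    syscall = sc.get('syscall')
    if syscall is not None and sc.get('arch') == 'c000003e':
        syscall = SYSCALLS_X86_64.get(int(syscall), syscall)
    return {
        'when': datetime.fromtimestamp(event['ts'], tz=timezone.utc).isoformat(),
        'key': unquote(sc.get('key', '')),
        'auid': sc.get('auid'),
        'uid': sc.get('uid'),
        'exe': unquote(sc.get('exe', '')),
        'syscall': syscall,
        'cmdline': decode_proctitle(recs['PROCTITLE'][0]['proctitle']) if 'PROCTITLE' in recs else '',
        'cwd': unquote(recs['CWD'][0]['cwd']) if 'CWD' in recs else '',
        'paths': [unquote(p.get('name', '')) for p in recs.get('PATH', [])],
        'success': sc.get('success') == 'yes',
        # a negative exit is -errno, e.g. -13 -> EACCES
        'error': errno.errorcode.get(-exit_code, '') if exit_code < 0 else '',
    }


def summarize_log(text):
    """Map serial -> summary for every event in the raw log text."""
    return {serial: summarize_event(ev) for serial, ev in group_events(text).items()}


if __name__ == '__main__':
    for serial, summary in sorted(summarize_log(SAMPLE_AUDIT_LOG).items()):
        print(serial, summary)
```

Run against a real file with summarize_log(open('/var/log/audit/audit.log').read()); filtering the result on success is False and key tells you which watched files someone tried and failed to touch, which is often more interesting than the successes.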

Other log files under /var/log

What each file holds

/var/log/syslog or /var/log/messages

General system-wide messages from the kernel and most daemons, routed by the syslog daemon (rsyslog by default). On Red Hat-based systems such as RHEL and CentOS they go to /var/log/messages; on Ubuntu and other Debian-based systems to /var/log/syslog. On systemd systems the journal (journalctl) holds the same messages, usually with more metadata, so check both.

/var/log/auth.log or /var/log/secure

Records successful and failed logins and other authentication activity: PAM, sshd, su, sudo and anything else that writes to the auth/authpriv syslog facilities. The location depends on the distribution: look at /var/log/auth.log on Debian/Ubuntu and /var/log/secure on Red Hat/CentOS.
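Because these files are plain syslog lines, a short script can do the first pass an analyst would otherwise do by hand: count failed sshd authentications per source address, flag any success from an address that had already failed repeatedly, and pull out sudo commands. This is an added example, not code from this page; the log lines are constructed and the three-failure threshold is an arbitrary assumption.

```python
"""Scan sshd and sudo lines from /var/log/auth.log (or /var/log/secure) for
password guessing followed by a successful login, and list sudo use.
Added example, not code from the original page. The log lines below are
constructed; the threshold and result field names are this example's own."""
import re
from collections import Counter, defaultdict

# Constructed sample in the traditional syslog line format used by both files.
SAMPLE_AUTH_LOG = '''\
Mar 28 14:36:03 host sshd[3538]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar 28 14:36:05 host sshd[3540]: Failed password for root from 203.0.113.5 port 51236 ssh2
Mar 28 14:36:07 host sshd[3542]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar 28 14:36:09 host sshd[3544]: Accepted password for root from 203.0.113.5 port 51242 ssh2
Mar 28 14:40:00 host sshd[3600]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2: ED25519 SHA256:constructedfingerprint
Mar 28 14:41:00 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/shadow
Mar 28 14:42:00 host sshd[3610]: Failed password for bob from 198.51.100.9 port 40010 ssh2
'''

SSHD_AUTH = re.compile(
    r'sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for '
    r'(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+')
SUDO_CMD = re.compile(
    r'sudo:\s+(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$')


def analyze(text, threshold=3):
    """Return failure counts per source IP, 'success after repeated failures'
    alerts, and every sudo command, in log order (syslog lines carry no year,
    so file order is the only reliable sequence)."""
    failures = Counter()              # failed sshd authentications per source IP
    invalid_users = defaultdict(set)  # usernames tried that do not exist locally
    alerts, sudo_cmds = [], []
    for line in text.splitlines():
        m = SSHD_AUTH.search(line)
        if m:
            ip, user = m.group('ip'), m.group('user')
            if m.group('result') == 'Failed':
                failures[ip] += 1
                if m.group('invalid'):
                    invalid_users[ip].add(user)
            elif failures[ip] >= threshold:
                # a success from a host that just failed repeatedly is the
                # classic guess-then-login pattern worth escalating
                alerts.append({'ip': ip, 'user': user, 'method': m.group('method'),
                               'failures_before': failures[ip], 'line': line})
            continue
        m = SUDO_CMD.search(line)
        if m:
            sudo_cmds.append((m.group('user'), m.group('target'), m.group('cmd')))
    return {'failures_by_ip': dict(failures),
            'invalid_users_by_ip': {ip: sorted(u) for ip, u in invalid_users.items()},
            'alerts': alerts,
            'sudo': sudo_cmds}


if __name__ == '__main__':
    import json
    print(json.dumps(analyze(SAMPLE_AUTH_LOG), indent=2))
```

The invalid-user set is worth keeping separately: a burst of names that do not exist on the host is a strong sign of an untargeted scan, while repeated failures against a real account followed by a success from the same address deserves an immediate look at that session.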

/var/log/boot.log

Start-up messages and boot information from the init system, useful for spotting services that failed to start or were unexpectedly added.

/var/log/maillog or /var/log/mail.log

Mail server logs, useful for postfix, sendmail, dovecot or other mail-related services on the host (maillog on Red Hat-based systems, mail.log on Debian-based ones).

/var/log/kern.log

Kernel messages and warnings as forwarded by the syslog daemon (Debian-based systems; Red Hat-based systems fold them into /var/log/messages). Also important for resolving issues with custom kernels and for spotting module loads or segfaults.

/var/log/dmesg

A snapshot of the kernel ring buffer taken at boot, including device driver messages. Use the dmesg command to view the live ring buffer, which also shows anything logged since boot.

/var/log/faillog

A binary, per-user record of failed login attempts, read with the faillog command (faillog -a lists all users). As a result, it is useful when investigating suspected credential guessing and brute-force attacks.

/var/log/cron

Messages from the cron daemon (crond): when it started a job, for which user, and what command ran. Debian-based systems send these to /var/log/syslog instead unless cron logging is configured separately. Scheduled tasks are a common persistence mechanism, so this file is worth a read on any compromised host.

/var/log/daemon.log

Messages from background services (daemons) that do not have a log file of their own. Present on Debian-based systems; Red Hat-based systems route the same messages into /var/log/messages.

/var/log/btmp

Binary record of all failed login attempts; read it with lastb rather than cat.

/var/run/utmp

Binary record of who is currently logged in; read with who or w. It lives under /var/run (or /run), not /var/log, and is recreated at boot.

/var/log/wtmp

Binary record of every login and logout, plus reboots; read with last. btmp, utmp and wtmp all share the same record layout (struct utmp).
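btmp, utmp and wtmp are binary rather than text and share one record layout; last, lastb and who are just front ends to it. When those tools are unavailable, or you only have a copy of the file pulled from a disk image, the records can be decoded directly. The following is an added example, not code from this page, and assumes the glibc x86_64 layout (384-byte records); the sample wtmp and btmp contents are constructed inline.

```python
"""Decode the binary utmp/wtmp/btmp record format (struct utmp) and derive
the views `who`, `last` and `lastb` give. Added example, not code from the
original page. Layout assumed: glibc on x86_64 (384-byte records with 32-bit
ut_tv); other C libraries and architectures differ, so check that the file
size is a multiple of UTMP_SIZE before trusting the output."""
import socket
import struct
from collections import Counter
from datetime import datetime, timezone

# ut_type, pad, ut_pid, ut_line[32], ut_id[4], ut_user[32], ut_host[256],
# ut_exit{e_termination,e_exit}, ut_session, ut_tv{tv_sec,tv_usec},
# ut_addr_v6[4], reserved[20]  -- assumption: glibc x86_64 layout
UTMP_FMT = '<hxxi32s4s32s256shhiii16s20x'
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384 bytes
UT_TYPES = {0: 'EMPTY', 1: 'RUN_LVL', 2: 'BOOT_TIME', 3: 'NEW_TIME', 4: 'OLD_TIME',
            5: 'INIT_PROCESS', 6: 'LOGIN_PROCESS', 7: 'USER_PROCESS',
            8: 'DEAD_PROCESS', 9: 'ACCOUNTING'}


def _cstr(b):
    """Fixed-width NUL-padded char array -> str."""
    return b.split(b'\x00', 1)[0].decode('utf-8', 'replace')


def parse_utmp(data):
    """Decode every complete UTMP_SIZE-byte record in a utmp/wtmp/btmp byte string."""
    records = []
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        (ut_type, pid, line, ut_id, user, host, e_term, e_exit,
         session, tv_sec, tv_usec, addr) = struct.unpack_from(UTMP_FMT, data, off)
        # an IPv4 address occupies only the first word of ut_addr_v6
        ip = (socket.inet_ntop(socket.AF_INET, addr[:4]) if addr[4:] == b'\x00' * 12
              else socket.inet_ntop(socket.AF_INET6, addr))
        records.append({
            'type': UT_TYPES.get(ut_type, str(ut_type)), 'pid': pid,
            'line': _cstr(line), 'id': _cstr(ut_id), 'user': _cstr(user),
            'host': _cstr(host), 'addr': ip, 'exit': (e_term, e_exit),
            'time': datetime.fromtimestamp(tv_sec + tv_usec / 1e6, tz=timezone.utc),
        })
    return records


def sessions(data):
    """Pair each USER_PROCESS with the next DEAD_PROCESS on the same tty, the
    way `last` does; logout is None for sessions still open. Reboots, which
    `last` treats as closing every open session, are not handled here."""
    open_by_line, out = {}, []
    for r in parse_utmp(data):
        if r['type'] == 'USER_PROCESS':
            open_by_line[r['line']] = r
        elif r['type'] == 'DEAD_PROCESS' and r['line'] in open_by_line:
            start = open_by_line.pop(r['line'])
            out.append((start['user'], start['line'], start['host'], start['time'], r['time']))
    out.extend((s['user'], s['line'], s['host'], s['time'], None) for s in open_by_line.values())
    return out


def failed_logins_by_host(btmp_data):
    """btmp holds one record per failed attempt (what `lastb` prints); count
    them per source host. ut_type depends on which program wrote the record,
    so it is ignored here."""
    return Counter(r['host'] for r in parse_utmp(btmp_data) if r['user'])


def make_record(ut_type, pid, line, user, host, tv_sec, ip4='0.0.0.0'):
    """Build one record; used only to construct the sample data below."""
    addr = socket.inet_aton(ip4) + b'\x00' * 12
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b'', user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, addr)


# Constructed samples: a wtmp with two logins and one logout, and a btmp with
# four failed attempts, three of them from the same host.
SAMPLE_WTMP = b''.join([
    make_record(7, 3538, 'pts/0', 'alice', '198.51.100.7', 1364481363, '198.51.100.7'),
    make_record(7, 3600, 'pts/1', 'bob', '203.0.113.5', 1364481400, '203.0.113.5'),
    make_record(8, 3538, 'pts/0', '', '', 1364481963),
])
SAMPLE_BTMP = b''.join([
    make_record(7, 4000 + i, 'ssh:notty', user, host, 1364481000 + i, host)
    for i, (user, host) in enumerate([('root', '203.0.113.5'), ('admin', '203.0.113.5'),
                                      ('root', '203.0.113.5'), ('bob', '198.51.100.9')])
])

if __name__ == '__main__':
    for s in sessions(SAMPLE_WTMP):
        print(s)
    print(failed_logins_by_host(SAMPLE_BTMP))
```

On a live host, parse_utmp(open('/var/log/wtmp', 'rb').read()) gives the same data last prints; comparing ut_host with the decoded ut_addr_v6 is a cheap check, since the host string is whatever reverse DNS returned while the address is what the connection actually came from.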

/var/log/lastlog

Binary, UID-indexed record of each user's most recent login (time, tty and source host), not of every login; read with the lastlog command. Because it is indexed by UID it is a sparse file and looks much larger than its real content.

/var/log/yum.log

Package installs, updates and removals performed through yum (RHEL/CentOS 7), so you can confirm what changed on the system and when. On RHEL 8 and Fedora, dnf writes /var/log/dnf.log and /var/log/dnf.rpm.log instead.

/var/log/httpd/

The directory holding the Apache httpd daemon's error and access logs (/var/log/apache2/ on Debian/Ubuntu). error_log records every error httpd encounters, from start-up and resource problems to per-request failures. access_log records every HTTP request: client address, request line, status code, response size and, in the combined format, referer and user agent, which is where web shell uploads and scanner traffic show up.

/var/log/mysqld.log or /var/log/mysql.log

The MySQL error log: debug, failure and success messages, plus the starting, stopping and restarting of the mysqld daemon. The location depends on the distribution: RedHat, CentOS, Fedora and other RedHat-based systems use /var/log/mariadb/mariadb.log, while Debian/Ubuntu use the file /var/log/mysql/error.log.

/var/log/pureftp.log

The Pure-FTPd server log: every connection, FTP login and authentication failure.

/var/log/spooler

Receives messages from the uucp and news (USENET) syslog facilities; on modern systems it is usually empty.

/var/log/sudo.log

Records administrative privilege use through sudo (who ran what, as which user, from which terminal), but only when sudoers is configured with a logfile (Defaults logfile=/var/log/sudo.log). Otherwise sudo logs through syslog to auth.log or secure.

/var/log/xferlog

FTP transfer log written by servers such as vsftpd and proftpd: one line per transfer with timestamp, client host, file name, size, direction and the user who initiated it.
