Guided Exercise: Inspecting Audit Logs

Search for events in your system, create reports for those events, and trace the execution of a command.

Outcomes

  • Search for events and generate reports from the Audit log and interpret the results.

As the student user on the workstation machine, use the lab command to prepare your environment for this exercise, and to ensure that all required resources are available.

[student@workstation ~]$ lab start audit-inspecting

Instructions

  1. Generate a report of all login events on the servera machine.

    1. Log in to servera as the student user. No password is required.

      [student@workstation ~]$ ssh student@servera
      [student@servera ~]$
    2. Use the sudo -i command to change to the root user. Use student as the password.

      [student@servera ~]$ sudo -i
      [sudo] password for student: student
      [root@servera ~]#
    3. Generate a report of all login events by using the aureport command. Use the time stamps to determine the most recent login event from workstation.lab.example.com and take note of the event ID. In the following example, the event ID is 233, but your output might be different.

      [root@servera ~]# aureport --login
      
      Login Report
      ============================================
      # date time auid host term exe success event
      ===========================================
      ...output omitted...
      615. 10/11/23 14:08:48 1000 172.25.250.9 /dev/pts/0 /usr/sbin/sshd yes 233
  2. Retrieve more information about the previous event by using the ausearch command with the -a option, which selects the records that belong to a given event ID. Use the -i option to interpret numeric values such as UIDs, GIDs and time stamps into a more human-readable form. Event IDs are serial numbers that restart when the system boots, so on a system whose log spans several boots, narrow the search with a time window (for example, --start today) in addition to the ID.

    [root@servera ~]# ausearch -i -a 233
    ...output omitted...
    ----
    type=USER_LOGIN msg=audit(10/11/23 14:08:48.308:233) : pid=1202 uid=root auid=student ses=3 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=student exe=/usr/sbin/sshd hostname=? addr=172.25.250.9 terminal=/dev/pts/0 res=success'
    ----
    ...output omitted...
  3. Use the aureport --executable --summary command to generate a summary report of the executables that produced Audit events. Remember that by default, Audit does not record every command that runs; it records only the commands that trigger Audit events, such as su and sudo, or that match a loaded Audit rule. The report might look different on your system.

    [root@servera ~]# aureport --executable --summary
    
    Executable Summary Report
    =================================
    total  file
    =================================
    498  /usr/sbin/crond
    311  /usr/lib/systemd/systemd
    243  /usr/sbin/sshd
    112  /usr/sbin/xtables-multi
    20  /usr/bin/kmod
    20  /usr/bin/sudo
    18  /usr/sbin/ebtables-restore
    14  /usr/sbin/groupadd
    8  /usr/sbin/useradd
    6  /usr/lib/systemd/systemd-update-utmp
    2  /usr/bin/passwd
  4. Search for all Audit events of the LOGIN type, and export them in CSV format. Store the results in a results.csv file for future use. A LOGIN record is written by the kernel when a login UID (auid) is assigned to a new session, which is why the ACTION column reads changed-login-id-to; it is distinct from the USER_LOGIN record in step 2, which sshd sends after it authenticates the user.

    [root@servera ~]# ausearch -m LOGIN --format csv > results.csv
    [root@servera ~]# cat results.csv
    NODE,EVENT,...,EVENT_KIND,SUBJ_SEC,SUBJ_KIND,ACTION,RESULT,...
    ,LOGIN,...,user-login,...,root,privileged-acct,changed-login-id-to,success,...
    ,LOGIN,...,user-login,...,root,privileged-acct,changed-login-id-to,success,...
    ,LOGIN,...,user-login,...,root,privileged-acct,changed-login-id-to,success,...
    ...output omitted...
  5. Use the Audit system to trace and review the execution of the /bin/ls /tmp command. Create a file report for all files opened by the command.

    1. Use the autrace /bin/ls /tmp command to trace the execution of the /bin/ls /tmp command.

      [root@servera ~]# autrace /bin/ls /tmp
      Waiting to execute: /bin/ls
      NIC1	     rht-bastion
      NIC1.old     systemd-private-3c9eca035b4d449bb44a6ed0576f1305-chronyd.service-7LwrrU
      NIC2	     systemd-private-3c9eca035b4d449bb44a6ed0576f1305-dbus-broker.service-PRd9UH
      NIC2.old     systemd-private-3c9eca035b4d449bb44a6ed0576f1305-systemd-logind.service-e1Ft7N
      rclocal.log
      Cleaning up...
      Trace complete. You can locate the records with 'ausearch -i -p 1440'
    2. Use the ausearch -i -p 1440 command to review the records. Use the value that is provided in the output of the previous command.

      [root@servera ~]# ausearch -i -p 1440
      ...output omitted...
      ----
      type=PROCTITLE msg=audit(10/11/23 14:14:52.183:418) : proctitle=autrace /bin/ls /tmp
      type=SYSCALL msg=audit(10/11/23 14:14:52.183:418) : arch=x86_64 syscall=write success=yes exit=12 a0=0x1 a1=0x56532666b380 a2=0xc a3=0xb items=0 ppid=1438 pid=1440 auid=student uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=8 comm=ls exe=/usr/bin/ls subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
      ----
      type=PROCTITLE msg=audit(10/11/23 14:14:52.183:419) : proctitle=autrace /bin/ls /tmp
      type=SYSCALL msg=audit(10/11/23 14:14:52.183:419) : arch=x86_64 syscall=close success=yes exit=0 a0=0x1 a1=0x56532666b380 a2=0x7f366a7f69e0 a3=0xb items=0 ppid=1438 pid=1440 auid=student uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=8 comm=ls exe=/usr/bin/ls subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
      ----
      type=PROCTITLE msg=audit(10/11/23 14:14:52.183:420) : proctitle=autrace /bin/ls /tmp
      type=SYSCALL msg=audit(10/11/23 14:14:52.183:420) : arch=x86_64 syscall=close success=yes exit=0 a0=0x2 a1=0xfbad2006 a2=0x7f366a7f69e0 a3=0xb items=0 ppid=1438 pid=1440 auid=student uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=8 comm=ls exe=/usr/bin/ls subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
      ----
      type=PROCTITLE msg=audit(10/11/23 14:14:52.183:421) : proctitle=autrace /bin/ls /tmp
      type=SYSCALL msg=audit(10/11/23 14:14:52.183:421) : arch=x86_64 syscall=exit_group a0=EXIT_SUCCESS a1=0xfffffffffffffe98 a2=0xe7 a3=0x7ffcdd36a200 items=0 ppid=1438 pid=1440 auid=student uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=8 comm=ls exe=/usr/bin/ls subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
    3. Use the ausearch -p 1440 --raw command to review the same records in raw format, as auditd stores them in /var/log/audit/audit.log. Use the same value from the previous command. In this form the time stamp is seconds since the epoch, the syscall and UID fields are numeric, and the proctitle is hex-encoded. The uppercase fields at the end of each record (ARCH, SYSCALL, AUID, and so on) are interpreted copies that auditd appends when log_format = ENRICHED is set in /etc/audit/auditd.conf, so that the records can still be read on a host with different user names or syscall tables.

      [root@servera ~]# ausearch -p 1440 --raw
      ...output omitted...
      type=SYSCALL msg=audit(1697048092.183:418): arch=c000003e syscall=1 success=yes exit=12 a0=1 a1=56532666b380 a2=c a3=b items=0 ppid=1438 pid=1440 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=8 comm="ls" exe="/usr/bin/ls" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)ARCH=x86_64 SYSCALL=write AUID="student" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
      type=PROCTITLE msg=audit(1697048092.183:418): proctitle=61757472616365002F62696E2F6C73002F746D70
      type=SYSCALL msg=audit(1697048092.183:419): arch=c000003e syscall=3 success=yes exit=0 a0=1 a1=56532666b380 a2=7f366a7f69e0 a3=b items=0 ppid=1438 pid=1440 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=8 comm="ls" exe="/usr/bin/ls" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)ARCH=x86_64 SYSCALL=close AUID="student" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
      type=PROCTITLE msg=audit(1697048092.183:419): proctitle=61757472616365002F62696E2F6C73002F746D70
      type=SYSCALL msg=audit(1697048092.183:420): arch=c000003e syscall=3 success=yes exit=0 a0=2 a1=fbad2006 a2=7f366a7f69e0 a3=b items=0 ppid=1438 pid=1440 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=8 comm="ls" exe="/usr/bin/ls" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)ARCH=x86_64 SYSCALL=close AUID="student" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
      type=PROCTITLE msg=audit(1697048092.183:420): proctitle=61757472616365002F62696E2F6C73002F746D70
      type=SYSCALL msg=audit(1697048092.183:421): arch=c000003e syscall=231 a0=0 a1=fffffffffffffe98 a2=e7 a3=7ffcdd36a200 items=0 ppid=1438 pid=1440 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=8 comm="ls" exe="/usr/bin/ls" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)ARCH=x86_64 SYSCALL=exit_group AUID="student" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
      type=PROCTITLE msg=audit(1697048092.183:421): proctitle=61757472616365002F62696E2F6C73002F746D70
    4. Use the ausearch -p 1440 --raw | aureport -i --file command to create a file report. Use the same value from the previous command. The aureport command reads raw records from standard input, so you can feed it only the records that ausearch selected instead of the whole log.

      [root@servera ~]# ausearch -p 1440 --raw | aureport -i --file
      
      File Report
      ===============================================
      # date time file syscall success exe auid event
      ===============================================
      1. 10/11/23 14:14:51  newfstatat yes /usr/sbin/autrace student 251
      2. 10/11/23 14:14:52 /bin/ls execve yes /usr/bin/ls student 255
      3. 10/11/23 14:14:52 /etc/ld.so.preload access no /usr/bin/ls student 259
      4. 10/11/23 14:14:52 /etc/ld.so.cache openat yes /usr/bin/ls student 260
      5. 10/11/23 14:14:52  newfstatat yes /usr/bin/ls student 261
      ...output omitted...
  6. Repeat the previous trace, but now with the /bin/ls -l /tmp command. Note that the -l option triggers calls to the statx system call, which returns detailed metadata such as permissions, ownership and size, and to getxattr and lgetxattr, which read the extended attributes that ls uses to show the SELinux context marker (the trailing dot in the permissions column).

    1. Use the autrace /bin/ls -l /tmp command to perform the trace.

      [root@servera ~]# autrace /bin/ls -l /tmp
      Waiting to execute: /bin/ls
      total 24
      -rw-r--r--. 1 root root   5 Oct 11 06:16 NIC1
      -rw-r--r--. 1 root root   5 Sep 29 03:25 NIC1.old
      -rw-r--r--. 1 root root   5 Oct 11 06:16 NIC2
      -rw-r--r--. 1 root root   5 Sep 29 03:25 NIC2.old
      -rw-r--r--. 1 root root  73 Oct 11 06:22 rclocal.log
      -rw-r--r--. 1 root root 181 Oct 11 06:22 rht-bastion
      drwx------. 3 root root  17 Oct 11 10:17 systemd-private-3c9eca035b4d449bb44a6ed0576f1305-chronyd.service-7LwrrU
      drwx------. 3 root root  17 Oct 11 10:17 systemd-private-3c9eca035b4d449bb44a6ed0576f1305-dbus-broker.service-PRd9UH
      drwx------. 3 root root  17 Oct 11 10:17 systemd-private-3c9eca035b4d449bb44a6ed0576f1305-systemd-logind.service-e1Ft7N
      Cleaning up...
      Trace complete. You can locate the records with 'ausearch -i -p 1452'
    2. Use the ausearch -i -p 1452 command to view the records from the previous autrace command. The output includes the statx syscall, and the PATH record in each event shows the name, inode, mode, owner and SELinux label of the file that ls examined. The sample output below was captured from a different run of the exercise, so its process ID, time stamps and directory names differ from yours.

      [root@servera ~]# ausearch -i -p 1452
      ...output omitted...
      type=SYSCALL msg=audit(11/07/23 14:47:13.885:406) : arch=x86_64 syscall=getxattr success=no exit=ENODATA(No data available) a0=0x7ffd5cb410c0 a1=0x5630e48c2b70 a2=0x0 a3=0x0 items=1 ppid=1275 pid=1277 auid=student uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=ls exe=/usr/bin/ls subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
      ----
      type=PROCTITLE msg=audit(11/07/23 14:47:13.885:407) : proctitle=autrace /bin/ls -l /tmp
      type=PATH msg=audit(11/07/23 14:47:13.885:407) : item=0 name=/tmp/systemd-private-16442968a22c44ef99b299991d70388e-systemd-logind.service-NcCBdG inode=16797908 dev=fc:04 mode=dir,700 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
      type=CWD msg=audit(11/07/23 14:47:13.885:407) : cwd=/root
      type=SYSCALL msg=audit(11/07/23 14:47:13.885:407) : arch=x86_64 syscall=statx success=yes exit=0 a0=0xffffff9c a1=0x7ffd5cb410c0 a2=0x900 a3=0x25e items=1 ppid=1275 pid=1277 auid=student uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=ls exe=/usr/bin/ls subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
      ----
      type=PROCTITLE msg=audit(11/07/23 14:47:13.885:408) : proctitle=autrace /bin/ls -l /tmp
      type=PATH msg=audit(11/07/23 14:47:13.885:408) : item=0 name=/tmp/systemd-private-16442968a22c44ef99b299991d70388e-systemd-logind.service-NcCBdG inode=16797908 dev=fc:04 mode=dir,700 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
      type=CWD msg=audit(11/07/23 14:47:13.885:408) : cwd=/root
      type=SYSCALL msg=audit(11/07/23 14:47:13.885:408) : arch=x86_64 syscall=lgetxattr success=yes exit=27 a0=0x7ffd5cb410c0 a1=0x7f34d288d23c a2=0x5630e54aa550 a3=0xff items=1 ppid=1275 pid=1277 auid=student uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=ls exe=/usr/bin/ls subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
      ...output omitted...
    3. When done, return to the workstation machine.

      [root@servera ~]# logout
      [student@servera ~]$ logout
      [student@workstation ~]$
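
To make concrete what the -i option and the aureport summaries do to the raw records shown in this exercise, the following Python decoder is provided as an added example. It is not code from this course or from the audit-userspace project, and it runs offline on a constructed sample modelled on the raw output above (the event 233 login and the autrace of /bin/ls /tmp). The syscall and user-name tables are deliberately tiny assumptions; the real tools use complete per-architecture tables and the system's passwd database.

```python
"""Decode raw audit records the way `ausearch -i` does.

Added example for this exercise, not code from the RH415 course or from the
audit-userspace project. It parses the audit(<epoch>.<ms>:<serial>) header,
groups records by event serial, drops the ENRICHED trailer, decodes the hex
proctitle, and renders syscall numbers and numeric IDs as names.
"""
import re
from collections import Counter, defaultdict

# Assumption: a lookup covering only the x86_64 syscalls seen in the trace;
# the real tool ships complete per-architecture tables.
ARCH_NAMES = {"c000003e": "x86_64"}
SYSCALL_X86_64 = {0: "read", 1: "write", 2: "open", 3: "close", 59: "execve",
                  231: "exit_group", 257: "openat", 332: "statx"}
# Assumption: a constructed passwd view; a real decoder calls pwd.getpwuid().
UID_NAMES = {0: "root", 1000: "student"}
AUID_UNSET = 4294967295  # -1 as u32: the task never got a login UID

HEADER = re.compile(r"^type=(\w+) msg=audit\((\d+)\.(\d+):(\d+)\):\s*(.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one raw record into type, time, serial and a raw field dict."""
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError(f"not an audit record: {line!r}")
    rtype, sec, ms, serial, body = m.groups()
    # With log_format = ENRICHED, auditd appends interpreted copies of the
    # fields after a 0x1d group separator; drop them and interpret ourselves.
    body = body.split("\x1d", 1)[0]
    return {"type": rtype, "time": int(sec), "ms": int(ms), "serial": int(serial),
            "fields": dict(FIELD.findall(body))}

def decode_hex_field(value):
    """Audit hex-encodes values holding spaces, quotes or control bytes; a
    proctitle is argv joined by NULs, so NULs become spaces."""
    return bytes.fromhex(value).decode("utf-8", "replace").replace("\x00", " ")

def uid_name(value):
    n = int(value)
    return "unset" if n == AUID_UNSET else UID_NAMES.get(n, value)

def interpret(rec):
    """Return a copy of rec with fields rendered like `ausearch -i`."""
    raw = rec["fields"]
    f = {k: v.strip("\"'") for k, v in raw.items()}
    if rec["type"] == "SYSCALL":
        f["arch"] = ARCH_NAMES.get(f.get("arch"), f.get("arch"))
        if f["arch"] == "x86_64" and f.get("syscall", "").isdigit():
            f["syscall"] = SYSCALL_X86_64.get(int(f["syscall"]), f["syscall"])
    for key in ("uid", "auid", "euid", "suid", "fsuid"):
        if f.get(key, "").isdigit():
            f[key] = uid_name(f[key])  # unknown IDs stay numeric, as ausearch does
    # An unquoted proctitle is hex; a quoted one is already plain text.
    if rec["type"] == "PROCTITLE" and not raw.get("proctitle", '"').startswith('"'):
        f["proctitle"] = decode_hex_field(raw["proctitle"])
    return {**rec, "fields": f}

def group_events(lines):
    """Group interpreted records by event serial, the unit ausearch prints."""
    events = defaultdict(list)
    for line in lines:
        if line.strip():
            rec = interpret(parse_record(line))
            events[rec["serial"]].append(rec)
    return dict(events)

def latest_login_from(events, addr):
    """Serial of the newest successful USER_LOGIN from addr (exercise step 1)."""
    hits = [r for recs in events.values() for r in recs if r["type"] == "USER_LOGIN"
            and r["fields"].get("addr") == addr and r["fields"].get("res") == "success"]
    return max(hits, key=lambda r: (r["time"], r["ms"]))["serial"] if hits else None

def executable_summary(events):
    """SYSCALL records per executable, like `aureport --executable --summary`."""
    return Counter(r["fields"]["exe"] for recs in events.values() for r in recs
                   if r["type"] == "SYSCALL" and "exe" in r["fields"])

# Constructed sample modelled on the exercise output: the event-233 login and
# records from the autrace of /bin/ls /tmp. The \x1d trailer on the first
# SYSCALL line is the ENRICHED format as auditd writes it to disk.
SAMPLE = [
    "type=USER_LOGIN msg=audit(1697047728.308:233): pid=1202 uid=0 auid=1000 ses=3 "
    "subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=1000 "
    "exe=\"/usr/sbin/sshd\" hostname=? addr=172.25.250.9 terminal=/dev/pts/0 res=success'",
    "type=SYSCALL msg=audit(1697048092.183:418): arch=c000003e syscall=1 success=yes "
    "exit=12 a0=1 a1=56532666b380 a2=c a3=b items=0 ppid=1438 pid=1440 auid=1000 uid=0 "
    "gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=8 comm=\"ls\" "
    "exe=\"/usr/bin/ls\" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 "
    "key=(null)\x1dARCH=x86_64 SYSCALL=write AUID=\"student\" UID=\"root\"",
    "type=PROCTITLE msg=audit(1697048092.183:418): "
    "proctitle=61757472616365002F62696E2F6C73002F746D70",
    "type=SYSCALL msg=audit(1697048092.183:421): arch=c000003e syscall=231 a0=0 "
    "a1=fffffffffffffe98 a2=e7 a3=7ffcdd36a200 items=0 ppid=1438 pid=1440 auid=1000 "
    "uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=8 comm=\"ls\" "
    "exe=\"/usr/bin/ls\" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)",
]

if __name__ == "__main__":
    events = group_events(SAMPLE)
    for serial in sorted(events):
        for r in events[serial]:
            print(f"type={r['type']} serial={serial}",
                  " ".join(f"{k}={v}" for k, v in r["fields"].items()))
        print("----")
    print("latest login from 172.25.250.9: event", latest_login_from(events, "172.25.250.9"))
    print("executable summary:", dict(executable_summary(events)))
```

Running the file prints each event with its decoded proctitle (autrace /bin/ls /tmp), syscall names (write, exit_group) and user names in place of the raw numbers, then reports event 233 as the latest login from 172.25.250.9 and two SYSCALL records for /usr/bin/ls. Two details are worth keeping in mind when writing detection logic against these logs: the enrichment trailer after the 0x1d separator is only present when auditd is configured for it, so a parser must not depend on it, and a hex-encoded proctitle is the normal case for any command line with a space, so matching on proctitle without decoding will silently miss most commands.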

Finish

On the workstation machine, use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish audit-inspecting

Revision: rh415-9.2-a821299