
An Introduction to the Linux Audit System

June 3, 2018 by The Urban Penguin

To make a start we shall take a look at the Linux Audit System on CentOS 7. The main component of Linux auditing is the auditd daemon, which receives audit records from the kernel and writes them to disk, and it should be running. The service and the tools we use are delivered in the form of two packages: audit and audit-libs. These should already be installed, but we can double check:

$ yum list audit audit-libs
...
Installed Packages
audit.x86_64                               2.7.6-3.el7                 installed
audit-libs.x86_64                          2.7.6-3.el7                 installed
...

We should see output similar to the above extract and that the two packages are installed.

The auditd service should be running so that events are written through to /var/log/audit/audit.log. We can check the status with the standard systemctl command:

$ sudo systemctl status auditd

We should see from the output that the service is active. Again though, we have a dedicated tool for this, which queries the kernel's audit status directly:

$ sudo auditctl -s
enabled 1
failure 1
pid 435
rate_limit 0
backlog_limit 8192
lost 0
backlog 0
loginuid_immutable 0 unlocked

The first thing we look for in this output is enabled 1: the kernel audit subsystem is switched on. A value of 0 means auditing is disabled, and 2 means it is enabled and locked, so no further rule or configuration changes are accepted until the next reboot (set with auditctl -e 2, and a sensible choice on hardened systems). The pid is the PID of the auditd process registered with the kernel; 0 here would mean that no daemon is collecting events. Mine is 435, and a low number like this is what we expect from a daemon started at boot; a much higher number suggests that it has been restarted since boot, which is worth investigating as events generated while no daemon is registered do not reach audit.log. The failure value of 1 means the kernel reports to printk when it cannot deliver an event (0 is silent, 2 panics the machine), and lost 0 confirms that no events have been dropped so far.
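The fields above are easy to misread by eye, so the following shell function turns the auditctl -s output into pass/fail findings. This is an added example, not code from the original article: the field names come from the output shown above, the sample status text is constructed to match it, and the 80% backlog warning threshold is an assumption chosen for the example.

```shell
#!/bin/sh
# Added example, not from the original article: a check that turns the
# `auditctl -s` fields into pass/fail findings. SAMPLE_STATUS is constructed
# to match the output shown in the article.

SAMPLE_STATUS='enabled 1
failure 1
pid 435
rate_limit 0
backlog_limit 8192
lost 0
backlog 0
loginuid_immutable 0 unlocked'

# audit_status_check: read `auditctl -s` output on stdin, print one finding per
# line, and return 0 only when auditing is enabled, a daemon is registered and
# no events have been lost.
audit_status_check() {
    awk '
    { kv[$1] = $2 }
    END {
        rc = 0
        if (kv["enabled"] + 0 == 0) {
            print "FAIL: kernel auditing is disabled (enabled 0)"; rc = 1
        } else if (kv["enabled"] + 0 == 2) {
            print "OK:   auditing enabled and locked (enabled 2)"
        } else {
            print "OK:   auditing enabled"
        }
        if (kv["pid"] + 0 == 0) {
            print "FAIL: no auditd registered with the kernel (pid 0)"; rc = 1
        }
        if (kv["lost"] + 0 > 0) {
            print "FAIL: " kv["lost"] " audit events lost"; rc = 1
        }
        if (kv["failure"] + 0 == 0) {
            print "WARN: failure 0, delivery errors are silent"
        }
        # 80% of the queue depth is an arbitrary threshold for this example.
        if (kv["backlog_limit"] + 0 > 0 && kv["backlog"] + 0 >= kv["backlog_limit"] * 0.8) {
            print "WARN: backlog " kv["backlog"] " near backlog_limit " kv["backlog_limit"]
        }
        exit rc
    }'
}

# Usage on a live system: sudo auditctl -s | audit_status_check
# Here the constructed sample is used instead.
printf '%s\n' "$SAMPLE_STATUS" | audit_status_check
```

The function deliberately treats enabled 2 as healthy rather than as an error, since a locked configuration is the state a hardened host should be in after its rules are loaded.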

We can search the /var/log/audit/audit.log file using standard tools such as grep but we will find that the dedicated ausearch tool is more useful and powerful.

To list user logins we can run the command

$ sudo ausearch -m USER_LOGIN --start today

The message type that we look for is USER_LOGIN; these types are always in uppercase. We can limit the search using the --start and --end options, each of which takes a time, a date, or a keyword such as today, yesterday, recent or boot. The keyword we use here is today.

We can audit many other items too. Perhaps we want to find out who created a new user account. First we create the user:

$ sudo useradd -m bob

Next, we search the audit log to see who created the account. Assuming it is just after 3 in the afternoon we can use a command similar to this:

$ sudo ausearch -m ADD_USER --start 15:00

The output will show the auid, the audit (login) UID, which identifies the account that initiated the user creation. This value is set when a user logs in and is preserved across sudo and su, so even though useradd ran as root (uid=0) the auid is still our own account. Adding the -i option (ausearch -i) has numeric IDs interpreted as names in the output.
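Both searches above, USER_LOGIN limited by start time and ADD_USER to find who created bob, reduce to filtering audit.log records on the message type, the event time and a few key=value fields. The following shell re-implements that filtering so it runs without auditd; it is an added example and not part of the original article. The audit.log records, the uid-to-name map and the epoch values are constructed for the example, and the records deliberately show the point made above: useradd logged uid=0 but auid=1000, while a failed root login over SSH carries the unset auid 4294967295.

```shell
#!/bin/sh
# Added example, not part of the original article: an offline equivalent of
# `ausearch -m TYPE --start ...` over constructed audit.log records.

# Constructed sample records in /var/log/audit/audit.log format; the users,
# times and addresses are made up for this example.
sample_log() {
cat <<'EOF'
type=USER_LOGIN msg=audit(1528030000.456:300): pid=2800 uid=0 auid=1000 ses=2 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=/dev/pts/0 res=success'
type=USER_LOGIN msg=audit(1528030120.001:305): pid=2810 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=198.51.100.7 addr=198.51.100.7 terminal=ssh res=failed'
type=ADD_USER msg=audit(1528034412.123:345): pid=2911 uid=0 auid=1000 ses=2 msg='op=adding user acct="bob" exe="/usr/sbin/useradd" hostname=? addr=? terminal=pts/0 res=success'
type=ADD_GROUP msg=audit(1528034412.130:346): pid=2911 uid=0 auid=1000 ses=2 msg='op=adding group acct="bob" exe="/usr/sbin/useradd" hostname=? addr=? terminal=pts/0 res=success'
EOF
}

# Constructed uid-to-name map standing in for /etc/passwd. 4294967295 is the
# kernel's "unset" loginuid (no interactive login behind the event), which
# ausearch -i displays as auid=unset.
resolve_auid() {
    case "$1" in
        0) echo root ;;
        1000) echo alice ;;
        4294967295) echo unset ;;
        *) echo "uid-$1" ;;
    esac
}

# audit_search TYPE SINCE_EPOCH: read audit.log records on stdin and print
# "epoch type auid acct res" for records of TYPE stamped at or after SINCE_EPOCH.
audit_search() {
    awk -v want="$1" -v since="$2" -v q="'" '
    {
        # The event time lives in msg=audit(EPOCH.MILLIS:SERIAL):
        if (match($0, /audit\([0-9]+\./) == 0) next
        epoch = substr($0, RSTART + 6, RLENGTH - 7) + 0
        split("", kv)
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue            # e.g. the bare "user" in op=adding user
            k = substr($i, 1, n - 1); v = substr($i, n + 1)
            gsub("[\"" q "]", "", v)        # strip the quoting around acct= and res= values
            if (!(k in kv)) kv[k] = v       # first occurrence wins; msg= appears twice
        }
        if (kv["type"] == want && epoch >= since)
            print epoch, kv["type"], kv["auid"], (("acct" in kv) ? kv["acct"] : "-"), kv["res"]
    }'
}

# who_added_user NAME: the auid behind the successful useradd of NAME. Because
# auid survives sudo and su, uid=0 in the record does not hide the operator.
who_added_user() {
    sample_log | audit_search ADD_USER 0 |
        awk -v name="$1" '$4 == name && $5 == "success" { print $3; exit }'
}

# Usage, mirroring `ausearch -m ADD_USER --start 15:00`; 1528034400 is the
# constructed epoch for 15:00 on the day of the sample records.
sample_log | audit_search ADD_USER 1528034400
echo "bob was added by $(resolve_auid "$(who_added_user bob)")"
```

Against a real system, replace sample_log with cat /var/log/audit/audit.log and the case statement with a getent passwd lookup; the parsing stays the same because every record in the file uses the type=... msg=audit(...) key=value layout.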

The obvious question now is what are the available message types? Well, we can list them using the following command:

$ ausearch -m help 2>&1 | awk -v RS=' ' '/^[A-Z]{2}/{ print}' | sort
ACCT_LOCK
ACCT_UNLOCK
ADD_GROUP
ADD_USER
ALL
...

The message type help does not exist, so ausearch reports an error and, helpfully, lists every valid type. As that listing is written to STDERR we redirect it to STDOUT so that we can pipe it to awk. We set the awk Record Separator variable to a space; records are normally delimited by a newline. As every type starts with at least two uppercase characters, we print only the records that begin with two uppercase letters, which drops the surrounding wording of the error message. The -m option also accepts a comma-separated list of types, so several of these can be searched in a single run.

This concludes our initial look at the Linux Audit System. Now we have the basics, we can look further at how to use it to manage events on our Linux servers.

Filed Under: LPIC-3 Exam 303

© 2021 The Urban Penguin · All Rights Reserved