The Linux Audit framework is a powerful auditing system in the Linux kernel. The auditd service records security-related operations, such as file access, system calls, user commands, and network connectivity. You can configure auditd to meet compliance requirements, monitor suspicious activity, conduct forensic analysis, and troubleshoot issues.
Core features
File and folder monitoring: Monitor access, modification, execution, and attribute changes for specified files or folders.
System call monitoring: Track all or specific system calls to understand underlying program behavior.
User command logging: Record all commands that users execute in the terminal.
Network access monitoring: Audit network connectivity and packets.
Security event recording: Record key security events, such as failed authentication attempts and permission changes.
Audit report generation: Includes tools to search, analyze, and generate audit reports.
Prerequisites
You have an ECS instance that runs a Linux operating system. This topic uses CentOS 7/8 as an example.
You have logged on to the instance as a user with root or sudo permissions.
Procedure
Step 1: Install and start the Audit service
Run the following command to install the Audit package.
yum -y install audit audit-libs
Start the auditd service and enable it to start on boot.
# Start the auditd service
systemctl start auditd
# Enable the service to start on boot
systemctl enable auditd
# Check the service status to make sure it is active (running)
systemctl status auditd
Step 2: Modify the Audit configuration file
The core configuration of the Audit framework involves the service daemon configuration (auditd.conf) and the audit policy configuration (audit.rules). The default auditd configuration is suitable for most environments. However, if your environment must meet a strict security policy, you can modify the file as needed.
1. Service configuration file
This file controls the behavior of the auditd daemon, such as the location, size, and rotation policy of the log file.
You can use cat /etc/audit/auditd.conf to view its contents. The following table describes the key configuration items.
| Instruction | Description |
| --- | --- |
| log_file | Specifies the path where the audit log file is stored. The default path is /var/log/audit/audit.log. |
| log_format | Specifies the storage format of the audit log. The default format is |
| flush | Specifies how logs are written to the disk. |
| num_logs | Specifies the number of rotated log files to keep. Rotation occurs when a log file reaches the size specified by max_log_file. |
| max_log_file | Specifies the maximum size of a single log file in MB. |
| max_log_file_action | Specifies the action to take after a log file reaches the limit set by max_log_file. |
2. Rule configuration file (/etc/audit/rules.d/)
Auditd audit policies determine which events to monitor. You can write custom rules to a .rules file in the /etc/audit/rules.d/ folder. When the system starts or the Auditd service restarts, all .rules files in this folder are automatically merged into the main rule file /etc/audit/audit.rules.
The Audit package provides pre-configured compliance rule templates in the /usr/share/doc/audit/rules/ folder. You can use them as needed.
| Rule template file | Description |
| --- | --- |
| 30-nispom.rules | Rules that comply with the National Industrial Security Program Operating Manual (NISPOM) of the United States. |
| 30-pci-dss-v31.rules | Rules that comply with the Payment Card Industry Data Security Standard (PCI-DSS) v3.1. |
| 30-stig.rules | Rules that comply with the Security Technical Implementation Guides (STIG) from the Defense Information Systems Agency (DISA) of the United States. |
Example: You can apply pre-configured rules, such as the NISPOM and network-related rules, to your system.
# Assume your audit version is 2.8.5. Adjust the path as needed.
cd /usr/share/doc/audit-2.8.5/rules/
# Copy the pre-configured rules to the rules folder
cp 30-nispom.rules /etc/audit/rules.d/
cp 71-networking.rules /etc/audit/rules.d/
# Restart the auditd service to load the new rules
systemctl restart auditd
Step 3: Manage audit policies (auditctl)
auditctl is a command line interface for managing audit policies in real-time. Rules added using auditctl are temporary and will be lost when the system restarts. To make a rule permanent, you must write it to a .rules file in the /etc/audit/rules.d/ folder.
The following table describes the common options for auditctl.
| Option | Description |
| --- | --- |
| -l | Lists all current audit policies. |
| -D | Deletes all current audit policies and watches. |
| -d | Deletes a rule from a specified list. |
| -w <path> | (Recommended) Adds a watch for a file or folder. This is a simplified form of the more advanced -a syntax. |
| -W <path> | Deletes the watch for a specified file or folder. |
| -p [rwxa] | Specifies the permissions to watch: r (read), w (write), x (execute), and a (attribute change). |
| -k <key> | Sets an easy-to-search keyword (key) for the rule. This option is highly recommended. |
| -a <list>,<action> | Adds a rule to the end of a rule list. For example, -a always,exit. |
| -S <syscall> | Specifies the name or number of the system call to monitor. |
| -F <field>=<value> | Defines a rule field for an exact match condition. For example, -F path=/etc/shadow. |
You can run auditctl -h to view more command details.
Usage examples
View and delete rules
# View all rules
auditctl -l
Monitor changes to important files
The following two commands have the same effect. They both monitor write and attribute changes to the /etc/shadow file and add the shadow-write tag to the rule.
# Method 1: Use the simplified -w syntax
auditctl -w /etc/shadow -p wa -k shadow-write
# Method 2: Use the standard -a syntax
auditctl -a always,exit -F path=/etc/shadow -F perm=wa -k shadow-write
Note: To make this rule permanent, write the line -w /etc/shadow -p wa -k shadow-write to a file, such as /etc/audit/rules.d/my-custom.rules, and then restart the auditd service.
Recursively monitor folder changes
Monitor write and attribute changes for all files and subdirectories in the /etc/ folder.
auditctl -w /etc/ -p wa -k etc-changes
Step 4: Query and interpret audit logs
All audit records are saved in /var/log/audit/audit.log. You can use the ausearch and aureport tools for queries and analysis.
1. Use ausearch to query logs
ausearch is a powerful log query tool. The following table describes its common options.
| Option | Description |
| --- | --- |
| -k <key> | Searches by the keyword set in the rule. |
| -f <file> | Searches for events related to a file name. |
| -c <command> | Searches by command name, such as vim. |
| -sc <syscall> | Searches by system call name. |
| -ui <uid> | Searches by user UID. |
| -x <executable> | Searches by the full path of an executable file. |
| -sv <yes/no> | Filters results based on whether the system call was successful. |
| -ts <time> | Searches for logs after a specified start time. |
| -te <time> | Searches for logs before a specified end time. |
| -i | Converts numeric IDs in logs, such as UID and GID, to human-readable names. Always use this option for better readability. |
Query examples:
# Search for all events related to the "shadow-write" keyword and display them in a readable format
ausearch -i -k shadow-write
# Search for all access events for the /etc/resolv.conf file
ausearch -i -f /etc/resolv.conf
# Search for all events generated by the "vim" command
ausearch -i -c vim
# Search for all failed system call events
ausearch -i -sv no
2. Interpret audit log fields
An audit log typically consists of multiple records that share the same timestamp and serial number. When you use the ausearch -i command, the logs are displayed in the following format. The following table describes the key fields.
type=SYSCALL msg=audit(1678886400.123:456): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffc... items=1 ppid=1234 pid=5678 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 ... comm="touch" exe="/usr/bin/touch" key="etc-changes"
| Field | Description |
| --- | --- |
| type | The type of record, such as SYSCALL or PATH. |
| msg=audit(timestamp:serial) | The event timestamp (seconds since the epoch) and serial number. All records that belong to the same event share both values. |
| arch | The CPU architecture of the system call, as a hexadecimal code. |
| syscall | The name or number of the system call that occurred. You can use ausyscall to convert the number to a name. |
| success | Indicates whether the system call was successful (yes or no). |
| exit | The exit code of the system call. For a successful call, this is usually a file descriptor. For a failed call, this is a negative error code. |
| pid, ppid | The process ID (PID) and parent process ID (PPID) that triggered the event. |
| auid | Audit User ID (AUID). This ID is assigned when a user first logs on. It does not change even if the user switches accounts, for example, using su or sudo. |
| uid, gid, euid | The user ID, group ID, and effective user ID that triggered the event. |
| comm | The command name that triggered the event. |
| exe | The full path of the executable file that triggered the event. |
| cwd | The current working directory when the process was executed. |
| key | The keyword you set in the audit policy. It helps you quickly filter and identify events. |
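As an added illustration of the record format described above (example code, not part of this topic or the audit package), the following Python script parses raw audit.log lines, joins the records that share a serial number into one event, and filters events by key and success flag the way ausearch -k and ausearch -sv do. The sample records are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample records (not from a real system). Serial 456 is a
# successful touch under the "etc-changes" watch; serial 457 is a denied
# open of /etc/shadow caught by the "shadow-write" rule (exit=-13 is EACCES).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1678886400.123:456): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c items=1 ppid=1234 pid=5678 auid=1000 uid=0 gid=0 euid=0 comm="touch" exe="/usr/bin/touch" key="etc-changes"
type=CWD msg=audit(1678886400.123:456): cwd="/root"
type=PATH msg=audit(1678886400.123:456): item=0 name="/etc/resolv.conf" nametype=NORMAL
type=SYSCALL msg=audit(1678886401.500:457): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c items=1 ppid=2222 pid=3333 auid=1000 uid=1000 gid=1000 euid=1000 comm="vim" exe="/usr/bin/vim" key="shadow-write"
type=PATH msg=audit(1678886401.500:457): item=0 name="/etc/shadow" nametype=NORMAL
"""

# key=value pairs; values are either a double-quoted string or a bare token
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# the msg=audit(<epoch seconds>:<serial>) header every record carries
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')


def parse_record(line):
    """Return (serial, {field: value}) for one audit.log line."""
    m = MSG_RE.search(line)
    serial = int(m.group(2))
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    fields["timestamp"] = float(m.group(1))
    return serial, fields


def group_events(text):
    """Merge all records that share a serial number into one event dict."""
    events = defaultdict(dict)
    for line in text.splitlines():
        if not line.strip():
            continue
        serial, fields = parse_record(line)
        rtype = fields.pop("type")
        if rtype == "PATH":  # one PATH record per touched file
            events[serial].setdefault("paths", []).append(fields["name"])
        else:  # SYSCALL, CWD and friends contribute their fields directly
            events[serial].update(fields)
    return dict(events)


def find_events(text, key=None, success=None):
    """Filter events by rule key and/or success flag, like ausearch -k / -sv."""
    hits = []
    for serial, ev in sorted(group_events(text).items()):
        if key is not None and ev.get("key") != key:
            continue
        if success is not None and ev.get("success") != success:
            continue
        hits.append((serial, ev))
    return hits
```

The same grouping logic applies to a live /var/log/audit/audit.log; read it as root and pass its contents to find_events.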
Reference
For more information, see System Auditing.