A simple example of using auditd on Linux with LEM

Version 1

    I have seen a few requests for examples of using auditd on Linux in combination with LEM

    to create something similar (with some caveats) to the file integrity monitor that is available out of the box for Windows nodes.

    Auditd is a very complex tool with many options for logging file access and process execution but if you take some time and read through the

    docs, man page and a few online articles, you can usually construct a rule that suits your particular logging needs.

    After you have some rules in place in auditd you need to deploy the Linux agent to your node and enable the auditd connector.

    From there you can easily create filters, nDepth searches and rules that trigger on auditd activity. (See screenshots below)

     

    For my extremely simple example here I will create some rules in auditd to watch for file creates using

    the touch command and also file deletes using the rm command...

    There are obviously many other ways that someone could create or remove a file on a Linux node but I wanted

    to create something very basic to illustrate the concepts... If you have better ideas or illustrations

    please feel free to post those in the comments below.

     

    To get started I will add three very simple and straight forward rules to auditd on my Linux node.

    We do that using the command auditctl and pass in some arguments to accomplish our task.

    (Depending on your platform and configuration you may have to use sudo)

     

    sudo auditctl -w /bin/rm -p x -k rm

    sudo auditctl -w /bin/touch -p x -k touch

    sudo auditctl -w /lem-test -p rwxa -k lem-test-folder

     

    To break those command lines down a little:

    -w specifices the file or folder you want to watch

    -p specifies the activity you want to watch (read, write, execute, append)

    -k creates a tag which you can use in conjunction with another command ausearch to quickly verify your rule is actually catching anything.

    (you can verify your rules were accepted into the auditd config by issuing the command auditctl -l)

     

    Now I need to make sure the auditd connector is enabled for my Linux node in the LEM web UI:

    (Manage -> Nodes -> Then highlight the node in question and hit the gear icon to the left)

     

     

    Now I will simply create and then delete a file using touch and rm respectively in order to generate activity for auditd to forward to LEM:

     

     

    Now I can go to nDepth and search for my events:

    (These events are all passed along as FileExecute rather than FileDelete or FileCreate like FIM for Windows does)

     

     

    I can also create some rules to fire and email me when these events are detected:

    (I am using the fact that the commands show up in the FileName field to differentiate creates from deletes)

     

     

    As you can see this is a very simplified example and I am sure that much more useful info could

    be extracted from auditd using ever more complex rules but hopefully this will be a good example

    to get you started down this path... If you find or create other useful examples be sure to

    share them with the rest of us in the comments.

    Happy LEMing!