From ffad324cc2f33e959d90187ae5c81ab293209f7b Mon Sep 17 00:00:00 2001 From: Pratyush Desai Date: Thu, 16 Dec 2021 05:49:29 +0530 Subject: [PATCH] audit readme --- services/audit-framework/README.md | 39 ++++++++++++++++++++++++++++++ services/audit-framework/audit.md | 13 ---------- 2 files changed, 39 insertions(+), 13 deletions(-) create mode 100644 services/audit-framework/README.md delete mode 100644 services/audit-framework/audit.md diff --git a/services/audit-framework/README.md b/services/audit-framework/README.md new file mode 100644 index 0000000..6abe446 --- /dev/null +++ b/services/audit-framework/README.md @@ -0,0 +1,39 @@ +# Audit Framework + +## Kernel + +To ensure that all process which may have started before `auditd` are marked as auditable use boot time kernel param `audit=1`. + +## Userspace + +* Install the `audit` package, enable and start the `auditd.service`. +* The config file is `auditd.conf`. +* The rules are defined in `/etc/audit/audit.rules`. +* `auditctl` can be used to edit rules on the fly. +* `ausearch` and `aureport` are used to summarize and view data. + + +## Rules + +* Read from `/etc/audit/auditd.rules` + +* If for example `/etc/audit/rules.d/syscalls.rules` is the sort of structure being followed, + `augenrules` is used to merge all the component rules files. + * It is recommended to run first with the `--check` flag and `--load` can be used if there were no errors found. + * The files are concatenated in order, based on their natural sort (see -v option of ls(1)) and stripped of empty and comment (#) lines. + +* rulesets: + * syscalls + * format: `-a action,list -S syscall -F field=value -k keyname` + * files + * format: `-w path-to-file -p permissions -k keyname` + * ..? + + + +## Further Reading + +* `man` pages (list here) +* archwiki article +* syscalls docs +* update the format for rules diff --git a/services/audit-framework/audit.md b/services/audit-framework/audit.md deleted file mode 100644 index f3a0f99..0000000 
--- a/services/audit-framework/audit.md +++ /dev/null @@ -1,13 +0,0 @@ -# Audit Framework - -## Kernel - -To ensure that all process which may have started before `auditd` are marked as auditable use boot time kernel param `audit=1`. - -## Userspace - -* Install the `audit` package, enable and start the `auditd.service`. -* The config file is `auditd.conf`. -* The rules are defined in `/etc/audit/audit.rules`. -* `auditctl` can be used to edit rules on the fly. -* `ausearch` and `aureport` are used to summarize and view data.
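Review bot: the new README.md gives two different paths for the rules file: the Userspace section says `The rules are defined in `/etc/audit/audit.rules`` while the Rules section says `Read from `/etc/audit/auditd.rules``; pick one so a reader does not go looking for a file that does not exist, and for the same reason give `auditd.conf` its directory (it sits next to the rules file under `/etc/audit/`). Two smaller doc points in the same hunk: "all process which may have started" should read "all processes that may have started", and the `* ..?` bullet under rulesets plus the `* update the format for rules` bullet under Further Reading read as author to-dos rather than documentation, so either fill them in or move them out of the README.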
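Review bot: the deleted `audit.md` is byte-for-byte the first thirteen lines of the new `README.md`, so this is a rename with additions rather than a delete plus create; regenerating the patch with rename detection (`git format-patch -M`) would show only the added Rules and Further Reading sections and make the actual change reviewable at a glance.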