40 lines
1.2 KiB
Markdown
40 lines
1.2 KiB
Markdown
# Audit Framework
|
|
|
|
## Kernel
|
|
|
|
To ensure that all process which may have started before `auditd` are marked as auditable use boot time kernel param `audit=1`.
|
|
|
|
## Userspace
|
|
|
|
* Install the `audit` package, enable and start the `auditd.service`.
|
|
* The config file is `auditd.conf`.
|
|
* The rules are defined in `/etc/audit/audit.rules`.
|
|
* `auditctl` can be used to edit rules on the fly.
|
|
* `ausearch` and `aureport` are used to summarize and view data.
|
|
|
|
|
|
## Rules
|
|
|
|
* Read from `/etc/audit/auditd.rules`
|
|
|
|
* If for example `/etc/audit/rules.d/syscalls.rules` is the sort of structure being followed,
|
|
`augenrules` is used to merge all the component rules files.
|
|
* It is recommended to run first with the `--check` flag and `--load` can be used if there were no errors found.
|
|
* The files are concatenated in order, based on their natural sort (see -v option of ls(1)) and stripped of empty and comment (#) lines.
|
|
|
|
* rulesets:
|
|
* syscalls
|
|
* format: `-a action,list -S syscall -F field=value -k keyname`
|
|
* files
|
|
* format: `-w path-to-file -p permissions -k keyname`
|
|
* ..?
|
|
|
|
|
|
|
|
## Further Reading
|
|
|
|
* `man` pages (list here)
|
|
* archwiki article
|
|
* syscalls docs
|
|
* update the format for rules
|