Accounting

From Data and Logging, up to Kernel Integrity

Systems exist for one primary goal, which is processing data. Information security helps protecting this valuable data, by ensuring its availability, integrity, and confidentiality. In other words, data should be available when we need it. Then it should be properly transmitted and stored, without errors. Our last goal ensures that it is only available to those with a need to know. Many open source software components are available to help with these goals. We will review a few of them and see how they fit in your security defenses.

Capturing execve system calls and store them in the audit log

For compliance or security reasons you might want to capture all commands executed by the root user. Fortunately enough the Linux audit framework helps with capturing the right system calls and log it to the audit file.

Configure audit

To enable auditing, use the following commands:

# auditctl -a exit,always -F arch=b64 -F euid=0 -S execve -k root-commands  
# auditctl -a exit,always -F arch=b32 -F euid=0 -S execve -k root-commands

These commands will enable monitoring for the execve system call and log it when the effective user ID is 0, equal to the root user. Whenever you are logged in as root, or using sudo, it will log the related actions.

The Linux Audit framework is a powerful tool to audit system events. From running executables up to system calls, everything can be logged. However, all this audit logging comes at the price of decreased system performance. Let’s have a look at how we can optimize our audit rules.

Performance tips

Good auditd performance will reduce stress on the Linux kernel and lower its impact. Before changing anything to your system, we suggest benchmarking your system performance before and after. This way you can see the benefits of your tuning efforts.

Starting with Linux auditing can be overwhelming. Fortunately, there is a great feature in the Linux kernel to watch events and log them for us. To give you a quick start to use the Linux Audit Framework, we have collected some basic rules for configuring the audit daemon and its rules.

Main Configuration

By default the configuration values in /etc/audit/audit.conf are suitable for most systems. If you know your system is very low or very high (e.g. mainframe) on resources, then you might want to adjust some file sizes or buffers.

Logging commands on Linux with Snoopy

Our customers often want to set-up an audit trail for accounting purposes. When something happens, they want to be able to see what happened, when it did and by whom. Defining an audit trail is also becoming mandatory for compliance, like PCI. One possible solution we cover is using Snoopy, a small library to log executed commands.

How it works

Snoopy is a wrapper around the execve() function. This is a Linux kernel call which instructs it to execute a command pointed to by a filename. This filename is then logged to syslog, together with any parameters. The related syslog level is authpriv. Usually these events on this level will show up in the file /var/log/auth.log.