Accounting

Learn how Linux and applications store actions performed by users and systems, such as authentication events.

Linux System Integrity: Ensure Data, Logging and Kernel Integrity

Linux system integrity can be achieved with security measures that focus on kernel integrity, file integrity, and hardware integrity.

Summary

From Data and Logging, up to Kernel Integrity

Systems exist for one primary goal, which is processing data. Information security helps protect this valuable data by ensuring its availability, integrity, and confidentiality. In other words, data should be available when we need it. It should be transmitted and stored correctly, without errors. Finally, it should only be available to those with a need to know. Many open source software components are available to help with these goals. We will review a few of them and see how they fit into your security defenses.

Logging root actions by capturing execve system calls

Logging all actions performed by root might be needed for compliance or security. With the help of Linux audit, we can easily log all root actions in an audit log.

Summary

Capturing execve system calls and storing them in the audit log

For compliance or security reasons you might want to capture all commands executed by the root user. Fortunately, the Linux audit framework helps with capturing the right system calls and logging them to the audit file.

Configure audit

To enable auditing, use the following commands:

# auditctl -a exit,always -F arch=b64 -F euid=0 -S execve -k root-commands  
# auditctl -a exit,always -F arch=b32 -F euid=0 -S execve -k root-commands

These commands enable monitoring of the execve system call and log each call made while the effective user ID is 0, which is the root user. Whenever you are logged in as root, or running commands via sudo, the related actions will be logged under the key root-commands.

Tuning auditd: high-performance Linux Auditing

To achieve better performance with an auditd configuration, it needs to be tuned. See performance boosters such as event exclusion, rule ordering, and more.

Summary

The Linux Audit framework is a powerful tool to audit system events. From running executables up to system calls, everything can be logged. However, all this audit logging comes at the price of decreased system performance. Let’s have a look at how we can optimize our audit rules.

Performance tips

Good auditd performance will reduce stress on the Linux kernel and lower its impact on the system. We suggest benchmarking your system performance before and after making any changes, so you can see the benefits of your tuning efforts.

Linux Audit Framework 101 – Basic Rules for Configuration

The Linux audit framework is a very powerful tool for monitoring files, directories, and system calls. Learn how to configure it.

Summary

Starting with Linux auditing can be overwhelming. Fortunately, the Linux kernel has a great feature to watch events and log them for us. To give you a quick start with the Linux Audit Framework, we have collected some basic rules for configuring the audit daemon and its rules.

Main Configuration

By default, the configuration values in /etc/audit/audit.conf are suitable for most systems. If you know your system is very low or very high (e.g. mainframe) on resources, then you might want to adjust some file sizes or buffers.

Creating audit trails – Logging commands on Linux with Snoopy

Snoopy is a useful utility to log commands on Linux and create a related audit trail. Audit trails are considered important for proper accounting.

Summary

Logging commands on Linux with Snoopy

Our customers often want to set up an audit trail for accounting purposes. When something happens, they want to be able to see what happened, when it happened, and by whom. Defining an audit trail is also becoming mandatory for compliance standards like PCI. One possible solution we cover is using Snoopy, a small library that logs executed commands.

How it works

Snoopy is a wrapper around the execve() function. This is a Linux system call that instructs the kernel to execute the program pointed to by a filename. Snoopy logs this filename, together with any arguments, to syslog using the authpriv facility. Usually, events for this facility show up in the file /var/log/auth.log.