Working with the Audit Log

Hands-On Lab

Stosh Oldham

Course Development Director in Content

Length

01:00:00

Difficulty

Intermediate

Understanding the popular Linux auditing system Auditd is important for being able to efficiently and effectively monitor IT systems. The Auditd package allows fine-tuned monitoring that is crucially important for security applications such as host intrusion detection. In this hands-on lab, we will create and use custom audit rules to monitor sensitive configuration files.

Connecting to the Lab

  1. Open your terminal application, and run the following command (remember to replace <PUBLIC_IP> with the public IP you were provided on the lab instructions page):
    ssh cloud_user@<PUBLIC_IP>
  2. Type yes at the prompt.
  3. Enter your cloud_user password at the prompt.

Create the Audit Rules

  1. Create an audit rule to watch /etc/passwd for writes (the -p w permission, so the user creation later in this lab is recorded).
    sudo auditctl -w /etc/passwd -p w -k userwatch
  2. Create an audit rule to watch /etc/sudoers for reads and writes.
    sudo auditctl -w /etc/sudoers -p rw -k sudowatch
  3. Create an audit rule to watch /sbin/visudo for executions.
    sudo auditctl -w /sbin/visudo -p x -k sudowatch
  4. Verify that the audit rules were successfully created.
    sudo auditctl -l

Generate an Audit Rule List in a Text File

  1. Output the contents of the audit rule list to a file called rules.txt.
    sudo auditctl -l > /home/cloud_user/rules.txt

Generate Logs

  1. Create a new user.
    sudo useradd bob
  2. Run the visudo command.
    sudo visudo
  3. Press Esc, and type :q to exit the vim text editor.

Generate the Text File Reports

  1. Generate the userwatch.txt report in /home/cloud_user.
    sudo ausearch -k userwatch > /home/cloud_user/userwatch.txt
  2. Verify that this was successful.
    less /home/cloud_user/userwatch.txt
  3. Type q to exit the less screen.
  4. Generate the sudowatch.txt report in /home/cloud_user.
    sudo ausearch -k sudowatch > /home/cloud_user/sudowatch.txt
  5. Verify that this was successful.
    less /home/cloud_user/sudowatch.txt
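As an added example that is not part of the lab itself, the following script ties the "Create the Audit Rules" and "Generate the Text File Reports" sections together. It writes the lab's three watches in the persistent rules-file syntax that augenrules loads from /etc/audit/rules.d/ (rules added with auditctl alone live only in the running kernel and do not survive a reboot), and it summarises audit records by key in the same way ausearch -k selects them. The audit log lines are constructed samples, and every file path and process name in them is an assumption made for illustration.

```shell
#!/bin/sh
# Added example, not part of the original lab. The rules-file path, the
# sample audit records and the process names in them are constructed.

# Write the three watches from the lab in /etc/audit/rules.d/*.rules syntax:
# one rule per line, exactly the arguments given to auditctl. augenrules
# loads these at boot, whereas rules added with auditctl alone are lost on
# reboot.
write_rules_file() {
    cat > "$1" <<'EOF'
-w /etc/passwd -p w -k userwatch
-w /etc/sudoers -p rw -k sudowatch
-w /sbin/visudo -p x -k sudowatch
EOF
}

# Constructed records in raw audit.log / ausearch output format (assumption:
# field layout as auditd writes it; all values are made up). Only the
# SYSCALL record of an event carries the key= field, which is what
# `ausearch -k` matches on.
write_sample_log() {
    cat > "$1" <<'EOF'
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=257 success=yes exit=3 items=2 ppid=1500 pid=1501 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="useradd" exe="/usr/sbin/useradd" key="userwatch"
type=SYSCALL msg=audit(1700000000.102:202): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=1500 pid=1502 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="visudo" exe="/usr/sbin/visudo" key="sudowatch"
type=SYSCALL msg=audit(1700000000.103:203): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1500 pid=1502 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="visudo" exe="/usr/sbin/visudo" key="sudowatch"
type=SYSCALL msg=audit(1700000000.104:204): arch=c000003e syscall=257 success=yes exit=3 items=2 ppid=1500 pid=1503 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="usermod" exe="/usr/sbin/usermod" key="userwatch"
EOF
}

# Count the records tagged with a given key (argument 2) in a log file
# (argument 1), i.e. the events `ausearch -k KEY` would return.
# Prints 0 when there are none.
count_key_events() {
    grep -c "key=\"$2\"" "$1" || true
}

# List the distinct executables that produced records for a key. This is
# the first thing to check in a report: a write to /etc/passwd by anything
# other than the usual account-management tools deserves a closer look.
exes_for_key() {
    grep "key=\"$2\"" "$1" | sed -n 's/.*exe="\([^"]*\)".*/\1/p' | sort -u
}

# Per-key event counts for the whole log, most frequent first.
summarize_keys() {
    sed -n 's/.*key="\([^"]*\)".*/\1/p' "$1" | sort | uniq -c | sort -rn
}

# Usage (constructed paths):
#   write_rules_file /tmp/lab.rules
#   write_sample_log /tmp/audit.sample
#   count_key_events /tmp/audit.sample userwatch   # prints 2
#   exes_for_key /tmp/audit.sample sudowatch       # prints /usr/sbin/visudo
#   summarize_keys /tmp/audit.sample
```

On a real host the same summary functions can be pointed at the userwatch.txt and sudowatch.txt files produced in the steps above, since ausearch writes records in this raw format unless -i is used to interpret them.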

Conclusion

Congratulations, you've successfully completed this hands-on lab!