Audit a linux embedded system

Audit System is a Linux tool created by Red Hat that intercepts all system calls and forwards them to a user-configurable daemon called auditd. Since part of its functionality operates at the kernel level, it can provide information on any ongoing activity, as long as it is mediated by a system call. This feature allows it to monitor every operation within the system, be it a simple file access or the entire network traffic.

In addition to intercepting calls, it is possible to configure the auditd daemon to write a log every time a specific system call is invoked. This functionality makes it a powerful logging tool; in particular, due to the amount of information it can provide, it is the logging system upon which SELinux is based.

Usage

Audit for Security

Besides enabling the proper functioning of SELinux, auditd can be configured to keep track of certain operations. In its most common uses, it is utilised for two main functions: monitoring changes to system files or monitoring system calls that deal with altering vital system parameters, such as time or network information.

Monitoring changes to system files: If you want to keep a system secure, it is essential to monitor the creation of new users and the assignment of related privileges. An unexpected change in these two configurations could indicate some form of compromise.

On Linux, user-related information is saved in simple files, like /etc/shadow, and monitoring write access and permission changes provides crucial information on the system’s protection level. Other examples of important files to monitor include the configurations of main services and the scripts that manage network and interfaces. Most importantly, in systems where SELinux is active, its configuration contained in /etc/selinux/ should be monitored.

Monitoring system calls that modify vital parameters: Apart from configuration files, many system parameters can be modified during runtime. Therefore, it is advisable to monitor such changes by listening directly to the system calls that manage them. Among the most important are the changes to network information and system time.

---

How to install audit

Auditd has two main configuration files: /etc/auditd.conf and /etc/audit.rules. While the former contains more general configurations, the latter includes the rules regarding the actions to monitor.

Audit can be enabled at startup by setting audit=1 as a kernel parameter. This way, all processes executed before the audit daemon starts will be marked as auditable by the kernel. If this operation is not performed, some processes might not be correctly monitored.

Installing Audit in a desktop system

sudo apt-get install auditd audispd-plugins  # For Debian-based
sudo yum install audit audit-libs  # For Red Hat-based

Installing Audit in Yocto Project

To enable auditing features in Yocto Project add the package into the image:

IMAGE_INSTALL:append = " auditd"

Auditd

The Audit framework consists of the auditd daemon, which is responsible for writing the audit messages generated through the kernel audit interface and triggered by application and system activity.

This daemon can be controlled through various commands and files:

• auditctl: to control the daemon’s behaviour in real-time, add rules, etc.
• /etc/audit/audit.rules: contains the rules and various parameters of the auditd daemon.
• aureport: generates reports on system activity.
• ausearch: searches for various events in the logs.
• auditspd: the daemon can be used to forward event notifications to other applications instead of writing them to disk in the audit log.
• autrace: a command that can be used to trace a process, similar to strace.
• /etc/audit/auditd.conf: configuration file related to logging.

Managing the Audit Service

After installing the control package, the next step is to start the auditd service. Before proceeding, it is important to verify the current status of the service to ensure it is functioning correctly.

Steps to ensure the correct installation of auditd:

• Installing the control package: Ensure that the audit package has been correctly installed on the system.

• Starting the auditd service: Once the package is installed, start the auditd service with the command:

  # systemctl start auditd 

• Checking the service status: It is essential to check the current status of the auditd service to ensure it is running correctly. This command will provide detailed information about the service’s status, indicating if it is active and functioning without errors.

# systemctl status auditd

• Enabling the service at startup: To ensure that the auditd service starts automatically at each system reboot, you can enable the service with the command:

# systemctl enable auditd

---

Viewing the Logs

Once auditd is configured to record the events of interest, there are various options for viewing the results. By default, auditd logs are saved in /var/log/audit/audit.log, and the quickest method to view the recorded events is to read the raw logs directly from this file.

However, since this file can become very dense, especially with numerous rules, isolating the system calls related to individual events can be complicated. In these cases, it is possible to use the ausearch command for a more precise log analysis.

This tool allows you to filter the logs by specifying various options, remembering that each consecutive flag is interpreted as a logical “and”.

The most common options include:

• The key (specified with -k in the rules described in the previous section)
• Times , to delimit the search interval of events
• User ID
• PID associated with the call

If you are not looking for specific events, it is useful to use the aureport command, which provides readable summaries of events recorded by the daemon. These summaries help identify suspicious events, which can then be further investigated with ausearch.

Using auditctl

Auditctl is a command used to manage and configure the behaviour of the auditd daemon in real-time. It is an integral part of the audit framework on Linux systems, allowing system administrators to set audit rules, view the current status of the rules, and modify the audit configuration without restarting the daemon. Settings made with the auditctl command are temporary and will be lost upon system reboot; to make them persistent, they must be added to the configuration file.

MAIN FUNCTIONS:

• Adding rules: allows adding new audit rules that specify which system events should be monitored.

• Viewing current rules: shows the audit rules currently in effect.

sudo auditctl -l

• Deleting rules: allows removing specific audit rules or all rules.

sudo auditctl -d <rule>
sudo auditctl -D

Auditctl is a versatile and powerful tool for the dynamic management of the audit system on Linux, providing administrators with the necessary flexibility to maintain a high level of security and compliance.

Configuring auditd Rules

To make auditd rules persistent, they must be inserted into the configuration file located under /etc/audit/audit.rules.

• Open the configuration file: Use the terminal to open the audit.rules file. Typically, you need root privileges to modify this file, so use sudo or log in as superuser.

sudo vi /etc/audit/audit.rules

• Add or modify audit rules: Inside the audit.rules file, you can add or modify audit rules. Rules are specified using a particular format that includes the type of rule, filters, and actions to take when a rule is met. For example:ù

-a always,exit -F arch=b64 -S open -F dir=/etc -F perm=wa -k etc_file_access

• Save changes and restart auditd: After making the desired changes to the audit.rules file, save the file and exit the editor. Restart the auditd service to apply the new rules:

sudo systemctl restart auditd

• Verify the new rules: After restarting auditd, it is advisable to verify that the new rules have been correctly applied using the command:

auditctl -l #to list current rules
ausearch #<rulename>      #to search for specific events according to the new rules

Auditd Rules

Audit rules can be divided into several main categories, each with a specific purpose for monitoring various aspects of the system.

File System Watch Rules: monitor access and modifications to specific files or directories.

System Call Rules: monitor specific system calls (syscalls) made by processes.

File Attribute Rules: monitor changes in file attributes.

Control rules

Control rules manage the behaviour of the audit system itself, including buffer limits, error actions, and check frequency.

• -w Watch: specifies the file or directory to monitor. This flag is used to configure a watch on the files or directories you want to monitor.

• -p Permissions: specifies the permissions to monitor on the indicated file or directory with the -w flag. Permissions can include: r: Read, w: Write, x: Execute, a: Attribute changes

• -k Key: assigns a key or identifier to the events generated by this rule. This is useful for filtering and searching specific events in the audit logs.

• -a Action: specifies the action to take for syscall rules. For example, always to always monitor, never to never.

-a always,exit

• -S Syscall: specifies which system call (syscall) should be monitored.
• -F Field: specifies an additional field to monitor, such as the user’s UID or the process’s PID.

-F uid=1000    # monitora gli eventi generati dall'utente con UID 1000

• -i Ignore errors: ignores errors caused by users or files not found in the local environment.

• -b Buffer size: specifies the buffer size for the audit system.

-b dimensione_buffer

• -f Failure mode: specifies what to do in case of an audit system failure.

-f 0|1|2|3

• -r Rate limit: limits the number of audit messages generated per second.

-r rate

Parameters for ausearch

To test that the rules inserted in /etc/audit/audit.rules are working, the ausearch command is used.

Ausearch is a powerful tool that allows you to search and filter logs generated by auditd. It supports a range of parameters that let you specify search criteria based on various attributes of the audit events.

• -k Key: searches for audit events that match the specified key.

ausearch -k passwd_changes

• -ui UID: searches for events generated by the user with the specified UID.

ausearch -ui 1000

• -i Interpret: converts numeric IDs (UID, GID, etc.) to readable names.

ausearch -i

• -pid PID: searches for events generated by the process with the specified PID.

ausearch -pid 1234

For a detailed list of auditd rules, check the following site: Auditd-rules

---

Monitoring New User Creation

Edit the /etc/audit/audit.rules file and insert the new rule to monitor the use of ‘useradd’:

## Add rule to monitor the execution of the 'useradd' command
-w /usr/sbin/useradd -p x -k user_creation

Restart auditd:

systemctl restart auditd

Create a new user to test the changes:

useradd -m new_usr

Check that the command to create a new user has been monitored by auditd:

ausearch -k user_creation

---

Monitoring File or Directory Operations

This operation tracks every modification made to a specific file by any user, whether root or others. The operations are recorded for both a single file and a complete directory.

Open /etc/audit/audit.rules to insert the new rule that monitors the use of ‘useradd’.

Inside /etc/audit/audit.rules, add the rule:

## Monitor changes in the home/root directory
-w /home/root -p rwa -k homeroot

Restart auditd:

systemctl restart auditd

Try interacting with the directory by creating a file:

touch pippo

Check that the command to create a new user has been monitored by auditd:

ausearch -k homeroot

---

Linux audit to monitor the requirements of IEC 62443-4-2

Linux Audit is a powerful tool that can significantly contribute to meeting the requirements of IEC 62443, which is a series of standards focusing on cybersecurity for industrial automation and control systems (IACS)

1. Monitoring and Logging (Security Levels SL 2 to SL 4): IEC 62443 requires robust monitoring and logging mechanisms to detect and respond to security incidents. Linux Audit can help by:

   • Generating Detailed Logs: it captures system calls, file accesses, and user activities, creating comprehensive logs that can be used to trace security events.
   • Real-time Monitoring: it allows real-time monitoring of system activities, which is essential for detecting and responding to incidents promptly.

2. Access Control and User Management: IEC 62443 emphasizes strict access control and user management to prevent unauthorized access.

   • Tracking User Activities: linux Audit records user logins, logouts, and actions, helping to ensure that only authorized users perform sensitive operations.
   • Auditing Privilege Use: it can monitor the use of sudo and other privilege escalation mechanisms, ensuring that administrative privileges are not misused.

3. Configuration and Change Management: maintaining the integrity of system configurations and managing changes are crucial aspects of IEC 62443 compliance.

   • Monitoring Configuration Changes: linux Audit can track changes to critical configuration files, ensuring that any unauthorized or unexpected changes are detected.
   • Baseline Configuration Auditing: regular auditing against a baseline configuration helps in identifying deviations that might indicate a security breach or misconfiguration.

4. Incident Response and Forensics: effective incident response and forensic analysis capabilities are vital for addressing cybersecurity incidents.

   • Detailed Forensic Records: the logs generated by Linux Audit provide a detailed record of system activities, which can be invaluable for post-incident forensic analysis.
   • Correlation with Other Logs: logs from Linux Audit can be correlated with other system and network logs to get a comprehensive view of an incident.

5. Compliance Reporting: IEC 62443 requires maintaining documentation and evidence of security measures.

   • Audit Reports: linux Audit can generate detailed audit reports that document compliance with security policies and standards.
   • Evidence for Auditors: these reports serve as evidence for auditors, demonstrating that appropriate monitoring and logging mechanisms are in place.

6. Integration with Security Information and Event Management (SIEM) Systems: for enhanced security monitoring and analysis, Linux Audit can be integrated with SIEM systems.

   • Centralized Log Management: SIEM integration allows centralized management and analysis of logs, improving the ability to detect and respond to security incidents.
   • Advanced Analytics: SIEM systems can apply advanced analytics to the logs generated by Linux Audit, identifying patterns and anomalies that might indicate security threats.

Implementation Tips for Using Linux Audit with IEC 62443

• Define Clear Audit Rules: specify what needs to be audited, such as access to sensitive files, changes to configuration files, and use of administrative privileges.
• Regularly Review Audit Logs: establish a process for regularly reviewing audit logs to identify and respond to potential security incidents.
• Automate Alerts: set up automated alerts for critical events, such as unauthorized access attempts or configuration changes.
• Maintain Audit Log Integrity: ensure the integrity and security of audit logs, preventing tampering or unauthorized access.
• Documentation and Training: document audit processes and provide training to personnel on using Linux Audit and interpreting audit logs.

KOAN can assist you in integrating audit features into your system to ensure compliance with IEC 62443-4-2 and meet the requirements of the Cyber Security Act (CSA).

---

Author: Sara Cavallini – ©2024 Copyright – KOAN sas