<h1>Oracle Linux 7 &#8211; How to audit changes to a trusted file such as /etc/passwd or /etc/shadow</h1>
<p>dbi Blog, Oracle Team, 22 May 2017</p>
<p>Linux auditing is quite powerful, and a lot of different use cases can be handled via the auditing framework. In this blog, however, I would like to show you how to audit changes to trusted files such as /etc/passwd or /etc/shadow. Of course, you are not limited to these files; you can audit whatever you want. Maybe the sqlnet.ora, the /etc/oratab or the Oracle wallets are of more interest in your environment.</p>
<p>Before we start, we have to make sure that the auditd daemon is enabled and running.</p>
<pre class="brush: bash">[root@dbidg03 ~]# systemctl list-unit-files | grep audit
auditd.service                                disabled

[root@dbidg03 ~]# systemctl enable auditd
Created symlink from /etc/systemd/system/multi-user.target.wants/auditd.service to /usr/lib/systemd/system/auditd.service.

[root@dbidg03 ~]# service auditd start
Redirecting to /bin/systemctl start  auditd.service

[root@dbidg03 ~]# ps -ef | grep auditd | grep -v grep
root       107     2  0 07:50 ?        00:00:00 [kauditd]
root      6772     1  0 13:03 ?        00:00:00 /sbin/auditd -n

[root@dbidg03 ~]# auditctl -s
enabled 1
failure 1
pid 6772
rate_limit 0
backlog_limit 64
lost 0
backlog 0
loginuid_immutable 0 unlocked</pre>
<p>Now we can start implementing our first rules: one for auditing /etc/passwd and one for /etc/shadow.</p>
<pre class="brush: bash">[root@dbidg03 ~]# auditctl -w /etc/passwd -p rwa -k audit_passwd
[root@dbidg03 ~]# auditctl -w /etc/shadow -p rwa -k audit_shadow
[root@dbidg03 ~]# auditctl -l
-w /etc/passwd -p rwa -k audit_passwd
-w /etc/shadow -p rwa -k audit_shadow</pre>
<p>The options I used are the following. The first is -w, the path_to_file: in other words, the file or directory that is audited (a watch). The next one is -p, the permissions (access types) that are logged, which can be:</p>
<ul>
<li>r &#8212; read access to a file or a directory</li>
<li>w &#8212; write access to a file or a directory</li>
<li>x &#8212; execute access to a file or a directory</li>
<li>a &#8212; change of the file's or directory's attributes</li>
</ul>
<p>Last but not least, -k, the key_name. This is an optional string, but quite an important one: the key_name is a tag that you assign to your audit rule. Especially when your audit logs are huge, it helps you enormously to identify which rule or set of rules generated a particular log entry. We will see later, when it comes to searching the audit log, how beneficial the tagging is.</p>
<p>Be aware that audit rules defined with auditctl are not persistent across reboots. If you want to make them persistent, you have to include them in the /etc/audit/audit.rules file. The beauty of the audit.rules file is that it uses the same command line syntax as auditctl to specify the rules, so you can simply pipe the auditctl output into your audit.rules file and it works. It is of course good practice to back up your current audit.rules file first.</p>
<pre class="brush: bash">[root@dbidg03 rules.d]# pwd
/etc/audit/rules.d
[root@dbidg03 rules.d]# auditctl -l &gt; audit.rules</pre>
<p>Now we start our first test by simulating a read of the /etc/passwd file by the oracle user.</p>
<pre class="brush: bash">oracle@dbidg03:/home/oracle/ [rdbms112] cat /etc/passwd</pre>
<p>The read immediately created a log entry in the audit.log file.</p>
<pre class="brush: bash">[root@dbidg03 audit]# tail -50f /var/log/audit/audit.log
...
type=SYSCALL msg=audit(1495451317.823:32): arch=c000003e syscall=2 success=yes exit=3 a0=7ffc0e042dad 
a1=0 a2=1fffffffffff0000 a3=7ffc0e041e30 items=1 ppid=6863 pid=7066 
auid=54321 uid=54321 gid=54321 euid=54321 suid=54321 fsuid=54321 egid=54321 sgid=54321 
fsgid=54321 tty=pts2 ses=61 comm="cat" exe="/usr/bin/cat" key="audit_passwd"
type=CWD msg=audit(1495451317.823:32):  cwd="/home/oracle"
type=PATH msg=audit(1495451317.823:32): item=0 name="/etc/passwd" inode=39423106 dev=fb:00 
mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PROCTITLE msg=audit(1495451317.823:32): proctitle=636174002F6574632F706173737764</pre>
<p>The audit.log is rather cryptic to read. This is where ausearch and aureport come into play. For example, we can combine the tag we created beforehand with a start time:</p>
<pre class="brush: bash">[root@dbidg03 rules.d]# ausearch -k audit_passwd --start today | aureport -f

File Report
===============================================
# date time file syscall success exe auid event
===============================================
1. 05/22/2017 13:07:53 /etc/passwd 2 yes /usr/sbin/sshd -1 15
2. 05/22/2017 13:08:37 /etc/passwd 2 yes /usr/bin/cat 54321 32
3. 05/22/2017 13:10:01 /etc/passwd 2 yes /usr/sbin/crond -1 34
4. 05/22/2017 13:20:01 /etc/passwd 2 yes /usr/sbin/crond -1 43</pre>
<p>Maybe you want to limit the audit search to display only data about the user oracle. To do so, use the --uid switch.</p>
<pre class="brush: bash">[root@dbidg03 ~]# getent passwd | grep 54321
oracle:x:54321:54321::/home/oracle:/bin/bash

[root@dbidg03 rules.d]# ausearch -k audit_passwd --start today --uid 54321 | aureport -f

File Report
===============================================
# date time file syscall success exe auid event
===============================================
1. 05/22/2017 13:08:37 /etc/passwd 2 yes /usr/bin/cat 54321 32</pre>
<p>Now we can clearly see that the user oracle ran the cat command on /etc/passwd this midday.</p>
<h3>Conclusion</h3>
<p>Setting up auditing is not so complicated; finding the relevant entries in your audit logs without tagging, however, is not so easy. That's why it is very important to give your audit rules meaningful key names (tags).</p>