Blog | G5 Cyber Security

Auditd & SELinux Logging

TL;DR

This guide shows you how to check whether auditd is logging SELinux events and how to configure it to do so. We’ll cover checking the current setup, enabling SELinux auditing, and searching the logs.

1. Check Current Auditd Configuration

First, let’s see if auditd is already configured to log SELinux events. The main configuration file is /etc/audit/auditd.conf. You’ll need root privileges (use sudo) for these steps.

  1. Check the rules file: The rules live in /etc/audit/rules.d/. Look for a file related to SELinux, such as selinux.rules.
  2. Examine auditd.conf: Open the configuration file with a text editor:
    sudo nano /etc/audit/auditd.conf

    Look for lines that define what is being logged. Key settings include space_left (disk space), max_log_file and max_log_file_size.

  3. Check if SELinux events are included: A basic configuration will often have a rule to log AVC denials. You can check this by looking for entries in the rules files that include -w /var/log/audit/audit.log -p wa -k selinux or similar.

2. Enabling SELinux Auditing (If Not Already Enabled)

If SELinux auditing isn’t enabled, you need to add a rule to /etc/audit/rules.d/selinux.rules or create the file if it doesn’t exist.

  1. Create or edit selinux.rules:
    sudo nano /etc/audit/rules.d/selinux.rules
  2. Add the following rule: This logs all SELinux AVC denials.
    -w /var/log/audit/audit.log -p wa -k selinux

    This line tells auditd to watch (-w) the audit log file for write and attribute-change access (-p wa) and to tag the resulting events with the key selinux (-k selinux), which is what you later search for with ausearch.

  3. Restart auditd: Apply the changes by restarting the auditd service.
    sudo systemctl restart auditd

3. Verify SELinux Auditing is Working

To confirm that auditing is working, trigger an SELinux denial and check the logs.

  1. Trigger a Denial: The easiest way to do this depends on your system’s SELinux policy. A common method is attempting to access a file that your current context is not permitted to touch. For example:
    sudo touch /etc/shadow

    This will likely be blocked by SELinux, generating an AVC denial.

  2. Check the Audit Log: Use ausearch to find the event.
    sudo ausearch -k selinux

    This command searches the audit log for events tagged with the ‘selinux’ key. You should see an entry related to your attempted access.

  3. Alternative search: You can also search by time:
    sudo ausearch -ts today -k selinux

    This searches for SELinux events from today.

4. Understanding Audit Log Output

The audit log entries are detailed, but here’s a breakdown of key fields:
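As an added example (not code from the original post), the Python script below parses the two record types you will meet most often, AVC and SYSCALL, into their fields, pairs records that share an event serial (the number after the colon in msg=audit(...), which ausearch -a also searches by), and prints a one-line reading of each denial. The lines in SAMPLE_LOG are constructed samples; the pids, inode numbers and contexts are illustrative only. Contexts have the form user:role:type:level, and the type (third component) is what policy rules are written against; permissive=1 marks a denial that was logged but not enforced.

```python
import re
from datetime import datetime, timezone

# Constructed sample records for this example; not captured from a real host.
# Serial 456 pairs an AVC record with the SYSCALL record that triggered it,
# the way auditd writes them; serial 457 is a denial in permissive mode.
SAMPLE_LOG = """\
type=AVC msg=audit(1700000000.123:456): avc:  denied  { write } for  pid=2345 comm="touch" name="shadow" dev="dm-0" ino=131072 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=257 success=no exit=-13 auid=1000 uid=0 comm="touch" exe="/usr/bin/touch" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="selinux"
type=AVC msg=audit(1700000003.500:457): avc:  denied  { read } for  pid=2399 comm="httpd" name="index.html" dev="dm-0" ino=2048 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
"""

# Every record starts with its type and an audit(<epoch>.<ms>:<serial>) stamp.
HEADER_RE = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$"
)
# AVC bodies carry the verdict and permission set before the key=value fields.
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$"
)
# Generic key=value tokens; quoted values may contain spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Turn one audit.log line into a dict, or None if it is not an audit record."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rec = {
        "type": m["type"],
        "time": datetime.fromtimestamp(float(m["ts"]), tz=timezone.utc).isoformat(),
        "serial": int(m["serial"]),
    }
    body = m["body"]
    if rec["type"] == "AVC":
        a = AVC_RE.match(body)
        if not a:
            return None
        rec["result"] = a["result"]
        rec["permissions"] = a["perms"].split()
        body = a["rest"]
    for key, value in KV_RE.findall(body):
        rec[key] = value.strip('"')
    return rec


def parse_log(text):
    """Parse every recognisable record in a chunk of audit.log text."""
    return [r for r in (parse_record(line) for line in text.splitlines()) if r]


def denials(records):
    """AVC records whose verdict was 'denied' (permissive=1 means logged but allowed)."""
    return [r for r in records if r["type"] == "AVC" and r["result"] == "denied"]


def events_by_serial(records):
    """Group records by event serial; 'ausearch -a <serial>' shows the same grouping."""
    events = {}
    for r in records:
        events.setdefault(r["serial"], []).append(r)
    return events


def selinux_type(context):
    """Third field of user:role:type:level is the type policy rules are written against."""
    return context.split(":")[2]


def summarize(rec):
    """One-line, human-readable reading of an AVC record."""
    enforced = "blocked" if rec.get("permissive") == "0" else "allowed (permissive)"
    return (
        f"{rec['time']} {rec['comm']} [{selinux_type(rec['scontext'])}] "
        f"{rec['result']} {' '.join(rec['permissions'])} on {rec['tclass']} "
        f"{rec.get('name', '?')} [{selinux_type(rec['tcontext'])}], {enforced}"
    )


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for serial, group in sorted(events_by_serial(records).items()):
        print(f"event {serial}: {[r['type'] for r in group]}")
    for d in denials(records):
        print(summarize(d))
```

To run it against a real log, replace SAMPLE_LOG with the output of sudo ausearch -k selinux (or the raw contents of /var/log/audit/audit.log) and look first at the scontext and tcontext types in each summary line; those two types, together with tclass and the permission set, are what a policy change or a relabel has to address.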

5. Useful Ausearch Options
