Blog | G5 Cyber Security

AuditD Syscall Monitoring

TL;DR

This guide shows you how to set up AuditD on Linux to monitor system calls and generate alerts when specific, potentially malicious activities occur. We’ll focus on practical rules for common security events.

1. Install AuditD

Most Linux distributions include AuditD by default. If not, install it using your package manager:

After installation, start and enable the AuditD service:

sudo systemctl start auditd
sudo systemctl enable auditd

2. Configure Audit Rules

Audit rules are defined in files under /etc/audit/rules.d/. Create a new rule file (e.g., syscall_alerts.rules) or edit an existing one.

Here are some example rules:

2.1 Monitor Executable File Changes

This rule watches /usr/bin for writes and attribute changes (-p wa), so it logs when executable files there are modified, created, or deleted.

-w /usr/bin -p wa -k exec_changes

2.2 Monitor System Call execve

The execve system call is used to execute programs. Monitoring it can detect malicious program launches. The arch=b64 filter matches 64-bit system calls only; if the host can run 32-bit binaries, add a second rule with arch=b32 so their launches are logged as well.

-a always,exit -F arch=b64 -S execve -k exec_calls

2.3 Monitor System Call open

The open syscall is used to open files. Monitoring it can detect access to sensitive files. Note that modern libc implementations usually call openat rather than open, so a rule that lists only open misses most file opens; add openat to the -S list to capture them.

-a always,exit -F arch=b64 -S open -k file_accesses

3. Reload Audit Rules

After adding or modifying rules, reload them. auditctl -R loads the rules from the given file into the running kernel; to merge everything under /etc/audit/rules.d/ into /etc/audit/audit.rules so the rules also survive a reboot, run augenrules --load instead.

sudo auditctl -R /etc/audit/rules.d/syscall_alerts.rules

To check if the rules are loaded correctly:

sudo auditctl -l
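Checking that every rule in the file actually made it into the kernel by eye is error-prone, because a single malformed line is rejected while the rest load. The script below is an added example, not code from the original post: it compares a rules file with captured auditctl -l output and names each rule that is absent. It assumes that newer auditctl versions print the key of a syscall rule as -F key=NAME rather than -k NAME, and treats both spellings as equal; the sample rules file and sample auditctl -l output are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: compare a rules file with the
# output of `auditctl -l` and report rules that did not load.
#
# Assumption: newer auditctl versions list the key of a syscall rule as
# "-F key=NAME" rather than "-k NAME"; both spellings are treated as equal.

# Normalize one rule line: squeeze whitespace, rewrite "-k NAME" to "-F key=NAME".
normalize_rule() {
    printf '%s\n' "$1" \
        | sed -e 's/[[:space:]][[:space:]]*/ /g' -e 's/^ //' -e 's/ $//' \
              -e 's/-k \([^ ]*\)/-F key=\1/'
}

# missing_rules RULES_FILE LOADED_FILE
# RULES_FILE: an auditd rules file; LOADED_FILE: captured `auditctl -l` output.
# Prints "NOT LOADED: <rule>" for every watch/syscall rule absent from
# LOADED_FILE; returns 0 if all are present, 1 otherwise.
missing_rules() {
    rules_file=$1
    loaded_norm=$(mktemp)
    status=0
    while IFS= read -r line; do
        normalize_rule "$line"
    done < "$2" > "$loaded_norm"
    while IFS= read -r line; do
        case "$line" in
            # blank lines, comments and control settings (-D, -b, -f, -e) are not listed by -l
            ''|'#'*|-D*|-b*|-f*|-e*|--backlog_wait_time*) continue ;;
        esac
        want=$(normalize_rule "$line")
        if ! grep -Fxq -- "$want" "$loaded_norm"; then
            printf 'NOT LOADED: %s\n' "$line"
            status=1
        fi
    done < "$rules_file"
    rm -f "$loaded_norm"
    return "$status"
}

# Constructed sample: a rules file and captured `auditctl -l` output in which
# the `open` rule was rejected (for example because of a typo in the real file).
DEMO_RULES=$(mktemp)
cat > "$DEMO_RULES" <<'EOF'
# syscall_alerts.rules (constructed sample)
-w /usr/bin -p wa -k exec_changes
-a always,exit -F arch=b64 -S execve -k exec_calls
-a always,exit -F arch=b64 -S open -k file_accesses
EOF
DEMO_LOADED=$(mktemp)
cat > "$DEMO_LOADED" <<'EOF'
-w /usr/bin -p wa -k exec_changes
-a always,exit -F arch=b64 -S execve -F key=exec_calls
EOF

# On a live host:
#   loaded=$(mktemp); sudo auditctl -l > "$loaded"
#   missing_rules /etc/audit/rules.d/syscall_alerts.rules "$loaded"
missing_rules "$DEMO_RULES" "$DEMO_LOADED" || echo "some rules are not loaded"
```

Run it after every reload; a non-zero exit status from missing_rules makes the check easy to wire into a configuration-management or deployment pipeline.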

4. View Audit Logs

Audit logs are stored in /var/log/audit/audit.log.

Use ausearch to search for specific events:

5. Set up Alerts (Example using auditd-report)

While AuditD itself doesn’t provide real-time alerting, you can use tools to parse the logs and trigger alerts.

Here’s a simple example using auditd-report. This isn’t real-time but demonstrates how to extract information for alert creation:

5.1 Create a Report Script

Create a script (e.g., check_execve.sh) to check for unusual execve calls:

#!/bin/bash
# Check for execve events recorded in the last hour. The rule from section 2.2
# tags them with the key exec_calls; ausearch -ts takes the start date and
# time as two separate arguments, formatted for the current locale.
SINCE=$(date -d '1 hour ago' '+%x %X')
LOGFILE=$(mktemp)   # avoid a predictable file name in /tmp
ausearch -k exec_calls -ts $SINCE -i 2>/dev/null | grep 'comm=' > "$LOGFILE"
if [ -s "$LOGFILE" ]; then
  echo "Possible unusual execve calls detected!"
  mail -s "AuditD Alert: Unusual Execve Calls" your_email@example.com < "$LOGFILE"
fi
rm -f "$LOGFILE"

Make the script executable:

chmod +x check_execve.sh

5.2 Schedule the Script

Use cron to run the script periodically (e.g., every hour):

crontab -e

Add a line like this:

0 * * * * /path/to/check_execve.sh
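Mailing raw ausearch output is hard to read, because every execve event is spread over several records (SYSCALL, EXECVE, CWD, PATH) that share only a serial number. The script below is an added example, not code from the original post, illustrating sections 4 and 5: it reads an audit.log file, joins each SYSCALL record tagged with the key exec_calls from section 2.2 to the EXECVE record carrying its argv, and prints one summary line per event, with a second function that picks out executables launched from world-writable directories. It assumes the rule key is exec_calls and standard auditd field syntax; the sample log lines are constructed and abbreviated, and on a live host the input would be /var/log/audit/audit.log.

```shell
#!/bin/sh
# Added example, not from the original post: summarize execve events from an
# audit.log file by joining each SYSCALL record tagged key="exec_calls"
# (the rule from section 2.2) with the EXECVE record that carries its argv,
# using the serial number in msg=audit(TIMESTAMP:SERIAL).
# Assumptions: the rule key is exec_calls and the log uses the standard
# auditd field syntax; on a live host the input is /var/log/audit/audit.log.

# exec_summary LOGFILE -> one line per execve event:
#   SERIAL auid=.. uid=.. exe=.. argv=[..]
exec_summary() {
    awk '
    # Return the value of NAME=... in LINE, quoted or not ("" if absent).
    function field(line, name,    m) {
        if (match(line, " " name "=\"[^\"]*\"")) {
            m = substr(line, RSTART, RLENGTH)
            sub(" " name "=\"", "", m); sub("\"$", "", m)
            return m
        }
        if (match(line, " " name "=[^ ]*")) {
            m = substr(line, RSTART, RLENGTH)
            sub(" " name "=", "", m)
            return m
        }
        return ""
    }
    {
        # Every record carries msg=audit(TIMESTAMP:SERIAL); SERIAL links the
        # SYSCALL, EXECVE, CWD and PATH records that belong to one event.
        if (!match($0, /msg=audit\([0-9.]+:[0-9]+\)/)) next
        id = substr($0, RSTART + 10, RLENGTH - 11)
        split(id, parts, ":"); serial = parts[2]
        if ($0 ~ /^type=SYSCALL / && field($0, "key") == "exec_calls") {
            order[++n] = serial
            auid[serial] = field($0, "auid"); uid[serial] = field($0, "uid")
            exe[serial] = field($0, "exe")
        } else if ($0 ~ /^type=EXECVE /) {
            argc = field($0, "argc") + 0; s = ""
            for (i = 0; i < argc; i++) s = s (i ? " " : "") field($0, "a" i)
            argv[serial] = s
        }
    }
    END {
        for (i = 1; i <= n; i++) {
            s = order[i]
            printf "%s auid=%s uid=%s exe=%s argv=[%s]\n", s, auid[s], uid[s], exe[s], argv[s]
        }
    }' "$1"
}

count_exec_events() { exec_summary "$1" | wc -l | tr -d ' '; }

# Programs launched from world-writable locations deserve a closer look.
exec_from_writable_dirs() { exec_summary "$1" | grep -E ' exe=(/tmp|/var/tmp|/dev/shm)/'; }

# Constructed, abbreviated sample records (real SYSCALL lines carry more fields).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
type=SYSCALL msg=audit(1712345678.101:201): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1201 auid=1000 uid=1000 gid=1000 euid=1000 comm="ls" exe="/usr/bin/ls" key="exec_calls"
type=EXECVE msg=audit(1712345678.101:201): argc=2 a0="ls" a1="-l"
type=SYSCALL msg=audit(1712345678.202:202): arch=c000003e syscall=257 success=yes exit=3 ppid=1200 pid=1202 auid=1000 uid=1000 gid=1000 euid=1000 comm="cat" exe="/usr/bin/cat" key="file_accesses"
type=SYSCALL msg=audit(1712345678.303:203): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1203 auid=1000 uid=1000 gid=1000 euid=1000 comm="helper" exe="/tmp/helper" key="exec_calls"
type=EXECVE msg=audit(1712345678.303:203): argc=1 a0="/tmp/helper"
EOF

exec_summary "$SAMPLE_LOG"
echo "exec events: $(count_exec_events "$SAMPLE_LOG")"
exec_from_writable_dirs "$SAMPLE_LOG" || echo "none launched from writable dirs"
```

In the hourly job from section 5.1 you would feed the ausearch -k exec_calls output (written with --raw, or the log file itself) to exec_summary and mail the summary rather than the raw records; the auid column is the login user, which stays the same across sudo and is usually the field you want in an alert.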

6. Further Considerations
