{"description": "The audit service provides substantial capabilities\nfor recording system activities. By default, the service audits about\nSELinux AVC denials and certain types of security-relevant events\nsuch as system logins, account modifications, and authentication\nevents performed by programs such as sudo.\nUnder its default configuration, auditd has modest disk space\nrequirements, and should not noticeably impact system performance.\n
\nNOTE: The Linux Audit daemon auditd can be configured to use\nthe augenrules program to read audit rules files (*.rules)\nlocated in /etc/audit/rules.d location and compile them to create\nthe resulting form of the /etc/audit/audit.rules configuration file\nduring the daemon startup (default configuration). Alternatively, the auditd\ndaemon can use the auditctl utility to read audit rules from the\n/etc/audit/audit.rules configuration file during daemon startup,\nand load them into the kernel. The expected behavior is configured via the\nappropriate ExecStartPost directive setting in the\n/usr/lib/systemd/system/auditd.service configuration file.\nTo instruct the auditd daemon to use the augenrules program\nto read audit rules (default configuration), use the following setting:\n
ExecStartPost=-/sbin/augenrules --load
\nin the /usr/lib/systemd/system/auditd.service configuration file.\nIn order to instruct the auditd daemon to use the auditctl\nutility to read audit rules, use the following setting:\n
ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules
\nin the /usr/lib/systemd/system/auditd.service configuration file.\nRefer to [Service] section of the /usr/lib/systemd/system/auditd.service\nconfiguration file for further details.\n
\nGovernment networks often have substantial auditing\nrequirements and auditd can be configured to meet these\nrequirements.\nExamining some example audit records demonstrates how the Linux audit system\nsatisfies common requirements.\nThe following example from Red Hat Enterprise Linux 7 Documentation available at\n\n https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/selinux_users_and_administrators_guide/index#sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages\nshows the substantial amount of information captured in a\ntwo typical \"raw\" audit messages, followed by a breakdown of the most important\nfields. In this example the message is SELinux-related and reports an AVC\ndenial (and the associated system call) that occurred when the Apache HTTP\nServer attempted to access the /var/www/html/file1 file (labeled with\nthe samba_share_t type):\ntype=AVC msg=audit(1226874073.147:96): avc: denied { getattr } for pid=2465 comm=\"httpd\"\npath=\"/var/www/html/file1\" dev=dm-0 ino=284133 scontext=unconfined_u:system_r:httpd_t:s0\ntcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file\n\ntype=SYSCALL msg=audit(1226874073.147:96): arch=40000003 syscall=196 success=no exit=-13\na0=b98df198 a1=bfec85dc a2=54dff4 a3=2008171 items=0 ppid=2463 pid=2465 auid=502 uid=48\ngid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=6 comm=\"httpd\"\nexe=\"/usr/sbin/httpd\" subj=unconfined_u:system_r:httpd_t:s0 key=(null)\n\n\n- msg=audit(1226874073.147:96)\n
- The number in parentheses is the unformatted time stamp (Epoch time)\nfor the event, which can be converted to standard time by using the\ndate command.\n
\n \n- { getattr }\n
- The item in braces indicates the permission that was denied. getattr\nindicates the source process was trying to read the target file's status information.\nThis occurs before reading files. This action is denied due to the file being\naccessed having the wrong label. Commonly seen permissions include getattr,\nread, and write.
\n \n- comm=\"httpd\"\n
- The executable that launched the process. The full path of the executable is\nfound in the exe= section of the system call (SYSCALL) message,\nwhich in this case, is exe=\"/usr/sbin/httpd\".\n
\n \n- path=\"/var/www/html/file1\"\n
- The path to the object (target) the process attempted to access.\n
\n \n- scontext=\"unconfined_u:system_r:httpd_t:s0\"\n
- The SELinux context of the process that attempted the denied action. In\nthis case, it is the SELinux context of the Apache HTTP Server, which is running\nin the httpd_t domain.\n
\n \n- tcontext=\"unconfined_u:object_r:samba_share_t:s0\"\n
- The SELinux context of the object (target) the process attempted to access.\nIn this case, it is the SELinux context of file1. Note: the samba_share_t\ntype is not accessible to processes running in the httpd_t domain.
\n
\n \n- From the system call (SYSCALL) message, two items are of interest:\n
- success=no: indicates whether the denial (AVC) was enforced or not.\nsuccess=no indicates the system call was not successful (SELinux denied\naccess). success=yes indicates the system call was successful - this can\nbe seen for permissive domains or unconfined domains, such as initrc_t\nand kernel_t.\n
\n- exe=\"/usr/sbin/httpd\": the full path to the executable that launched\nthe process, which in this case, is exe=\"/usr/sbin/httpd\".\n
\n
", "warnings": [], "requires": [], "conflicts": [], "values": ["var_audit_backlog_limit"], "groups": ["auditd_configure_rules", "configure_auditd_data_retention", "file_permissions_auditd", "policy_rules"], "rules": ["coreos_audit_backlog_limit_kernel_argument", "coreos_audit_option", "grub2_audit_argument", "grub2_audit_backlog_limit_argument", "package_audispd-plugins_installed", "package_audit-audispd-plugins_installed", "package_audit-libs_installed", "package_audit_installed", "service_auditd_enabled"], "platform": "system_with_kernel", "platforms": ["system_with_kernel"], "inherited_platforms": [], "cpe_platform_names": ["system_with_kernel"], "title": "System Accounting with auditd", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/group.yml"}