
Featured Centmin Mod Auditd Support Added In Latest 123.09beta01

Discussion in 'Centmin Mod News' started by eva2000, Oct 9, 2016.

Thread Status:
Not open for further replies.
  1. eva2000

    eva2000 Administrator Staff Member

    53,148
    12,110
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,645
    Local Time:
    5:17 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Centmin Mod 123.09beta01 branch after October 9th, 2016 has added Auditd (and optional MariaDB Audit Plugin) setup and configuration for non-openvz systems like KVM, Xen, VMWare, and dedicated servers at tools/auditd.sh. The tools/auditd.sh script is a work in progress for 123.09beta01 so is disabled by default. Instructions for manually enabling it are below. Dedicated discussion thread is here.


    Auditd Documentation & Guides



    How to use and interpret the auditd provided logs is left to the end user as there's no support provided by me. The official Redhat documentation applies to CentOS as well so a starting point would be here.
    Then there are a few guides online

    tools/auditd.sh for Auditd



    To be able to use it right now, you need to set in persistent config file /etc/centminmod/custom_config.inc the variable below before running it:
    Code (Text):
    AUDITD_ENABLE='y'


    Full command options available:
    Code (Text):
    ./auditd.sh
    ./auditd.sh {setup|resetup|updaterules|disable_mariadbplugin|enable_mariadbplugin|backup}
    
    Command Usage:
    
    tools/auditd.sh setup
    tools/auditd.sh resetup
    tools/auditd.sh updaterules
    tools/auditd.sh disable_mariadbplugin
    tools/auditd.sh enable_mariadbplugin
    tools/auditd.sh backup
    


    To install and set up tools/auditd.sh, run
    Code (Text):
    /usr/local/src/centminmod/tools/auditd.sh setup

    To reset the auditd configuration i.e. when tools/auditd.sh is updated with new rules, which you want to sync and update, run
    Code (Text):
    /usr/local/src/centminmod/tools/auditd.sh resetup

    When you add new nginx vhost sites, you may need to add more auditd rules to your current configuration. You could use the above resetup command, which wipes the existing audit config setup and adds the latest from tools/auditd.sh, or you can use the updaterules command below, which instead of wiping the config just appends nginx vhost specific new auditd rules to the existing config.
    Code (Text):
    /usr/local/src/centminmod/tools/auditd.sh updaterules


    tools/auditd.sh for MariaDB Audit Plugin



    Update: December 4, 2023 - this hasn't been tested lately so I'd only try MariaDB Audit Plugin on test servers first.

    tools/auditd.sh also has a 2nd component to optionally install (disabled by default) MariaDB's own Audit Plugin. You need to set in the persistent config file /etc/centminmod/custom_config.inc the variable below before running it:
    Code (Text):
    AUDIT_MARIADB='y'

    You can also disable the MariaDB Audit Plugin later on via the disable_mariadbplugin option
    Code (Text):
    tools/auditd.sh disable_mariadbplugin
    
    Turn Off MariaDB Audit Plugin
    
    Update /etc/my.cnf for server_audit_logging off
    
    MariaDB Audit Plugin Turned Off
    

    You can also re-enable the MariaDB Audit Plugin via the enable_mariadbplugin option
    Code (Text):
    tools/auditd.sh enable_mariadbplugin
    
    Turn On MariaDB Audit Plugin
    
    *************************** 1. row ***************************
               PLUGIN_NAME: SERVER_AUDIT
            PLUGIN_VERSION: 1.4
             PLUGIN_STATUS: ACTIVE
               PLUGIN_TYPE: AUDIT
       PLUGIN_TYPE_VERSION: 3.2
            PLUGIN_LIBRARY: server_audit.so
    PLUGIN_LIBRARY_VERSION: 1.11
             PLUGIN_AUTHOR: Alexey Botchkov (MariaDB Corporation)
        PLUGIN_DESCRIPTION: Audit the server activity
            PLUGIN_LICENSE: GPL
               LOAD_OPTION: ON
           PLUGIN_MATURITY: Stable
       PLUGIN_AUTH_VERSION: 1.4.0
    
    Update /etc/my.cnf for server_audit_logging on
    
    MariaDB Audit Plugin Turned On
    
     
    Last edited: Dec 4, 2023
  2. eva2000


    Centmin Mod Current Auditd Rules Set



    The current configured Auditd rules set is below:

    Code (Text):
    auditctl -l
    -w /etc/audit/ -p wa -k auditconfig
    -w /etc/libaudit.conf -p wa -k auditconfig
    -w /etc/audisp/ -p wa -k audispconfig
    -w /sbin/auditctl -p x -k audittools
    -w /sbin/auditd -p x -k audittools
    -w /etc/ssh/sshd_config -p rwxa -k sshd
    -w /etc/passwd -p wa -k passwd_changes
    -w /var/log/lastlog -p wa -k logins_lastlog
    -w /usr/bin/passwd -p x -k passwd_modification
    -w /etc/group -p wa -k group_changes
    -w /bin/su -p x -k priv_esc
    -w /usr/bin/sudo -p x -k priv_esc
    -w /usr/bin/ssh -p x -k ssh-execute
    -w /etc/sudoers -p rw -k priv_esc
    -w /sbin/shutdown -p x -k power
    -w /sbin/poweroff -p x -k power
    -w /sbin/reboot -p x -k power
    -w /sbin/halt -p x -k power
    -w /usr/sbin/groupadd -p x -k group_modification
    -w /usr/sbin/groupmod -p x -k group_modification
    -w /usr/sbin/addgroup -p x -k group_modification
    -w /usr/sbin/useradd -p x -k user_modification
    -w /usr/sbin/usermod -p x -k user_modification
    -w /usr/sbin/adduser -p x -k user_modification
    -w /etc/hosts -p wa -k hosts
    -w /etc/network -p wa -k network
    -w /etc/sysctl.conf -p wa -k sysctl
    -w /etc/cron.allow -p wa -k cron-allow
    -w /etc/cron.deny -p wa -k cron-deny
    -w /etc/cron.d/ -p wa -k cron.d
    -w /etc/cron.daily/ -p wa -k cron-daily
    -w /etc/cron.hourly/ -p wa -k cron-hourly
    -w /etc/cron.monthly/ -p wa -k cron-monthly
    -w /etc/cron.weekly/ -p wa -k cron-weekly
    -w /etc/crontab -p wa -k crontab
    -w /var/spool/cron/root -p rwxa -k crontab_root
    -a always,exit -F arch=b32 -S link,symlink -F key=symlinked
    -a always,exit -F arch=b64 -S link,symlink -F key=symlinked
    -a always,exit -F arch=b32 -S sethostname -F key=hostname
    -a always,exit -F arch=b32 -S open -F dir=/etc -F success=0 -F key=unauthedfileacess
    -a always,exit -F arch=b32 -S open -F dir=/bin -F success=0 -F key=unauthedfileacess
    -a always,exit -F arch=b32 -S open -F dir=/sbin -F success=0 -F key=unauthedfileacess
    -a always,exit -F arch=b32 -S open -F dir=/usr/bin -F success=0 -F key=unauthedfileacess
    -a always,exit -F arch=b32 -S open -F dir=/usr/sbin -F success=0 -F key=unauthedfileacess
    -a always,exit -F arch=b32 -S open -F dir=/var -F success=0 -F key=unauthedfileacess
    -a always,exit -F arch=b32 -S open -F dir=/home -F success=0 -F key=unauthedfileacess
    -a always,exit -F arch=b64 -S sethostname -F key=hostname
    -a always,exit -F arch=b64 -S open -F dir=/etc -F success=0 -F key=unauthedfileacess
    -a always,exit -F arch=b64 -S open -F dir=/bin -F success=0 -F key=unauthedfileacess
    -a always,exit -F arch=b64 -S open -F dir=/sbin -F success=0 -F key=unauthedfileacess
    -a always,exit -F arch=b64 -S open -F dir=/usr/bin -F success=0 -F key=unauthedfileacess
    -a always,exit -F arch=b64 -S open -F dir=/usr/sbin -F success=0 -F key=unauthedfileacess
    -a always,exit -F arch=b64 -S open -F dir=/var -F success=0 -F key=unauthedfileacess
    -a always,exit -F arch=b64 -S open -F dir=/home -F success=0 -F key=unauthedfileacess
    -w /usr/local/nginx/conf/ -p wa -k nginxconf_changes
    -w /usr/local/nginx/conf/phpstatus.conf -p wa -k phpstatusconf_changes
    -w /usr/local/etc/php-fpm.conf -p wa -k phpfpmconf_changes
    -w /usr/local/lib/php.ini -p wa -k phpini_changes
    -w /etc/my.cnf -p wa -k mycnf_changes
    -w /root/.my.cnf -p wa -k mycnfdot_changes
    -w /etc/csf/csf.conf -p wa -k csfconf_changes
    -w /etc/csf/csf.pignore -p wa -k csfpignore_changes
    -w /etc/csf/csf.fignore -p wa -k csffignore_changes
    -w /etc/csf/csf.signore -p wa -k csfsignore_changes
    -w /etc/csf/csf.rignore -p wa -k csfrignore_changes
    -w /etc/csf/csf.mignore -p wa -k csfmignore_changes
    -w /etc/csf/csf.ignore -p wa -k csfignore_changes
    -w /etc/csf/csf.dyndns -p wa -k csfdyndns_changes
    -w /etc/centminmod/php.d/ -p wa -k phpconfigscandir_changes
    -w /etc/centminmod/custom_config.inc -p wa -k cmm_persistentconfig_changes
    -w /usr/local/src/centminmod/ -p wa -k centminmod_installdir
    -w /etc/pure-ftpd/pure-ftpd.conf -p wa -k pureftpd_changes
    -w /etc/init.d/memcached -p wa -k memcachedinitd_changes
    

    Then there are additional auditd system call rules that are dynamically generated and added to the persistent auditd rule config file based on each detected existing Nginx vhost domain name's log file directory, i.e. for newdomain.com, to log deletions or file renames/moves within /home/nginx/domains/newdomain.com/log.

    This is what is added when you run the updaterules command: tools/auditd.sh traverses the /home/nginx/domains folders and looks for new vhost domain names' /log directories to append to the existing auditd rules.
    Code (Text):
    -a always,exit -F arch=b32 -S unlink,rmdir,unlinkat -F dir=/home/nginx/domains/newdomain.com/log -F success=0 -F key=newdomain.com_logdeletion
    -a always,exit -F arch=b32 -S rename,renameat -F dir=/home/nginx/domains/newdomain.com/log -F success=0 -F key=newdomain.com_logrename
    -a always,exit -F arch=b64 -S rmdir,unlink,unlinkat -F dir=/home/nginx/domains/newdomain.com/log -F success=0 -F key=newdomain.com_logdeletion
    -a always,exit -F arch=b64 -S rename,renameat -F dir=/home/nginx/domains/newdomain.com/log -F success=0 -F key=newdomain.com_logrename
    
     
    Last edited: Oct 11, 2016
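The traversal described above, as an added example that is not part of the original post or of Centmin Mod's tools/auditd.sh: a POSIX sh script that walks a domains root (a constructed temporary tree stands in for /home/nginx/domains), emits the same four rules for every vhost that has a log directory, and appends only rules not already in the rules file, so re-running it does not create duplicates. The function names, the temporary tree and the sample domains second.example, nolog.example and the deliberately long one are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not Centmin Mod's own tools/auditd.sh: rebuild the per-vhost
# log directory rules the post lists for every <root>/<domain>/log directory,
# and append them to a rules file without creating duplicates.

# Emit the four rules (b32/b64, deletion and rename) for one vhost log dir.
vhost_log_rules() {
  domain=$1   # e.g. newdomain.com, used as the audit key prefix
  logdir=$2   # e.g. /home/nginx/domains/newdomain.com/log
  # auditctl limits a key to 31 bytes; "_logdeletion" uses 12 of them.
  if [ ${#domain} -gt 19 ]; then
    echo "skipping $domain: key ${domain}_logdeletion exceeds 31 bytes" >&2
    return 0
  fi
  printf '%s\n' \
    "-a always,exit -F arch=b32 -S unlink,rmdir,unlinkat -F dir=$logdir -F success=0 -F key=${domain}_logdeletion" \
    "-a always,exit -F arch=b32 -S rename,renameat -F dir=$logdir -F success=0 -F key=${domain}_logrename" \
    "-a always,exit -F arch=b64 -S rmdir,unlink,unlinkat -F dir=$logdir -F success=0 -F key=${domain}_logdeletion" \
    "-a always,exit -F arch=b64 -S rename,renameat -F dir=$logdir -F success=0 -F key=${domain}_logrename"
}

# Walk <root>/*/log, the way updaterules walks /home/nginx/domains.
all_vhost_rules() {
  root=$1
  for d in "$root"/*/; do
    d=${d%/}
    [ -d "$d/log" ] || continue
    vhost_log_rules "$(basename "$d")" "$d/log"
  done
}

# Read rules on stdin and append those not already present in the file.
# auditctl refuses to load a duplicate rule ("Rule exists"), so an append
# step must be idempotent. Prints the number of rules added.
append_missing_rules() {
  rules_file=$1
  [ -f "$rules_file" ] || : > "$rules_file"
  added=0
  while IFS= read -r rule; do
    if ! grep -qxF -- "$rule" "$rules_file"; then
      printf '%s\n' "$rule" >> "$rules_file"
      added=$((added + 1))
    fi
  done
  echo "$added"
}

# Constructed sample tree standing in for /home/nginx/domains, so this runs
# offline. The long domain is there to exercise the key length check.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/newdomain.com/log" \
         "$demo_root/second.example/log" \
         "$demo_root/nolog.example/public" \
         "$demo_root/averyveryverylongdomainname.example/log"
demo_rules="$demo_root/audit.rules"
FIRST_RUN_ADDED=$(all_vhost_rules "$demo_root" | append_missing_rules "$demo_rules")
SECOND_RUN_ADDED=$(all_vhost_rules "$demo_root" | append_missing_rules "$demo_rules")
RULES_IN_FILE=$(wc -l < "$demo_rules" | tr -d ' ')
cat "$demo_rules"
rm -rf "$demo_root"
```

The first run writes eight rules (two vhosts with a log directory, four rules each), the second run writes none, and the vhost without a log directory contributes nothing. The key length check matters because the keys are built from the domain name: a domain longer than 19 characters produces a key over auditctl's 31-byte limit and the whole rule file then fails to load.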
  3. eva2000


    Auditd Examples



    For example the rule setup to monitor changes to /etc/my.cnf is
    Code (Text):
    -w /etc/my.cnf -p wa -k mycnf_changes
    

    I've been testing the tools/auditd.sh MariaDB Plugin on/off switch, and that is partially done via sed deletion and echo insertion into the /etc/my.cnf file. This will be logged by auditd via the above rule, which has a key named mycnf_changes. Using the ausearch command I can tell it to return all key = mycnf_changes entries, filtered to those starting from 21:19:
    Code (Text):
    ausearch -ts 21:19 -k mycnf_changes
    

    The output excerpt shows:
    Code (Text):
    time->Sun Oct  9 21:19:34 2016
    type=PROCTITLE msg=audit(1476047974.273:155557): proctitle=736564002D69002F7365727665725F61756469745F6C6F6767696E672F64002F6574632F6D792E636E66
    type=PATH msg=audit(1476047974.273:155557): item=4 name="/etc/my.cnf" inode=783916 dev=09:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=CREATE
    type=PATH msg=audit(1476047974.273:155557): item=3 name="/etc/my.cnf" inode=783889 dev=09:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE
    type=PATH msg=audit(1476047974.273:155557): item=2 name="/etc/sedGeBdnV" inode=783916 dev=09:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE
    type=PATH msg=audit(1476047974.273:155557): item=1 name="/etc/" inode=783362 dev=09:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
    type=PATH msg=audit(1476047974.273:155557): item=0 name="/etc/" inode=783362 dev=09:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
    type=CWD msg=audit(1476047974.273:155557):  cwd="/usr/local/src/centminmod"
    type=SYSCALL msg=audit(1476047974.273:155557): arch=c000003e syscall=82 success=yes exit=0 a0=b6c240 a1=7ffd5bc57752 a2=b6c240 a3=7ffd5bc55440 items=5 ppid=9462 pid=9482 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=15177 comm="sed" exe="/usr/bin/sed" key="mycnf_changes"
    ----
    time->Sun Oct  9 21:19:34 2016
    type=CONFIG_CHANGE msg=audit(1476047974.275:155558): auid=0 ses=15177 op="updated_rules" path="/etc/my.cnf" key="mycnf_changes" list=4 res=1
    ----
    

    This shows I ran the command that altered /etc/my.cnf from the current working directory cwd="/usr/local/src/centminmod" via system call type=SYSCALL syscall=82 using the executable exe="/usr/bin/sed"
    Code (Text):
    time->Sun Oct  9 21:19:34 2016
    type=PROCTITLE msg=audit(1476047974.275:155560): proctitle=2F62696E2F6261736800746F6F6C732F6175646974642E736800656E61626C655F6D617269616462706C7567696E
    type=PATH msg=audit(1476047974.275:155560): item=1 name="/etc/my.cnf" inode=783889 dev=09:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
    type=PATH msg=audit(1476047974.275:155560): item=0 name="/etc/" inode=783362 dev=09:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
    type=CWD msg=audit(1476047974.275:155560):  cwd="/usr/local/src/centminmod"
    type=SYSCALL msg=audit(1476047974.275:155560): arch=c000003e syscall=2 success=yes exit=3 a0=791310 a1=441 a2=1b6 a3=fffffff0 items=2 ppid=4883 pid=9462 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=15177 comm="auditd.sh" exe="/usr/bin/bash" key="mycnf_changes"

    This one shows I ran system call type=SYSCALL syscall=2 from exe="/usr/bin/bash", the auditd.sh script comm="auditd.sh", from the current working directory cwd="/usr/local/src/centminmod"

    You can use the ausyscall command to find out what the syscall numbers are, or pipe ausearch output through aureport (example below)
    Code (Text):
    ausyscall --dump
    

    Code (Text):
    2       open
    82      rename
    

    You can also pipe the ausearch output through the aureport command to get a summary of syscalls
    Code (Text):
    ausearch -ts 21:19 -k mycnf_changes | aureport -f -i

    Example:
    Code (Text):
    ausearch -ts 21:19 -k mycnf_changes | aureport -f -i
    
    File Report
    ===============================================
    # date time file syscall success exe auid event
    ===============================================
    1. 10/09/2016 21:19:34 /etc/my.cnf rename yes /usr/bin/sed root 155557
    2. 10/09/2016 21:19:34 /etc/my.cnf ? yes ? root 155558
    3. 10/09/2016 21:19:34 /etc/my.cnf rename yes /usr/bin/sed root 155559
    4. 10/09/2016 21:19:34 /etc/my.cnf open yes /usr/bin/bash root 155560
    5. 10/09/2016 21:19:34 /etc/my.cnf open yes /usr/bin/bash root 155561
    6. 10/09/2016 21:19:34 /etc/my.cnf ? yes ? root 155556


    Another example is the auditd rule for monitoring /etc/hosts file changes. I just made a change to the /etc/hosts file with the auditd rule below in place, with key = hosts
    Code (Text):
    -w /etc/hosts -p wa -k hosts

    Code (Text):
    ausearch -ts 22:20 -k hosts

    Code (Text):
    ausearch -ts 22:20 -k hosts 
    ----
    time->Sun Oct  9 22:29:15 2016
    type=PROCTITLE msg=audit(1476052155.395:157342): proctitle=6E616E6F002D77002F6574632F686F737473
    type=PATH msg=audit(1476052155.395:157342): item=1 name="/etc/hosts" inode=784362 dev=09:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
    type=PATH msg=audit(1476052155.395:157342): item=0 name="/etc/" inode=783362 dev=09:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
    type=CWD msg=audit(1476052155.395:157342):  cwd="/root"
    type=SYSCALL msg=audit(1476052155.395:157342): arch=c000003e syscall=2 success=yes exit=3 a0=15afd50 a1=441 a2=1b6 a3=63 items=2 ppid=13887 pid=13981 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=15336 comm="nano" exe="/usr/bin/nano" key="hosts"
    ----
    time->Sun Oct  9 22:29:34 2016
    type=PROCTITLE msg=audit(1476052174.123:157343): proctitle=6E616E6F002D77002F6574632F686F737473
    type=PATH msg=audit(1476052174.123:157343): item=1 name="/etc/hosts" inode=784362 dev=09:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
    type=PATH msg=audit(1476052174.123:157343): item=0 name="/etc/" inode=783362 dev=09:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
    type=CWD msg=audit(1476052174.123:157343):  cwd="/root"
    type=SYSCALL msg=audit(1476052174.123:157343): arch=c000003e syscall=2 success=yes exit=3 a0=15b2bc0 a1=241 a2=1b6 a3=7ffee25ee8e0 items=2 ppid=13887 pid=13981 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=15336 comm="nano" exe="/usr/bin/nano" key="hosts"

    Piping it through aureport:
    Code (Text):
    ausearch -ts 22:20 -k hosts | aureport -f -i

    Code (Text):
    ausearch -ts 22:20 -k hosts | aureport -f -i
    File Report
    ===============================================
    # date time file syscall success exe auid event
    ===============================================
    1. 10/09/2016 22:29:15 /etc/hosts open yes /usr/bin/nano root 157342
    2. 10/09/2016 22:29:34 /etc/hosts open yes /usr/bin/nano root 157343
     
    Last edited: Oct 10, 2016
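The fields the post reads by eye out of the raw ausearch records (comm, exe, cwd, syscall, key) can be pulled out with a few lines of POSIX sh, and the hex PROCTITLE value decodes to the exact command line that touched the file. The script below is an added example, not part of the original post or of Centmin Mod; the sample records are copied from the /etc/hosts output above, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: helpers for reading raw
# ausearch records. The sample records are copied from the post's /etc/hosts
# output; the function names are this example's own.

# audit_field RECORD NAME: print the value of NAME= in one raw record,
# whether it is quoted (comm="nano") or bare (syscall=2). The field name is
# anchored on a preceding space so "uid" does not match inside auid/euid.
audit_field() {
  printf '%s\n' "$1" | sed -n "s/.* $2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# decode_proctitle HEX: PROCTITLE stores argv as hex bytes with a NUL between
# arguments; NUL is rendered as a space. Uses only awk and printf %b.
decode_proctitle() {
  printf '%b\n' "$(printf '%s' "$1" | awk '{
    hex = "0123456789abcdef"; s = tolower($0); out = ""
    for (i = 1; i <= length(s); i += 2) {
      v = (index(hex, substr(s, i, 1)) - 1) * 16 + index(hex, substr(s, i + 1, 1)) - 1
      if (v == 0) v = 32
      out = out sprintf("\\0%03o", v)
    }
    print out
  }')"
}

# summarize_event SYSCALL_RECORD CWD_RECORD PROCTITLE_RECORD: the one-line
# view the post assembles by hand (who, which syscall, from where, and with
# what command line).
summarize_event() {
  printf 'key=%s syscall=%s uid=%s success=%s comm=%s exe=%s cwd=%s cmd=%s\n' \
    "$(audit_field "$1" key)" "$(audit_field "$1" syscall)" \
    "$(audit_field "$1" uid)" "$(audit_field "$1" success)" \
    "$(audit_field "$1" comm)" "$(audit_field "$1" exe)" \
    "$(audit_field "$2" cwd)" \
    "$(decode_proctitle "$(audit_field "$3" proctitle)")"
}

# Records copied from the post's "ausearch -ts 22:20 -k hosts" output.
SAMPLE_PROCTITLE='type=PROCTITLE msg=audit(1476052155.395:157342): proctitle=6E616E6F002D77002F6574632F686F737473'
SAMPLE_CWD='type=CWD msg=audit(1476052155.395:157342):  cwd="/root"'
SAMPLE_SYSCALL='type=SYSCALL msg=audit(1476052155.395:157342): arch=c000003e syscall=2 success=yes exit=3 a0=15afd50 a1=441 a2=1b6 a3=63 items=2 ppid=13887 pid=13981 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=15336 comm="nano" exe="/usr/bin/nano" key="hosts"'

summarize_event "$SAMPLE_SYSCALL" "$SAMPLE_CWD" "$SAMPLE_PROCTITLE"
```

For the /etc/hosts records this prints one line ending in cmd=nano -w /etc/hosts; the proctitle from the /etc/my.cnf example earlier in this post decodes to the sed -i invocation that removed the server_audit_logging line, which is the change the post describes. ausearch -i does the same decoding for you on a live system; the point of doing it by hand is to be able to read records that were shipped off-box as raw text.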
  4. eva2000


    MariaDB Audit Plugin Example



    MariaDB Audit Plugin can be very verbose in logging so you may want to leave it disabled which is the default.

    I'd updated it to just log connect and query_dml (INSERT/UPDATES), so here is an example from when I used MySQL/MariaDB's native mysqlslap command to generate some SQL workload and an SQL file

    Code (Text):
    Database Name ? sbtest
    Drop Database If Exists ? y/n: y
    Which Storage Engine ? innodb
    Number of Secondary Indexes ? 4
    Number of Int Col ? 4
    Number of Char Col ? 4
    Number of Queries ? 1000
    mysqlslap.sql created
    -rw-r--r--   1 root root 388K Oct  9 20:45 mysqlslap.sql
    +------------+----------------+----------------+-----------+------------+--------+
    | Table Name | Number of Rows | Storage Engine | Data Size | Index Size | Total  |
    +------------+----------------+----------------+-----------+------------+--------+
    | sbtest.t1  | 644 Rows       | InnoDB         | 0.02MB    | 0.06MB     | 0.08MB |
    +------------+----------------+----------------+-----------+------------+--------+


    Code (Text):
    tail -6 /var/lib/mysql/server_audit.log
    20161009 20:45:59,host.domain.com,root,localhost,6,1758,QUERY,sbtest,'INSERT INTO t1 VALUES (NULL,uuid(),uuid(),uuid(),uuid(),166730292,284589771,1502859928,1209427991,\'BFb8ySFkYGWQmhKxeRC55ORSNWGbLceYsEhiaoIy4gOiMlfs4rxA7GeMnmp0ESZ6a6g8mz7jXNPt85mDwbN4ktIXf8XlcwkAuOAZF9GnZZYZeAmRm1NWuhtPpG3P5n\',\'RrBWOJXYy46WWkhG3JAQhw8QEpaH7f4QN7wfISCGOInuuK3qX5G41GM76wG5SCXrKKMWgan4kQrXmmL9rTDkmbskN8prLCaZYx3CNiH880XumsvTL8Dzbxbz6GiJTH\',\'k16n6TMFdWF8HtsCM6DRxoPZfNhEiAXQ4T5AyRPSyYS7PLJfJO6G5XpkuXycZLuTqsfhBw91Sd8lqSO9sXQx27apWOHweCPKw517t29EgHzMdGYMnyJhxlWS2gOgsp\',\'0gmunYwwmSEdrrtFDg5PE22cM4Gek0Kdg6XSWJGGoWuXEneJKjcQlf20jBeKBypkxK4RXKkBrWax9CGTvlvZOqZz13BC20orCsIcDunwGMtQa1vMmjn2ZKuaFxe9yR\')',0
    20161009 20:45:59,host.domain.com,root,localhost,6,0,DISCONNECT,sbtest,,0
    20161009 20:45:59,host.domain.com,root,localhost,7,0,CONNECT,,,0
    20161009 20:45:59,host.domain.com,root,localhost,7,1760,QUERY,,'select @@version_comment limit 1',0
    20161009 20:45:59,host.domain.com,root,localhost,7,1761,QUERY,,'SELECT CONCAT(table_schema,\'.\',table_name) AS \'Table Name\', CONCAT(ROUND(table_rows,2),\' Rows\') AS \'Number of Rows\',ENGINE AS \'Storage Engine\',CONCAT(ROUND(data_length/(1024*1024),2),\'MB\') AS \'Data Size\',CONCAT(ROUND(index_length/(1024*1024),2),\'MB\') AS \'Index Size\' ,CONCAT(ROUND((data_length+index_length)/(1024*1024),2),\'MB\') AS\'Total\'FROM information_schema.TABLES WHERE table_schema LIKE \'sbtest\'',0
    20161009 20:45:59,host.domain.com,root,localhost,7,0,DISCONNECT,,,0
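
The server_audit.log lines above follow the MariaDB Audit Plugin's default file format (timestamp,serverhost,username,host,connectionid,queryid,operation,database,object,retcode). As an added example that is not part of the original post or of Centmin Mod, the POSIX sh script below summarizes such a log offline: operations per user and client host, DML statements per user (the query_dml class enabled above), and records with a non-zero return code. The sample lines are constructed to look like the excerpt above; the app@10.0.0.5 client and its return codes are made up for the example.

```shell
#!/bin/sh
# Added example, not from the original post: summarize MariaDB Audit Plugin
# log lines offline. Assumes the plugin's default file format:
# timestamp,serverhost,username,host,connectionid,queryid,operation,database,object,retcode
# Only the object field (the query text) can contain commas, so the first
# seven fields and the last one are safe to split on ','.

# Constructed sample shaped like the post's server_audit.log excerpt. The
# app@10.0.0.5 client and the non-zero return codes are made up.
sample_audit_log() {
  cat <<'EOF'
20161009 20:45:59,host.domain.com,root,localhost,6,1758,QUERY,sbtest,'INSERT INTO t1 VALUES (NULL,uuid(),uuid())',0
20161009 20:45:59,host.domain.com,root,localhost,6,0,DISCONNECT,sbtest,,0
20161009 20:45:59,host.domain.com,root,localhost,7,0,CONNECT,,,0
20161009 20:46:02,host.domain.com,app,10.0.0.5,8,1801,QUERY,sbtest,'UPDATE t1 SET a=1 WHERE id=1',0
20161009 20:46:03,host.domain.com,app,10.0.0.5,8,1802,QUERY,sbtest,'DELETE FROM t1',1142
20161009 20:46:05,host.domain.com,app,10.0.0.5,9,0,FAILED_CONNECT,,,1045
EOF
}

# Count operations per user@host plus the number of records with a non-zero
# return code (failed connects and failed statements).
mariadb_audit_summary() {
  awk -F, '{
    who = $3 "@" $4; op = $7; rc = $NF
    count[who " " op]++
    if (rc != 0) failed++
  }
  END {
    for (k in count) print k, count[k]
    print "failures", failed + 0
  }' | sort
}

# Count INSERT/UPDATE/DELETE statements per user by reading the first
# keyword of the quoted query text (the object field).
mariadb_dml_by_user() {
  awk -F, -v q="'" '$7 == "QUERY" && match($0, "," q "[A-Za-z]+") {
    kw = toupper(substr($0, RSTART + 2, RLENGTH - 2))
    if (kw == "INSERT" || kw == "UPDATE" || kw == "DELETE") dml[$3 " " kw]++
  }
  END { for (k in dml) print k, dml[k] }' | sort
}

# Print only the records with a non-zero return code, for a closer look.
mariadb_audit_failures() {
  awk -F, '$NF != 0'
}

sample_audit_log | mariadb_audit_summary
sample_audit_log | mariadb_dml_by_user
sample_audit_log | mariadb_audit_failures
```

On a real server replace sample_audit_log with cat /var/lib/mysql/server_audit.log (or a rotated copy). The failures view is the useful one for a quick check: a burst of FAILED_CONNECT records from one host, or DML that returns an error code, is worth a look before the rest of the log.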
     
  5. eva2000


    Adding Custom Auditd Rules



    For example, to monitor a Xenforo forum's library directory and below for write modifications, just drop a custom rule into /etc/audit/rules.d/xf.rules or append to the main /etc/audit/rules.d/audit.rules file for CentOS 7 or the /etc/audit/audit.rules file for CentOS 6, or you can create a temporary rule via the command line that doesn't persist.

    To create a temporary rule via the command line:
    Code (Text):
    auditctl -w /home/nginx/domains/domain.com/public/library -p wa -k xf-library-writemods
    

    To remove the temporary rule via the command line, replace lower case -w with upper case -W:
    Code (Text):
    auditctl -W /home/nginx/domains/domain.com/public/library -p wa -k xf-library-writemods
    


    For a persistent rule, add the following rule to the /etc/audit/rules.d/xf.rules file, or for CentOS 7 it might be better to add it to the /etc/audit/rules.d/audit.rules file, or for CentOS 6 to the /etc/audit/audit.rules file:
    Code (Text):
    -w /home/nginx/domains/domain.com/public/library -p wa -k xf-library-writemods

    Or, if you want to track writes and modifications to the entire web root, change the full path to just the webroot and change the auditd key to xf-webroot-writemods:
    Code (Text):
    -w /home/nginx/domains/domain.com/public -p wa -k xf-webroot-writemods

    Then run the updaterules command:
    Code (Text):
    ./auditd.sh updaterules

    Code (Text):
    tools/auditd.sh updaterules
    
    auditd rules list
    
    ...snipped...
    
    -w /home/nginx/domains/domain.com/public/library/ -p wa -k xf-library-writemods
    
    auditd rules updated
    

    Using ausearch to filter on the key = xf-library-writemods or xf-webroot-writemods
    Code (Text):
    ausearch -k xf-library-writemods
    ----
    time->Mon Oct 10 00:54:09 2016
    type=CONFIG_CHANGE msg=audit(1476060849.639:2492579): auid=0 ses=334255 op="add_rule" key="xf-library-writemods" list=4 res=1
    

    Here the only entry is for the updaterules command itself adding the rule to auditd, op="add_rule".
     
    Last edited: Oct 11, 2016
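A custom watch rule that is mistyped only shows up as a load error the next time the rules are applied, so it is worth checking the three parts the post's rules are made of (an absolute path, a -p permission set drawn from rwxa, and a -k key of at most 31 bytes) before writing the line. The POSIX sh function below is an added example, not part of the original post or of Centmin Mod; the character set it allows for keys is this example's own choice and is narrower than what auditctl accepts.

```shell
#!/bin/sh
# Added example, not from the original post: build and sanity check a custom
# auditd watch rule before dropping it into /etc/audit/rules.d/ or running it
# through auditctl. The key character set is this example's own choice.

# watch_rule PATH PERMS KEY [add|remove]: print "-w PATH -p PERMS -k KEY"
# (or -W for removal), or fail with a message on stderr.
watch_rule() {
  path=$1; perms=$2; key=$3; mode=${4:-add}
  case $path in
    /*) ;;
    *) echo "path must be absolute: $path" >&2; return 1 ;;
  esac
  case $perms in
    ""|*[!rwxa]*) echo "perms must be a non-empty subset of rwxa: $perms" >&2; return 1 ;;
  esac
  case $key in
    ""|*[!A-Za-z0-9._-]*) echo "key must use only [A-Za-z0-9._-]: $key" >&2; return 1 ;;
  esac
  # auditctl limits a filter key to 31 bytes.
  if [ ${#key} -gt 31 ]; then
    echo "key longer than 31 bytes: $key" >&2; return 1
  fi
  case $mode in
    add) flag=-w ;;
    remove) flag=-W ;;
    *) echo "mode must be add or remove: $mode" >&2; return 1 ;;
  esac
  printf '%s %s -p %s -k %s\n' "$flag" "$path" "$perms" "$key"
}

# The two forms the post shows for the XenForo library directory: the
# persistent rules.d line, and the temporary auditctl add/remove commands.
LIBRARY=/home/nginx/domains/domain.com/public/library
PERSISTENT_RULE=$(watch_rule "$LIBRARY" wa xf-library-writemods)
TEMP_ADD_CMD="auditctl $PERSISTENT_RULE"
TEMP_REMOVE_CMD="auditctl $(watch_rule "$LIBRARY" wa xf-library-writemods remove)"
echo "$PERSISTENT_RULE"
echo "$TEMP_ADD_CMD"
echo "$TEMP_REMOVE_CMD"
```

The persistent line goes into a file under /etc/audit/rules.d/ on CentOS 7, where augenrules merges every *.rules file there into /etc/audit/audit.rules when the rules are loaded; the temporary command takes effect immediately and is gone after a reboot, which is why the post pairs it with the -W removal form.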
  6. eva2000


    Auditd Authentication Reports



    Auditd can also tally up and display reports of your authentication stats, i.e. sshd logins, via the aureport command

    All authentication logs
    Code (Text):
    aureport -au -i
    

    Only successfully authenticated ones
    Code (Text):
    aureport -au -i --success
    

    Failed authentication ones
    Code (Text):
    aureport -au -i --failed
    

    Login specific failures
    Code (Text):
    aureport -l --failed
    

    Login specific successes
    Code (Text):
    aureport -l --success
    

    Login user summary
    Code (Text):
    aureport -l --success --summary -i
    
     
  7. eva2000

    Updated 123.09beta01 tools/auditd.sh buffer and rate limit settings.
     