In this post I am going to describe how I configured the auditd service on an Ubuntu Linux 12.04 server and the challenges I faced along the way.
Auditd was the most difficult part of preparing the server for PCI DSS. I hope this information will help other administrators :)
Although this is not a comprehensive guide and it leaves out many details, I suppose it can serve as a good start.
Caution: this configuration is excessive and can generate a lot of log data.
Auditd allows us to monitor two kinds of things: system calls and files. With files everything is pretty clear; the syscalls are the main challenge.
A general description of auditd can be found in the man pages and on Google. Here I will post just my configuration with some comments.
Section 10.2 of the PCI DSS standard and its subsections define which events should be logged.
Here is my /etc/audit/audit.rules file:
-a exclude,always -F msgtype=CWD
This rule drops the CWD (current working directory) records, which are excessive.
10.2.2
All actions taken by any individual with root or administrative privileges
-a exit,always -S all -F euid=0 -F perm=wxa -k root
What we have here: all system calls made by root or via sudo that involve writing, appending or executing will be logged. If you use auid instead of euid, syscalls run via sudo will not be logged. To test it, you just need to perform any action as the root user.
10.2.3
Access to all audit trails
-a always,exit -S all -F dir=/logarchive -F perm=wra -k logs-archive
-a always,exit -S all -F dir=/var/log/audit -F perm=wra -k audit-logs
-w /var/log/auth.log -p wra -k logs
-w /var/log/syslog -p wra -k logs
All access to logs, including reads, should be watched. For monitoring a whole directory it is better to use syscall rules with the dir filter instead of the -w option, because the syscall variant will show the name of the affected file and the -w variant will not.
10.2.4
Invalid logical access attempts
-a always,exit -F arch=b64 -S all -F exit=-13 -k access
How auditors test it, for example: read /etc/shadow from a standard user login, write to /etc/passwd, create a file in a directory with restricted permissions. All these actions fail with exit status -13 (EACCES, permission denied) and are consequently logged.
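To see what the 10.2.4 rule actually gives you when reviewing the log, here is a small shell function I added as an example (it is not part of the original post). It joins each SYSCALL record carrying key="access" and exit=-13 with its PATH record by event serial and prints who was denied what. The log lines are constructed for the demo and follow the record layout of the auditd version shipped with 12.04 (no nametype field); only awk is used, so it runs without auditd installed. On a real host you would feed it the raw audit.log instead.

```shell
#!/bin/sh
# Summarise permission-denied events produced by the 10.2.4 rule:
#   -a always,exit -F arch=b64 -S all -F exit=-13 -k access
# Reads raw audit records on stdin, prints one line per denied event:
#   <serial> auid/uid=<auid>/<uid> exe=<exe> syscall=<nr> name=<path>
audit_denied_report() {
  awk '
    # Return the value of "key=value" from the current record, quotes stripped.
    function val(key,    i, s) {
      for (i = 1; i <= NF; i++)
        if (index($i, key "=") == 1) {
          s = substr($i, length(key) + 2)
          gsub(/"/, "", s)
          return s
        }
      return ""
    }
    # Event serial from msg=audit(<timestamp>:<serial>):
    function serial(    s) {
      s = val("msg")
      sub(/^audit\([0-9.]+:/, "", s)
      sub(/\):$/, "", s)
      return s
    }
    $1 == "type=SYSCALL" && val("key") == "access" && val("exit") == "-13" {
      id = serial()
      if (!(id in seen)) { seen[id] = 1; order[++n] = id }
      who[id]  = val("auid") "/" val("uid")   # login uid / current uid
      exe[id]  = val("exe")
      call[id] = val("syscall")               # 2 is open(2) on x86_64
    }
    # The first PATH record of a matched event names the object that was denied.
    $1 == "type=PATH" {
      id = serial()
      if (id in seen && !(id in path)) path[id] = val("name")
    }
    END {
      for (i = 1; i <= n; i++) {
        id = order[i]
        printf "%s auid/uid=%s exe=%s syscall=%s name=%s\n", id, who[id], exe[id], call[id], path[id]
      }
    }
  '
}

# Constructed sample: two denied accesses (key="access") and one successful
# root edit of /etc/hosts (key="system") that must not appear in the report.
SAMPLE_LOG='type=SYSCALL msg=audit(1389000000.123:1001): arch=c000003e syscall=2 success=no exit=-13 a0=7fffd9a4 a1=0 a2=1b6 a3=0 items=1 ppid=2000 pid=2001 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts0 ses=3 comm="cat" exe="/bin/cat" key="access"
type=PATH msg=audit(1389000000.123:1001): item=0 name="/etc/shadow" inode=1234 dev=08:01 mode=0100640 ouid=0 ogid=42 rdev=00:00
type=SYSCALL msg=audit(1389000005.456:1002): arch=c000003e syscall=2 success=yes exit=3 a0=7fffd9b0 a1=241 a2=1a4 a3=0 items=2 ppid=1500 pid=1501 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="vi" exe="/usr/bin/vim.basic" key="system"
type=PATH msg=audit(1389000005.456:1002): item=0 name="/etc/" inode=2 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1389000005.456:1002): item=1 name="/etc/hosts" inode=5678 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1389000010.789:1003): arch=c000003e syscall=2 success=no exit=-13 a0=7fffd9c0 a1=241 a2=1b6 a3=0 items=1 ppid=2100 pid=2101 auid=1002 uid=1002 gid=1002 euid=1002 suid=1002 fsuid=1002 egid=1002 sgid=1002 fsgid=1002 tty=pts2 ses=4 comm="bash" exe="/bin/bash" key="access"
type=PATH msg=audit(1389000010.789:1003): item=0 name="/etc/passwd" inode=4321 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00'

printf '%s\n' "$SAMPLE_LOG" | audit_denied_report
```

The auid is what matters for PCI accountability: it is the login uid and survives su and sudo, so the report names the person rather than the account they switched to.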
10.2.7
Creation and deletion of system level objects.
According to the Payment Card Industry (PCI) Data Security Standard Glossary, Abbreviations and Acronyms, a system-level object has the following definition:
Anything on a system component that is required for its operation, including but not limited to application executable and configuration files, system configuration files, static and shared libraries & DLLs, system executables, device drivers and device configuration files, and added third-party components.
-a always,exit -S all -F dir=/etc -F perm=wa -k system
-a always,exit -S all -F dir=/boot -F perm=wa -k system
-a always,exit -S all -F dir=/usr/lib -F perm=wa -k system
-a always,exit -S all -F dir=/bin -F perm=wa -k system
-a always,exit -S all -F dir=/lib -F perm=wa -k system
-a always,exit -S all -F dir=/lib64 -F perm=wa -k system
-a always,exit -S all -F dir=/sbin -F perm=wa -k system
-a always,exit -S all -F dir=/usr/bin -F perm=wa -k system
-a always,exit -S all -F dir=/usr/sbin -F perm=wa -k system
Thus, any append or write operations on system-level objects will be logged.
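Because every rule above relies on its -k key for later searching and on a valid perm filter, a typo in one line silently leaves a gap. Here is a shell linter I added as an example (not part of the original post) that checks a rules file before it is loaded: every -a or -w rule must carry a -k key (exclude rules are exempt, as they only filter record types), permission filters may only use r, w, x and a, and the list/action pair must be one auditctl accepts. The first rule set is a subset of the rules from this post; the second is constructed to contain mistakes.

```shell
#!/bin/sh
# Lint an auditd rules file (audit.rules syntax) read from stdin.
# Prints one line per problem and exits non-zero if any was found.
audit_rules_lint() {
  awk '
    /^[ \t]*$/ || /^[ \t]*#/ { next }        # blank lines and comments
    $1 != "-a" && $1 != "-w" { next }        # -D, -b, -e and friends are control options
    {
      has_key = 0
      for (i = 1; i <= NF; i++) {
        if ($i == "-k") has_key = 1
        # -F perm=... on syscall rules: only r, w, x, a are meaningful
        if ($i == "-F" && index($(i + 1), "perm=") == 1 && $(i + 1) !~ /^perm=[rwxa]+$/) {
          printf "line %d: bad permission filter %s\n", NR, $(i + 1); errors++
        }
        # -p ... on watch rules: same alphabet
        if ($i == "-p" && $(i + 1) !~ /^[rwxa]+$/) {
          printf "line %d: bad watch permissions %s\n", NR, $(i + 1); errors++
        }
      }
      if ($1 == "-a" && $2 !~ /^(always|never),(exit|exclude|task|user)$/ &&
          $2 !~ /^(exit|exclude|task|user),(always|never)$/) {
        printf "line %d: unknown list/action pair %s\n", NR, $2; errors++
      }
      # exclude rules filter records by type and carry no key
      if (!has_key && $2 !~ /exclude/) {
        printf "line %d: rule has no -k key, so ausearch -k will not find its events\n", NR; errors++
      }
    }
    END { exit (errors > 0) }
  '
}

# Subset of the rules from the post; expected to pass.
GOOD_RULES='-a exclude,always -F msgtype=CWD
-a exit,always -S all -F euid=0 -F perm=wxa -k root
-a always,exit -S all -F dir=/var/log/audit -F perm=wra -k audit-logs
-w /var/log/auth.log -p wra -k logs
-a always,exit -F arch=b64 -S all -F exit=-13 -k access
-a always,exit -S all -F dir=/etc -F perm=wa -k system
-a always,exit -S all -F dir=/sbin -F perm=wa -k system'

# Constructed rules with three mistakes: missing key, bad -p, bad perm=.
BAD_RULES='-a always,exit -S all -F dir=/srv/app -F perm=wa
-w /var/log/app.log -p wrq -k logs
-a always,exit -S all -F dir=/srv/data -F perm=wq -k data'

printf '%s\n' "$GOOD_RULES" | audit_rules_lint && echo "post rules: OK"
printf '%s\n' "$BAD_RULES" | audit_rules_lint || echo "constructed rules: problems found"
```

Run it as a pre-check before auditctl -R /etc/audit/audit.rules; auditctl will reject outright syntax errors itself, but it happily loads a rule without a key, which is exactly the kind of gap an auditor will later ask about.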