Thursday, June 16, 2016

Linux -- auditing in Linux, auditd, setfacl - Linux ACLs

Recently, we were required to audit file and directory accesses in Linux.
We had to audit the directory accesses and record them in files that cannot be accessed by anyone except the root user and an OS account that is currently used by an auditing application.

What we did was enable auditd, which is the userspace component of the Linux Auditing System.

Manual of auditd:

We configured auditd to audit all access types for some given directories, to rotate the audit log files it creates in a timely manner, and to keep them for 90 days. (We did this using the auditd configuration file, /etc/audit/auditd.conf, and the audit rules file, /etc/audit/audit.rules.)

As already mentioned, one of the requirements was that the audit log files populated by auditd must not be accessible to anyone except the root user and the OS account used by the auditing application.
auditd was creating the files in the /var/log/audit directory with the directory permissions 600, so root could read them but the OS account used by the auditing application could not.
So, in order to give read permission on this directory and its files, we used Linux ACLs.
We used the setfacl utility to give read permission to that specific user on the audit log directory and the files stored in it. (Another, less favourable method would be modifying /etc/audit/auditd.conf and changing log_group from root to the group of the OS account used by the auditing application.) One important point: in Linux, to change into a directory, list its contents, or read a file in it, the user needs execute permission on that directory.
So we had to give that user execute permission on the directory in addition to read permission. (The command was something like this: setfacl -Rm u:B:rx /var/log/audit)

Note that Linux ACLs can also be used to define directory and file permissions automatically at creation time. That is, using ACLs we can have new files created with whatever permissions we want, applied on the fly. (You can set it and then test it with a simple command like "touch examplefile".) We use setfacl's "-d" option for this.

-d, --default: All operations apply to the Default ACL. Regular ACL entries in the input set are promoted to Default ACL entries. Default ACL entries in the input set are discarded. (A warning is issued if that happens).
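The access ACL and the "-d" default ACL described above, put together as an added example (not the commands from the original setup). It assumes a constructed temporary directory standing in for /var/log/audit and the current numeric uid standing in for the auditing application's account. It also goes one step further than the post by reading back the effective rights with getfacl, because the ACL mask can silently cancel a named-user entry.

```shell
# Added example, not the post's own commands. A constructed temp directory
# stands in for /var/log/audit; the numeric uid passed in stands in for the
# auditing application's account (both are assumptions so it runs unprivileged).

grant_audit_reader() {    # $1 = log directory, $2 = user name or uid
    # Access ACL for what exists now. Capital X adds execute only to
    # directories, so the log files themselves get r-- rather than r-x.
    setfacl -R -m "u:$2:rX" "$1" || return 1
    # Default ACL (-d): inherited by files created in the directory later.
    setfacl -d -m "u:$2:rX" "$1"
}

effective_perms() {       # $1 = path, $2 = numeric uid
    # -n numeric ids, -e always print "#effective:", -p keep absolute names.
    # The effective right is the ACL entry ANDed with the mask entry.
    getfacl -n -e -p "$1" | awk -v p="^user:$2:" \
        '$0 ~ p { sub(/.*#effective:/, ""); print; exit }'
}

demo() {
    uid=$(id -u)
    dir=$(mktemp -d) || return 1
    chmod 700 "$dir"
    touch "$dir/audit.log.1" && chmod 600 "$dir/audit.log.1"   # pre-existing log
    grant_audit_reader "$dir" "$uid" || { rm -rf "$dir"; return 1; }
    touch "$dir/audit.log"                                    # created afterwards
    out="$(effective_perms "$dir" "$uid")"
    out="$out $(effective_perms "$dir/audit.log.1" "$uid")"
    out="$out $(effective_perms "$dir/audit.log" "$uid")"
    # chmod rewrites the mask from the group bits: 600 leaves the entry in
    # place but masks it to nothing, so re-check after any mode change.
    chmod 600 "$dir/audit.log"
    out="$out $(effective_perms "$dir/audit.log" "$uid")"
    rm -rf "$dir"
    echo "$out"
}
# demo   -> r-x r-- r-- ---
```

The four values are the effective rights on the directory, the pre-existing log, the newly created log, and the new log after a chmod 600. The last one shows why the ACL should be verified with getfacl after rotation instead of being assumed from the default ACL.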

Manual of setfacl :
