Design Custom Logging for the Listed Events

1 hour
  • 4 Learning Objectives

About this Hands-on Lab

This lab is about audit logging. We need to build a custom logging solution, using auditd rules, that monitors a specific set of system calls made by the process listed in the lab specifications. Everything should be logged under `/var/log`; the log file name is arbitrary. We also need to monitor and log all attempts to write a given file (the path is provided in the lab specifications), and all attempts by a user to access a domain.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Log System Calls of a Process – sysCalls.py

Get the process ID, then add a rule keyed to that PID:

ps aux | grep sysCalls
sudo auditctl -a always,exit -S all -F pid=[PID] -k [your key]

Log Attempts to Access a File – /home/cloud_user/test_file.txt

sudo auditctl -a always,exit -F path=/home/cloud_user/test_file.txt -F perm=wa -k [your key]

Log Open Files by cloud_user

sudo auditctl -a always,exit -S openat -F auid=[UID] -k [your key]
Make Sure the Rules Will Survive a Reboot

Get the path of the auditd systemd unit file – it is printed as a comment on the first line of the output

sudo systemctl cat auditd.service
sudo cp /usr/lib/systemd/system/auditd.service /etc/systemd/system/auditd.service
sudo vim /etc/systemd/system/auditd.service

Comment out ExecStartPost=-/sbin/augenrules --load

Uncomment ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules

ESC
:wq
ENTER

Make the rules permanent

sudo vim /etc/audit/audit.rules
-a always,exit -S all -F pid=[PID] -k [your key]
-a always,exit -F path=/home/cloud_user/test_file.txt -F perm=wa -k [your key]
-a always,exit -S openat -F auid=[UID] -k [your key]
ESC
:wq
ENTER
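The three rules above are typed once for the live auditctl session and again into /etc/audit/audit.rules. The script below is an added example, not part of the lab material: it builds the rule lines once from a PID, an audit UID and a key, so the same text can be loaded live and appended to the persistent rules file. The key name lab_key, the use of pgrep -f to find the sysCalls.py PID and of id -u to find the cloud_user UID are assumptions made here; the rule syntax itself is the lab's.

```shell
#!/bin/sh
# Added example (not the lab's own code): generate the lab's three audit rules
# from a PID, an audit UID and a key, then apply and persist them.
# Assumptions: the monitored process is sysCalls.py, the user is cloud_user,
# and "lab_key" is a placeholder key name chosen for this example.

WATCH_FILE=/home/cloud_user/test_file.txt

# build_rules PID UID KEY: print the three rule lines, one per line.
# Pure text output, so it can be checked without auditd present.
build_rules() {
    pid=$1; auid=$2; key=$3
    printf '%s\n' "-a always,exit -S all -F pid=$pid -k $key"
    printf '%s\n' "-a always,exit -F path=$WATCH_FILE -F perm=wa -k $key"
    printf '%s\n' "-a always,exit -S openat -F auid=$auid -k $key"
}

# Resolve the live values: oldest PID whose command line matches sysCalls.py,
# and the numeric UID of cloud_user (auid= wants the login UID, not a name).
resolve_pid() { pgrep -f -o sysCalls.py; }
resolve_uid() { id -u cloud_user; }

# load_rules_live PID UID KEY: feed each generated line to auditctl (needs root).
load_rules_live() {
    build_rules "$@" | while IFS= read -r rule; do
        # word-splitting of $rule into auditctl arguments is intended here
        sudo auditctl $rule
    done
}

# persist_rules PID UID KEY: append the lines to the file auditctl -R loads at boot.
persist_rules() {
    build_rules "$@" | sudo tee -a /etc/audit/audit.rules >/dev/null
}

# Only touch the system when explicitly asked: ./audit_rules.sh apply
if [ "${1:-}" = "apply" ]; then
    pid=$(resolve_pid) || { echo "sysCalls.py is not running" >&2; exit 1; }
    uid=$(resolve_uid)
    load_rules_live "$pid" "$uid" lab_key
    persist_rules "$pid" "$uid" lab_key
    # confirm the kernel now holds the keyed rules
    sudo auditctl -l | grep -- "-k lab_key"
fi
```

Because the PID rule is tied to one process instance, it has to be regenerated whenever sysCalls.py is restarted; the path and auid rules stay valid across restarts, which is why generating all three from one function is convenient.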

Find the log entries in the log files with the key we’ve used

sudo ausearch -k [your key]
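ausearch does the key lookup for you, but it helps to see what it is matching on in the raw records. The script below is an added example, not part of the lab: it scans audit.log-style lines, keeps the SYSCALL records whose key= field equals the requested key, and prints the event id, syscall number, pid, auid, success flag and command. The sample log lines are constructed for this example and their values are made up; real records carry more fields, which the parser simply ignores.

```shell
#!/bin/sh
# Added example (not the lab's own code): a minimal stand-in for
# "ausearch -k KEY" over raw /var/log/audit/audit.log lines.
# The sample records below are constructed; every value in them is invented.

SAMPLE_AUDIT_LOG='type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=900 pid=1234 auid=1000 uid=1000 comm="python3" exe="/usr/bin/python3.9" key="lab_key"
type=PATH msg=audit(1700000000.101:201): item=0 name="/home/cloud_user/test_file.txt" inode=4711 mode=0100644
type=SYSCALL msg=audit(1700000000.202:202): arch=c000003e syscall=257 success=no exit=-13 items=1 ppid=1 pid=4321 auid=1000 uid=1000 comm="cat" exe="/usr/bin/cat" key="lab_key"
type=SYSCALL msg=audit(1700000000.303:203): arch=c000003e syscall=1 success=yes exit=12 items=0 ppid=1 pid=5555 auid=4294967295 uid=0 comm="cron" exe="/usr/sbin/cron" key=(null)
type=USER_LOGIN msg=audit(1700000000.404:204): pid=777 uid=0 auid=1000 ses=3 res=success'

# search_key KEY [FILE]: one summary line per SYSCALL record tagged with KEY.
# Output fields: event-id syscall pid auid success comm
search_key() {
    key=$1
    file=${2:--}          # default "-" makes awk read stdin
    awk -v want="$key" '
        $1 == "type=SYSCALL" {
            # split every k=v token into an array, stripping quotes from values
            split("", f)
            for (i = 2; i <= NF; i++) {
                n = index($i, "=")
                if (n > 0) {
                    k = substr($i, 1, n - 1); v = substr($i, n + 1)
                    gsub(/"/, "", v); f[k] = v
                }
            }
            if (f["key"] == want) {
                # the event id is the number after the colon in msg=audit(ts:id):
                match($2, /:[0-9]+\)/)
                id = substr($2, RSTART + 1, RLENGTH - 2)
                printf "%s %s %s %s %s %s\n", id, f["syscall"], f["pid"], f["auid"], f["success"], f["comm"]
            }
        }' "$file"
}

# count_key_events KEY [FILE]: number of SYSCALL records tagged with KEY (0 when none)
count_key_events() { search_key "$@" | awk 'END { print NR }'; }

# Run against the constructed sample when executed directly: ./search_key.sh demo
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_AUDIT_LOG" | search_key lab_key
fi
```

On the constructed sample this reports two keyed events: the python3 openat that succeeded and the cat openat that failed with EACCES (exit=-13). The failed attempt is the more interesting one for the lab's goal, since success=no on a watched file is exactly the access attempt the rule was written to catch, and the PATH record sharing event id 201 is what ausearch joins to the SYSCALL record to show the file name.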

Additional Resources

Lab Conditions

  • sshd server is running.
  • audit is up and running.

Lab Overall Objectives

  • Log system calls of a process
    • sysCalls.py
  • Log attempts to access a file
    • /home/cloud_user/test_file.txt
  • Make sure the rules will survive a reboot
  • Log open files by cloud_user

What are Hands-on Labs

Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.
