This lab is about logging. We need to create a custom logging solution that monitors a set of specific system calls made by a process listed in the lab specifications. Everything should be logged under `/var/log`; the name of the log file is arbitrary. We also need to monitor and log all attempts to write to a given file (also provided in the lab specifications), and all attempts by a user to access a domain.
Learning Objectives
Successfully complete this lab by achieving the following learning objectives:
- Log System Calls of a Process – sysCalls.py
  Get the process ID:
  ps aux | grep sysCalls
  sudo auditctl -a always,exit -S all -F pid=[PID] -k [your key]
- Log Attempts to Access a File – /home/cloud_user/test_file.txt
  sudo auditctl -a always,exit -F path=/home/cloud_user/test_file.txt -F perm=wa -k [your key]
- Log Open Files by cloud_user
  sudo auditctl -a always,exit -S openat -F auid=[UID] -k [your key]
- Make Sure the Rules Will Survive a Reboot
Get the path of the auditd systemd unit file; it will be at the top of the output of:
sudo systemctl cat auditd.service
sudo cp /usr/lib/systemd/system/auditd.service /etc/systemd/system/auditd.service
sudo vim /etc/systemd/system/auditd.service
Comment out
ExecStartPost=-/sbin/augenrules --load
Uncomment
ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules
ESC :wq ENTER
Make the rules permanent
sudo vim /etc/audit/audit.rules
-a always,exit -S all -F pid=[PID] -k [your key]
-a always,exit -F path=/home/cloud_user/test_file.txt -F perm=wa -k [your key]
-a always,exit -S openat -F auid=[UID] -k [your key]
ESC :wq ENTER
Find the log entries in the log files with the key we’ve used
sudo ausearch -k [your key]
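To see what `ausearch -k` is actually matching on, here is an added example (not part of the lab material) that parses constructed audit.log records, joins each SYSCALL record with its PATH records by event id, and groups the events by key. The log lines, PIDs, inodes and key names are all made up for the example.

```python
"""Group raw auditd records by their -k key, the way `ausearch -k <key>` does.
Added example for this lab, not lab material; SAMPLE_LOG is constructed."""
import re
from collections import defaultdict

# Constructed records in /var/log/audit/audit.log format. The number after the
# colon in msg=audit(sec.usec:id) is the event id that ties a SYSCALL record to
# the PATH record(s) of the same event. syscall=257 is openat on x86_64.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd1a2b3c4d a2=241 a3=1b6 items=1 ppid=1200 pid=1234 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="python3" exe="/usr/bin/python3" key="lab_syscalls"
type=PATH msg=audit(1700000000.101:501): item=0 name="/tmp/out.txt" inode=4321 dev=fd:00 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE
type=SYSCALL msg=audit(1700000000.202:502): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffd1a2b9e8f a2=241 a3=1b6 items=1 ppid=1300 pid=1357 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=4 comm="vim" exe="/usr/bin/vim" key="lab_file"
type=PATH msg=audit(1700000000.202:502): item=0 name="/home/cloud_user/test_file.txt" inode=8765 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.303:503): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=7ffd1a2b5566 a2=0 a3=0 items=1 ppid=1300 pid=1400 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=4 comm="cat" exe="/usr/bin/cat" key="lab_openat"
type=PATH msg=audit(1700000000.303:503): item=0 name="/etc/hostname" inode=1111 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.404:504): arch=c000003e syscall=257 success=yes exit=5 a0=ffffff9c a1=7ffd1a2b7788 a2=0 a3=0 items=1 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cron" exe="/usr/sbin/cron" key=(null)
"""

HDR_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Return one record as a dict, or None for a line that is not an audit record."""
    m = HDR_RE.match(line)
    if not m:
        return None
    rtype, ts, event_id, body = m.groups()
    rec = {k: v.strip('"') for k, v in KV_RE.findall(body)}
    rec.update(type=rtype, timestamp=float(ts), event_id=int(event_id))
    return rec

def events_by_key(log_text):
    """Join records by event id, then index events by key (what ausearch -k matches on)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is not None:
            events[rec["event_id"]].append(rec)
    by_key = defaultdict(list)
    for event_id, recs in sorted(events.items()):
        sc = next((r for r in recs if r["type"] == "SYSCALL"), None)
        # Events from rules loaded without -k carry key=(null); ausearch -k never shows them
        if sc is None or sc.get("key", "(null)") == "(null)":
            continue
        by_key[sc["key"]].append({
            "event_id": event_id, "pid": int(sc["pid"]), "auid": int(sc["auid"]),
            "syscall": int(sc["syscall"]), "comm": sc["comm"],
            "success": sc["success"] == "yes", "exit": int(sc["exit"]),  # exit=-13 is EACCES
            "paths": [r["name"] for r in recs if r["type"] == "PATH" and "name" in r],
        })
    return dict(by_key)
```

Note that the denied write to test_file.txt (success=no, exit=-13) is still recorded under its key, which is why the `perm=wa` watch catches attempts and not only successful writes.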