Working with the Audit Log

1 hour
  • 4 Learning Objectives

About this Hands-on Lab

Understanding the popular Linux auditing system Auditd is important for being able to efficiently and effectively monitor IT systems. The Auditd package allows fine-tuned monitoring that is crucially important for security applications such as host intrusion detection. In this hands-on lab, we will create and use custom audit rules to monitor sensitive configuration files.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Create audit rules to watch `/etc/passwd` for writes, `/etc/sudoers` for reads and writes, and `/sbin/visudo` for executions.

Run the following commands:

  • `auditctl -w /etc/passwd -p w -k userwatch`
  • `auditctl -w /sbin/visudo -p x -k sudowatch`
  • `auditctl -w /etc/sudoers -p rw -k sudowatch`

Generate an audit rule list in `/home/cloud_user/rules.txt`.

Run the command: `auditctl -l > /home/cloud_user/rules.txt`

Generate logs by creating a new user and running the `visudo` command.

Run the following commands:

  • `useradd bob`
  • `visudo`

Generate the `userwatch.txt` and `sudowatch.txt` reports in `/home/cloud_user` by using the established audit keys `userwatch` and `sudowatch`, respectively.

Run the following commands:

  • `ausearch -k userwatch > /home/cloud_user/userwatch.txt`
  • `ausearch -k sudowatch > /home/cloud_user/sudowatch.txt`
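The four steps above, combined into one script, as an added example that is not part of the lab's own material. It writes the three watch rules in the form that `auditctl` accepts (the same lines, minus the `auditctl` word, are what belongs in a `/etc/audit/rules.d/*.rules` file if the rules must survive a reboot), applies them only when `auditctl` is present and you are root, and then shows how to read the resulting records: the `sample_records` function is a constructed, abbreviated imitation of `/var/log/audit/audit.log` lines (the `...` stands for fields left out), and `count_events_for_key` counts distinct audit events per key by their serial number, which is the same thing `ausearch -k` groups on. Function names and the sample records are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the lab's own code). Builds the lab's three watch rules,
# applies them when possible, and summarizes audit records per key.

# Rule lines in auditctl argument syntax (one rule per line).
lab_rules() {
  cat <<'EOF'
-w /etc/passwd -p w -k userwatch
-w /sbin/visudo -p x -k sudowatch
-w /etc/sudoers -p rw -k sudowatch
EOF
}

# Load the rules live if auditctl exists and we are root; otherwise print
# what would be run so the script is safe to read through on any machine.
apply_rules() {
  lab_rules | while read -r line; do
    if command -v auditctl >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
      # word splitting of $line is intended: it carries the arguments
      auditctl $line
    else
      echo "would run: auditctl $line"
    fi
  done
}

# Save the live rule set (lab step 2). Falls back to the static list when
# auditctl is unavailable, so the output file still documents the policy.
save_rule_list() {
  out="$1"
  if command -v auditctl >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    auditctl -l > "$out"
  else
    lab_rules > "$out"
  fi
}

# Write the per-key report (lab step 4) when ausearch is present.
write_report() {
  key="$1"; out="$2"
  command -v ausearch >/dev/null 2>&1 && ausearch -k "$key" > "$out"
}

# Constructed sample of raw audit records, abbreviated ("..." marks omitted
# fields). Event 201 is useradd touching /etc/passwd; 202 and 203 are visudo.
sample_records() {
  cat <<'EOF'
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=257 success=yes exit=4 ... comm="useradd" exe="/usr/sbin/useradd" key="userwatch"
type=PATH msg=audit(1700000000.101:201): item=0 name="/etc/passwd" ...
type=SYSCALL msg=audit(1700000000.205:202): arch=c000003e syscall=59 success=yes exit=0 ... comm="visudo" exe="/sbin/visudo" key="sudowatch"
type=SYSCALL msg=audit(1700000000.301:203): arch=c000003e syscall=257 success=yes exit=3 ... comm="visudo" exe="/sbin/visudo" key="sudowatch"
EOF
}

# Count distinct events (by the serial in msg=audit(ts:serial)) that carry
# the given key. Reads records on stdin, prints a single number.
count_events_for_key() {
  key="$1"
  awk -v k="key=\"$key\"" '
    index($0, k) {
      if (match($0, /audit\([0-9.]+:[0-9]+\)/)) {
        s = substr($0, RSTART, RLENGTH)
        sub(/.*:/, "", s); sub(/\)/, "", s)   # keep only the serial
        seen[s] = 1
      }
    }
    END { n = 0; for (s in seen) n++; print n }'
}

# Usage, as the lab would run it (the report lines are no-ops without ausearch):
#   apply_rules
#   save_rule_list /home/cloud_user/rules.txt
#   write_report userwatch /home/cloud_user/userwatch.txt
#   write_report sudowatch /home/cloud_user/sudowatch.txt
#   sample_records | count_events_for_key sudowatch
```

The count is taken per serial rather than per line because one syscall produces several records (SYSCALL, PATH, CWD, ...) that share a serial; counting lines would inflate the `userwatch` number even though only one event touched `/etc/passwd`.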

Additional Resources

You have been asked to develop an improved audit policy to monitor user creation as well as sudo privilege. You must configure Auditd to watch for writes to /etc/passwd and audit them using the userwatch key. You need to audit any reads or writes to /etc/sudoers using the sudowatch key. You also need to watch for executions of /sbin/visudo using the sudowatch key as well.

Once the audit rules are active, write the live rule set to /home/cloud_user/rules.txt using the auditctl command. Then you will need to test them by creating a user and running the visudo command. You will need to generate a report for both the userwatch and the sudowatch audit keys using the ausearch command. The userwatch key output should be written to /home/cloud_user/userwatch.txt and the sudowatch key output should be written to /home/cloud_user/sudowatch.txt.

Summary tasks list:

  • Create audit rules to watch /etc/passwd, /etc/sudoers, and /sbin/visudo for the appropriate access types.

  • Generate an audit rule list in /home/cloud_user/rules.txt.

  • Generate logs by creating a new user and running the visudo command.

  • Generate the userwatch.txt and sudowatch.txt reports in /home/cloud_user by using the established audit keys userwatch and sudowatch, respectively.

What are Hands-on Labs

Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.
