The word “auditing” is used in a variety of contexts across most technologies. As a SOC analyst I hear the term “log auditing” at least a dozen times a shift, and most of the time it refers to Linux audit logs. The Linux Audit system records security-relevant activity on a host: with the right rules loaded, file access, process execution, authentication, account changes and configuration changes are all written as audit records, and the auditd daemon stores them in /var/log/audit/audit.log. Because the format differs so much from Windows event logs, many analysts find audit.log hard to read at first, and there are still moments when I can’t immediately tell which record describes what. Once you know the fields, though, handling audit logs is straightforward. I have already published a Linux Audit Logs cheatsheet that walks through how to analyse audit logs, with a short explanation of each field name. This post covers the next step: working out which activity a record describes.
Every Linux audit record carries a type= field that identifies the kind of activity it describes. Records that belong to the same event (a SYSCALL record and its CWD, PATH, EXECVE and PROCTITLE records, for example) share the same msg=audit(timestamp:serial) identifier, so type= tells you what a record is and the identifier tells you which records belong together. The list that follows, taken from the Red Hat reference linked at the end, maps each type to the activity that produces it:
Note:
- [1] Every audit event type that begins with ANOM is meant to be processed by an intrusion detection application.
- [2] Event types of this kind are generated by the Integrity Measurement Architecture (IMA), which works best when paired with a Trusted Platform Module (TPM) chip so that measurements can be anchored in hardware PCRs.
- [3] Every audit event type that begins with RESP records the response of an intrusion detection system when it detects malicious activity on the system.
The markers 1, 2 and 3 after event type names in the table refer to these notes.
| Event Type | Explanation |
| --- | --- |
ACCT_LOCK | Triggered when a user-space user account is locked by the administrator. |
ACCT_UNLOCK | Triggered when a user-space user account is unlocked by the administrator. |
ADD_GROUP | Triggered when a user-space group is added. |
ADD_USER | Triggered when a user-space user account is added. |
ANOM_ABEND [1] | Triggered when a process ends abnormally (with a signal that could cause a core dump, if enabled). |
ANOM_ACCESS_FS [1] | Triggered when a file or a directory access ends abnormally. |
ANOM_ADD_ACCT [1] | Triggered when a user-space account addition ends abnormally. |
ANOM_AMTU_FAIL [1] | Triggered when a failure of the Abstract Machine Test Utility (AMTU) is detected. |
ANOM_CRYPTO_FAIL [1] | Triggered when a failure in the cryptographic system is detected. |
ANOM_DEL_ACCT [1] | Triggered when a user-space account deletion ends abnormally. |
ANOM_EXEC [1] | Triggered when an execution of a file ends abnormally. |
ANOM_LINK [1] | Triggered when suspicious use of file links is detected. |
ANOM_LOGIN_ACCT [1] | Triggered when an account login attempt ends abnormally. |
ANOM_LOGIN_FAILURES [1] | Triggered when the limit of failed login attempts is reached. |
ANOM_LOGIN_LOCATION [1] | Triggered when a login attempt is made from a forbidden location. |
ANOM_LOGIN_SESSIONS [1] | Triggered when a login attempt reaches the maximum amount of concurrent sessions. |
ANOM_LOGIN_TIME [1] | Triggered when a login attempt is made at a time when it is prevented by, for example, pam_time. |
ANOM_MAX_DAC [1] | Triggered when the maximum amount of Discretionary Access Control (DAC) failures is reached. |
ANOM_MAX_MAC [1] | Triggered when the maximum amount of Mandatory Access Control (MAC) failures is reached. |
ANOM_MK_EXEC [1] | Triggered when a file is made executable. |
ANOM_MOD_ACCT [1] | Triggered when a user-space account modification ends abnormally. |
ANOM_PROMISCUOUS [1] | Triggered when a device enables or disables promiscuous mode. |
ANOM_RBAC_FAIL [1] | Triggered when a Role-Based Access Control (RBAC) self-test failure is detected. |
ANOM_RBAC_INTEGRITY_FAIL [1] | Triggered when a Role-Based Access Control (RBAC) file integrity test failure is detected. |
ANOM_ROOT_TRANS [1] | Triggered when a user becomes root. |
AVC | Triggered to record an SELinux permission check. |
AVC_PATH | Triggered to record the dentry and vfsmount pair when an SELinux permission check occurs. |
BPRM_FCAPS | Triggered when a user executes a program with a file system capability. |
CAPSET | Triggered to record the capabilities being set for process-based capabilities, for example, running as root to drop capabilities. |
CHGRP_ID | Triggered when a user-space group ID is changed. |
CHUSER_ID | Triggered when a user-space user ID is changed. |
CONFIG_CHANGE | Triggered when the Audit system configuration is modified. |
CRED_ACQ | Triggered when a user acquires user-space credentials. |
CRED_DISP | Triggered when a user disposes of user-space credentials. |
CRED_REFR | Triggered when a user refreshes their user-space credentials. |
CRYPTO_FAILURE_USER | Triggered when a decrypt, encrypt, or randomize cryptographic operation fails. |
CRYPTO_IKE_SA | Triggered when an Internet Key Exchange Security Association is established. |
CRYPTO_IPSEC_SA | Triggered when an Internet Protocol Security Association is established. |
CRYPTO_KEY_USER | Triggered to record the cryptographic key identifier used for cryptographic purposes. |
CRYPTO_LOGIN | Triggered when a cryptographic officer login attempt is detected. |
CRYPTO_LOGOUT | Triggered when a cryptographic officer logout attempt is detected. |
CRYPTO_PARAM_CHANGE_USER | Triggered when a change in a cryptographic parameter is detected. |
CRYPTO_REPLAY_USER | Triggered when a replay attack is detected. |
CRYPTO_SESSION | Triggered to record parameters set during a TLS session establishment. |
CRYPTO_TEST_USER | Triggered to record cryptographic test results as required by the FIPS-140 standard. |
CWD | Triggered to record the current working directory. |
DAC_CHECK | Triggered to record DAC check results. |
DAEMON_ABORT | Triggered when a daemon is stopped due to an error. |
DAEMON_ACCEPT | Triggered when the auditd daemon accepts a remote connection. |
DAEMON_CLOSE | Triggered when the auditd daemon closes a remote connection. |
DAEMON_CONFIG | Triggered when a daemon configuration change is detected. |
DAEMON_END | Triggered when a daemon is successfully stopped. |
DAEMON_ERR | Triggered when an auditd daemon internal error is detected. |
DAEMON_RESUME | Triggered when the auditd daemon resumes logging. |
DAEMON_ROTATE | Triggered when the auditd daemon rotates the Audit log files. |
DAEMON_START | Triggered when the auditd daemon is started. |
DEL_GROUP | Triggered when a user-space group is deleted. |
DEL_USER | Triggered when a user-space user is deleted. |
DEV_ALLOC | Triggered when a device is allocated. |
DEV_DEALLOC | Triggered when a device is deallocated. |
EOE | Triggered to record the end of a multi-record event. |
EXECVE | Triggered to record arguments of the execve(2) system call. |
FANOTIFY | Triggered when an fanotify access decision is made. |
FD_PAIR | Triggered to record the use of the pipe and socketpair system calls. |
FEATURE_CHANGE | Triggered when an Audit feature changed value. |
FS_RELABEL | Triggered when a file system relabel operation is detected. |
GRP_AUTH | Triggered when a group password is used to authenticate against a user-space group. |
GRP_CHAUTHTOK | Triggered when a group account password or PIN is modified. |
GRP_MGMT | Triggered to record user-space group account attribute modification. |
INTEGRITY_DATA [2] | Triggered to record a data integrity verification event run by the kernel. |
INTEGRITY_EVM_XATTR [2] | Triggered when an EVM-covered extended attribute is modified. |
INTEGRITY_HASH [2] | Triggered to record a hash type integrity verification event run by the kernel. |
INTEGRITY_METADATA [2] | Triggered to record a metadata integrity verification event run by the kernel. |
INTEGRITY_PCR [2] | Triggered to record Platform Configuration Register (PCR) invalidation messages. |
INTEGRITY_RULE [2] | Triggered to record a policy rule. |
INTEGRITY_STATUS [2] | Triggered to record the status of integrity verification. |
IPC | Triggered to record information about an Inter-Process Communication object referenced by a system call. |
IPC_SET_PERM | Triggered to record information about new values set by an IPC_SET control operation on an IPC object. |
KERN_MODULE | Triggered to record a kernel module name on load or unload. |
KERNEL | Triggered to record the initialization of the Audit system. |
KERNEL_OTHER | Triggered to record information from third-party kernel modules. |
LABEL_LEVEL_CHANGE | Triggered when an object’s level label is modified. |
LABEL_OVERRIDE | Triggered when an administrator overrides an object’s level label. |
LOGIN | Triggered to record relevant login information when a user logs in to access the system. |
MAC_CALIPSO_ADD | Triggered when a NetLabel CALIPSO DOI entry is added. |
MAC_CALIPSO_DEL | Triggered when a NetLabel CALIPSO DOI entry is deleted. |
MAC_CHECK | Triggered when a user space MAC (Mandatory Access Control) decision is made. |
MAC_CIPSOV4_ADD | Triggered when a Commercial Internet Protocol Security Option (CIPSO) user adds a new Domain of Interpretation (DOI). Adding DOIs is a part of the packet labeling capabilities of the kernel provided by NetLabel. |
MAC_CIPSOV4_DEL | Triggered when a CIPSO user deletes an existing DOI. Adding DOIs is a part of the packet labeling capabilities of the kernel provided by NetLabel. |
MAC_CONFIG_CHANGE | Triggered when an SELinux Boolean value is changed. |
MAC_IPSEC_EVENT | Triggered to record information about an IPSec event, when one is detected, or when the IPSec configuration changes. |
MAC_MAP_ADD | Triggered when a new Linux Security Module (LSM) domain mapping is added. LSM domain mapping is a part of the packet labeling capabilities of the kernel provided by NetLabel. |
MAC_MAP_DEL | Triggered when an existing LSM domain mapping is deleted. LSM domain mapping is a part of the packet labeling capabilities of the kernel provided by NetLabel. |
MAC_POLICY_LOAD | Triggered when a SELinux policy file is loaded. |
MAC_STATUS | Triggered when the SELinux mode (enforcing, permissive, off) is changed. |
MAC_UNLBL_ALLOW | Triggered when unlabeled traffic is allowed when using the packet labeling capabilities of the kernel provided by NetLabel. |
MAC_UNLBL_STCADD | Triggered when a static label is added when using the packet labeling capabilities of the kernel provided by NetLabel. |
MAC_UNLBL_STCDEL | Triggered when a static label is deleted when using the packet labeling capabilities of the kernel provided by NetLabel. |
MMAP | Triggered to record a file descriptor and flags of the mmap(2) system call. |
MQ_GETSETATTR | Triggered to record the mq_getattr(3) and mq_setattr(3) message queue attributes. |
MQ_NOTIFY | Triggered to record arguments of the mq_notify(3) system call. |
MQ_OPEN | Triggered to record arguments of the mq_open(3) system call. |
MQ_SENDRECV | Triggered to record arguments of the mq_send(3) and mq_receive(3) system calls. |
NETFILTER_CFG | Triggered when Netfilter chain modifications are detected. |
NETFILTER_PKT | Triggered to record packets traversing Netfilter chains. |
OBJ_PID | Triggered to record information about a process to which a signal is sent. |
PATH | Triggered to record file name path information. |
PROCTITLE | Gives the full command-line that triggered this Audit event, triggered by a system call to the kernel. |
RESP_ACCT_LOCK [3] | Triggered when a user account is locked. |
RESP_ACCT_LOCK_TIMED [3] | Triggered when a user account is locked for a specified period of time. |
RESP_ACCT_REMOTE [3] | Triggered when a user account is locked from a remote session. |
RESP_ACCT_UNLOCK_TIMED [3] | Triggered when a user account is unlocked after a configured period of time. |
RESP_ALERT [3] | Triggered when an alert email is sent. |
RESP_ANOMALY [3] | Triggered when an anomaly was not acted upon. |
RESP_EXEC [3] | Triggered when an intrusion detection program responds to a threat originating from the execution of a program. |
RESP_HALT [3] | Triggered when the system is shut down. |
RESP_KILL_PROC [3] | Triggered when a process is terminated. |
RESP_SEBOOL [3] | Triggered when an SELinux Boolean value is set. |
RESP_SINGLE [3] | Triggered when the system is put into single-user mode. |
RESP_TERM_ACCESS [3] | Triggered when a session is terminated. |
RESP_TERM_LOCK [3] | Triggered when a terminal is locked. |
ROLE_ASSIGN | Triggered when an administrator assigns a user to an SELinux role. |
ROLE_MODIFY | Triggered when an administrator modifies an SELinux role. |
ROLE_REMOVE | Triggered when an administrator removes a user from an SELinux role. |
SECCOMP | Triggered when a SECure COMPuting event is detected. |
SELINUX_ERR | Triggered when an internal SELinux error is detected. |
SERVICE_START | Triggered when a service is started. |
SERVICE_STOP | Triggered when a service is stopped. |
SOCKADDR | Triggered to record a socket address. |
SOCKETCALL | Triggered to record arguments of the sys_socketcall system call (used to multiplex many socket-related system calls). |
SOFTWARE_UPDATE | Triggered to record software update events. |
SYSCALL | Triggered to record a system call to the kernel. |
SYSTEM_BOOT | Triggered when the system is booted up. |
SYSTEM_RUNLEVEL | Triggered when the system’s run level is changed. |
SYSTEM_SHUTDOWN | Triggered when the system is shut down. |
TEST | Triggered to record the success value of a test message. |
TIME_ADJNTPVAL | Triggered when the system clock is modified. |
TIME_INJOFFSET | Triggered when a timekeeping offset is injected into the system clock. |
TRUSTED_APP | A record of this type can be used by third-party applications that require auditing. |
TTY | Triggered when TTY input was sent to an administrative process. |
USER_ACCT | Triggered when a user-space user authorization attempt is detected. |
USER_AUTH | Triggered when a user-space user authentication attempt is detected. |
USER_AVC | Triggered when a user-space AVC message is generated. |
USER_CHAUTHTOK | Triggered when a user account password or PIN is modified. |
USER_CMD | Triggered when a user-space shell command is executed. |
USER_DEVICE | Triggered when a user-space hotplug device is changed. |
USER_END | Triggered when a user-space session is terminated. |
USER_ERR | Triggered when a user account state error is detected. |
USER_LABELED_EXPORT | Triggered when an object is exported with an SELinux label. |
USER_LOGIN | Triggered when a user logs in. |
USER_LOGOUT | Triggered when a user logs out. |
USER_MAC_POLICY_LOAD | Triggered when a user-space daemon loads an SELinux policy. |
USER_MGMT | Triggered to record user-space user account attribute modification. |
USER_ROLE_CHANGE | Triggered when a user’s SELinux role is changed. |
USER_SELINUX_ERR | Triggered when a user-space SELinux error is detected. |
USER_START | Triggered when a user-space session is started. |
USER_TTY | Triggered when an explanatory message about TTY input to an administrative process is sent from user-space. |
USER_UNLABELED_EXPORT | Triggered when an object is exported without SELinux label. |
USYS_CONFIG | Triggered when a user-space system configuration change is detected. |
VIRT_CONTROL | Triggered when a virtual machine is started, paused, or stopped. |
VIRT_MACHINE_ID | Triggered to record the binding of a label to a virtual machine. |
VIRT_RESOURCE | Triggered to record resource assignment of a virtual machine. |
Example:
Let’s look at a few scenarios involving the types above:
Case 1:
Raw log:
Time=4/28/24 16:41:07:000 PM node=anulinux type=ACCT_LOCK msg=audit(65432.657:987): pid=2341 uid=0 auid=3424567 ses=753456326 subj=system_u:system_r:passwd_t:s0 msg='op=locked-password id=2000 exe="/usr/bin/passwd" hostname=anulinux addr=? terminal=? res=success' UID="root" AUID="anu"
Explanation:
ACCT_LOCK = Triggered when a user-space user account is locked by the administrator.
- In the above log the event type is ACCT_LOCK, so an account was locked. The locked account is the one named by id=2000 (its UID). AUID="anu" (auid=3424567) is the login identity of the administrator whose session ran /usr/bin/passwd, and uid=0 shows the tool ran as root; the record does not say that anu’s own account was locked. When reading account-management records, always separate the actor (auid/AUID) from the target (id).
- op=locked-password means the password field was locked administratively (what `passwd -l` does), and res=success confirms it took effect. This is not a lockout caused by incorrect or expired passwords at login: an automatic lockout is raised by the PAM lockout module and shows up under the ANOM_LOGIN_FAILURES and RESP_ACCT_LOCK types from the table above rather than as an ACCT_LOCK from passwd.
Case 2:
Raw log:
Time=4/28/24 16:50:07:000 PM node=anulinux type=USER_CHAUTHTOK msg=audit(4353566765.645:7545): pid=1806 uid=0 auid=3424567 ses=7648 msg='op=updating-password id=2001 exe="/usr/sbin/usermod" hostname=anulinux addr=? terminal=? res=success' UID="root" AUID="anu"
Explanation:
USER_CHAUTHTOK = Triggered when a user account password or PIN is modified.
- In the above log the event type is USER_CHAUTHTOK, so an account’s authentication token (password or PIN) was changed. As in Case 1, id=2001 is the UID of the account whose password was updated, while AUID="anu" is the administrator whose session ran /usr/sbin/usermod as root (uid=0); the record does not mean anu’s own password changed. op=updating-password together with res=success confirms the change went through. The same type with exe="/usr/bin/passwd" and id equal to auid would instead indicate a user changing their own password.
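The following Python script is an added example (not code from the original post) that ties the type table together with Cases 1 and 2. It parses raw audit.log records, including the nested msg='...' message that user-space records carry, groups records that share one msg=audit(timestamp:serial) identifier into a single event, classifies each record by its type prefix (the ANOM_, RESP_ and INTEGRITY_ families from the notes above), decodes a hex-encoded PROCTITLE, and for account-management records reports who acted (auid/AUID) against which account (id=). The sample records embedded in it are constructed, with made-up serials, UIDs, session ids and host name; they follow the layout auditd writes with log_format = ENRICHED, which appends UID="..." and AUID="..." to each record (separated by a 0x1d byte in the real file, a space here), and the NETFILTER_CFG line uses family=2, the NFPROTO_IPV4 value.

```python
"""Parse raw auditd records, group them into events, classify them by type
and separate actor from target in account-management records.

Added example, not code from the original post. All records below are
constructed: serials, UIDs, session ids and the host name are made up."""
import re
from collections import defaultdict

SAMPLE_LOG = """\
type=SYSCALL msg=audit(1714306867.101:900): arch=c000003e syscall=59 success=yes exit=0 a0=55d0 a1=55d1 a2=55d2 a3=0 items=2 ppid=1800 pid=2341 auid=3424567 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=7648 comm="passwd" exe="/usr/bin/passwd" key="account-mgmt"
type=EXECVE msg=audit(1714306867.101:900): argc=3 a0="passwd" a1="-l" a2="svc-backup"
type=CWD msg=audit(1714306867.101:900): cwd="/root"
type=PATH msg=audit(1714306867.101:900): item=0 name="/usr/bin/passwd" inode=1234 dev=fd:00 mode=0104755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PROCTITLE msg=audit(1714306867.101:900): proctitle=706173737764002D6C007376632D6261636B7570
type=EOE msg=audit(1714306867.101:900):
type=ACCT_LOCK msg=audit(1714306867.200:901): pid=2341 uid=0 auid=3424567 ses=7648 subj=system_u:system_r:passwd_t:s0 msg='op=locked-password id=2000 exe="/usr/bin/passwd" hostname=anulinux addr=? terminal=pts/0 res=success' UID="root" AUID="anu"
type=USER_CHAUTHTOK msg=audit(1714306867.300:902): pid=1806 uid=0 auid=3424567 ses=7648 msg='op=updating-password id=2001 exe="/usr/sbin/usermod" hostname=anulinux addr=? terminal=pts/0 res=success' UID="root" AUID="anu"
type=NETFILTER_CFG msg=audit(1714306868.400:903): table=filter:54234 family=2 entries=3 op=nft_register_rule pid=1807 comm="iptables"
type=ANOM_PROMISCUOUS msg=audit(1714306869.500:904): dev=eth0 prom=256 old_prom=0 auid=3424567 uid=0 gid=0 ses=7648
"""

HEADER_RE = re.compile(r"^type=(?P<type>\S+)\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
FIELD_RE = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S+)")
HEX_RE = re.compile(r"[0-9A-Fa-f]+")
# "untrusted" string fields are written unquoted and hex-encoded when they
# hold spaces, quotes or control characters (PROCTITLE always does: argv is NUL-separated)
HEX_ENCODED_KEYS = {"proctitle", "cwd", "name", "comm", "exe", "acct", "key"}

PREFIX_FAMILIES = (
    ("ANOM_", "anomaly, input for an intrusion detection system (note 1)"),
    ("RESP_", "response of an intrusion detection system (note 3)"),
    ("INTEGRITY_", "IMA/EVM integrity measurement (note 2)"),
    ("CRYPTO_", "cryptographic subsystem"),
    ("MAC_", "mandatory access control (SELinux, NetLabel)"),
    ("DAEMON_", "auditd daemon lifecycle"),
    ("VIRT_", "virtual machine control"),
    ("USER_", "user-space authentication or session record"),
)
SYSCALL_PARTS = {"SYSCALL", "EXECVE", "CWD", "PATH", "PROCTITLE", "SOCKADDR", "SOCKETCALL", "MMAP", "FD_PAIR", "IPC", "EOE"}
ACCOUNT_MGMT = {"ACCT_LOCK", "ACCT_UNLOCK", "ADD_USER", "DEL_USER", "USER_MGMT", "USER_CHAUTHTOK",
                "ADD_GROUP", "DEL_GROUP", "GRP_MGMT"}


def parse_fields(body):
    """Turn 'k=v k="v" msg=\\'k=v ...\\'' into a dict; nested msg='...' is flattened in."""
    fields = {}
    for key, raw in FIELD_RE.findall(body):
        if raw.startswith("'"):                      # nested user-space message
            fields.update(parse_fields(raw[1:-1]))
        elif raw.startswith('"'):
            fields[key] = raw[1:-1]
        elif key in HEX_ENCODED_KEYS and len(raw) % 2 == 0 and HEX_RE.fullmatch(raw):
            fields[key] = bytes.fromhex(raw).decode("utf-8", "replace")
        else:
            fields[key] = raw
    return fields


def parse_record(line):
    """Split one audit.log line into type, event id (ts:serial) and fields; None if not a record."""
    m = HEADER_RE.match(line.replace("\x1d", " "))   # ENRICHED format separates UID="..." with 0x1d
    if not m:
        return None
    return {"type": m["type"], "event_id": f"{m['ts']}:{m['serial']}", "fields": parse_fields(m["body"])}


def group_events(text):
    """Records sharing one audit(ts:serial) identifier form one event; keep file order."""
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["event_id"]].append(rec)
    return dict(events)


def classify(record_type):
    if record_type in ACCOUNT_MGMT:
        return "user-space account management"
    for prefix, label in PREFIX_FAMILIES:
        if record_type.startswith(prefix):
            return label
    if record_type in SYSCALL_PARTS:
        return "part of a kernel system-call event"
    return "other"


def actor_and_target(rec):
    """auid/AUID is the admin's login identity (who ran the tool); id= is the account acted on.
    uid=0 only says the tool ran as root, it does not identify the person."""
    f = rec["fields"]
    return {"actor": f.get("AUID") or f.get("auid"), "actor_auid": f.get("auid"), "target_uid": f.get("id"),
            "op": f.get("op"), "exe": f.get("exe"), "result": f.get("res")}


def command_line(records):
    """Rebuild argv from the (hex-decoded) PROCTITLE record of a system-call event."""
    for r in records:
        if r["type"] == "PROCTITLE":
            return r["fields"]["proctitle"].split("\0")
    return None


def summarize(text):
    out = []
    for event_id, records in group_events(text).items():
        line = f"{event_id} {'+'.join(r['type'] for r in records)}: {classify(records[0]['type'])}"
        argv = command_line(records)
        if argv:
            line += " | cmd: " + " ".join(argv)
        for r in records:
            if r["type"] in ACCOUNT_MGMT:
                a = actor_and_target(r)
                line += (f" | {a['op']} on uid {a['target_uid']} by {a['actor']} (auid {a['actor_auid']})"
                         f" via {a['exe']} res={a['result']}")
        out.append(line)
    return out


if __name__ == "__main__":
    for line in summarize(SAMPLE_LOG):
        print(line)
```

Running it prints one line per event; the two account-management events come out as "locked-password on uid 2000 by anu (auid 3424567) via /usr/bin/passwd" and "updating-password on uid 2001 by anu ...", which is exactly the actor/target reading Cases 1 and 2 call for, and the SYSCALL event shows the decoded command line `passwd -l svc-backup` that produced the ACCT_LOCK. On a live host the same grouping is what `ausearch -i` does for you; the script is useful when records arrive in a SIEM one line at a time.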
Case 3:
Raw log:
Time=4/28/24 17:00:34:000 PM node=anulinux type=NETFILTER_CFG msg=audit(4353566765.645:7545): table=filter:54234 family=4 entries=3 op=nft_register_rule pid=1807 comm="iptables"
Explanation:
NETFILTER_CFG = Triggered when Netfilter chain modifications are detected.
- What is Netfilter? It is the packet filtering and firewall framework built into the Linux kernel. iptables (and nft) are user-space command-line tools for adding and removing its rules. Netfilter supports packet filtering (stateless or stateful), many kinds of network address and port translation (NAT/NAPT), and multiple API layers for third-party extensions. op=nft_register_rule together with comm="iptables" shows the rule went in through the nf_tables backend, which is what iptables-nft uses.
- In the above log the event type is NETFILTER_CFG, so the firewall rule set on host anulinux was modified: a rule was registered in the filter table (entries=3) by a process running iptables (pid=1807). The record identifies the process but not the rule itself or the interactive user; to see which rule was added and by whom, pair it with the SYSCALL/EXECVE event for the same pid, which you get by auditing execution of the firewall tools (for example `auditctl -w /usr/sbin/iptables -p x -k firewall`).
Case 4:
Record (abbreviated): type=USER_AUTH ... acct="anu" ... addr=127.0.0.1 ... res=failed
Explanation:
- A USER_AUTH record with res=failed means that someone attempted to authenticate to the system (through PAM, for example an SSH login) and the attempt was unsuccessful. The record names the account (acct=), the source address (addr=), the service (exe=, such as /usr/sbin/sshd) and the terminal (terminal=ssh). A single failure is usually a mistyped password; a burst of failures against one or many accounts from the same addr is the typical signature of an SSH or SFTP brute-force attempt. The auid on these records is 4294967295 (unset), which is expected: the login UID is only assigned once authentication succeeds.
- Watching USER_AUTH results lets an analyst tell whether a brute-force attempt succeeded: a res=success USER_AUTH from the same addr after a run of failures, followed by USER_LOGIN and USER_START records, means a credential was guessed. On the host itself `ausearch -m USER_AUTH --success no` lists the failed attempts and `aureport -au --failed` summarises them.
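As an added example (not from the original post), here is a small Python detector for the pattern described in Case 4. It scans USER_AUTH records, counts res=failed results per source addr inside a sliding time window, flags a burst of failures (or a burst spread over several accounts, which looks like password spraying) and, more importantly for triage, a res=success from the same address after such a burst. The records are constructed to mimic what sshd’s PAM stack writes; the thresholds (5 failures in 60 seconds, 3 distinct accounts) are arbitrary assumptions to tune for your environment.

```python
"""Flag SSH brute-force activity from USER_AUTH records in audit.log.

Added example, not code from the original post. The records are constructed;
timestamps, pids and addresses (RFC 5737 test ranges) are made up."""
import re
from collections import defaultdict, deque

SAMPLE_LOG = """\
type=USER_AUTH msg=audit(1714310400.100:1200): pid=4100 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="anu" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.7 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1714310405.100:1201): pid=4102 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="root" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.7 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1714310410.100:1202): pid=4104 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="admin" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.7 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1714310412.100:1203): pid=4106 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="anu" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.7 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1714310415.100:1204): pid=4108 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="anu" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.7 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1714310420.100:1205): pid=4110 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="anu" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.7 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1714310425.100:1206): pid=4112 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=pam_unix acct="anu" exe="/usr/sbin/sshd" hostname=203.0.113.7 addr=203.0.113.7 terminal=ssh res=success'
type=USER_LOGIN msg=audit(1714310425.200:1207): pid=4112 uid=0 auid=3424567 ses=7700 msg='op=login id=3424567 exe="/usr/sbin/sshd" hostname=203.0.113.7 addr=203.0.113.7 terminal=/dev/pts/2 res=success'
type=USER_AUTH msg=audit(1714310430.100:1208): pid=4120 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="bob" exe="/usr/sbin/sshd" hostname=? addr=198.51.100.5 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1714310440.100:1209): pid=4122 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=pam_unix acct="bob" exe="/usr/sbin/sshd" hostname=198.51.100.5 addr=198.51.100.5 terminal=ssh res=success'
"""

# Only the fields the detection needs; acct, addr and res appear in that order in PAM records.
REC = re.compile(
    r'type=USER_AUTH msg=audit\((?P<ts>\d+)\.\d+:\d+\):.*?'
    r'acct="?(?P<acct>[^"\s]+)"?.*?addr=(?P<addr>\S+).*?res=(?P<res>\w+)'
)


def detect(text, threshold=5, window=60, spray_accounts=3):
    """Return findings: a failure burst per source address, and any success after one."""
    recent = defaultdict(deque)   # addr -> (ts, acct) of failures still inside the window
    alerted = set()
    findings = []
    for line in text.splitlines():
        m = REC.search(line)
        if not m:
            continue              # other record types, or an acct auditd hex-encoded (not handled here)
        ts, acct, addr, res = int(m["ts"]), m["acct"], m["addr"], m["res"]
        q = recent[addr]
        while q and ts - q[0][0] > window:   # slide the window forward
            q.popleft()
        if res == "failed":
            q.append((ts, acct))
            accounts = {a for _, a in q}
            if len(q) >= threshold and addr not in alerted:
                alerted.add(addr)
                findings.append({"kind": "password_spray" if len(accounts) >= spray_accounts else "brute_force",
                                 "addr": addr, "failures": len(q), "accounts": sorted(accounts)})
        elif res == "success" and len(q) >= threshold:
            # the interesting case: the guessing worked, this session needs a look
            findings.append({"kind": "success_after_failures", "addr": addr, "acct": acct, "failures": len(q)})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f)
```

On the constructed input the first finding fires at the fifth failure from 203.0.113.7 (three different accounts, so it is labelled a spray) and the second when anu’s login from the same address succeeds; the single typo from 198.51.100.5 produces nothing. The success-after-failures finding is the one to escalate: the USER_LOGIN record that follows it carries the real auid and ses, which is the session to trace through subsequent USER_START, USER_CMD and SYSCALL records.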
Conclusion:
With the event types above, identifying what a Linux audit record describes, and reconstructing the scenario behind it, becomes much easier; the habit that pays off most is reading type= first, then the actor fields (auid, AUID, ses), then the target (id, acct, name) and the result (res, success).
Ref: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-audit_record_types