Install the Linux Audit System

Provides instructions for installing the Linux Audit System.

About this task

EFA is based on the Ubuntu operating system, which by default, does not come with auditd (Linux Audit System) installed. Perform the instructions that follow to install it in EFA. During the installation process, auditd is enabled by default via systemctl and starts writing audit trail log data to the file /var/log/audit/audit.log.

To install, run the following command:

# apt-get install auditd
This is example output:
type=DAEMON_START msg=audit(1591152521.117:3494): op=start ver=2.8.2 format=raw kernel=5.3.0-53-generic auid=4294967295 pid=27162 uid=0 ses=4294967295 subj=unconfined  res=success
type=CONFIG_CHANGE msg=audit(1591152521.153:23): op=set audit_backlog_limit=8192 old=64 auid=4294967295 ses=4294967295 res=1
type=CONFIG_CHANGE msg=audit(1591152521.157:24): op=set audit_failure=1 old=1 auid=4294967295 ses=4294967295 res=1
type=CONFIG_CHANGE msg=audit(1591152521.157:25): op=set audit_backlog_wait_time=0 old=15000 auid=4294967295 ses=4294967295 res=1
type=SERVICE_START msg=audit(1591152521.157:26): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=auditd comm="systemd" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'

You can produce more interesting data from the audit.log file when you authenticate to the EFA host. In this case, the audit trail data for the user ‘extreme‘ authenticating via SSH is displayed:

type=USER_LOGIN msg=audit(1591975761.779:39): pid=7894 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="extreme" exe="/usr/sbin/sshd" hostname=? addr=192.168.10.12 terminal=sshd res=failed'
type=USER_AUTH msg=audit(1591975763.219:40): pid=7894 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="extreme" exe="/usr/sbin/sshd" hostname=192.168.10.12 addr=192.168.10.12 terminal=ssh res=success'
type=USER_ACCT msg=audit(1591975763.219:41): pid=7894 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting acct="extreme" exe="/usr/sbin/sshd" hostname=192.168.10.12 addr=192.168.10.12 terminal=ssh res=success'
type=CRED_ACQ msg=audit(1591975763.223:42): pid=7894 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred acct="extreme" exe="/usr/sbin/sshd" hostname=192.168.10.12 addr=192.168.10.12 terminal=ssh res=success'
type=LOGIN msg=audit(1591975763.223:43): pid=7894 uid=0 old-auid=4294967295 auid=1000 tty=(none) old-ses=4294967295 ses=127 res=1
type=USER_START msg=audit(1591975764.487:44): pid=7894 uid=0 auid=1000 ses=127 msg='op=PAM:session_open acct="extreme" exe="/usr/sbin/sshd" hostname=192.168.10.12 addr=192.168.10.12 terminal=ssh res=success'
type=CRED_ACQ msg=audit(1591975764.491:45): pid=8113 uid=0 auid=1000 ses=127 msg='op=PAM:setcred acct="extreme" exe="/usr/sbin/sshd" hostname=192.168.10.12 addr=192.168.10.12 terminal=ssh res=success'
type=USER_LOGIN msg=audit(1591975764.547:46): pid=7894 uid=0 auid=1000 ses=127 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=192.168.10.12 addr=192.168.10.12 terminal=/dev/pts/1 res=success'

Further, when the ‘extreme‘ user authenticates to the ‘efa‘ command line with efa login, the following audit trail message is generated (in case of success):

type=USER_AUTH msg=audit(1591975780.823:47): pid=21139 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="extreme" exe="/apps/bin/hostauth" hostname=? addr=? terminal=? res=success'

And here is the output in case of failures:

type=USER_AUTH msg=audit(1591976323.760:58): pid=21139 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="extreme" exe="/apps/bin/hostauth" hostname=? addr=? terminal=? res=failed'