RHEL6: Composing Custom Auditd Rules for Fun and Profit

Auditd gives you the ability to write your own custom audit rules. This functionality allows an administrator to keep a close eye on system calls, file access, and user behavior. It is especially useful in environments that are required to adhere to compliance standards above and beyond the usual ones. Think PCI.

One of the simplest rules to add is a watch rule, which can be set on files and directories. In the example below we are watching the /etc/passwd file for permission changes (writes and attribute changes specifically). We are also creating a custom key to use for organizational purposes, so the resulting events can be searched by that key later.

[root@ip-172-31-21-28 ~]# auditctl -w /etc/passwd -p wa -k edit_watch

Here is a cool one – let's audit all binary executions under /usr/bin.

[root@ip-172-31-21-28 ~]# auditctl -w /usr/bin -p x

Using the -l option you can list your current audit rules, and using the -s option you can see the current status of the auditd subsystem.

[root@ip-172-31-21-28 ~]# auditctl -l
LIST_RULES: exit,always watch=/etc/passwd perm=wa key=edit_watch
LIST_RULES: exit,always dir=/usr/bin (0x8) perm=x

[root@ip-172-31-21-28 ~]# auditctl -s
AUDIT_STATUS: enabled=1 flag=1 pid=741 rate_limit=0 backlog_limit=320 lost=0 backlog=0
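Rules added with auditctl on the command line are gone after a reboot; on RHEL6 they persist only if the same lines are written to /etc/audit/audit.rules (loaded again by `service auditd restart` or `auditctl -R /etc/audit/audit.rules`). The script below is an added example, not part of the original post: `build_watch_rules` emits the persistent form of the two watches above, and `watch_loaded` checks a copy of the `auditctl -l` output for a watch on a given path with at least the requested permissions, which is the check a compliance script would run after loading the rules. The rule listing embedded in the script is a constructed sample in the format shown above; a real check would feed it the live output of `auditctl -l`.

```shell
#!/bin/sh
# Constructed sample of `auditctl -l` output on RHEL6, in the format shown in the post.
# A live check would use:  RULE_LIST=$(auditctl -l 2>/dev/null)
SAMPLE_RULE_LIST='LIST_RULES: exit,always watch=/etc/passwd perm=wa key=edit_watch
LIST_RULES: exit,always dir=/usr/bin (0x8) perm=x'

# Emit watch rules in the line format used by /etc/audit/audit.rules.
# Arguments come in groups of three: path perms key ("-" for no key).
build_watch_rules() {
    while [ "$#" -ge 3 ]; do
        if [ "$3" = "-" ]; then
            printf '%s\n' "-w $1 -p $2"
        else
            printf '%s\n' "-w $1 -p $2 -k $3"
        fi
        shift 3
    done
}

# Return 0 if the rule list ($1) contains a watch (file or dir) on path ($2)
# whose perm set includes every letter of the requested perms ($3), else 1.
# The path is used as a regular expression, so keep it to plain filenames.
watch_loaded() {
    list="$1"; path="$2"; want="$3"
    line=$(printf '%s\n' "$list" | grep -E "(watch|dir)=$path( |\$)" | head -n 1)
    [ -n "$line" ] || return 1
    have=$(printf '%s\n' "$line" | sed -n 's/.*perm=\([rwxa]*\).*/\1/p')
    # Split the requested perms into single letters and require each one.
    for letter in $(printf '%s' "$want" | sed 's/./& /g'); do
        case "$have" in
            *"$letter"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Stand-alone demo: print the persistent rules, then verify the sample listing.
build_watch_rules /etc/passwd wa edit_watch /usr/bin x -
if watch_loaded "$SAMPLE_RULE_LIST" /etc/passwd wa; then
    echo "OK: /etc/passwd is watched for writes and attribute changes"
fi
if ! watch_loaded "$SAMPLE_RULE_LIST" /etc/shadow w; then
    echo "MISSING: no write watch on /etc/shadow"
fi
```

To make the watches survive a reboot, append the output of `build_watch_rules` to /etc/audit/audit.rules and reload with `service auditd restart`; once events are flowing, `ausearch -k edit_watch` pulls out everything tagged with the key from the first rule, which is the payoff of naming it.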

Want to get down and dirty with audit rules? You can check out the audit rules man page by running the command below.

[root@ip-172-31-21-28 ~]# man audit.rules


How to Configure Alerting on TouchDown for Android

I have had a Blackberry attached to my hip for longer than I care to remember (before that it was a Motorola pager, yick). As a systems administrator, email alerting from Exchange has been functionality that I must have working without too many issues or too much hassle. Missing an alert email at 4 am is just not an option.

However, the call of a real smartphone was just too much for me, and I decided to get rid of my Blackberry and get the HTC G2, after talking to several folks who use TouchDown for connecting to Exchange. More about TouchDown here.

Installing TouchDown from the Android Marketplace is as simple as can be, and the initial configuration via ActiveSync is also pretty easy and well documented, so I will not go into that here.

So onto Custom Alerting…

My alerting rules are actually pretty simple.

  1. No alerts of any kind on standard emails
  2. Alerts on emails from certain individuals
  3. Alerts on email to our on-call email address

To set up your custom alerts, navigate to the Advanced tab under Settings and make sure that “Notify on new mail” is selected.

Then scroll to the bottom of the page, click on Email Alerts and select No notifications (I know, this did not make sense to me at first either). Then click on Manage Rules and add a rule with the “New Rule…” button.

Pick a name for your rule such as “Oncall Email” and set the “Message Rule Type” to Contains String/Email Address. Select Search To and enter the email address in the “Search String”. For example, you might enter “alerts@mycompany.com”.

Then click “Custom Notification” and select “Custom settings”. Here you configure sounds, lights, and vibrations for your custom alerts. I usually check “Play Sound”, “Custom Sound” and “Nag until cancelled”. At the very bottom you can select the specific sound to play; make sure it's particularly annoying. Make sure to save and test your new custom alerting rule.

Setting up an email alert for emails from certain individuals is pretty much the same as above, except you will select “Search from” when setting up the search string. Remember to use full email addresses, not just names.

There might be an easier way to do this, but my setup works without issues, unless OWA is down, and that's another issue entirely.