How to enable OS Auditing on Linux?

Information

Title: How to enable OS Auditing on Linux?
URL Name: How-to-enable-OS-Auditing-on-Linux
Article Number: 000175159
Environment:
Product: OpenEdge
Version: 11.7.5
OS: Linux
Other: OS Audit
Question/Problem Description
How to enable OS Auditing on Linux?
How can OS Audit help in troubleshooting processes being killed?
Enabling OS Audit to look for processes being killed.
Resolution
To enable OS Audit to look for processes being killed, follow these steps on Linux.

Install the audit daemon. On CentOS/RHEL the RPM package is named "audit" (it provides auditd, auditctl and ausearch); on Debian/Ubuntu the package is named "auditd".

# yum install audit

Enable the auditd service to start at boot and start it with the "service" command:

# systemctl enable auditd
# service auditd start

Configuring an auditd rule to monitor the kill SYSCALL
Create a rule that records every call to the "kill" system call, so that each signal sent to a process, and the process and user that sent it, is logged.
  1. Add the rule below to the auditd rules configuration file /etc/audit/rules.d/audit.rules:
# vi /etc/audit/rules.d/audit.rules
-a exit,always -F arch=b64 -S kill -k kill_rule
Note: "arch" selects the syscall table (CPU architecture) to watch. On a 32-bit OS use "arch=b32". A 64-bit kernel also runs 32-bit binaries, and those enter the kernel through the b32 table, so add a second copy of the rule with arch=b32 if such processes need to be covered.
  2. Restart the auditd service for the new rule to take effect. Use the "service" command: on RHEL/CentOS 7 the auditd systemd unit is marked RefuseManualStop, so "systemctl restart auditd" is refused, whereas the service script (or "augenrules --load") reloads the rules.
# service auditd restart
  3. Verify that the defined rules are active with "auditctl -l". auditctl prints the rule in its normalized form, so the action/list order and the key syntax differ slightly from what was typed:
# auditctl -l
-a always,exit -F arch=b64 -S kill -F key=kill_rule

Verify: check that the rule just created actually works by starting a "sleep 600" process and killing it. This should generate an audit event with details such as who killed the process (auid/uid) and with what program/command.
  1. Spawn a simple sleep process in the background.
# sleep 600 &
  2. Find the process ID of the sleep process and kill it.
# ps -ef | grep sleep
root 2089 1784 0 15:12 pts/0 00:00:00 sleep 600
# kill -9 2089
  3. Check the audit log file /var/log/audit/audit.log for the kill audit records. The event should look similar to the one shown below.
# tail -f /var/log/audit/audit.log
type=SYSCALL msg=audit(1529507591.700:304): arch=c000003e syscall=62 success=yes exit=0 a0=829 a1=9 a2=0 a3=829 items=0 ppid=1783 pid=1784 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="bash" exe="/usr/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="kill_rule"
type=OBJ_PID msg=audit(1529507591.700:304): opid=2089 oauid=1001 ouid=0 oses=1 obj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 ocomm="sleep"
type=PROCTITLE msg=audit(1529507591.700:304): proctitle="-bash"
  4. The raw audit log can be hard to search for the records of interest. The "ausearch" command can be used with the key defined in the rule (add "-i" to translate numeric fields such as uid, arch and syscall into names). For example:
# ausearch -k kill_rule
type=PROCTITLE msg=audit(1529507591.700:304): proctitle="-bash"
type=OBJ_PID msg=audit(1529507591.700:304): opid=2089 oauid=1001 ouid=0 oses=1 obj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 ocomm="sleep"
type=SYSCALL msg=audit(1529507591.700:304): arch=c000003e syscall=62 success=yes exit=0 a0=829 a1=9 a2=0 a3=829 items=0 ppid=1783 pid=1784 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="bash" exe="/usr/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="kill_rule"
  5. In a test environment, start an OpenEdge process and then use UNIX kill signals to kill it. The same pair of SYSCALL and OBJ_PID records, tied together by the msg=audit(timestamp:serial) value, identifies the sender.
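The whole procedure above (rule file, reload, and reading the SYSCALL/OBJ_PID pair) as one added example. This is not code from the Progress article: it writes a rule set that also covers 32-bit callers and the tkill/tgkill variants, and reduces audit records to one line per kill event, decoding the hexadecimal a0/a1/a2 arguments into a target PID and signal. Assumptions: the key "kill_rule" from the article, a hypothetical rules file name /etc/audit/rules.d/kill.rules, augenrules(8) being present for the reload, and the x86 syscall numbers (kill/tkill/tgkill are 62/200/234 on x86_64 and 37/238/270 on i386). The sample log embeds the article's own records plus a constructed tgkill event from a process called "supervisor".

```sh
#!/bin/sh
# Added example (not part of the Progress article). Builds an auditd rule set for
# kill/tkill/tgkill on both syscall tables and summarises the resulting records.

# Rule text for /etc/audit/rules.d/kill.rules (file name is an assumption).
# Both tables are needed on an x86_64 host because 32-bit binaries enter through
# the b32 table; tkill/tgkill are included because some runtimes use them instead of kill(2).
kill_audit_rules() {
    key="${1:-kill_rule}"
    printf '%s\n' \
        "-a always,exit -F arch=b64 -S kill -S tkill -S tgkill -k $key" \
        "-a always,exit -F arch=b32 -S kill -S tkill -S tgkill -k $key"
}

# Write the rules and load them (needs root). augenrules merges rules.d into
# /etc/audit/audit.rules; the service restart is the article's fallback method.
install_kill_audit_rules() {
    kill_audit_rules "$1" > /etc/audit/rules.d/kill.rules
    augenrules --load 2>/dev/null || service auditd restart
    auditctl -l
}

# Read raw audit records (audit.log or ausearch -k output) on stdin and print one
# line per event: the SYSCALL record gives sender, signal and target, the OBJ_PID
# record names the target process. Records are joined on "timestamp:serial".
summarize_kill_events() {
    awk '
    function hex2dec(h,   i, c, v) {           # a0..a3 are printed in hex
        sub(/^0x/, "", h); v = 0
        for (i = 1; i <= length(h); i++) {
            c = index("0123456789abcdef", tolower(substr(h, i, 1)))
            if (c == 0) return -1
            v = v * 16 + c - 1
        }
        return v
    }
    function field(line, name,   m) {          # value of name=... with quotes stripped
        if (!match(line, "(^| )" name "=(\"[^\"]*\"|[^ ]*)")) return ""
        m = substr(line, RSTART, RLENGTH)
        sub(/^ /, "", m); sub("^" name "=", "", m); gsub(/"/, "", m)
        return m
    }
    BEGIN {
        signame[1] = "HUP"; signame[2] = "INT"; signame[3] = "QUIT"; signame[6] = "ABRT"
        signame[9] = "KILL"; signame[10] = "USR1"; signame[12] = "USR2"; signame[15] = "TERM"
        # (arch,syscall number) -> name; x86_64 table first, then i386
        sc["c000003e,62"] = "kill"; sc["c000003e,200"] = "tkill"; sc["c000003e,234"] = "tgkill"
        sc["40000003,37"] = "kill"; sc["40000003,238"] = "tkill"; sc["40000003,270"] = "tgkill"
    }
    {
        if (!match($0, /msg=audit\([0-9.]+:[0-9]+\)/)) next
        id = substr($0, RSTART + 10, RLENGTH - 11)   # "timestamp:serial"
        if (!(id in seen)) { seen[id] = 1; order[++n] = id }
        type = field($0, "type")
        if (type == "SYSCALL") {
            callname[id] = sc[field($0, "arch") "," field($0, "syscall")]
            if (callname[id] == "") callname[id] = "syscall" field($0, "syscall")
            # kill(pid,sig) and tkill(tid,sig) carry the signal in a1, tgkill(tgid,tid,sig) in a2
            sig = hex2dec(field($0, (callname[id] == "tgkill") ? "a2" : "a1"))
            sigtxt[id] = (sig in signame) ? sig "/SIG" signame[sig] : sig
            tpid[id] = hex2dec(field($0, "a0"))
            killer[id] = "killer_pid=" field($0, "pid") " killer_comm=" field($0, "comm") \
                         " killer_exe=" field($0, "exe") " auid=" field($0, "auid") \
                         " uid=" field($0, "uid") " tty=" field($0, "tty")
            rkey[id] = field($0, "key")
        } else if (type == "OBJ_PID") {
            opidv[id] = field($0, "opid"); ocommv[id] = field($0, "ocomm")
        }
    }
    END {
        for (i = 1; i <= n; i++) {
            id = order[i]
            if (!(id in callname)) continue
            tp = (id in opidv) ? opidv[id] : tpid[id]
            tc = (id in ocommv) ? ocommv[id] : "?"
            printf "audit_id=%s call=%s signal=%s target_pid=%s target_comm=%s %s key=%s\n",
                   id, callname[id], sigtxt[id], tp, tc, killer[id], rkey[id]
        }
    }'
}

# Constructed sample: the article's kill -9 of "sleep" (serial 304) plus an invented
# SIGTERM sent with tgkill by a process "supervisor" to a thread of "worker" (serial 310).
SAMPLE_AUDIT_LOG=$(cat <<'EOF'
type=SYSCALL msg=audit(1529507591.700:304): arch=c000003e syscall=62 success=yes exit=0 a0=829 a1=9 a2=0 a3=829 items=0 ppid=1783 pid=1784 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="bash" exe="/usr/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="kill_rule"
type=OBJ_PID msg=audit(1529507591.700:304): opid=2089 oauid=1001 ouid=0 oses=1 obj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 ocomm="sleep"
type=PROCTITLE msg=audit(1529507591.700:304): proctitle="-bash"
type=SYSCALL msg=audit(1529507650.123:310): arch=c000003e syscall=234 success=yes exit=0 a0=9c4 a1=9c5 a2=f a3=0 items=0 ppid=1 pid=2400 auid=4294967295 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=4294967295 comm="supervisor" exe="/usr/local/bin/supervisor" subj=system_u:system_r:unconfined_service_t:s0 key="kill_rule"
type=OBJ_PID msg=audit(1529507650.123:310): opid=2501 oauid=-1 ouid=1001 oses=-1 obj=system_u:system_r:unconfined_service_t:s0 ocomm="worker"
type=PROCTITLE msg=audit(1529507650.123:310): proctitle="/usr/local/bin/supervisor"
EOF
)

case "${1:-}" in
    install) install_kill_audit_rules "${2:-kill_rule}" ;;   # root: write + load the rules
    *) kill_audit_rules
       printf '%s\n' "$SAMPLE_AUDIT_LOG" | summarize_kill_events ;;
esac
```

Run with no arguments to print the rule text and the two summarised events from the embedded sample; on a real host, "ausearch -k kill_rule | sh this_script.sh" style piping is not needed, simply feed /var/log/audit/audit.log or the ausearch output into summarize_kill_events. Note that the summary works on either record order, since audit.log writes SYSCALL first while ausearch prints PROCTITLE first.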
Notes
On CentOS/RHEL 6, the configuration file is /etc/audit/audit.rules instead of /etc/audit/rules.d/audit.rules.
-a exit,always – the action and the list. "always" means always generate a record, and "exit" means the rule is evaluated on the exit list, i.e. when the kernel returns from the system call. The order of the two words does not matter; auditctl -l prints always,exit.
-F arch=b64 – the -F option adds a field filter to the rule. b64 means the 64-bit x86_64 syscall table (whether the CPU is Intel or AMD doesn't matter).
-S kill – the -S option specifies the system call to monitor.
-k kill_rule – a user-defined key attached to every record the rule generates, used with ausearch -k.

Reading the records: in the SYSCALL record, syscall=62 is kill(2) on x86_64 (arch=c000003e), a0 is the target PID in hexadecimal (a0=829 is PID 2089) and a1 is the signal number (a1=9 is SIGKILL). pid, comm and exe identify the sending process, and auid is the login user it belongs to even if it has since become uid 0 via su or sudo. The OBJ_PID record describes the target (opid, ocomm). Only signals delivered through kill(2) are caught by this rule; a process signalled with tkill/tgkill, or terminated by the kernel itself (for example SIGSEGV or the OOM killer), produces no such record unless those paths are audited separately.

References to Other Documentation:

Progress Article(s):

Guidelines on the use of UNIX kill command to stop a process
Events that could cause a process to terminate abnormally
Last Modified Date: 11/20/2020 6:54 AM