For some time I have been writing an Ansible playbook to provision a fresh CentOS 7 installation with Docker and the most secure setup I can manage.
On the security side I had initially only provisioned it with fail2ban, but in one of the weekly mailing lists I subscribe to I learned about the Linux audit framework, packaged as audit or auditd (those tend to be the package names; the systemd unit is auditd.service).
It is a powerful tool that you can use to monitor specific files or directories for changes (or even reads), and it records each access in great detail: the syscall, the process that made it, its real and effective UIDs, the login UID of the session it came from, and the path that was touched.
It is also quite flexible and comes with CLI tools that produce reports, search for specific events, or even trace a binary or PID to see which files and syscalls it uses.
auditctl: this is where you manage (CRUD) your rules.
ausearch: search for events. It is often better to pipe its output to aureport, which gives more human-digestible information on the events.
aureport: gives human-readable reports of events on your system (e.g., failed login attempts).
autrace: runs a process under tracing so you can view the files and syscalls it used.

Below I have written a small cheatsheet for each of these tools.

IMPORTANT: syscall rules take syscall names or numbers, and the numbers differ per architecture. A list of Linux syscalls can be obtained here: http://syscalls.kernelgrok.com/ , or on the machine itself with ausyscall --dump (part of the audit package; pass an architecture such as ausyscall i386 --dump to see a non-native table).
auditctl:

$ sudo auditctl -s    # status of the audit system: enabled flag, failure mode, backlog limit, lost events, PID of auditd
$ sudo auditctl -l    # list the rules currently loaded in the kernel
$ sudo auditctl -D    # delete all loaded rules
$ sudo auditctl -d never,task    # delete a single rule (here the never,task rule that some default configurations ship, which suppresses auditing of newly created tasks)
$ sudo auditctl -w /home/user/test_dir/ -k test_watch    # args: -w [path of the file or directory to monitor] -k [key/tag for this rule; you search by it later]
$ sudo auditctl -W /home/user/test_dir/ -k test_watch    # -W removes the watch added above
$ sudo auditctl -w /etc/passwd -p wa -k passwd_watch    # args: -p [accesses to monitor: [r]ead, [w]rite, e[x]ecute, [a]ttribute change]. If you omit -p, every syscall that touches the path is recorded, even the stat done by an ls, so the rule becomes very noisy.
$ sudo auditctl -a always,exit -F arch=b64 -S adjtimex,settimeofday -k time-change    # args: -a [action,list] -S [comma-separated list of syscalls]. Records every call of these syscalls on the 64-bit ABI; add a second rule with -F arch=b32 if 32-bit binaries can run. A path filter such as -F dir=/etc does not work here: adjtimex and settimeofday take no path, so such a rule never matches. Watch the timezone file separately with -w /etc/localtime -p wa -k time-change.
$ sudo auditctl -a always,exit -S all -F pid=1005    # record every syscall made by PID 1005 (very verbose; for a one-off look at a process, autrace below is the better tool)
$ sudo auditctl -e 0    # disable auditing
$ sudo auditctl -e 1    # enable auditing
$ sudo auditctl -e 2    # enable auditing and lock the configuration: the rules cannot be changed again until the next reboot, and attempts to change them are themselves audited and denied. Put this as the last line of your rules file once the rule set is settled.

Rules added with auditctl are lost on reboot. To make them persistent, put them in a file under /etc/audit/rules.d/ (on CentOS 7, augenrules merges every *.rules file in that directory into /etc/audit/audit.rules when the service starts; run sudo augenrules --load to apply them right away):

$ sudo vim /etc/audit/rules.d/[choose-a-nice-name-here].rules
-D
-w /home/user/test_dir/ -k test_watch
-w /etc/passwd -p wa -k passwd_watch
ausearch:

$ sudo ausearch -k test_watch    # args: -k [key of the rule you want events for]
$ sudo ausearch -k test_watch --raw | aureport -f -i    # same events as a file report; --raw keeps the log format aureport expects, -i interprets numeric IDs into names
$ sudo ausearch -a 27020    # args: -a [event id]. Every record of one event (SYSCALL, CWD, PATH, PROCTITLE, ...) shares the serial number in msg=audit(time:serial), and -a shows them together

aureport:

$ sudo aureport    # summary of everything. A high "Number of failed authentications" here could mean someone is trying to get into this machine without permission.
$ sudo aureport -au    # authentication attempts: user, host, terminal, executable, success
$ sudo aureport -au | grep no    # only the failed ones
$ sudo aureport -u -i    # per-user report, with UIDs interpreted as names
$ sudo aureport -x --summary    # which executables generated events, and how many each
$ sudo aureport --failed    # only failed events
$ sudo aureport -f -i    # file access report
$ sudo aureport -f -i --summary    # same, aggregated per file

autrace:

$ sudo autrace /bin/date    # runs the command with a temporary "all syscalls of this PID" rule. It needs the rule list to be empty, so flush it with auditctl -D first (and reload your rules file afterwards). When the process exits it prints the PID it traced; search for that PID and pipe the result through aureport for a readable view, e.g.:
$ sudo ausearch -p 27020 --raw | aureport -f -i

Sources:
https://www.linux.com/learn/customized-file-monitoring-auditd
https://www.linux.com/learn/linux-system-monitoring-and-more-auditd
https://www.digitalocean.com/community/tutorials/how-to-use-the-linux-auditing-system-on-centos-7
https://www.digitalocean.com/community/tutorials/how-to-write-custom-system-audit-rules-on-centos-7
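As an added example (my own code for this post, not part of the audit package), the script below does by hand what ausearch -k KEY | aureport -f -i and aureport -au do: it groups raw /var/log/audit/audit.log records into events by the serial number in msg=audit(time:serial), filters on the rule key, decodes the hex-encoded fields that -i would interpret (proctitle in particular), and tabulates file accesses and authentication results. The sample log lines are constructed to look like what the watches in the cheatsheet produce; PIDs, inodes, timestamps and the addresses are made up, and the syscall-number table covers only a few x86_64 calls.

```python
"""Hand-rolled version of `ausearch -k KEY | aureport -f -i` and `aureport -au`.

Added example for this post, not code from the audit package. SAMPLE_LOG is
constructed to mimic /var/log/audit/audit.log; PIDs, inodes, times, addresses are made up.
"""
import re

# Every record starts with type=... msg=audit(EPOCH.MS:SERIAL). All records of one
# event share the serial, which is how `ausearch -a SERIAL` stitches them back together.
_HEADER = re.compile(r"^type=(\w+) msg=audit\(([\d.]+):(\d+)\):\s*(.*)$")
# key=value pairs: a quoted value is literal, a bare value runs to the next space.
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# auditd writes these string fields unquoted and hex-encoded when they contain spaces,
# quotes or control characters; proctitle is always hex with NUL between arguments.
HEX_ENCODED_FIELDS = {"proctitle", "name", "comm", "exe", "cwd", "acct", "key"}
# Tiny subset of the x86_64 table (ausyscall --dump prints the whole thing).
SYSCALL_NAMES_X86_64 = {2: "open", 82: "rename", 87: "unlink", 90: "chmod", 257: "openat"}
ARCH_X86_64 = "c000003e"  # arch= value on 64-bit x86 records; i386 is 40000003

SAMPLE_LOG = """\
type=SYSCALL msg=audit(1571913120.113:27020): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffe5d1c3c30 a2=941 a3=1b6 items=2 ppid=2100 pid=2187 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="touch" exe="/usr/bin/touch" key="test_watch"
type=CWD msg=audit(1571913120.113:27020):  cwd="/home/user"
type=PATH msg=audit(1571913120.113:27020): item=0 name="/home/user/test_dir/" inode=67890 dev=fd:01 mode=040755 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1571913120.113:27020): item=1 name="/home/user/test_dir/newfile" inode=67891 dev=fd:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE
type=PROCTITLE msg=audit(1571913120.113:27020): proctitle=746F756368002F686F6D652F757365722F746573745F6469722F6E657766696C65
type=SYSCALL msg=audit(1571913131.540:27021): arch=c000003e syscall=2 success=no exit=-13 a0=7ffd2b0c1a10 a1=441 a2=1b6 a3=0 items=1 ppid=2300 pid=2301 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=5 comm="bash" exe="/usr/bin/bash" key="passwd_watch"
type=CWD msg=audit(1571913131.540:27021):  cwd="/home/mallory"
type=PATH msg=audit(1571913131.540:27021): item=0 name="/etc/passwd" inode=1234 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PROCTITLE msg=audit(1571913131.540:27021): proctitle=2D62617368
type=USER_AUTH msg=audit(1571913200.001:27031): pid=2401 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="root" exe="/usr/sbin/sshd" hostname=203.0.113.5 addr=203.0.113.5 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1571913203.215:27032): pid=2403 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="root" exe="/usr/sbin/sshd" hostname=203.0.113.5 addr=203.0.113.5 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1571913260.772:27040): pid=2410 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=pam_unix acct="user" exe="/usr/sbin/sshd" hostname=198.51.100.7 addr=198.51.100.7 terminal=ssh res=success'
"""


def parse_fields(body):
    """Turn one record body into a dict, decoding hex-encoded string fields like -i does."""
    fields = {}
    for m in _FIELD.finditer(body):
        key, quoted, bare = m.group(1), m.group(2), m.group(3)
        if quoted is not None:
            fields[key] = quoted
        elif key in HEX_ENCODED_FIELDS:
            try:
                fields[key] = bytes.fromhex(bare).replace(b"\x00", b" ").decode("utf-8", "replace")
            except ValueError:  # e.g. key=(null) on a rule that had no -k
                fields[key] = bare
        else:
            fields[key] = bare.strip("'")  # drops the quotes around msg='...' on USER_* records
    return fields


def parse_events(lines):
    """Group raw records into events, ordered by serial number."""
    events = {}
    for line in lines:
        m = _HEADER.match(line.strip())
        if not m:
            continue  # blank or truncated line
        rtype, ts, serial, body = m.groups()
        ev = events.setdefault(int(serial), {"serial": int(serial), "time": float(ts), "records": []})
        ev["records"].append((rtype, parse_fields(body)))
    return [events[s] for s in sorted(events)]


def _first(event, rtype, field=None):
    """First record of the given type in an event (or one field of it)."""
    for t, f in event["records"]:
        if t == rtype:
            return f if field is None else f.get(field)
    return None


def search_key(events, key):
    """ausearch -k KEY: events whose SYSCALL record carries the key (several keys are joined by a 0x01 byte)."""
    return [ev for ev in events if key in (_first(ev, "SYSCALL", "key") or "").split("\x01")]


def file_report(events):
    """aureport -f -i: one row per PATH item, with syscall name, outcome, executable and login uid."""
    rows = []
    for ev in events:
        sc = _first(ev, "SYSCALL")
        if sc is None:
            continue  # USER_* events have no syscall or path
        nr = int(sc["syscall"])
        # the number only means something together with arch=, hence -F arch= in syscall rules
        name = SYSCALL_NAMES_X86_64.get(nr, str(nr)) if sc.get("arch") == ARCH_X86_64 else str(nr)
        for t, f in ev["records"]:
            if t == "PATH":
                rows.append({"event": ev["serial"], "file": f["name"], "syscall": name,
                             "success": sc["success"] == "yes", "exe": sc["exe"],
                             "auid": int(sc["auid"]), "proctitle": _first(ev, "PROCTITLE", "proctitle")})
    return rows


def auth_report(events):
    """aureport -au: one row per USER_AUTH record; success=False rows are what `aureport -au | grep no` shows."""
    return [{"event": ev["serial"], "acct": f.get("acct"), "addr": f.get("addr"), "terminal": f.get("terminal"),
             "exe": f.get("exe"), "success": f.get("res") == "success"}
            for ev in events for t, f in ev["records"] if t == "USER_AUTH"]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG.splitlines())
    for row in file_report(search_key(evs, "test_watch")) + file_report(search_key(evs, "passwd_watch")):
        print(row)
    failed = [r for r in auth_report(evs) if not r["success"]]
    print("failed authentications:", len(failed), "from", sorted({r["addr"] for r in failed}))
```

On a real box, feed the lines of /var/log/audit/audit.log (readable only as root) to parse_events; the rest is the same. Two details worth noticing in the output: the failed open of /etc/passwd is recorded with success=no and the login UID of the user who tried it, which is what makes -w /etc/passwd -p wa worth having, and the syscall name depends on the arch= field of the record, which is why syscall rules should always carry -F arch=.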