Auditd

This roles installs auditd and activate it with 3 differents logging tags that are described bellow:

1. exec_metal_admin
2. exec_container_admin
3. exec_container_user

1. Logging Commands by Admins on the Host

-a always,exit -F arch=b64 -S execve -F auid>=10000 -F auid<=10999 -k exec_metal_admin

• -a always,exit: Always log on syscall exit.
• -F arch=b64: Specifies the 64-bit architecture (b64).
• -S execve: Monitors the execve syscall, capturing all program executions.
• -F auid>=10000 -F auid<=10999: Filters logs for admin accounts with auid (Audit User ID) in the specified range, typically representing admin users on the host.
• -k exec_metal_admin: Tags logs with the key exec_metal_admin for easier log filtering.

2. Logging Commands by Admins in Containers

-a always,exit -F arch=b64 -S execve -F auid>=1010000 -F auid<=1010999 -k exec_container_admin

• Similar to the first rule but applied to container environments.
• The auid range (1010000 to 1010999) is intended for admin users within containers using ID mapping.

3. Logging Commands by Non-Admin Users in Containers

-a always,exit -F arch=b64 -S execve -F auid>=1012000 -F auid<=1012999 -k exec_container_user

• Captures commands by container user accounts with auid between 1012000 and 1012999.
• Uses the key exec_container_user to differentiate these logs from admin activities.

---

Noise Reduction Rules

The following rules exclude specific message types to reduce unnecessary log entries:

-a exclude,always -F msgtype=CRED_ACQ
-a exclude,always -F msgtype=CRED_DISP
-a exclude,always -F msgtype=CRED_REFR
-a exclude,always -F msgtype=CWD
-a exclude,always -F msgtype=PATH
-a exclude,always -F msgtype=PROCTITLE
-a exclude,always -F msgtype=SERVICE_START
-a exclude,always -F msgtype=SERVICE_STOP
-a exclude,always -F msgtype=SOCKADDR
-a exclude,always -F msgtype=USER_ACCT
-a exclude,always -F msgtype=USER_AUTH
-a exclude,always -F msgtype=USER_END
-a exclude,always -F msgtype=USER_START
-a exclude,always -F auid=4294967295

• -a exclude,always: Excludes specified message types from logs.
• msgtype=CRED_ACQ, CRED_DISP, CRED_REFR: Suppresses logs related to credential acquisition, disposal, and refresh.
• msgtype=CWD: Suppresses 'current working directory' logs.
• msgtype=PATH: Prevents detailed file path logs.
• msgtype=PROCTITLE: Avoids logging full commands with arguments.
• msgtype=SERVICE_START/STOP: Reduces noise by ignoring service start/stop events.
• msgtype=USER_START, USER_ACCT, USER_AUTH, USER_END: Filters out general user login/authentication events.
• msgtype=SOCKADDR: Omits network-related socket address logs.
• -F auid=4294967295: Excludes logs from system processes with an unset audit user ID.

---

Compliance and Validation

• Ensures all executed commands by admins and specific container users are logged.
• Provides clear user attribution through auid filtering, meeting ISO 27001 requirements.
• Noise reduction rules enhance the log signal-to-noise ratio, focusing on relevant events.

Log Shipping

Filebeat is used to send the logs to Elasticsearch for easy access via Kibana.

Auditd useful commands

Show current audit rules:

auditctl -l

Search logs by tags:

ausearch -k exec_metal_admin

Search by uid or uidnumber:

ausearch -ua adm-jgrauer