Auditd

auditd
config
framework
examples
aulastlog
aulast
auvirt
aureport
real life example
more reading

auditd

from the man page

" auditd is the userspace component to the Linux Auditing System. It’s responsible for writing audit records to the disk. Viewing the logs is done with the ausearch or aureport utilities. Configuring the audit rules is done with the auditctl utility. During startup, the rules in /etc/audit/audit.rules are read by auditctl. The audit daemon itself has some configuration options that the admin may wish to customize. They are found in the auditd.conf file"

config

/etc/audit/auditd.conf - configuration file for audit daemon
/etc/audit/audit.rules - audit rules to be loaded at startup

Auditd is an extraordinarily powerful monitoring tool. As anyone who has ever looked at it can attest, usability is its primary weakness.
On CentOS it is set to run by default.

framework

The Auditd framework has several components:

Kernel:

audit: hooks into the kernel to capture events and deliver them to auditd

Binaries:

auditd: daemon to capture events and store them (log file)
auditctl: client tool to configure auditd
audispd: daemon to multiplex events
aureport: reporting tool which reads from the log file (audit.log)
ausearch: event viewer (audit.log)
autrace: uses the audit component in the kernel to trace binaries
aulast: similar to last, but uses the audit framework instead
aulastlog: similar to lastlog, also using the audit framework instead
ausyscall: maps syscall IDs to names and back
auvirt: displays audit information regarding virtual machines

examples

ausearch -f /etc/passwd # shows the audit events recorded for the specified file, e.g. when it was last accessed
ausearch -f /etc/secret_directory # check whether a specific directory (e.g. /etc/secret_directory) has been accessed by anyone
aureport --start today # shows a summary of the audit events from today
aureport -if audit.log.1 -ts 01/01/2014 -te 05/12/2014 # search through an older, rotated log file for a date range

aureport

from the man page

aureport - a tool that produces summary reports of audit daemon logs

aulastlog

a more primitive version of lastlog but uses the audit framework (i.e. the auditd daemon needs to be running)
non-root users cannot normally run aulastlog
lastlog data is kept in a database, i.e. /var/log/lastlog

aulast

similar to last but uses the audit framework (i.e. the auditd daemon needs to be running)

from the man page

The main difference that a user will notice is that aulast prints events from oldest to newest, while last prints records from newest to oldest. Also, the audit system is not notified each time a tty or pty is allocated, so you may not see quite as many records indicating users and their tty’s.

auvirt

from the man page: a program that shows data related to virtual machines

a more useful description: the auvirt tool searches the audit log for records generated by libvirt to show a list of virtual machine sessions. It also looks at some other events such as host shutdowns, AVC denials related to guests, and anomaly events associated with QEMU processes.

with examples at http://www.ibm.com/developerworks/library/l-kvm-libvirt-audit/

real life example

While trying to work out who or what was deleting a file (/var/lock/cron.d)...

make sure auditd is started
auditctl -w /var/lock/cron.d -p war -k password-file # watch the file for write, attribute-change and read access; tag matching events with the key "password-file"

ausearch -f /var/lock/cron.d # list the events recorded for the watched file
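Both the ausearch/aureport examples above and the real-life watch on /var/lock/cron.d end with the same task: reading raw audit records and working out who did what. Note that ausearch -f only returns events that a loaded rule (a -w watch or a syscall rule) caused the kernel to record, which is why the watch is added first. The Python script below is an added example, not code from this page or from the Linux audit project. It parses the raw audit.log line format (what ausearch -r prints), joins the SYSCALL, CWD and PATH records of one event by their audit(timestamp:serial) id, decodes the hex-encoded values auditd emits for paths containing spaces, and answers the "who or what deleted it" question for the rule -w /var/lock/cron.d -p war -k password-file. The log lines it runs on are constructed (inodes, pids and timestamps are made up), and the syscall table is an assumption covering only a handful of x86_64 numbers; on a real host ausyscall supplies the full mapping.

```python
"""Correlate raw auditd records into per-event summaries (added example, not from the page
or the audit project). Answers: who or what deleted the watched file /var/lock/cron.d?"""
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample records (inodes, pids, timestamps are made up): what the rule
# `auditctl -w /var/lock/cron.d -p war -k password-file` would log when user bob (uid 1001)
# reads the file and a root shell belonging to login user 1000 removes it.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1399612300.500:4560): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd00000001 a2=0 a3=0 items=1 ppid=1 pid=2100 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=4 comm="cat" exe="/usr/bin/cat" key="password-file"
type=CWD msg=audit(1399612300.500:4560):  cwd=2F686F6D652F626F62206A
type=PATH msg=audit(1399612300.500:4560): item=0 name="/var/lock/cron.d" inode=131140 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1399612345.123:4567): arch=c000003e syscall=87 success=yes exit=0 a0=7ffd12345678 a1=0 a2=0 a3=0 items=2 ppid=2001 pid=2045 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="rm" exe="/usr/bin/rm" key="password-file"
type=CWD msg=audit(1399612345.123:4567):  cwd="/root"
type=PATH msg=audit(1399612345.123:4567): item=0 name="/var/lock/" inode=131073 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1399612345.123:4567): item=1 name="/var/lock/cron.d" inode=131140 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE
"""

# Assumed partial x86_64 (arch=c000003e) table; `ausyscall --dump` gives the real, full mapping.
SYSCALL_NAMES = {"c000003e": {1: "write", 2: "open", 87: "unlink", 257: "openat", 263: "unlinkat"}}
UNSET_AUID = "4294967295"  # auid of processes with no login session (daemons, cron jobs)

# Lines may carry a leading "node=..." when the daemon is configured to add it.
HEADER = re.compile(r"^(?:node=\S+ )?type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S*)')
HEX_FIELDS = {"name", "comm", "exe", "cwd", "proctitle"}  # hex-encoded (unquoted) when they hold spaces/odd bytes


def decode_value(key, raw):
    """Strip quotes, or hex-decode an unquoted path/command field."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    if key in HEX_FIELDS and raw and len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-F]+", raw):
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw


def parse_record(line):
    """One raw line -> dict with type, time, serial and decoded fields (None if not a record)."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    fields = {k: decode_value(k, v) for k, v in FIELD.findall(body)}
    return {"type": rtype, "time": float(ts), "serial": int(serial), "fields": fields}


def summarize(records):
    """Flatten one event's records into the fields an investigator asks for."""
    sys_rec = next((r for r in records if r["type"] == "SYSCALL"), None)
    if sys_rec is None:  # events without a SYSCALL record (e.g. USER_LOGIN) are not summarized here
        return None
    f = sys_rec["fields"]
    nr = int(f["syscall"]) if f.get("syscall", "").isdigit() else None
    auid = f.get("auid")
    return {
        "time": datetime.fromtimestamp(sys_rec["time"], timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
        "serial": sys_rec["serial"], "key": f.get("key"), "success": f.get("success"),
        "syscall": SYSCALL_NAMES.get(f.get("arch"), {}).get(nr, f"syscall#{nr}"),
        "auid": "unset" if auid == UNSET_AUID else auid,  # the login user; survives su/sudo
        "uid": f.get("uid"), "pid": f.get("pid"), "comm": f.get("comm"), "exe": f.get("exe"),
        "cwd": next((r["fields"].get("cwd") for r in records if r["type"] == "CWD"), None),
        "paths": [(r["fields"].get("name"), r["fields"].get("nametype")) for r in records if r["type"] == "PATH"],
    }


def group_events(lines):
    """Group records by (timestamp, serial): serials restart at boot, so the time is part of the key."""
    events, order = {}, []
    for rec in filter(None, map(parse_record, lines)):
        eid = (rec["time"], rec["serial"])
        if eid not in events:
            events[eid] = []
            order.append(eid)
        events[eid].append(rec)
    return [s for s in (summarize(events[eid]) for eid in order) if s is not None]


def events_for_path(lines, path):
    """Roughly `ausearch -f PATH`: every event whose PATH records mention the file."""
    return [e for e in group_events(lines) if any(name == path for name, _ in e["paths"])]


def deletions_of(lines, path):
    """Only the events in which the kernel recorded the file being unlinked."""
    return [e for e in events_for_path(lines, path)
            if any(name == path and ntype == "DELETE" for name, ntype in e["paths"])]


def count_by(events, field):
    """aureport-style tally, e.g. count_by(events, "uid") or count_by(events, "exe")."""
    return Counter(e[field] for e in events)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for e in deletions_of(lines, "/var/lock/cron.d"):
        print(f"{e['time']} serial={e['serial']} {e['syscall']} uid={e['uid']} auid={e['auid']} "
              f"exe={e['exe']} comm={e['comm']} pid={e['pid']} cwd={e['cwd']} key={e['key']}")
    print("accesses per uid:", dict(count_by(events_for_path(lines, "/var/lock/cron.d"), "uid")))
```

Two details matter when reading the result. The auid field is the login user and survives su and sudo, so a deletion with uid=0 but auid=1000 points at the person, not just at root; an auid shown as unset means no login session at all, which is what a cron job or a daemon looks like. Feeding the script real data is a matter of replacing SAMPLE_LOG with the output of ausearch -r -k password-file (the -k form searches by the key given to auditctl, as an alternative to -f).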

more reading
http://linux-audit.com/tag/autrace/
http://www.golinuxhub.com/2013/05/using-audit-in-linux-to-track-system.html
http://linux-audit.com/linux-audit-framework-using-aureport/