Understanding Linux Audit Logs: A Detailed Breakdown

Understanding Linux Audit Logs

Linux audit logs (normally written to /var/log/audit/audit.log) provide critical information about events on a system, enabling administrators to track activities, identify issues, and ensure security compliance. Every record carries a type= field near its beginning that identifies the kind of event it describes.

These logs can be very useful, or very useless, depending on who you ask. They are noisy and record a lot of detail, so unless you have some kind of filtering and know what to look for, you will end up in the "useless" camp. If you take the time to understand them, however, they move into the "useful" category very easily.



Audit Log Format

Audit logs in Linux follow a specific format to ensure that all necessary information is recorded in a consistent manner. A typical audit log entry looks like this:

node=hostname1 type=USER_ACCT msg=audit(1476133081.102:283): user pid=9179 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting acct="root" exe="/usr/sbin/cron" (hostname=?, addr=?, terminal=cron res=success)'


Here's a breakdown of what each part of the log entry means:



Node
node=hostname1: The node field gives the hostname of the machine where the event occurred; here, "hostname1". It is not always present, and a record can just start with the next field.



Type
type=USER_ACCT: The type field specifies the type of event being recorded. Here, USER_ACCT indicates a user account-related event.



Message
msg=audit(1476133081.102:283): The msg field provides a timestamp and a unique identifier for the event. The format is audit(epoch_time:serial_number). In this example:

  • 1476133081.102 is the epoch time (seconds since the Unix epoch, with millisecond precision), giving the exact time of the event.
  • 283 is the serial number of this event. All records that belong to the same event share the same timestamp and serial number, which is how multi-record events are tied together.



User
user pid=9179 uid=0 auid=4294967295 ses=4294967295: This part includes information about the user and process associated with the event:

  • pid=9179: The ID of the process that generated the event.
  • uid=0: The user ID the process was running as when it triggered the event.
  • auid=4294967295: The audit user ID, the ID of the user who originally logged in; it survives su and sudo. The value 4294967295 (-1 as an unsigned 32-bit number) means it was never set because the process, here cron, is not attached to any login session.
  • ses=4294967295: The login session ID. The same 4294967295 value means there is no login session.



Detailed Message
msg='op=PAM:accounting acct="root" exe="/usr/sbin/cron" (hostname=?, addr=?, terminal=cron res=success)': This part provides a detailed description of the event:

  • op=PAM:accounting: The operation performed, here it is related to PAM (Pluggable Authentication Module) accounting.
  • acct="root": The account name involved in the event.
  • exe="/usr/sbin/cron": The executable that was running when the event occurred.
  • (hostname=?, addr=?, terminal=cron res=success): Additional context such as hostname, address, terminal, and the result of the operation.



Audit log categories

Below is a summary of all currently supported types of audit records and what they mean, each with an illustrative record.

User and Group Management

  • ADD_GROUP: Triggered when a new user-space group is added. Useful for tracking group changes.
  • type=ADD_GROUP msg=audit(1624300800.123:100): pid=1234 uid=0 auid=1000 ses=2 msg='op=add-group id=1001 exe="/usr/sbin/groupadd" hostname=? addr=? terminal=pts/0 res=success'
  • ADD_USER: Triggered when a new user-space user account is added. Helps in monitoring new user account creation.
  • type=ADD_USER msg=audit(1624300800.123:101): pid=1234 uid=0 auid=1000 ses=2 msg='op=add-user id=1001 exe="/usr/sbin/useradd" hostname=? addr=? terminal=pts/0 res=success'
  • DEL_GROUP: Triggered when a user-space group is deleted. Useful for tracking group deletions.
  • type=DEL_GROUP msg=audit(1624300800.123:102): pid=1234 uid=0 auid=1000 ses=2 msg='op=delete-group id=1001 exe="/usr/sbin/groupdel" hostname=? addr=? terminal=pts/0 res=success'
  • DEL_USER: Triggered when a user-space user account is deleted. Important for monitoring the removal of user accounts.
  • type=DEL_USER msg=audit(1624300800.123:103): pid=1234 uid=0 auid=1000 ses=2 msg='op=delete-user id=1001 exe="/usr/sbin/userdel" hostname=? addr=? terminal=pts/0 res=success'
  • CHGRP_ID: Triggered when a user-space group ID is changed. Tracks changes to group IDs.
  • type=CHGRP_ID msg=audit(1624300800.123:104): pid=1234 uid=0 auid=1000 ses=2 msg='op=chggrp-id old-id=1001 new-id=1002 exe="/usr/bin/usermod" hostname=? addr=? terminal=pts/0 res=success'
  • CHUSER_ID: Triggered when a user-space user ID is changed. Tracks changes to user IDs.
  • type=CHUSER_ID msg=audit(1624300800.123:105): pid=1234 uid=0 auid=1000 ses=2 msg='op=chguser-id old-id=1001 new-id=1002 exe="/usr/bin/usermod" hostname=? addr=? terminal=pts/0 res=success'


Anomaly Detection

Events whose type begins with ANOM_ are anomaly records:
  • ANOM_ABEND: Triggered when a process ends abnormally (with a signal that could cause a core dump, if enabled). Useful for detecting abnormal process terminations.
  • type=ANOM_ABEND msg=audit(1624300800.123:106): pid=1234 uid=1000 auid=1000 ses=2 msg='anomaly=abend signal=11 comm="example-process" exe="/usr/bin/example" hostname=? addr=? terminal=pts/0 res=failed'
  • ANOM_ACCESS_FS: Triggered when file or directory access ends abnormally. Tracks suspicious file access attempts.
  • type=ANOM_ACCESS_FS msg=audit(1624300800.123:107): pid=1234 uid=1000 auid=1000 ses=2 msg='anomaly=access-fs file="/etc/passwd" exe="/usr/bin/example" hostname=? addr=? terminal=pts/0 res=failed'
  • ANOM_ADD_ACCT: Triggered when a user-space account addition ends abnormally. Monitors failed account additions.
  • type=ANOM_ADD_ACCT msg=audit(1624300800.123:108): pid=1234 uid=0 auid=1000 ses=2 msg='anomaly=add-acct user="example" exe="/usr/sbin/useradd" hostname=? addr=? terminal=pts/0 res=failed'
  • ANOM_AMTU_FAIL: Triggered when an AMTU (Abstract Machine Test Utility) failure is detected. Useful for monitoring system integrity checks.
  • type=ANOM_AMTU_FAIL msg=audit(1624300800.123:109): pid=1234 uid=0 auid=1000 ses=2 msg='anomaly=amtu-fail test="amtu-test" exe="/usr/sbin/amtu" hostname=? addr=? terminal=pts/0 res=failed'
  • ANOM_CRYPTO_FAIL: Triggered when a failure in the cryptographic system is detected. Crucial for tracking cryptographic failures.
  • type=ANOM_CRYPTO_FAIL msg=audit(1624300800.123:110): pid=1234 uid=0 auid=1000 ses=2 msg='anomaly=crypto-fail operation="encrypt" exe="/usr/bin/crypto" hostname=? addr=? terminal=pts/0 res=failed'
  • ANOM_DEL_ACCT: Triggered when a user-space account deletion ends abnormally. Tracks failed account deletions.
  • type=ANOM_DEL_ACCT msg=audit(1624300800.123:111): pid=1234 uid=0 auid=1000 ses=2 msg='anomaly=del-acct user="example" exe="/usr/sbin/userdel" hostname=? addr=? terminal=pts/0 res=failed'
  • ANOM_EXEC: Triggered when file execution ends abnormally. Monitors execution failures.
  • type=ANOM_EXEC msg=audit(1624300800.123:112): pid=1234 uid=1000 auid=1000 ses=2 msg='anomaly=exec file="/usr/bin/example" exe="/usr/bin/example" hostname=? addr=? terminal=pts/0 res=failed'
  • ANOM_LOGIN_ACCT: Triggered when an account login attempt ends abnormally. Important for tracking failed logins.
  • type=ANOM_LOGIN_ACCT msg=audit(1624300800.123:113): pid=1234 uid=1000 auid=1000 ses=2 msg='anomaly=login-acct user="example" exe="/usr/sbin/login" hostname=? addr=? terminal=pts/0 res=failed'
  • ANOM_LOGIN_FAILURES: Triggered when the limit of failed login attempts is reached. Detects possible brute-force attacks.
  • type=ANOM_LOGIN_FAILURES msg=audit(1624300800.123:114): pid=1234 uid=1000 auid=1000 ses=2 msg='anomaly=login-failures user="example" exe="/usr/sbin/login" hostname=? addr=? terminal=pts/0 res=failed'
  • ANOM_LOGIN_LOCATION: Triggered when a login attempt is made from a forbidden location. Monitors suspicious login attempts.
  • type=ANOM_LOGIN_LOCATION msg=audit(1624300800.123:115): pid=1234 uid=1000 auid=1000 ses=2 msg='anomaly=login-location user="example" exe="/usr/sbin/login" hostname=? addr=? terminal=pts/0 res=failed'
  • ANOM_LOGIN_SESSIONS: Triggered when login attempts reach the maximum concurrent sessions. Useful for detecting session-based anomalies.
  • type=ANOM_LOGIN_SESSIONS msg=audit(1624300800.123:116): pid=1234 uid=1000 auid=1000 ses=2 msg='anomaly=login-sessions user="example" exe="/usr/sbin/login" hostname=? addr=? terminal=pts/0 res=failed'
  • ANOM_LOGIN_TIME: Triggered when a login attempt is made at a disallowed time. Tracks time-based login restrictions.
  • type=ANOM_LOGIN_TIME msg=audit(1624300800.123:117): pid=1234 uid=1000 auid=1000 ses=2 msg='anomaly=login-time user="example" exe="/usr/sbin/login" hostname=? addr=? terminal=pts/0 res=failed'
  • ANOM_MAX_DAC: Triggered when the maximum number of DAC failures is reached. Monitors access control issues.
  • type=ANOM_MAX_DAC msg=audit(1624300800.123:118): pid=1234 uid=1000 auid=1000 ses=2 msg='anomaly=max-dac failures=10 exe="/usr/sbin/daemon" hostname=? addr=? terminal=pts/0 res=failed'
  • ANOM_MAX_MAC: Triggered when the maximum number of MAC failures is reached. Tracks mandatory access control issues.
  • type=ANOM_MAX_MAC msg=audit(1624300800.123:119): pid=1234 uid=1000 auid=1000 ses=2 msg='anomaly=max-mac failures=5 exe="/usr/sbin/daemon" hostname=? addr=? terminal=pts/0 res=failed'
  • ANOM_MK_EXEC: Triggered when a file is made executable. Monitors changes in file execution permissions.
  • type=ANOM_MK_EXEC msg=audit(1624300800.123:120): pid=1234 uid=1000 auid=1000 ses=2 msg='anomaly=mk-exec file="/usr/bin/example" exe="/usr/bin/chmod" hostname=? addr=? terminal=pts/0 res=success'
  • ANOM_MOD_ACCT: Triggered when a user-space account modification ends abnormally. Tracks failed account modifications.
  • type=ANOM_MOD_ACCT msg=audit(1624300800.123:121): pid=1234 uid=0 auid=1000 ses=2 msg='anomaly=mod-acct user="example" exe="/usr/sbin/usermod" hostname=? addr=? terminal=pts/0 res=failed'
  • ANOM_PROMISCUOUS: Triggered when a device enables or disables promiscuous mode. Detects network interface changes.
  • type=ANOM_PROMISCUOUS msg=audit(1624300800.123:122): pid=1234 uid=0 auid=1000 ses=2 msg='anomaly=promiscuous device="eth0" exe="/usr/sbin/ifconfig" hostname=? addr=? terminal=pts/0 res=success'
  • ANOM_RBAC_FAIL: Triggered when an RBAC self-test failure is detected. Monitors role-based access control issues.
  • type=ANOM_RBAC_FAIL msg=audit(1624300800.123:123): pid=1234 uid=0 auid=1000 ses=2 msg='anomaly=rbac-fail test="self-test" exe="/usr/sbin/rbac-tool" hostname=? addr=? terminal=pts/0 res=failed'
  • ANOM_RBAC_INTEGRITY_FAIL: Triggered when an RBAC file integrity test failure is detected. Tracks integrity failures.
  • type=ANOM_RBAC_INTEGRITY_FAIL msg=audit(1624300800.123:124): pid=1234 uid=0 auid=1000 ses=2 msg='anomaly=rbac-integrity-fail file="/etc/rbac.conf" exe="/usr/sbin/rbac-tool" hostname=? addr=? terminal=pts/0 res=failed'
  • ANOM_ROOT_TRANS: Triggered when a user becomes root. Monitors privilege escalation.
  • type=ANOM_ROOT_TRANS msg=audit(1624300800.123:125): pid=1234 uid=1000 auid=1000 ses=2 msg='anomaly=root-trans user="example" exe="/usr/bin/su" hostname=? addr=? terminal=pts/0 res=success'


SELinux and Access Control

  • AVC: Records an SELinux permission check. Essential for monitoring SELinux operations.
  • type=AVC msg=audit(1624300800.123:126): pid=1234 uid=0 auid=1000 ses=2 msg='avc: denied { write } for pid=1234 comm="example" name="file" dev="sda1" ino=123456 scontext=system_u:system_r:example_t tcontext=system_u:object_r:example_t tclass=file'
  • AVC_PATH: Records the dentry and vfsmount pair when an SELinux permission check occurs. Provides detailed SELinux audit information.
  • type=AVC_PATH msg=audit(1624300800.123:127): pid=1234 uid=0 auid=1000 ses=2 msg='avc: denied { read } for pid=1234 comm="example" name="file" dev="sda1" ino=123456 scontext=system_u:system_r:example_t tcontext=system_u:object_r:example_t tclass=file'
  • ROLE_ASSIGN: Triggered when an administrator assigns a user to an SELinux role. Tracks role assignments.
  • type=ROLE_ASSIGN msg=audit(1624300800.123:128): pid=1234 uid=0 auid=1000 ses=2 msg='op=role-assign role="example_role" user="example" exe="/usr/sbin/semanage" hostname=? addr=? terminal=pts/0 res=success'
  • ROLE_MODIFY: Triggered when an administrator modifies an SELinux role. Monitors changes to roles.
  • type=ROLE_MODIFY msg=audit(1624300800.123:129): pid=1234 uid=0 auid=1000 ses=2 msg='op=role-modify role="example_role" exe="/usr/sbin/semanage" hostname=? addr=? terminal=pts/0 res=success'
  • ROLE_REMOVE: Triggered when an administrator removes a user from an SELinux role. Tracks role removals.
  • type=ROLE_REMOVE msg=audit(1624300800.123:130): pid=1234 uid=0 auid=1000 ses=2 msg='op=role-remove role="example_role" user="example" exe="/usr/sbin/semanage" hostname=? addr=? terminal=pts/0 res=success'
  • SELINUX_ERR: Triggered when an internal SELinux error is detected. Important for diagnosing SELinux issues.
  • type=SELINUX_ERR msg=audit(1624300800.123:131): pid=1234 uid=0 auid=1000 ses=2 msg='selinux error: error_number=28 comm="example" exe="/usr/sbin/example" hostname=? addr=? terminal=pts/0 res=failed'


Authentication and Credentials

  • CRED_ACQ: Triggered when a user acquires user-space credentials. Useful for tracking credential acquisitions.
  • type=CRED_ACQ msg=audit(1624300800.123:132): pid=1234 uid=0 auid=1000 ses=2 msg='op=cred-acq id=1000 exe="/usr/bin/example" hostname=? addr=? terminal=pts/0 res=success'
  • CRED_DISP: Triggered when a user disposes of user-space credentials. Monitors credential disposals.
  • type=CRED_DISP msg=audit(1624300800.123:133): pid=1234 uid=0 auid=1000 ses=2 msg='op=cred-disp id=1000 exe="/usr/bin/example" hostname=? addr=? terminal=pts/0 res=success'
  • CRED_REFR: Triggered when a user refreshes their user-space credentials. Tracks credential refreshes.
  • type=CRED_REFR msg=audit(1624300800.123:134): pid=1234 uid=0 auid=1000 ses=2 msg='op=cred-refr id=1000 exe="/usr/bin/example" hostname=? addr=? terminal=pts/0 res=success'
  • USER_AUTH: Triggered when a user-space authentication attempt is detected. Important for monitoring authentication attempts.
  • type=USER_AUTH msg=audit(1624300800.123:135): pid=1234 uid=0 auid=1000 ses=2 msg='op=user-auth user="example" exe="/usr/bin/example" hostname=? addr=? terminal=pts/0 res=success'
  • USER_LOGIN: Triggered when a user logs in. Monitors login events.
  • type=USER_LOGIN msg=audit(1624300800.123:136): pid=1234 uid=0 auid=1000 ses=2 msg='op=user-login user="example" exe="/usr/bin/example" hostname=? addr=? terminal=pts/0 res=success'
  • USER_LOGOUT: Triggered when a user logs out. Tracks logout events.
  • type=USER_LOGOUT msg=audit(1624300800.123:137): pid=1234 uid=0 auid=1000 ses=2 msg='op=user-logout user="example" exe="/usr/bin/example" hostname=? addr=? terminal=pts/0 res=success'
  • USER_ACCT: Triggered when a user-space user account is modified. Useful for monitoring account modifications.
  • type=USER_ACCT msg=audit(1624300800.123:138): pid=1234 uid=0 auid=1000 ses=2 msg='op=user-acct user="example" exe="/usr/bin/example" hostname=? addr=? terminal=pts/0 res=success'
  • LOGIN: Records login attempts, both successful and unsuccessful.
  • type=LOGIN msg=audit(1624300800.123:125): pid=1234 uid=0 auid=1000 ses=2 msg='op=login id=1000 exe="/usr/sbin/login" hostname=? addr=? terminal=pts/0 res=success'


Cryptographic Events

  • CRYPTO_FAILURE_USER: Triggered when a cryptographic operation fails. Essential for tracking cryptographic issues.
  • type=CRYPTO_FAILURE_USER msg=audit(1624300800.123:139): pid=1234 uid=0 auid=1000 ses=2 msg='op=crypto-failure-user exe="/usr/bin/example" hostname=? addr=? terminal=pts/0 res=failed'
  • CRYPTO_KEY_USER: Records the cryptographic key identifier used. Monitors key usage.
  • type=CRYPTO_KEY_USER msg=audit(1624300800.123:140): pid=1234 uid=0 auid=1000 ses=2 msg='op=crypto-key-user key="key123" exe="/usr/bin/example" hostname=? addr=? terminal=pts/0 res=success'
  • CRYPTO_LOGIN: Triggered when a cryptographic officer login attempt is detected. Tracks cryptographic officer logins.
  • type=CRYPTO_LOGIN msg=audit(1624300800.123:141): pid=1234 uid=0 auid=1000 ses=2 msg='op=crypto-login user="officer" exe="/usr/bin/example" hostname=? addr=? terminal=pts/0 res=success'
  • CRYPTO_LOGOUT: Triggered when a cryptographic officer logout attempt is detected. Monitors logouts.
  • type=CRYPTO_LOGOUT msg=audit(1624300800.123:142): pid=1234 uid=0 auid=1000 ses=2 msg='op=crypto-logout user="officer" exe="/usr/bin/example" hostname=? addr=? terminal=pts/0 res=success'
  • CRYPTO_PARAM_CHANGE_USER: Triggered when a cryptographic parameter changes. Tracks cryptographic parameter modifications.
  • type=CRYPTO_PARAM_CHANGE_USER msg=audit(1624300800.123:143): pid=1234 uid=0 auid=1000 ses=2 msg='op=crypto-param-change-user param="param123" exe="/usr/bin/example" hostname=? addr=? terminal=pts/0 res=success'
  • CRYPTO_REPLAY_USER: Triggered when a replay attack is detected. Important for detecting cryptographic attacks.
  • type=CRYPTO_REPLAY_USER msg=audit(1624300800.123:144): pid=1234 uid=0 auid=1000 ses=2 msg='op=crypto-replay-user attack="replay" exe="/usr/bin/example" hostname=? addr=? terminal=pts/0 res=failed'
  • CRYPTO_SESSION: Records parameters set during a TLS session establishment. Monitors TLS session parameters.
  • type=CRYPTO_SESSION msg=audit(1624300800.123:145): pid=1234 uid=0 auid=1000 ses=2 msg='op=crypto-session id="session123" param="param123" exe="/usr/bin/example" hostname=? addr=? terminal=pts/0 res=success'
  • CRYPTO_TEST_USER: Records cryptographic test results. Essential for ensuring cryptographic system integrity.
  • type=CRYPTO_TEST_USER msg=audit(1624300800.123:146): pid=1234 uid=0 auid=1000 ses=2 msg='op=crypto-test-user test="test123" exe="/usr/bin/example" hostname=? addr=? terminal=pts/0 res=success'


System and Daemon Events

  • DAEMON_ABORT: Triggered when a daemon is stopped due to an error. Monitors daemon issues.
  • type=DAEMON_ABORT msg=audit(1624300800.123:147): pid=1234 uid=0 auid=1000 ses=2 msg='op=daemon-abort exe="/usr/sbin/example" hostname=? addr=? terminal=pts/0 res=failed'
  • DAEMON_ACCEPT: Triggered when the auditd daemon accepts a remote connection. Tracks remote connections.
  • type=DAEMON_ACCEPT msg=audit(1624300800.123:148): pid=1234 uid=0 auid=1000 ses=2 msg='op=daemon-accept remote_addr="192.168.0.1" exe="/usr/sbin/auditd" hostname=? addr=? terminal=pts/0 res=success'
  • DAEMON_CLOSE: Triggered when the auditd daemon closes a remote connection. Monitors connection closures.
  • type=DAEMON_CLOSE msg=audit(1624300800.123:149): pid=1234 uid=0 auid=1000 ses=2 msg='op=daemon-close remote_addr="192.168.0.1" exe="/usr/sbin/auditd" hostname=? addr=? terminal=pts/0 res=success'
  • DAEMON_CONFIG: Triggered when a daemon configuration change is detected. Tracks configuration changes.
  • type=DAEMON_CONFIG msg=audit(1624300800.123:150): pid=1234 uid=0 auid=1000 ses=2 msg='op=daemon-config file="/etc/audit/auditd.conf" exe="/usr/sbin/auditd" hostname=? addr=? terminal=pts/0 res=success'
  • DAEMON_END: Triggered when a daemon is successfully stopped. Monitors daemon stoppages.
  • type=DAEMON_END msg=audit(1624300800.123:151): pid=1234 uid=0 auid=1000 ses=2 msg='op=daemon-end exe="/usr/sbin/auditd" hostname=? addr=? terminal=pts/0 res=success'
  • DAEMON_RESUME: Triggered when the auditd daemon resumes logging. Tracks logging resumption.
  • type=DAEMON_RESUME msg=audit(1624300800.123:152): pid=1234 uid=0 auid=1000 ses=2 msg='op=daemon-resume exe="/usr/sbin/auditd" hostname=? addr=? terminal=pts/0 res=success'
  • DAEMON_RESTART: Triggered when a daemon is restarted. Monitors daemon restarts.
  • type=DAEMON_RESTART msg=audit(1624300800.123:153): pid=1234 uid=0 auid=1000 ses=2 msg='op=daemon-restart exe="/usr/sbin/example" hostname=? addr=? terminal=pts/0 res=success'
  • DAEMON_ROTATE: Triggered when a daemon log file is rotated. Tracks log file rotations.
  • type=DAEMON_ROTATE msg=audit(1624300800.123:154): pid=1234 uid=0 auid=1000 ses=2 msg='op=daemon-rotate file="/var/log/audit/audit.log" exe="/usr/sbin/auditd" hostname=? addr=? terminal=pts/0 res=success'
  • DAEMON_START: Triggered when a daemon is started. Monitors daemon startups.
  • type=DAEMON_START msg=audit(1624300800.123:155): pid=1234 uid=0 auid=1000 ses=2 msg='op=daemon-start exe="/usr/sbin/auditd" hostname=? addr=? terminal=pts/0 res=success'
  • DAEMON_STOP: Triggered when a daemon stops. Tracks daemon stoppages.
  • type=DAEMON_STOP msg=audit(1624300800.123:156): pid=1234 uid=0 auid=1000 ses=2 msg='op=daemon-stop exe="/usr/sbin/auditd" hostname=? addr=? terminal=pts/0 res=success'
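As an added example (not code from this post or from Trunc), the following Python parser applies the format breakdown above to a handful of records modelled on the ones shown on this page, and then runs a simple triage over the record types listed in the categories: it separates the outer fields from the nested msg='...' body, converts the audit(epoch:serial) header, recognises an unset auid, and surfaces ANOM_ records plus a hand-picked set of account and daemon types. WATCH_TYPES is my own selection for the example, not an auditd concept, and the sample records are constructed.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample records modelled on the ones shown in this post (not real log data).
SAMPLE_LOG = """\
node=hostname1 type=USER_ACCT msg=audit(1476133081.102:283): user pid=9179 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting acct="root" exe="/usr/sbin/cron" (hostname=?, addr=?, terminal=cron res=success)'
type=ADD_USER msg=audit(1624300800.123:101): pid=1234 uid=0 auid=1000 ses=2 msg='op=add-user id=1001 exe="/usr/sbin/useradd" hostname=? addr=? terminal=pts/0 res=success'
type=ANOM_LOGIN_FAILURES msg=audit(1624300800.123:114): pid=1234 uid=1000 auid=1000 ses=2 msg='anomaly=login-failures user="example" exe="/usr/sbin/login" hostname=? addr=? terminal=pts/0 res=failed'
type=DAEMON_START msg=audit(1624300800.123:155): pid=1234 uid=0 auid=1000 ses=2 msg='op=daemon-start exe="/usr/sbin/auditd" hostname=? addr=? terminal=pts/0 res=success'
"""

UNSET_ID = 4294967295  # -1 as an unsigned 32-bit value: the process has no login session

# The msg=audit(epoch:serial): header that every record carries
HEADER_RE = re.compile(r"msg=audit\((?P<epoch>\d+\.\d+):(?P<serial>\d+)\):")
# key=value pairs: the value is either double-quoted or a bare token ending at space, ',' or ')'
KV_RE = re.compile(r'(\w[\w-]*)=(?:"([^"]*)"|([^\s,)]+))')
# Types to surface besides anything prefixed ANOM_ (a selection made for this example)
WATCH_TYPES = {"ADD_USER", "DEL_USER", "CHUSER_ID", "ROLE_ASSIGN", "DAEMON_CONFIG", "DAEMON_ABORT"}


def _kv(text: str) -> Dict[str, str]:
    return {k: (bare if bare else quoted) for k, quoted, bare in KV_RE.findall(text)}


def parse_record(line: str) -> Dict[str, object]:
    """Split one audit record into its outer fields and its nested msg='...' body."""
    head, sep, body = line.partition("msg='")
    if sep:
        body = body.rstrip().rstrip("'")  # drop the quote that closes the nested msg
    m = HEADER_RE.search(head)
    if not m:
        raise ValueError("no audit(epoch:serial) header in record: %r" % line)
    # Outer fields sit before the header (node=, type=) and after it (pid=, uid=, ...);
    # the header span is skipped so msg=audit(...) is not read as a key=value pair.
    rec: Dict[str, object] = dict(_kv(head[:m.start()] + " " + head[m.end():]))
    rec["epoch"] = float(m.group("epoch"))
    rec["serial"] = int(m.group("serial"))
    for field in ("pid", "uid", "auid", "ses"):
        if field in rec:
            rec[field] = int(rec[field])
    rec["msg"] = _kv(body)  # op=/anomaly=, acct=, exe=, hostname=, terminal=, res=, ...
    return rec


def session_is_unset(rec: Dict[str, object]) -> bool:
    """True when auid is 4294967295, i.e. no login session (cron jobs, daemons)."""
    return rec.get("auid", UNSET_ID) == UNSET_ID


def triage(log_text: str) -> List[Tuple[int, str, str]]:
    """Return (serial, type, result) for every record that deserves a second look."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        rtype = str(rec.get("type", ""))
        if rtype.startswith("ANOM_") or rtype in WATCH_TYPES:
            hits.append((rec["serial"], rtype, str(rec["msg"].get("res", "?"))))
    return hits


if __name__ == "__main__":
    for serial, rtype, res in triage(SAMPLE_LOG):
        print("review:", serial, rtype, res)
```

Records such as AVC carry free text ("avc: denied { write } for ...") inside the body, so for those only the key=value parts land in the parsed msg dictionary.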



Understanding and analyzing these audit logs can significantly enhance your ability to maintain system security and compliance. Tools like Trunc can automatically parse and help you understand audit logs, making it easier to monitor, manage, and act on the information contained within these logs.





Posted in audit, logging by trunc_team

