
I recently set up auditd and enabled TTY logging so I could give someone non-root shell access and monitor what they're doing. (For what it's worth I gave them jailshell access, a cPanel feature that restricts their access to only their user directory.)

I had it set up correctly, and to test it I was running aureport --tty -i to see all user activity and ausearch -ul _username_ | aureport --tty -i to filter the activity of the new account (hereby named _username_, a pseudonym). On the _username_ account, I just ran some simple commands like cd and ls. I also compared this with cat /home/_username_/.bash_history. I was logging in every day to check for updates, and I'm certain that I kept seeing the same record of activity from _username_, the basic aforementioned commands. I know I saw this activity because I remember being confused that I didn't see it logged in aureport until after I logged out. I had to Google to find out that this was a limitation of non-root TTY logging. So it was definitely in the aureport a few days ago.

So today, I check again, and this time there is new activity for _username_. Some pretty innocuous-looking commands. Frankly, I was expecting the person with the account to have more activity. What is very disconcerting to me, however, is that there is no previous record of activity from _username_. My original test commands are no longer being reported by aureport.

Is it possible they got up to no good, somehow got root access, and erased their history from auditd, accidentally erasing the history of my test commands in the process? Are there any other explanations?

Dan
  • Your auditd might be configured to limit the size of your logs, and older events may have been deleted automatically by the system; check your auditd.conf and `man 5 auditd.conf` for options and settings – HBruijn May 10 '18 at 05:46
  • That seems to be it. Combination of `max_log_file` and `num_logs` caused the history of my test commands to be rotated out. Thanks for the pointer! – Dan May 10 '18 at 05:53

1 Answer


To expand on my earlier comment:

Rather than abuse, I expect that your log files reached either a maximum size or the events happened more than X time ago, and the oldest entries were simply deleted by the system.

Most systems are configured with defaults that won't keep logs indefinitely and packagers typically include either a log rotate drop-in script (in /etc/logrotate.d) or if the service supports such a thing, age and/or size limits for logs in the daemon itself.

Auditd is of the second variety.

Check your auditd.conf for your current settings and man 5 auditd.conf for all supported options and defaults; such as the settings for max_log_file and num_logs that you found.

To answer the title of your question:

Can auditd logs be modified?

Yes: if you give people administrator level access they usually can modify your whole system. That is why it is best practice to duplicate log events to a secure remote logging server.

HBruijn
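The two points in the answer above (rotation silently discarding old events, and the need for an off-host copy) can be checked from the configuration files themselves. The following is an added example, not code from the original question or answer and not part of the audit package: it parses the `key = value` format of `auditd.conf`, works out roughly how much history `max_log_file`, `num_logs` and `max_log_file_action` allow auditd to keep, and reads the `active` flag of the audisp `au-remote` plugin configuration to tell whether events are being forwarded anywhere. Both configuration texts embedded below are constructed samples; the retention arithmetic follows the descriptions in `man 5 auditd.conf` and is an approximation, since rotation is triggered by file size, not by age.

```python
"""Report how much audit history auditd's own rotation keeps.

Added example, not from the original post. Assumes the key names documented
in `man 5 auditd.conf` (max_log_file in MB, num_logs, max_log_file_action)
and the `active` keyword of /etc/audit/plugins.d/au-remote.conf.
"""
from __future__ import annotations

import io

# Constructed sample auditd.conf: 8 MB files, 5 kept, rotate when full.
SAMPLE_AUDITD_CONF = """\
# This file controls the configuration of the audit daemon
log_file = /var/log/audit/audit.log
log_format = RAW
flush = INCREMENTAL_ASYNC
max_log_file = 8
num_logs = 5
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
"""

# Constructed sample au-remote.conf with forwarding switched off.
SAMPLE_AU_REMOTE_CONF = """\
# This file controls the audispd remote plugin
active = no
direction = out
path = /sbin/audisp-remote
type = always
format = string
"""


def parse_kv_conf(text: str) -> dict[str, str]:
    """Return key -> value for 'key = value' lines; blanks and comments are skipped."""
    settings: dict[str, str] = {}
    for raw in io.StringIO(text):
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key.lower()] = value
    return settings


def retention_summary(settings: dict[str, str]) -> dict:
    """Describe what happens to old events once audit.log reaches max_log_file.

    retained_mb is the approximate ceiling on history kept on disk, or None
    when auditd itself never deletes anything (keep_logs, or no rotation).
    """
    max_mb = int(settings.get("max_log_file", "8"))   # man page default: 8 MB
    num_logs = int(settings.get("num_logs", "0"))
    action = settings.get("max_log_file_action", "rotate").lower()
    if action == "rotate":
        # audit.log plus the rotated copies; the man page says logs are not
        # rotated at all when num_logs < 2, so only the active file remains.
        retained_mb = max_mb * num_logs if num_logs >= 2 else max_mb
        discarded = True
    elif action == "keep_logs":
        retained_mb = None        # rotates but never deletes; disk fills instead
        discarded = False
    else:                         # ignore / syslog / suspend: auditd does not rotate
        retained_mb = None
        discarded = False
    return {"action": action, "max_log_file_mb": max_mb, "num_logs": num_logs,
            "retained_mb": retained_mb, "old_events_discarded": discarded}


def remote_logging_enabled(au_remote_conf_text: str) -> bool:
    """True when the au-remote plugin is active, i.e. events leave this host."""
    return parse_kv_conf(au_remote_conf_text).get("active", "no").lower() == "yes"


def report(auditd_conf_text: str, au_remote_conf_text: str) -> list[str]:
    """Human-readable findings for both concerns raised in the answer."""
    summary = retention_summary(parse_kv_conf(auditd_conf_text))
    lines = [f"max_log_file_action={summary['action']} "
             f"max_log_file={summary['max_log_file_mb']}MB num_logs={summary['num_logs']}"]
    if summary["old_events_discarded"]:
        lines.append(f"local history is capped at about {summary['retained_mb']} MB; "
                     "older events are deleted by auditd, not by an intruder")
    else:
        lines.append("auditd does not delete old events with this action")
    if not remote_logging_enabled(au_remote_conf_text):
        lines.append("au-remote plugin inactive: a local root can alter the only copy")
    return lines


if __name__ == "__main__":
    # Real use: open("/etc/audit/auditd.conf") and
    # open("/etc/audit/plugins.d/au-remote.conf") instead of the samples.
    for line in report(SAMPLE_AUDITD_CONF, SAMPLE_AU_REMOTE_CONF):
        print(line)
```

With the sample settings the script reports a cap of roughly 40 MB of local history, which is the situation the comments above describe: busy systems fill that in days, so test commands from a week ago vanish without anyone touching the log. Pointing the two `open()` calls at the real files on the host gives the same verdict for a live system.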