Pros and cons of using the Linux audit daemon

The audit daemon, auditd, is the user-space half of the Linux auditing system: the kernel's audit subsystem generates records for the events matched by the loaded rules, and auditd receives them over the audit netlink socket and writes them to disk. It is shipped by most Linux distributions and gives detailed per-syscall records of process activity. Here is an example of such a record:

type=SYSCALL msg=audit(1623654476.149:5467642): arch=c000003e syscall=56 success=yes exit=115384 a0=1200011 a1=0 a2=0 a3=7f0f6a765b90 items=0 ppid=1 pid=1159 auid=4294967295 uid=26 gid=26 euid=26 suid=26 fsuid=26 egid=26 sgid=26 fsgid=26 tty=(none) ses=4294967295 comm="postmaster" exe="/usr/pgsql-11/bin/postgres" subj=system_u:system_r:unconfined_service_t:s0 key="MyMonitor"

This record is a clone(2) call (syscall=56 on arch=c000003e, the x86_64 ABI) made by the PostgreSQL postmaster; since success=yes, exit=115384 is the PID of the new child. It contains quite a lot of useful information:

  • The syscall number, its first four arguments (a0 to a3, in hex) and its return value
  • The identity of the caller: real, effective, saved and filesystem UIDs and GIDs, plus auid, the login UID of the session the process came from (4294967295, i.e. -1 as unsigned, means no login session, as for this service started by PID 1)
  • The event time (seconds since the epoch) and a serial number that ties together all records of one event
  • The full path to the process image (exe), the command name (comm) and the SELinux context (subj)
  • The key of the rule that produced the record

The record above carries key="MyMonitor" because a rule with that key was loaded with auditctl:

auditctl -a always,exit -F arch=b32 -S exit,fork,execve,clone,vfork,exit_group -F key=MyMonitor

Note that this rule selects the 32-bit syscall ABI (arch=b32). A 64-bit process such as the postgres binary above is only matched by a second rule with arch=b64, so on x86_64 you normally load both.

The easiest way to read the records is the ausearch tool, filtering by the same key. Two options matter most:

  • -k filters by the key specified in the rule
  • --checkpoint specifies a checkpoint file; when it is given, ausearch prints only events newer than the one recorded at the previous run and then updates the file
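The following script, added here as an example and not taken from the Apriorit article, puts the pieces together: it emits the rules for the key above for both syscall ABIs, and it parses raw SYSCALL records of the kind ausearch -r prints, flagging the two cases a practitioner trips over (an unset login UID, and an image file the kernel reports as deleted, the problem raised under challenges below). The record embedded as SAMPLE is the one shown earlier, so the parsing runs without a live auditd. The function names, the checkpoint path /var/lib/mymonitor.checkpoint and the small x86_64 syscall table are my own choices, not part of auditd.

```shell
#!/bin/sh
# Added example for the auditd rule/ausearch workflow; not code from the article.
# Assumes the rule key "MyMonitor" and the syscall list from the text.
KEY="MyMonitor"
SYSCALLS="exit,fork,execve,clone,vfork,exit_group"

# The article's own sample record, embedded so the functions below run offline.
SAMPLE='type=SYSCALL msg=audit(1623654476.149:5467642): arch=c000003e syscall=56 success=yes exit=115384 a0=1200011 a1=0 a2=0 a3=7f0f6a765b90 items=0 ppid=1 pid=1159 auid=4294967295 uid=26 gid=26 euid=26 suid=26 fsuid=26 egid=26 sgid=26 fsgid=26 tty=(none) ses=4294967295 comm="postmaster" exe="/usr/pgsql-11/bin/postgres" subj=system_u:system_r:unconfined_service_t:s0 key="MyMonitor"'

# Rules in audit.rules / auditctl -R syntax. The rule in the text only has
# arch=b32, which never matches a 64-bit syscall (the sample is arch=c000003e,
# i.e. x86_64), so both ABIs are emitted here.
monitor_rules() {
    printf '%s always,exit -F arch=b64 -S %s -F key=%s\n' -a "$SYSCALLS" "$KEY"
    printf '%s always,exit -F arch=b32 -S %s -F key=%s\n' -a "$SYSCALLS" "$KEY"
}

# audit_field RECORD NAME: value of NAME= in one record line. Quoted values
# (exe="...") may contain spaces; bare values (pid=1159) end at whitespace.
# The leading space keeps "uid=" from matching inside "auid=" or "euid=".
audit_field() {
    _v=$(printf ' %s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p")
    [ -n "$_v" ] || _v=$(printf ' %s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p")
    printf '%s\n' "$_v"
}

# TIME:SERIAL from msg=audit(TIME:SERIAL); ausearch -a SERIAL fetches every
# record (SYSCALL, CWD, PATH, ...) belonging to that event.
audit_event_id() {
    printf '%s\n' "$1" | sed -n 's/.*msg=audit(\([^)]*\)).*/\1/p'
}

# Raw records carry numbers; ausearch -i would interpret them. Syscall numbers
# are per ABI, so the table is keyed by the AUDIT_ARCH value as well. Only the
# syscalls from the rule above are listed, for x86_64 (my own table).
syscall_name() {
    case "$1:$2" in
        c000003e:56)  echo clone ;;
        c000003e:57)  echo fork ;;
        c000003e:58)  echo vfork ;;
        c000003e:59)  echo execve ;;
        c000003e:60)  echo exit ;;
        c000003e:231) echo exit_group ;;
        *)            echo "unknown($1:$2)" ;;
    esac
}

# auid=4294967295 is -1 as unsigned: the process did not come from a login
# session (e.g. a service started by init, ppid=1 in the sample).
auid_is_unset() { [ "$1" = 4294967295 ]; }

# The kernel appends " (deleted)" to exe= when the binary was unlinked after
# exec: the "inaccessible image file" case. Check before hashing or inspecting.
exe_is_deleted() {
    case "$1" in
        *' (deleted)') return 0 ;;
        *) return 1 ;;
    esac
}

# One summary line per SYSCALL record on stdin (other record types are skipped).
summarize() {
    while IFS= read -r rec; do
        case "$rec" in type=SYSCALL*) ;; *) continue ;; esac
        exe=$(audit_field "$rec" exe)
        note=""
        exe_is_deleted "$exe" && note=" [image deleted]"
        auid_is_unset "$(audit_field "$rec" auid)" && note="$note [no login session]"
        printf '%s pid=%s ppid=%s uid=%s %s exe=%s%s\n' \
            "$(audit_event_id "$rec")" "$(audit_field "$rec" pid)" \
            "$(audit_field "$rec" ppid)" "$(audit_field "$rec" uid)" \
            "$(syscall_name "$(audit_field "$rec" arch)" "$(audit_field "$rec" syscall)")" \
            "$exe" "$note"
    done
}

# --install (as root): load the rules, then show events since the last checkpoint.
# Any other invocation summarizes the embedded sample record.
if [ "${1:-}" = "--install" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; exit 1; }
    rules=$(mktemp) && monitor_rules > "$rules" && auditctl -R "$rules"; rm -f "$rules"
    ausearch -k "$KEY" -r --checkpoint /var/lib/mymonitor.checkpoint | summarize
else
    printf '%s\n' "$SAMPLE" | summarize
fi
```

Run with no arguments to see the sample summarized as one line; run as root with --install to load both rules and print the events recorded since the previous checkpoint. In day-to-day use ausearch -i (--interpret) resolves arch, syscall numbers and UIDs to names for you; the table above exists only because raw records carry the numbers. The "(deleted)" suffix on exe= is how the kernel reports a binary that was unlinked after it was executed, which is exactly when reading the image file from the path will fail.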

Let’s examine the pros and cons of using the audit daemon for process monitoring.

Key benefits of working with auditd are:

  • Robust set of features. The Linux audit daemon gives you log rotation, tools for filtering, searching and reporting (ausearch, aureport), and control over buffer sizes on both sides (the kernel backlog via auditctl -b and the daemon's own queue), among other things.
  • No extra risk for the Linux kernel. The kernel side is the in-tree audit subsystem, and auditd itself is a user-mode consumer of the audit netlink socket, so deploying it adds no out-of-tree hooks or modules that could crash the system and creates no dependency on internal kernel interfaces that change between releases.
  • Supported by most Linux distros. Operating systems from CentOS 6.1 (2.6.x kernel) to the latest Ubuntu 22.04 ship the Linux audit daemon.

When working with the audit daemon, be ready to face the following challenges:

  • Kernel-related limitations. Syscall rules see only calls that enter the kernel through the syscall interface, so kernel threads and work done purely in kernel mode are not tracked. Auditing also requires the CONFIG_AUDIT and CONFIG_AUDITSYSCALL kernel options (the latter for syscall rules), which are enabled in most distribution kernels; CONFIG_BSD_PROCESS_ACCT and CONFIG_BSD_PROCESS_ACCT_V3 belong to the separate BSD process accounting facility (acct/psacct) and are not needed by auditd.
  • Potentially inaccessible process image files. By the time a record is processed, the executable file may have been deleted or moved by a user or program; the kernel reports a binary that was unlinked after exec with a " (deleted)" suffix in the exe field, so anything that opens the path from the record must expect failure.
  • Support for a single auditor. Only one process can register as the audit daemon on the kernel's audit netlink socket, and by default that is auditd. If another tool registers itself instead, auditd stops receiving records. Recent kernels also let read-only listeners such as systemd-journald subscribe to the audit multicast group, but that does not change the one-daemon limit.
  • Possible rule conflicts. Audit rules form a single kernel-wide list, so rules loaded for one solution coexist with those of other products and with administrator changes: another tool or an admin running auditctl -D flushes everything, and once the rules are locked with -e 2 nothing can change them until reboot.

Process monitoring with auditd therefore comes down to choosing the syscalls to watch and writing the rules that select them.

Read the full article on the Apriorit blog to explore several popular ways to monitor Linux processes in user mode and to learn more about working with the Linux audit daemon.

Apriorit