Overview

The System Auditing module provides comprehensive capabilities for auditing user behavior and system activities. It monitors command execution, tracks access to critical files, and provides detailed audit trails for security investigations and compliance requirements.

Key Features

User Behavior Monitoring

Track and audit user activities across your infrastructure:
  • Command Execution Monitoring: Track all commands executed by users
  • Login/Logout Tracking: Monitor user authentication events
  • Session Monitoring: Track user session activities and duration
  • Privilege Escalation: Detect and log privilege escalation attempts
  • User Actions: Audit file access, modifications, and deletions

File Access Auditing

Monitor access to critical system files and resources:
  • Critical File Access: Alert when sensitive files are accessed
  • Permission Changes: Track modifications to file permissions
  • Ownership Changes: Monitor changes to file ownership
  • Read/Write Operations: Log file read and write operations
  • Execution Tracking: Monitor execution of critical binaries

System Call Monitoring

Capture low-level system activities:
  • System Call Auditing: Monitor specific system calls
  • Process Tracking: Track process creation and termination
  • Network Activity: Audit network connections and communications
  • Resource Access: Monitor access to system resources

Data Sources

The System Auditing module utilizes:
  • Events Pattern: wazuh-events*
  • Event Type: events-system-activity
  • Audit Logs: System audit log integration (auditd, Windows Event Logs)

Audit Data Structure

System audit events include comprehensive activity information:
Field               Description
timestamp           When the activity occurred
wazuh.agent.name    Agent that recorded the activity
user.name           User who performed the action
process.name        Process or command executed
process.args        Command arguments
file.path           File or resource accessed
event.action        Type of action performed
event.outcome       Success or failure of the action
audit.key           Audit rule key identifier

Use Cases

Security Incident Investigation

Conduct thorough security investigations:
  1. Timeline Reconstruction: Build complete timeline of user activities
  2. Root Cause Analysis: Identify initial access and attack progression
  3. Lateral Movement Detection: Track attacker movement across systems
  4. Data Exfiltration: Identify unauthorized data access and transfer
  5. Evidence Collection: Gather audit evidence for investigations

Compliance Requirements

Meet regulatory audit and compliance mandates:

PCI DSS Requirements

  • 10.2: Implement automated audit trails for all system components
  • 10.3: Record audit trail entries for all users and system activities
  • 10.4: Synchronize all critical system clocks and times
  • 10.5: Secure audit trails from unauthorized modifications

HIPAA Requirements

  • Track access to electronic protected health information (ePHI)
  • Monitor privileged user activities
  • Log security incidents and outcomes
  • Maintain audit logs for required retention periods

SOX Compliance

  • Audit access to financial systems and data
  • Track changes to financial records
  • Monitor privileged access to critical systems
  • Maintain complete audit trails

GDPR Requirements

  • Log access to personal data
  • Track data processing activities
  • Monitor data transfers and sharing
  • Maintain audit records for accountability

Insider Threat Detection

Identify malicious or negligent insider activities:
  1. Unusual Access Patterns: Detect abnormal file or system access
  2. After-hours Activity: Monitor activities outside normal working hours
  3. Data Hoarding: Identify excessive data downloads or copies
  4. Privilege Abuse: Detect misuse of administrative privileges
  5. Policy Violations: Track violations of acceptable use policies

Operational Monitoring

Support IT operations and troubleshooting:
  • Change Tracking: Monitor system configuration changes
  • Performance Issues: Identify problematic commands or processes
  • Capacity Planning: Analyze system usage patterns
  • Troubleshooting: Review system activities during incidents

Privileged Access Management

Monitor and audit privileged user activities:
  1. Administrator Actions: Track all administrative commands
  2. Root/Admin Logins: Monitor privileged account usage
  3. Sudo Usage: Log privilege escalation attempts
  4. Service Accounts: Monitor service account activities
  5. Shared Accounts: Track usage of shared administrative accounts

Audit Rules Configuration

Linux (auditd) Integration

Define audit rules for specific activities:
# Monitor file access
-w /etc/passwd -p wa -k passwd_changes
-w /etc/shadow -p wa -k shadow_changes

# Monitor command execution
-a always,exit -F arch=b64 -S execve -k command_execution

# Monitor privilege escalation
-w /usr/bin/sudo -p x -k sudo_execution
-w /etc/sudoers -p wa -k sudoers_changes

# Monitor authentication
-w /var/log/auth.log -p wa -k auth_log

Windows Event Log Integration

Monitor Windows security events:
  • Event ID 4624: Successful account logon
  • Event ID 4625: Failed logon attempt
  • Event ID 4672: Special privileges assigned to new logon
  • Event ID 4688: New process creation
  • Event ID 4663: File or object access attempt
  • Event ID 4719: System audit policy change
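The Event IDs above are only useful once something turns them into findings. The following Python script is an added example (not part of the Wazuh documentation or code base): it runs simple detection logic over constructed Windows Security Event Log records already normalised to a small dict shape, flagging a run of 4625 failures followed by a 4624 success, 4672 special-privilege logons for accounts outside an allowlist, and every 4719 audit policy change. The record shape, the thresholds and the allowlist are assumptions.

```python
"""Detection logic over sample Windows Security Event Log records.

Added example, not part of the Wazuh documentation or code base. It assumes
records already normalised to the small dict shape below (constructed here);
the thresholds and the privileged-account allowlist are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records using the Event IDs listed above.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T02:10:00", "event_id": 4625, "user": "jdoe", "host": "WS01"},
    {"ts": "2024-05-01T02:10:07", "event_id": 4625, "user": "jdoe", "host": "WS01"},
    {"ts": "2024-05-01T02:10:15", "event_id": 4625, "user": "jdoe", "host": "WS01"},
    {"ts": "2024-05-01T02:10:21", "event_id": 4625, "user": "jdoe", "host": "WS01"},
    {"ts": "2024-05-01T02:11:00", "event_id": 4624, "user": "jdoe", "host": "WS01"},
    {"ts": "2024-05-01T02:11:01", "event_id": 4672, "user": "jdoe", "host": "WS01"},
    {"ts": "2024-05-01T09:00:00", "event_id": 4624, "user": "svc-backup", "host": "FS01"},
    {"ts": "2024-05-01T09:00:01", "event_id": 4672, "user": "svc-backup", "host": "FS01"},
    {"ts": "2024-05-01T09:30:00", "event_id": 4719, "user": "jdoe", "host": "WS01"},
    {"ts": "2024-05-01T11:00:00", "event_id": 4625, "user": "bob", "host": "WS02"},
]

# Constructed allowlist of accounts expected to receive special privileges (4672).
PRIVILEGED_ALLOWLIST = {"Administrator", "svc-backup"}


def _ts(e):
    return datetime.fromisoformat(e["ts"])


def failed_then_success(events, threshold=3, window=timedelta(minutes=5)):
    """Users with >= threshold 4625 failures inside `window` before a 4624 success.

    Returns a list of (user, host, failure_count) findings.
    """
    findings = []
    recent = defaultdict(list)          # (user, host) -> timestamps of recent failures
    for e in sorted(events, key=_ts):
        key = (e["user"], e["host"])
        now = _ts(e)
        # keep only the failures that still fall inside the sliding window
        recent[key] = [t for t in recent[key] if now - t <= window]
        if e["event_id"] == 4625:
            recent[key].append(now)
        elif e["event_id"] == 4624 and len(recent[key]) >= threshold:
            findings.append((e["user"], e["host"], len(recent[key])))
            recent[key] = []
    return findings


def unexpected_privileged_logons(events, allowlist=PRIVILEGED_ALLOWLIST):
    """Users granted special privileges (4672) who are not on the allowlist."""
    return sorted({e["user"] for e in events
                   if e["event_id"] == 4672 and e["user"] not in allowlist})


def audit_policy_changes(events):
    """Every 4719 record: an audit policy change is a tampering indicator and is always reviewed."""
    return [e for e in events if e["event_id"] == 4719]


def analyze(events):
    """Map findings onto the severity tiers used in the Alert Types section."""
    alerts = []
    for user, host, n in failed_then_success(events):
        alerts.append(("high", f"{n} failed logons then success for {user} on {host}"))
    for user in unexpected_privileged_logons(events):
        alerts.append(("critical", f"special privileges assigned to unexpected account {user}"))
    for e in audit_policy_changes(events):
        alerts.append(("high", f"audit policy changed by {e['user']} on {e['host']} at {e['ts']}"))
    return alerts


if __name__ == "__main__":
    for severity, message in analyze(SAMPLE_EVENTS):
        print(f"[{severity}] {message}")
```

The sliding window is keyed on (user, host) so that a handful of old failures on another machine do not inflate the count; a single failure (the `bob` record) never produces a finding.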

Critical Files to Monitor

Linux Systems

/etc/passwd          # User account information
/etc/shadow          # Encrypted passwords
/etc/group           # Group definitions
/etc/sudoers         # Sudo configuration
/etc/ssh/sshd_config # SSH configuration
/var/log/auth.log    # Authentication logs
/etc/pam.d/          # PAM configuration
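The auditd rules in the Linux (auditd) Integration section and the critical-file list above are easy to let drift apart: a file gets added to the list without a matching `-w` watch, or a watch carries `wa` when a read of the file is itself the event of interest. The Python script below is an added example, not part of the Wazuh documentation or code base. It parses the `-w/-p/-k` watch rules and `-a/-F/-S` syscall rules shown above, then reports which critical paths still lack the audit permissions a constructed policy requires (the `REQUIRED_PERMS` policy, including the `r` on `/etc/shadow`, is an assumption).

```python
"""Parse auditd rules and check them against a critical-file list.

Added example, not part of the Wazuh documentation or code base. It assumes
the rule syntax shown above (-w/-p/-k watches and -a/-F/-S syscall rules);
SAMPLE_RULES reproduces the rule set from the page and REQUIRED_PERMS is a
constructed policy for the critical files listed above.
"""
import shlex
from dataclasses import dataclass

# Constructed sample: the rule set from the Linux (auditd) Integration section.
SAMPLE_RULES = """
# Monitor file access
-w /etc/passwd -p wa -k passwd_changes
-w /etc/shadow -p wa -k shadow_changes

# Monitor command execution
-a always,exit -F arch=b64 -S execve -k command_execution

# Monitor privilege escalation
-w /usr/bin/sudo -p x -k sudo_execution
-w /etc/sudoers -p wa -k sudoers_changes

# Monitor authentication
-w /var/log/auth.log -p wa -k auth_log
"""

# Constructed policy: permissions each critical path must be audited for.
# A read of /etc/shadow is a security event in its own right, so 'r' is required there.
REQUIRED_PERMS = {
    "/etc/passwd": "wa",
    "/etc/shadow": "rwa",
    "/etc/group": "wa",
    "/etc/sudoers": "wa",
    "/etc/ssh/sshd_config": "wa",
    "/var/log/auth.log": "wa",
    "/etc/pam.d/": "wa",
}


@dataclass
class WatchRule:
    path: str
    perms: set
    key: str


@dataclass
class SyscallRule:
    action: str
    filters: list
    syscalls: list
    key: str


def parse_rules(text):
    """Return (watch_rules, syscall_rules) parsed from auditd rule text."""
    watches, syscalls = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        tokens = shlex.split(line)
        opts, filters, syscall_list = {}, [], []
        i = 0
        while i < len(tokens):
            flag = tokens[i]
            has_val = i + 1 < len(tokens) and not tokens[i + 1].startswith("-")
            val = tokens[i + 1] if has_val else None
            if flag == "-F":
                filters.append(val)
            elif flag == "-S":
                syscall_list.extend(val.split(","))
            else:
                opts[flag] = val
            i += 2 if has_val else 1
        if "-w" in opts:
            # a watch without -p audits all of r, w, x, a
            watches.append(WatchRule(opts["-w"], set(opts.get("-p") or "rwxa"), opts.get("-k", "")))
        elif "-a" in opts:
            syscalls.append(SyscallRule(opts["-a"], filters, syscall_list, opts.get("-k", "")))
    return watches, syscalls


def _norm(path):
    return path.rstrip("/") or "/"


def covering_rules(path, watches):
    """Watches that apply to `path`: an exact match or a watched parent directory."""
    target = _norm(path)
    return [w for w in watches
            if target == _norm(w.path) or target.startswith(_norm(w.path) + "/")]


def coverage_report(rules_text, required=REQUIRED_PERMS):
    """Map each critical path to the permissions still missing (empty set = fully covered)."""
    watches, _ = parse_rules(rules_text)
    gaps = {}
    for path, perms in required.items():
        covered = set()
        for w in covering_rules(path, watches):
            covered |= w.perms
        gaps[path] = set(perms) - covered
    return gaps


def has_execve_audit(rules_text):
    """True when an always,exit rule audits execve (command execution monitoring)."""
    _, syscalls = parse_rules(rules_text)
    return any(r.action == "always,exit" and "execve" in r.syscalls for r in syscalls)


if __name__ == "__main__":
    for path, missing in coverage_report(SAMPLE_RULES).items():
        status = "ok" if not missing else "missing perms " + "".join(sorted(missing))
        print(f"{path:25} {status}")
    print("execve audited:", has_execve_audit(SAMPLE_RULES))
```

Run against the page's own rule set, the report shows `/etc/group`, `/etc/ssh/sshd_config` and `/etc/pam.d/` with no watch at all and `/etc/shadow` missing the `r` permission, which is exactly the kind of drift the Compliance Reports section's "audit coverage verification" is meant to catch.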

Windows Systems

C:\Windows\System32\config\SAM      # Security Account Manager
C:\Windows\System32\config\SECURITY # Security settings
HKLM\SOFTWARE\Microsoft\Windows     # Registry keys
C:\Windows\System32\drivers\etc\hosts # Hosts file

Integration with Other Modules

System Auditing works with other security modules:
  • File Integrity Monitoring: Correlate file changes with user actions
  • Threat Hunting: Investigate suspicious activities
  • Configuration Assessment: Verify audit configuration compliance
  • Malware Detection: Link malware activities to user actions
  • Vulnerability Detection: Track exploitation attempts

Alert Types

Critical Alerts

  • Unauthorized access to sensitive files
  • Privilege escalation attempts
  • Suspicious command execution by privileged users
  • After-hours access to critical systems
  • Mass file deletion or modification

High Severity Alerts

  • Failed authentication attempts
  • Access to restricted directories
  • Execution of dangerous commands
  • Audit log tampering attempts
  • Policy violation events

Medium Severity Alerts

  • Unusual user activity patterns
  • Access to monitored files
  • Command execution outside normal patterns
  • Configuration file access

Best Practices

  1. Define Clear Audit Policies: Document what activities should be audited and why
  2. Monitor Privileged Accounts: Focus on administrative and service accounts
  3. Protect Audit Logs: Secure audit logs from tampering and deletion
  4. Regular Review: Schedule regular reviews of audit logs
  5. Retention Policies: Maintain logs for required compliance periods
  6. Alert Tuning: Fine-tune alerts to reduce false positives
  7. Correlation: Correlate audit events with other security data
  8. Training: Train staff on proper audit log interpretation
  9. Automate Analysis: Use automated tools for log analysis
  10. Incident Response Integration: Incorporate audit data into IR processes

Performance Considerations

Audit Volume Management

  • Selective Auditing: Only audit necessary activities
  • Log Rotation: Implement proper log rotation policies
  • Storage Planning: Ensure adequate storage for audit logs
  • Network Bandwidth: Consider bandwidth for centralized logging

System Impact

  • Audit Rule Efficiency: Write efficient audit rules
  • Resource Monitoring: Monitor system resources during auditing
  • Batch Processing: Process logs in batches during off-peak hours
  • Index Optimization: Optimize indices for audit data

Audit Log Analysis

Search and Filtering

Efficiently search audit logs:
  • User-based Searches: Find all activities by specific users
  • Time-based Searches: Review activities during specific timeframes
  • Command Searches: Locate specific command executions
  • File Access Searches: Find access to specific files or directories
  • Event Type Filtering: Filter by audit event types

Correlation Analysis

Correlate audit events for deeper insights:
  1. Link related events from multiple systems
  2. Build activity timelines for investigations
  3. Identify patterns and anomalies
  4. Detect multi-stage attacks
  5. Support forensic analysis

Reporting

Generate comprehensive audit reports:

Compliance Reports

  • Audit coverage verification
  • Access control effectiveness
  • Privileged account usage
  • Policy violation summaries

Security Reports

  • Suspicious activity summaries
  • Failed access attempts
  • Privilege escalation events
  • Critical file access logs

Operational Reports

  • User activity summaries
  • System usage statistics
  • Command execution patterns
  • Resource access trends

Component Architecture

The System Auditing module leverages:
// Integration with audit subsystems
Module: audit
  Title: System auditing
  AppId: system-auditing
  Description: Audit users behavior, monitoring command execution
               and alerting on access to critical files
Location in codebase: /plugins/main/common/wazuh-modules.ts

Log Sources

Linux

  • auditd logs
  • syslog
  • auth.log
  • sudo logs
  • PAM logs

Windows

  • Security Event Log
  • System Event Log
  • Application Event Log
  • PowerShell logs
  • Sysmon logs

macOS

  • BSM audit logs
  • system.log
  • secure.log
  • fslogger logs