Audit or track system hostname change on Linux|Centos|RHEL|Ubuntu|Debian

On a Linux system, by auditing a few system calls and some specific files we can easily track who changes the system hostname. Refer to the Solution section for the system calls and files required to audit or track a system hostname change on a Linux|Centos|RHEL|Ubuntu|Debian system.


Topic

  • How to audit a system hostname change?
  • Audit hostname change on a Linux|Centos|RHEL|Ubuntu|Debian system
  • Track who changed system hostname
  • Linux audit track system hostname change


Solution


The following system calls and files need to be covered by the audit rules.

  • sethostname()
  • setdomainname()
  • /etc/issue
  • /etc/issue.net
  • /etc/hosts
  • /etc/sysconfig/network

Execute the following commands to start tracking hostname changes at run time, without restarting the auditd service.

auditctl -a exit,always -F arch=b32 -S sethostname -S setdomainname -k hostchange
auditctl -a exit,always -F arch=b64 -S sethostname -S setdomainname -k hostchange
auditctl -w /etc/issue -p wa -k hostchange
auditctl -w /etc/issue.net -p wa -k hostchange
auditctl -w /etc/hosts -p wa -k hostchange
auditctl -w /etc/sysconfig/network -p wa -k hostchange

Note (permissions given to -p)
w –> Write
a –> Attribute change

Make the above rules permanent by adding the following lines to the /etc/audit/rules.d/audit.rules file.

#Track system hostname change
-a exit,always -F arch=b32 -S sethostname -S setdomainname -k hostchange
-a exit,always -F arch=b64 -S sethostname -S setdomainname -k hostchange
-w /etc/issue -p wa -k hostchange
-w /etc/issue.net -p wa -k hostchange
-w /etc/hosts -p wa -k hostchange
-w /etc/sysconfig/network -p wa -k hostchange

Restart the auditd service and validate that the rules are loaded.

# service auditd restart
# auditctl -l
-a always,exit -F arch=b32 -S sethostname,setdomainname -F key=hostchange
-a always,exit -F arch=b64 -S sethostname,setdomainname -F key=hostchange
-w /etc/issue -p wa -k hostchange
-w /etc/issue.net -p wa -k hostchange
-w /etc/hosts -p wa -k hostchange
-w /etc/sysconfig/network -p wa -k hostchange

Test

Wait for a hostname change event to occur, then execute the following command to search for it by key.

# ausearch -k hostchange

time->Sun Sep 15 00:51:23 2019
type=PROCTITLE msg=audit(1568488883.835:236): proctitle=686F73746E616D650074656B66696B
type=SYSCALL msg=audit(1568488883.835:236): arch=c000003e syscall=170 success=yes exit=0 a0=b29010 a1=6 a2=6 a3=7ffc79f5de60 items=0 ppid=1591 pid=1909 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="hostname" exe="/usr/bin/hostname" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="hostchange"

The above output shows that the root user executed the hostname command to change the system hostname.
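Reading raw ausearch records by eye is tedious, so here is an added example (not part of the original post) that parses records like the one above: it merges the PROCTITLE and SYSCALL records of one event, decodes the hex proctitle back into the command line (which reveals the new hostname), and maps the syscall number to its name using the x86_64 and i386 tables for the two rules. The sample input is constructed from the event shown above.

```python
import re

# Constructed sample input: the two audit records of the event shown above (event id 236).
SAMPLE_RECORDS = """\
time->Sun Sep 15 00:51:23 2019
type=PROCTITLE msg=audit(1568488883.835:236): proctitle=686F73746E616D650074656B66696B
type=SYSCALL msg=audit(1568488883.835:236): arch=c000003e syscall=170 success=yes exit=0 a0=b29010 a1=6 a2=6 a3=7ffc79f5de60 items=0 ppid=1591 pid=1909 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="hostname" exe="/usr/bin/hostname" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="hostchange"
"""

# Syscall numbers per audit arch: c000003e = x86_64 (the b64 rule), 40000003 = i386 (the b32 rule).
SYSCALL_NAMES = {
    "c000003e": {170: "sethostname", 171: "setdomainname"},
    "40000003": {74: "sethostname", 121: "setdomainname"},
}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one 'type=... msg=audit(...)' record into a field -> value dict."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def decode_proctitle(hexstr):
    """proctitle is hex-encoded argv with NUL separators; render it as a command line."""
    return bytes.fromhex(hexstr).replace(b"\x00", b" ").decode("utf-8", "replace").strip()

def summarize_events(text):
    """Merge the records sharing one event id and summarize those tagged hostchange."""
    events = {}
    for line in text.splitlines():
        if not line.startswith("type="):
            continue  # skip the 'time->' header that ausearch prints
        rec = parse_record(line)
        event_id = rec["msg"].split(":")[1].rstrip(")")
        events.setdefault(event_id, {}).update(rec)
    summaries = []
    for event_id, rec in events.items():
        if rec.get("key") != "hostchange":
            continue
        num = int(rec["syscall"]) if "syscall" in rec else None
        summaries.append({
            "event_id": event_id,
            "auid": rec.get("auid"),  # login uid: the real actor even after su/sudo
            "uid": rec.get("uid"),
            "exe": rec.get("exe"),
            "success": rec.get("success"),
            "syscall": SYSCALL_NAMES.get(rec.get("arch"), {}).get(num, num),
            "cmdline": decode_proctitle(rec["proctitle"]) if "proctitle" in rec else None,
        })
    return summaries
```

Records produced by the -w file watches carry the same key but a different syscall number (an open or write), which the summary then reports as a raw number.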


About the Author: TekFik

TekFik is a technical blogging site helps techies and engineers to solve their day to day issues and also allows everyone to share knowledge and feedback. Please feel free to contact us at tekfik.rd@gmail.com if there is anything.
