AuditD
Beginning with Cisco NX-OS Release 10.6(1)F, you can enable the AuditD feature to monitor the commands that are executed in the guest shell.
This chapter describes how to configure audit log reporting on Cisco NX-OS devices.
Following are the guidelines and limitations for AuditD:

- This feature can be enabled only on platforms that have more than 16 GB of memory.
- No SNMP support is available for this feature.
- The Tetragon and AuditD features cannot be enabled together; only one of them can be configured at a time.
- AuditD rules are read-only and must not be modified.
- On NX-OS Release 10.6(1)F, the syslog format for this feature is AUDIT-6-INFO.
- This feature monitors activities in the guest shell and on the supervisor only. Monitoring activities on an LC or vHost is not supported.
Follow these steps to configure AuditD.

| Step | Command or Action | Purpose |
|---|---|---|
| 1 | configure terminal | Enters global configuration mode. |
| 2 | feature audit | Enables the AuditD feature. Use the no form of this command to disable the feature. |
| 3 | audit monitor all | Enables all AuditD rules, including the rules for Guest Shell. This command cannot be configured while audit monitor guest-shell is configured; disable audit monitor guest-shell first. Use the no form of this command to delete the configuration. |
| 4 | audit monitor guest-shell | Enables the rules that monitor guest-shell commands. This command cannot be configured while audit monitor all is configured; disable audit monitor all first. Use the no form of this command to delete the configuration. |
| 5 | logging level audit 6 | Enables printing of AuditD logs to syslog. By default this is disabled and the audit logging level is 5; set it to 6 to have AuditD messages sent to syslog. This is an existing logging-level configuration that allows syslog to be streamed to a remote server. Use the no form of this command to delete the configuration. Audit logs are also kept on the switch in /nxos/tmp/auditd/audit.log; at most 5 files of 8 MB each are created in /nxos/tmp/auditd/, after which the logs are rotated. Pushing the AuditD logs to a syslog server is recommended. |
| 6 | logging logfile messages 6 size 4194304 persistent threshold 0 | Streams syslog. Sets the logfile logging level to 6. |
Following are the monitor rules for the guest shell:

```
-a always,exit -F arch=b64 -S execve -F dir=/isan/vdc_1/virtual-instance/guestshell+/rootfs -F key=gShell_Cmds
-a always,exit -F arch=b32 -S execve -F dir=/isan/vdc_1/virtual-instance/guestshell+/rootfs -F key=gShell_Cmds
-w /isan/vdc_1/virtual-instance/guestshell+/rootfs/etc/crontab -p wa -k gShell_cron_changes
-w /isan/vdc_1/virtual-instance/guestshell+/rootfs/etc/cron.d -p wa -k gShell_cron_changes
-w /isan/vdc_1/virtual-instance/guestshell+/rootfs/etc/cron.daily -p wa -k gShell_cron_changes
-w /isan/vdc_1/virtual-instance/guestshell+/rootfs/etc/cron.hourly -p wa -k gShell_cron_changes
-w /isan/vdc_1/virtual-instance/guestshell+/rootfs/etc/cron.weekly -p wa -k gShell_cron_changes
-w /isan/vdc_1/virtual-instance/guestshell+/rootfs/etc/cron.monthly -p wa -k gShell_cron_changes
-w /isan/vdc_1/virtual-instance/guestshell+/rootfs/bin/kmod -p wa -k gShell_modules_changes
-w /isan/vdc_1/virtual-instance/guestshell+/rootfs/etc/passwd -p wa -k gShell_passwd_changes
-w /isan/vdc_1/virtual-instance/guestshell+/rootfs/etc/shadow -p wa -k gShell_shadow_changes
-w /isan/vdc_1/virtual-instance/guestshell+/rootfs/etc/group -p wa -k gShell_group_changes
-w /isan/vdc_1/virtual-instance/guestshell+/rootfs/etc/sudoers -p wa -k gShell_sudoers_changes
-w /isan/vdc_1/virtual-instance/guestshell+/rootfs/etc/hosts -p wa -k gShell_hosts_changes
-w /isan/vdc_1/virtual-instance/guestshell+/rootfs/etc/resolv.conf -p wa -k gShell_dns_changes
-w /isan/vdc_1/virtual-instance/guestshell+/rootfs/var/volatile/log -p wa -k gShell_log_changes
-w /isan/vdc_1/virtual-instance/guestshell+/rootfs/usr/bin -p wa -k gShell_usr_bin_changes
-w /isan/vdc_1/virtual-instance/guestshell+/rootfs/usr/sbin -p wa -k gShell_usr_sbin_changes
```
Following are the monitor rules for the supervisor (default):

```
-w /etc/crontab -p wa -k cron_changes
-w /etc/cron.d -p wa -k cron_changes
-w /etc/cron.daily -p wa -k cron_changes
-w /etc/cron.hourly -p wa -k cron_changes
-w /etc/cron.weekly -p wa -k cron_changes
-w /etc/cron.monthly -p wa -k cron_changes
-w /bin -p wa -k bin_changes
-w /sbin -p wa -k sbin_changes
-w /usr/bin -p wa -k usr_bin_changes
-w /usr/sbin -p wa -k usr_sbin_changes
-w /usr/bin/dockerd -p wa -k docker_daemon
-w /bin/kmod -p x -k modules_changes
-w /etc/passwd -p wa -k passwd_changes
-w /etc/shadow -p wa -k shadow_changes
-w /etc/group -p wa -k group_changes
-w /etc/sudoers -p wa -k sudoers_changes
-w /etc/hosts -p wa -k hosts_changes
-w /etc/resolv.conf -p wa -k dns_changes
-w /etc/localtime -p wa -k time_changes
-w /var/volatile/log/auth.log -p wa -k auth_logs
-w /var/volatile/log/sudo.log -p wa -k sudo_usage
-w /var/volatile/log/wtmp -p wa -k shutdown_reboot
-w /var/volatile/log -p wa -k log_changes
-w /logflash/log -p wa -k log_changes
-w /var/lib/docker -p wa -k docker_storage
-a always,exit -F arch=b64 -S execve -F path=/usr/bin/docker -F key=docker_commands
```
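As an added example (not part of the Cisco documentation), the following Python parser shows how the records in audit.log tie back to the rule keys above: it groups records by audit event serial, rebuilds the command line for an execve rule hit (including auditd's hex-encoded arguments) and names the touched file for a watch-rule hit, and uses the gShell_ key prefix to tell guest-shell events from supervisor events. The sample records, field values and the summarize() output format are constructed assumptions.

```python
import re
import shlex
from collections import defaultdict
# Constructed sample audit.log records (not real switch output). Event 101: an execve under
# the guest shell rootfs, matched by the gShell_Cmds rule; a2 is hex-encoded, as auditd writes
# arguments containing whitespace. Event 102: a write-open of /etc/sudoers on the supervisor.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:101): arch=c000003e syscall=59 success=yes exit=0 ppid=410 pid=412 auid=1001 uid=0 gid=0 euid=0 comm="sh" exe="/bin/sh" key="gShell_Cmds"
type=EXECVE msg=audit(1700000000.101:101): argc=3 a0="sh" a1="-c" a2=6563686F2068656C6C6F20776F726C64
type=CWD msg=audit(1700000000.101:101): cwd="/home/guestshell"
type=PATH msg=audit(1700000000.101:101): item=0 name="/bin/sh" inode=1234 mode=0100755
type=SYSCALL msg=audit(1700000000.205:102): arch=c000003e syscall=257 success=yes exit=3 ppid=500 pid=501 auid=1001 uid=0 gid=0 euid=0 comm="vi" exe="/usr/bin/vi" key="sudoers_changes"
type=CWD msg=audit(1700000000.205:102): cwd="/root"
type=PATH msg=audit(1700000000.205:102): item=0 name="/etc/" inode=2 mode=040755
type=PATH msg=audit(1700000000.205:102): item=1 name="/etc/sudoers" inode=77 mode=0100440
"""
HEADER_RE = re.compile(r'^type=(\w+) msg=audit\(\d+\.\d+:(\d+)\):\s*(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # values are kept raw, quotes included

def decode_arg(raw):
    """EXECVE args are quoted, or unquoted hex when they contain whitespace/control chars."""
    if raw.startswith('"'):
        return raw.strip('"')
    return bytes.fromhex(raw).decode("utf-8", "replace")

def parse_events(text):
    """Group records by audit event serial: {serial: [(record type, raw fields), ...]}."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            rtype, serial, rest = m.groups()
            events[int(serial)].append((rtype, dict(FIELD_RE.findall(rest))))
    return events

def summarize(text):
    """One finding per event: rule key, login user (auid survives su/sudo), command or file."""
    findings = []
    for serial, records in sorted(parse_events(text).items()):
        by_type = {t: f for t, f in records if t != "PATH"}
        paths = [f["name"].strip('"') for t, f in records if t == "PATH"]
        sc, ex = by_type.get("SYSCALL", {}), by_type.get("EXECVE")
        key = sc.get("key", "").strip('"')
        if ex:  # -S execve rule: argv is a0..a(argc-1); shlex.join keeps argument boundaries visible
            detail = shlex.join(decode_arg(ex[f"a{i}"]) for i in range(int(ex["argc"])))
        else:   # -w watch rule: the last PATH item is the object that was touched
            detail = paths[-1] if paths else "?"
        findings.append({"serial": serial, "key": key, "guest_shell": key.startswith("gShell_"),
                         "auid": sc.get("auid"), "detail": detail,
                         "cwd": by_type.get("CWD", {}).get("cwd", "").strip('"')})
    return findings
```

Run over the audit.log copy pulled from the switch or the AUDIT-6-INFO messages received by the syslog server; events whose key starts with gShell_ are the guest-shell activity the feature was enabled to watch.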
Use the following commands to display configuration details for AuditD:

| Command | Purpose |
|---|---|
| show audit status | Displays the audit status. |
| show running-config audit [all] | Displays the current running configuration for the AuditD feature. |
| show logging level audit | Displays the default logging level and the current logging level for audit. |
| show tech-support auditd | Displays the technical support output for AuditD. |