Presentation of the Audit system
By default the Audit system is installed:
# rpm -qa | grep audit
audit-libs-2.6.5-3.el7_3.1.x86_64
audit-2.6.5-3.el7_3.1.x86_64
The main configuration of the Audit system is stored in the /etc/audit/auditd.conf file.
Audit rules are located in the /etc/audit/rules.d directory. Because enabling the Audit system brings a performance overhead, the default configuration doesn't log anything:
# First rule - delete all
-D
# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 320
To start auditing events, rules have to be activated, for example those shipped with the audit package and derived from the STIG (Security Technical Implementation Guide) published by the United States Department of Defense:
# cp /usr/share/doc/audit*/rules/10-base-config.rules /etc/audit/rules.d/
# cp /usr/share/doc/audit*/rules/30-stig.rules /etc/audit/rules.d/
# rm /etc/audit/rules.d/audit.rules
# sed -i -e '95,+5 s/^/#/' 30-stig.rules
Note: The last instruction comments out the rules that generate the numerous events triggered by the use of the chown and chmod commands.
# service auditd restart
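As an added example (not part of the original page), the script below rehearses the rules.d setup above in a scratch directory: it writes constructed stand-ins for 10-base-config.rules and 30-stig.rules, shows which lines the sed address `95,+5` covers, comments them out the way the page does, and concatenates the directory in lexical order as augenrules does. The rule text, the 110-line length and the position of the perm_mod rules on lines 95 to 100 are all constructed for the rehearsal; on a real host the line numbers depend on the audit package version, so check the range with the preview before running the sed in place.

```shell
#!/bin/sh
# Added example, not from the original page: rehearse the rules.d setup in a
# scratch directory so the effect of "sed -i -e '95,+5 s/^/#/'" is visible
# before it is applied under /etc/audit. The rule files written here are
# constructed stand-ins; real line numbers vary between audit versions.
set -e

WORK=$(mktemp -d)
RULES_D="$WORK/rules.d"
mkdir -p "$RULES_D"
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for 30-stig.rules: 110 lines, with perm_mod rules
# placed on lines 95-100 for the purpose of this rehearsal.
write_stub_stig() {
    i=1
    while [ "$i" -le 110 ]; do
        if [ "$i" -ge 95 ] && [ "$i" -le 100 ]; then
            printf '%s\n' "-a always,exit -F arch=b64 -S chmod,chown -F auid>=1000 -F auid!=4294967295 -k perm_mod"
        else
            printf '# stub line %s\n' "$i"
        fi
        i=$((i + 1))
    done > "$RULES_D/30-stig.rules"
}

# Constructed stand-in for 10-base-config.rules, same shape as the default
# audit.rules on the page: flush existing rules, then size the buffer.
write_stub_base() {
    printf '%s\n' '-D' '-b 8192' > "$RULES_D/10-base-config.rules"
}

# Lines that the sed address "START,+COUNT" selects: START through START+COUNT.
preview_range() {
    sed -n "$2,+$3 p" "$1"
}

# The page's step: prefix every line of the range with '#', in place (GNU sed).
comment_range() {
    sed -i -e "$2,+$3 s/^/#/" "$1"
}

# Number of lines that are still live rules (lines starting with '-').
count_active_rules() {
    grep -c '^-' "$1" || true
}

# Mimic what augenrules does: concatenate rules.d/*.rules in lexical order,
# so 10-base-config.rules is loaded before 30-stig.rules.
merge_rules() {
    cat "$RULES_D"/*.rules
}

write_stub_stig
write_stub_base
echo "Before: $(count_active_rules "$RULES_D/30-stig.rules") active rule(s) in 30-stig.rules"
echo "Lines covered by the address 95,+5:"
preview_range "$RULES_D/30-stig.rules" 95 5
comment_range "$RULES_D/30-stig.rules" 95 5
echo "After: $(count_active_rules "$RULES_D/30-stig.rules") active rule(s) in 30-stig.rules"
merge_rules > "$WORK/audit.rules"
echo "Merged rule set starts with: $(head -n 1 "$WORK/audit.rules")"
```

Run it as an unprivileged user; nothing under /etc/audit is touched. Note that `95,+5` selects six lines (95 through 100), not five, which is why the preview is worth looking at before the in-place edit.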
Andrew Mallett wrote several tutorials about:
- Introducing the Linux Audit system,
- Understanding the auditd.conf and Restarting the Audit Server,
- Creating Custom Audit Rules in CentOS 7.
The Linux-audit.com website provides several tutorials to dive into the Audit system:
- Configuring and auditing Linux systems with Audit daemon,
- Monitor file access by Linux processes,
- Tuning auditd: High Performance Linux Auditing,
- Linux Audit Framework 101 – Basic Rules for Configuration,
- Monitoring Linux File Access, Changes and Data Modifications,
- Linux audit – Log files in /var/log/audit,
- Central audit logging: Configuration and collecting of Linux audit events,
- Linux Audit Framework: using aureport,
- Linux audit log: dealing with audit.log file.
The Tecmint website also offers two tutorials about the Audit system: