RHEL7: How to get started with the Audit system.


Presentation of the Audit system

Linux Audit System

Configuration Procedure

By default the Audit system is installed:

# rpm -qa | grep audit
audit-libs-2.6.5-3.el7_3.1.x86_64
audit-2.6.5-3.el7_3.1.x86_64

The main configuration of the Audit daemon is stored in the /etc/audit/auditd.conf file.

Audit rules are located in the /etc/audit/rules.d directory. Because activating the Audit system brings a performance overhead, the default configuration doesn’t log anything:

# First rule - delete all
-D

# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 320

To start auditing events, new rules have to be activated, for example those shipped with the audit package and derived from the STIG (Security Technical Implementation Guide) published by the United States Department of Defense:

# cp /usr/share/doc/audit*/rules/10-base-config.rules /etc/audit/rules.d/
# cp /usr/share/doc/audit*/rules/30-stig.rules /etc/audit/rules.d/
# rm /etc/audit/rules.d/audit.rules
# sed -i -e '95,+5 s/^/#/' /etc/audit/rules.d/30-stig.rules

Note: The last instruction comments out the rules that would otherwise generate numerous events every time the chown and chmod commands are used.

# service auditd restart

Source: Suse.
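The procedure above deletes /etc/audit/rules.d/audit.rules before adding the STIG rules. The following added example (not part of the original page, and run only on constructed temporary directories, never on /etc/audit) emulates how augenrules merges the rules.d files in sorted order and shows why a leftover audit.rules, with its own -D, would silently flush the STIG watches:

```shell
#!/bin/sh
# Added example: emulate the augenrules merge of rules.d/*.rules (lexical
# order, comments and blank lines dropped) and sanity-check the result.

# merge_rules DIR: concatenate DIR/*.rules in sorted order, dropping
# full-line comments and blank lines, as augenrules does before auditctl -R.
merge_rules() {
    cat "$1"/*.rules 2>/dev/null | sed -e '/^[[:space:]]*#/d' -e '/^[[:space:]]*$/d'
}

# count_rules DIR: number of effective rule lines after merging.
count_rules() {
    merge_rules "$1" | wc -l | tr -d ' '
}

# check_rules DIR: returns 0 when a -b buffer size is set and the only "-D"
# (delete all rules) is the very first line. A "-D" appearing later in the
# merged output discards every rule loaded before it.
check_rules() {
    merged=$(merge_rules "$1")
    [ "$(printf '%s\n' "$merged" | head -n 1)" = "-D" ] || return 1
    [ "$(printf '%s\n' "$merged" | grep -c '^-D$')" = "1" ] || return 1
    printf '%s\n' "$merged" | grep -q '^-b [0-9][0-9]*$' || return 1
}

# Constructed rules.d mirroring the page's layout after the procedure.
GOOD=$(mktemp -d)
cat > "$GOOD/10-base-config.rules" <<'EOF'
## First rule - delete all
-D
## Increase the buffers to survive stress events.
-b 8192
-f 1
EOF
cat > "$GOOD/30-stig.rules" <<'EOF'
## Constructed subset of the STIG rules
-w /etc/passwd -p wa -k identity
-w /etc/group -p wa -k identity
# -w /etc/gshadow -p wa -k identity   (commented out, as with sed 's/^/#/')
EOF

# Same layout, but the default audit.rules was NOT removed: it sorts after
# 30-stig.rules, so its own -D flushes the STIG watches at load time.
BAD=$(mktemp -d)
cp "$GOOD"/*.rules "$BAD"/
printf '%s\n' '-D' '-b 320' > "$BAD/audit.rules"

check_rules "$GOOD" && echo "rules.d OK: $(count_rules "$GOOD") rules"
check_rules "$BAD" || echo "rules.d BROKEN: stray -D after the STIG rules"
```

On a real system the merged result is what `auditctl -l` reports after `service auditd restart`, so the same check can be run against that output.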

Audit messages can also be read through the journal:

journalctl _TRANSPORT=audit

Additional Resources

The official RedHat documentation about the Audit system is available through the RHEL 7 Security Guide.
You can also read this Introduction to the Audit system on RHEL 7 or How to enable and configure Auditd on CentOS 7.

Andrew Mallett wrote several tutorials about:

The Linux-audit.com website provides several tutorials to dive into the Audit system:

The Tecmint website also offers two tutorials about the Audit system:

Luc de Louw wrote an article about Auditing your systems for security compliance with OpenSCAP.
