RHEL7: How to get started with the Audit system.

Presentation of the Audit system

Configuration Procedure

By default the Audit system is installed:

# rpm -qa | grep audit
audit-libs-2.6.5-3.el7_3.1.x86_64
audit-2.6.5-3.el7_3.1.x86_64

The Audit system main configuration is stored in the /etc/audit/audit.conf file.

Audit rules are located in the /etc/audit/rules.d directory. As the Audit system activation brings a performance overhead, the default configuration doesn’t log anything:

# First rule - delete all
-D

# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 320

To start auditing events, new rules as those coming with the STIG (Security Technical Implementation Guide) provided by the United States Department of Defense have to be activated:

# cp /usr/share/doc/audit*/rules/10-base-config.rules /etc/audit/rules.d/
# cp /usr/share/doc/audit*/rules/30-stig.rules /etc/audit/rules.d/
# rm /etc/audit/rules.d/audit.rules
# sed -i -e '95,+5 s/^/#/' 30-stig.rules

Note: The last instruction removes the numerous events triggered by the use of the chown & chmod commands.

# service auditd restart

Source: Suse.

journalctl _TRANSPORT=audit

Additional Resources

The official RedHat documentation about the Audit system is available through the RHEL 7 Security Guide.
You can also read this Introduction to the Audit system on RHEL 7 or How to enable and configure Auditd on CentOS 7.

Andrew Mallett wrote several tutorials about:

• Introducing the Linux Audit system,
• Understanding the auditd.conf and Restarting the Audit Server,
• Creating Custom Audit Rules in CentOS 7.

The Linux-audit.com website provides several tutorials to dive into the Audit system:

• Configuring and auditing Linux systems with Audit daemon,
• Monitor file access by Linux processes,
• Tuning auditd: High Performance Linux Auditing,
• Linux Audit Framework 101 – Basic Rules for Configuration,
• Monitoring Linux File Access, Changes and Data Modifications,
• Linux audit – Log files in /var/log/audit,
• Central audit logging: Configuration and collecting of Linux audit events,
• Linux Audit Framework: using aureport,
• Linux audit log: dealing with audit.log file.

The Tecmint website also offers two tutorials about the Audit system:

• How to Query Audit Logs Using ‘ausearch’ Tool on CentOS/RHEL,
• Learn Linux System Auditing with Auditd Tool on CentOS/RHEL.

Luc de Louw wrote an article about Auditing your systems for security compliance with OpenSCAP.