The audit service is provided for system auditing. Under its default configuration, auditd has modest disk space requirements, and should not noticeably impact system performance. The audit service, configured with at least its default rules, is strongly recommended for all sites, regardless of whether they are running SELinux. In this post, i will share with you the basic steps to install and configure auditd on Linux CentOS 6.3.
The auditing requirements include :
a. Ensure Auditing is Configured to Collect Certain System Events
– Information on the Use of Print Command (unsuccessful and successful)
– Startup and Shutdown Events (unsuccessful and successful)
b. Ensure the auditing software can record the following for each audit event:
– Date and time of the event
– Userid that initiated the event
– Type of event
– Success or failure of the event
– For I&A events, the origin of the request (e.g., terminal ID)
– For events that introduce an object into a user’s address space, and for object deletion events, the name of the object, and in MLS systems, the objects security level.
c. Ensure files are backed up no less than weekly onto a different system than the system being audited or backup media.
e. Ensure old logs are closed out and new audit logs are started daily
f. Ensure the configuration is immutable. With the -e 2 setting a reboot will be required to change any audit rules.
g. Ensure that the audit data files have permissions of 640, or more restrictive.
1. To install the auditd service :
[[email protected] ~]# yum install audit -y
2. To ensure that the auditd service star at boot:
[[email protected] ~]# chkconfig auditd on
By default, auditd logs only SELinux denials, which are helpful for debugging SELinux and discovering intrusion attempts, and certain types of security events, such as modifications to user accounts (useradd, passwd, etc), login events, and calls to sudo. Data is stored in /var/log/audit/audit.log.
3. Configure the auditd :
[[email protected] ~]# vim /etc/audit/auditd.conf
# # This file controls the configuration of the audit daemon # log_file = /var/log/audit/audit.log log_format = RAW log_group = root priority_boost = 4 flush = INCREMENTAL freq = 20 num_logs = 5 disp_qos = lossy dispatcher = /sbin/audispd name_format = NONE ##name = mydomain max_log_file = 6 max_log_file_action = ROTATE space_left = 75 space_left_action = SYSLOG action_mail_acct = root admin_space_left = 50 admin_space_left_action = SUSPEND disk_full_action = SUSPEND disk_error_action = SUSPEND ##tcp_listen_port = tcp_listen_queue = 5 tcp_max_per_addr = 1 ##tcp_client_ports = 1024-65535 tcp_client_max_idle = 0 enable_krb5 = no krb5_principal = auditd ##krb5_key_file = /etc/audit/audit.key
4. Stop and Start the auditd service :
[[email protected] ~]# /etc/init.d/auditd stop Stopping auditd: [ OK ] [[email protected] ~]# /etc/init.d/auditd start Starting auditd: [ OK ]