How to Configure System Accounting with auditd on Linux RHEl or CENTOS

-
​The audit service is provided for system auditing. Under its default configuration, auditd has modest disk space requirements, and should not noticeably impact system performance. The audit service, configured with at least its default rules, is strongly recommended for all sites, regardless of whether they are running SELinux. In this post, i will share with you the basic steps to install and configure auditd on Linux CentOS 6.3.

The auditing requirements include :

a. Ensure Auditing is Configured to Collect Certain System Events
– Information on the Use of Print Command (unsuccessful and successful)
– Startup and Shutdown Events (unsuccessful and successful)

b. Ensure the auditing software can record the following for each audit event:
– Date and time of the event
– Userid that initiated the event
– Type of event
– Success or failure of the event
– For I&A events, the origin of the request (e.g., terminal ID)
– For events that introduce an object into a user's address space, and for object deletion events, the name of the object, and in MLS systems, the objects security level.

c. Ensure files are backed up no less than weekly onto a different system than the system being audited or backup media.

e. Ensure old logs are closed out and new audit logs are started daily

f. Ensure the configuration is immutable. With the -e 2 setting a reboot will be required to change any audit rules.

g. Ensure that the audit data files have permissions of 640, or more restrictive.

1. To install the auditd service :

[root@centos63 ~]# yum install audit -y

2. To ensure that the auditd service star at boot:

[root@centos63 ~]# chkconfig auditd on

By default, auditd logs only SELinux denials, which are helpful for debugging SELinux and discovering intrusion attempts, and certain types of security events, such as modifications to user accounts (useradd, passwd, etc), login events, and calls to sudo. Data is stored in /var/log/audit/audit.log.

3. Configure the auditd :

[root@centos63 ~]# vim /etc/audit/auditd.conf  
#  # This file controls the configuration of the audit daemon  #    log_file = /var/log/audit/audit.log  log_format = RAW  log_group = root  priority_boost = 4  flush = INCREMENTAL  freq = 20  num_logs = 5  disp_qos = lossy  dispatcher = /sbin/audispd  name_format = NONE  ##name = mydomain  max_log_file = 6  max_log_file_action = ROTATE  space_left = 75  space_left_action = SYSLOG  action_mail_acct = root  admin_space_left = 50  admin_space_left_action = SUSPEND  disk_full_action = SUSPEND  disk_error_action = SUSPEND  ##tcp_listen_port =  tcp_listen_queue = 5  tcp_max_per_addr = 1  ##tcp_client_ports = 1024-65535  tcp_client_max_idle = 0  enable_krb5 = no  krb5_principal = auditd  ##krb5_key_file = /etc/audit/audit.key

4. Stop and Start the auditd service :

[root@centos63 ~]# /etc/init.d/auditd stop  Stopping auditd:                                           [  OK  ]  [root@centos63 ~]# /etc/init.d/auditd start  Starting auditd:                                           [  OK  ]

Popular posts from this blog

Shrink you container size up to 95%.

-
BLAFS is a bloat-aware filesystem for container debloating. The design principles of BLAFS are effective, efficient, and easy to use. It detects the files used by the container, and then debloats the container by removing the unused files. The debloated containers are still functional and can run the same workload as the original containers, but with a much smaller size and faster deployment. https://github.com/negativa-ai/BLAFS?tab=readme-ov-file
Read more

alma linux: dnf Module yaml error: Unexpected key in data

-
While applying recent updates to a server running Rocky Linux 8, an error presented itself. Module yaml error: Unexpected key in data: static_context [line 9 col 3] Module yaml error: Unexpected key in data: static_context [line 9 col 3] The solution turned out to be a simple one. Update the libmodulemd first to correct the problem then perform the dnf updates as usual. dnf update libmodulemd For a detailed explanation as to the cause of this problem.
Read more