Auditd Recommended Configuration on Ubuntu Linux for System Auditing

Here’s how to install the program “auditd” and best security practice and  recommended settings for system auditing.

1.Install the auditd

a. Verify if the package is installed or not, using the dpkg command

dpkg -s auditd audispd-plugins

b. If not installed, you will see something like “dpkg-query: package ‘auditd’ is not installed and no information is available”.

apt install auditd audispd-plugins

2. Enable the auditd

systemctl –now enable auditd

to verify, if enabled, use this command:

systemctl is-enabled auditd

3. Set the parameter on your bootloader to enable during bootup

on your /etc/default/grub, add the “audit=1″

Before:
GRUB_CMDLINE_LINUX=””

After:

GRUB_CMDLINE_LINUX=”audit=1″

To update the grub2 configuration, run this command:

update-grub

4. Configure auditd’s backlog limit

Default setting is 64 records, it is recommended to have 8192 or bigger. On your /etc/default/grub, add the:

Syntax:
audit_backlog_limit=<SIZE of BACKLOG>

GRUB_CMDLINE_LINUX=”audit_backlog_limit=8192″

To update the grub2 configuration, run this command:

update-grub

5.  Configure to keep logs when reach max file size

Under the /etc/audit/auditd.conf, set the max log file action to keep logs.

max_log_file_action = keep_logs

6.  Configure the log file size of auditd

Log will be rotated once it reaches the maximum size set in the config. The default size is 6MB and it is recommended to adjust to a bigger size if the system has free disk space.

Edit the file /etc/audit/auditd.conf, and set the max log file:

max_log_file = <XX MB>

7. Create some rules based on your requirements.

Here are some parameters that are recommended to use for more secure environment

Create the rules under the directory /etc/audit/rules.d/

a. Create time-change rules to make sure events are collected on correct date or time. Sample rule as follows:

Create the file /etc/audit/rules.d/time.rules with the following contents:

-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change -w /etc/localtime -p wa -k time-change

b. Create system-locale rules to record changes to network files or system calls

Create the rules under the directory /etc/audit/rules.d/

Create the file /etc/audit/rules.d/system-locale.rules with the following contents:

For 32-bit system:

-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/network -p wa -k system-locale

For 64-bit system:

-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/network -p wa -k system-locale

c. Create identity rules to record user related information, e.g. username, passwords, group

Create the rules under the directory /etc/audit/rules.d/

Create the file /etc/audit/rules.d/identity.rules with the following contents:

-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity

d. Create login rules to record login and logout events.

Create the rules under the directory /etc/audit/rules.d/

Create the file /etc/audit/rules.d/logins.rules with the following contents:

-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/log/tallylog -p wa -k logins

e. Create permission mode rules to monitor file attributes, ownership and permission changes

Create the rules under the directory /etc/audit/rules.d/

Create the file /etc/audit/rules.d/permissions.rules with the following contents:

For 32-bit system:

-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295
-k perm_mod

For 64-bit system:

-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295
-k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295
-k perm_mod

f. Create file-change rules to monitor file renaming or deletion.

Create the rules under the directory /etc/audit/rules.d/

Create the file /etc/audit/rules.d/file-change.rules with the following contents:

For 32-bit system:

-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete

For 64-bit system:

-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete

g. Create scope rules to monitor scope changes particularly the /etc/sudoers file

Create the rules under the directory /etc/audit/rules.d/

Create the file /etc/audit/rules.d/scope.rules with the following contents:

-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d/ -p wa -k scope

g. Create sudo rules to monitor the administrators with temporary elevated privileges

Create the rules under the directory /etc/audit/rules.d/

Create the file /etc/audit/rules.d/sudo.rules with the following contents:

For 32-bit system:

-a exit,always -F arch=b32 -C euid!=uid -F euid=0 -Fauid>=1000 -F auid!=4294967295 -S execve -k actions

For 64-bit system:

-a always,exit -F arch=b64 -C euid!=uid -F euid=0 -Fauid>=1000 -F auid!=4294967295 -S execve -k actions
-a always,exit -F arch=b32 -C euid!=uid -F euid=0 -Fauid>=1000 -F auid!=4294967295 -S execve -k actions

h. Create modules rules to monitor for any loading and unloading of kernel modules using the insmod,rmmod or modprobe commands.

Create the rules under the directory /etc/audit/rules.d/

Create the file /etc/audit/rules.d/modules.rules with the following contents:

For 32-bit system:

-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b32 -S init_module -S delete_module -k modules

For 64-bit system:

-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules

Note: To take effect the changes, it needs reloading the config or system reboot

Options:
-l ( auditctl -l) –> List all rules 1 per line
-e [0,1,2] (audtictl -e) where:
0 = temporarily disable auditing
1= enable auditing
2 = lock the audit configuration

Sample:

tux@freelinux:~$ sudo auditctl -e 1 /etc/audit/rules.d/logins.rules
[sudo] password for tux:
parameter passed without an option given

If rule is activated, you can see from your /var/log/audit/audit.log file

type=USER_LOGIN msg=audit(1618394064.654:214583): pid=7256 uid=0 auid=1001 ses=55349 msg=’op=login id=1001 exe=”/usr/sbin/sshd” hostname=192.168.10.105 addr=192.168.10.105 terminal=/dev/pts/9 res=success’

About the author

Free Linux

View all posts

Leave a Reply