Here’s how to install the program “auditd” and best security practice and recommended settings for system auditing.
1.Install the auditd
a. Verify if the package is installed or not, using the dpkg command
dpkg -s auditd audispd-plugins
b. If not installed, you will see something like “dpkg-query: package ‘auditd’ is not installed and no information is available”.
apt install auditd audispd-plugins
2. Enable the auditd
systemctl –now enable auditd
to verify, if enabled, use this command:
systemctl is-enabled auditd
3. Set the parameter on your bootloader to enable during bootup
on your /etc/default/grub, add the “audit=1″
Before:
GRUB_CMDLINE_LINUX=””
After:
GRUB_CMDLINE_LINUX=”audit=1″
To update the grub2 configuration, run this command:
update-grub
4. Configure auditd’s backlog limit
Default setting is 64 records, it is recommended to have 8192 or bigger. On your /etc/default/grub, add the:
Syntax:
audit_backlog_limit=<SIZE of BACKLOG>
GRUB_CMDLINE_LINUX=”audit_backlog_limit=8192″
To update the grub2 configuration, run this command:
update-grub
5. Configure to keep logs when reach max file size
Under the /etc/audit/auditd.conf, set the max log file action to keep logs.
max_log_file_action = keep_logs
6. Configure the log file size of auditd
Log will be rotated once it reaches the maximum size set in the config. The default size is 6MB and it is recommended to adjust to a bigger size if the system has free disk space.
Edit the file /etc/audit/auditd.conf, and set the max log file:
max_log_file = <XX MB>
7. Create some rules based on your requirements.
Here are some parameters that are recommended to use for more secure environment
Create the rules under the directory /etc/audit/rules.d/
a. Create time-change rules to make sure events are collected on correct date or time. Sample rule as follows:
Create the file /etc/audit/rules.d/time.rules with the following contents:
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change -w /etc/localtime -p wa -k time-change
b. Create system-locale rules to record changes to network files or system calls
Create the rules under the directory /etc/audit/rules.d/
Create the file /etc/audit/rules.d/system-locale.rules with the following contents:
For 32-bit system:
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/network -p wa -k system-locale
For 64-bit system:
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/network -p wa -k system-locale
c. Create identity rules to record user related information, e.g. username, passwords, group
Create the rules under the directory /etc/audit/rules.d/
Create the file /etc/audit/rules.d/identity.rules with the following contents:
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
d. Create login rules to record login and logout events.
Create the rules under the directory /etc/audit/rules.d/
Create the file /etc/audit/rules.d/logins.rules with the following contents:
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/log/tallylog -p wa -k logins
e. Create permission mode rules to monitor file attributes, ownership and permission changes
Create the rules under the directory /etc/audit/rules.d/
Create the file /etc/audit/rules.d/permissions.rules with the following contents:
For 32-bit system:
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295
-k perm_mod
For 64-bit system:
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295
-k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295
-k perm_mod
f. Create file-change rules to monitor file renaming or deletion.
Create the rules under the directory /etc/audit/rules.d/
Create the file /etc/audit/rules.d/file-change.rules with the following contents:
For 32-bit system:
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
For 64-bit system:
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
g. Create scope rules to monitor scope changes particularly the /etc/sudoers file
Create the rules under the directory /etc/audit/rules.d/
Create the file /etc/audit/rules.d/scope.rules with the following contents:
-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d/ -p wa -k scope
g. Create sudo rules to monitor the administrators with temporary elevated privileges
Create the rules under the directory /etc/audit/rules.d/
Create the file /etc/audit/rules.d/sudo.rules with the following contents:
For 32-bit system:
-a exit,always -F arch=b32 -C euid!=uid -F euid=0 -Fauid>=1000 -F auid!=4294967295 -S execve -k actions
For 64-bit system:
-a always,exit -F arch=b64 -C euid!=uid -F euid=0 -Fauid>=1000 -F auid!=4294967295 -S execve -k actions
-a always,exit -F arch=b32 -C euid!=uid -F euid=0 -Fauid>=1000 -F auid!=4294967295 -S execve -k actions
h. Create modules rules to monitor for any loading and unloading of kernel modules using the insmod,rmmod or modprobe commands.
Create the rules under the directory /etc/audit/rules.d/
Create the file /etc/audit/rules.d/modules.rules with the following contents:
For 32-bit system:
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b32 -S init_module -S delete_module -k modules
For 64-bit system:
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
Note: To take effect the changes, it needs reloading the config or system reboot
Options:
-l ( auditctl -l) –> List all rules 1 per line
-e [0,1,2] (audtictl -e) where:
0 = temporarily disable auditing
1= enable auditing
2 = lock the audit configuration
Sample:
tux@freelinux:~$ sudo auditctl -e 1 /etc/audit/rules.d/logins.rules
[sudo] password for tux:
parameter passed without an option given
If rule is activated, you can see from your /var/log/audit/audit.log file
type=USER_LOGIN msg=audit(1618394064.654:214583): pid=7256 uid=0 auid=1001 ses=55349 msg=’op=login id=1001 exe=”/usr/sbin/sshd” hostname=192.168.10.105 addr=192.168.10.105 terminal=/dev/pts/9 res=success’
