Linux audit log: dealing with audit.log file

Linux audit log: dealing with audit.log file

The Linux kernel audit framework consists of several components including a daemon, control client, audit rules and Linux audit log. In this article we take additional measures to protect the audit.log file.

Aureport

The first useful utility to parse the audit.log is aureport. Without parameters it will give a summary of all events. This includes the files, users, audit keys and also items like suspicious events (anomalies). Each sub item can be read independently by using the related parameter.

Ausearch

To actually search in the audit log file, use the ausearch utility. With the -a parameter an event ID can be given, which is provided as one of the columns in the aureport output. To limit the amount of entries use the –start and/or –end parameters. When using an alternative file instead of the default /var/log/audit/audit.log, then use the –input parameter followed by the file name.

Permissions

By default the audit log is located in the /var/log/audit directory. Only root has access to this file. Since it is preferred to store this log file also on a central log host, the permissions of both the directory and log file should be adjusted to give the syslog user ID at least read access. Depending on the usage of the system the adm group could get access, or limit it to root only.

drwxr-x— 2 syslog adm          4096 Mar 21 05:33 audit

Remote logging

To remotely log the audit data to a central node, use the file monitor from rsyslog. Example configuration for /etc/rsyslog.conf:

# Added (load file monitor module)
$ModLoad imfile

# Added (at bottom of configuration)
$InputFileName /var/log/audit/audit.log
$InputFileTag tag_audit_log:
$InputFileStateFile audit_log
$InputFileSeverity info
$InputFileFacility local6
$InputRunFileMonitor

local6.* @@logserver.cisofy.com:65432

Tip: Depending on the log server software used, make sure to strip out any unwanted columns. This helps in making the files accessible again for the aureport and ausearch utilities.

Lynis Enterprise

Lynis Enterprise screenshot to help with system hardening

This blog post is part of our Linux security series and the mission to get Linux and Unix-based systems more secure.

Does system hardening take a lot of time, or do you have any compliance in your company? Have a look at Lynis Enterprise.

Or start today with the open source security scanner Lynis (GitHub)