Linux audit log: dealing with audit.log file


The Linux kernel audit framework consists of several components including a daemon, control client, audit rules and Linux audit log. In this article we take additional measures to protect the audit.log file.

Aureport

The first useful utility to parse the audit.log is aureport. Without parameters it gives a summary of all events. This includes the files, users, audit keys and also items like suspicious events (anomalies). Each sub-report can be requested separately by using the related parameter.

Ausearch

To actually search in the audit log file, use the ausearch utility. With the -a parameter an event ID can be given, which is provided as one of the columns in the aureport output. To limit the number of entries, use the --start and/or --end parameters. When using an alternative file instead of the default /var/log/audit/audit.log, use the --input parameter followed by the file name.

Permissions

By default the audit log is located in the /var/log/audit directory and only root has access to it. Since it is preferable to also store this log file on a central log host, the permissions of both the directory and the log file should be adjusted to give the syslog user ID at least read access. Depending on how the system is used, the adm group could also be given access, or access could be limited to root only.

drwxr-x--- 2 syslog adm          4096 Mar 21 05:33 audit
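A small check for these permissions, added here as example code (it is not from the original article or from the audit package). It verifies that a directory or file belongs to the expected uid and gid, gives "other" users no access at all, and gives the group, like adm in the listing above, read access without write access. It assumes GNU stat as shipped on Linux and demonstrates itself on a temporary directory instead of touching /var/log/audit.

```shell
#!/bin/sh
# Example code added for this article, not part of the original post or the
# audit package. Checks that an audit log directory or file has the expected
# ownership and is not accessible to "other" users.
#
# Arguments: path, expected owner uid, expected group gid. Numeric ids are
# used so the check does not depend on name lookups; on a real system obtain
# them with "id -u syslog" and "getent group adm | cut -d: -f3".
# Assumption: GNU coreutils stat (Linux), which supports -c '%a %u %g'.
audit_perms_ok() {
    path=$1 want_uid=$2 want_gid=$3
    info=$(stat -c '%a %u %g' "$path") || return 1
    set -- $info
    mode=$1 uid=$2 gid=$3
    other=${mode#"${mode%?}"}            # last octal digit: permissions for "other"
    group=${mode%?}; group=${group#"${group%?}"}   # second to last digit: group

    [ "$uid" = "$want_uid" ] || { echo "$path: owner uid is $uid, expected $want_uid" >&2; return 1; }
    [ "$gid" = "$want_gid" ] || { echo "$path: group gid is $gid, expected $want_gid" >&2; return 1; }
    [ "$other" = 0 ] || { echo "$path: mode $mode grants access to others" >&2; return 1; }
    case $group in
        2|3|6|7) echo "$path: mode $mode lets the group write to the audit data" >&2; return 1 ;;
    esac
    echo "$path: mode $mode owner $uid:$gid ok"
    return 0
}

# Self-demonstration on a constructed directory layout (not the real
# /var/log/audit): directory 750 and log file 640, owned by the current user.
demo_audit_perms() {
    tmp=$(mktemp -d)
    mkdir "$tmp/audit"
    : > "$tmp/audit/audit.log"
    chmod 750 "$tmp/audit"
    chmod 640 "$tmp/audit/audit.log"
    if audit_perms_ok "$tmp/audit" "$(id -u)" "$(id -g)" &&
       audit_perms_ok "$tmp/audit/audit.log" "$(id -u)" "$(id -g)"; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$tmp"
    return $rc
}

demo_audit_perms
```

On a production host the same function would be called as audit_perms_ok /var/log/audit "$(id -u syslog)" "$(getent group adm | cut -d: -f3)" and once more for the audit.log file inside it; a non-zero exit status together with the message on stderr is what a hardening or monitoring job would act on.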

Remote logging

To remotely log the audit data to a central node, use the file monitor from rsyslog. Example configuration for /etc/rsyslog.conf:

# Added (load file monitor module)
$ModLoad imfile

# Added (at bottom of configuration)
$InputFileName /var/log/audit/audit.log
$InputFileTag tag_audit_log:
$InputFileStateFile audit_log
$InputFileSeverity info
$InputFileFacility local6
$InputRunFileMonitor

local6.* @@logserver.cisofy.com:65432

Tip: Depending on the log server software used, make sure to strip out any unwanted columns. This keeps the stored file readable by the aureport and ausearch utilities.
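The tip above in practice, as example code added to this article (it is not from the original post, nor from rsyslog or the audit package). It assumes the log server writes the forwarded local6 messages in the classic syslog layout, so that every line starts with a timestamp, host name and the tag_audit_log: tag from the configuration above; the exact layout depends on the template configured on the log server. Stripping that prefix restores the original type=... msg=audit(...) records so ausearch --input and aureport --input can read them again, and the serial inside msg=audit(...) is the event ID that ausearch -a expects, as described in the Ausearch section. The sample lines are constructed.

```shell
#!/bin/sh
# Example code added for this article, not part of the original post or the
# audit package. Restores raw audit records from lines that rsyslog's imfile
# module forwarded with the tag used in the configuration above.
#
# Assumption (constructed): the log server stores the local6 messages as
# "Mon DD HH:MM:SS host tag_audit_log: <audit record>". Everything before the
# record (timestamp, host name, tag) is the extra "column" that aureport and
# ausearch cannot parse.

# Drop the syslog prefix up to and including the imfile tag. Lines without the
# tag (other local6 messages) are not printed at all.
strip_syslog_prefix() {
    sed -n 's/^.*tag_audit_log: //p'
}

# Print the event serial of an audit record, i.e. the number after the colon
# in msg=audit(<epoch>.<msec>:<serial>). This is the value aureport lists as
# the event ID and that "ausearch -a" expects.
audit_event_id() {
    sed -n 's/.*msg=audit([0-9.]*:\([0-9]*\)).*/\1/p'
}

# Constructed sample of forwarded lines: two records belonging to one event,
# plus an unrelated message that must be dropped.
FORWARDED_SAMPLE='Mar 21 05:33:01 webhost tag_audit_log: type=SYSCALL msg=audit(1395376381.123:4242): arch=c000003e syscall=2 success=yes exit=3 pid=1234 auid=1000 uid=0 comm="cat" exe="/bin/cat" key="shadow_access"
Mar 21 05:33:01 webhost tag_audit_log: type=PATH msg=audit(1395376381.123:4242): item=0 name="/etc/shadow" mode=0100640 ouid=0 ogid=42
Mar 21 05:33:05 webhost cron[77]: (root) CMD (run-parts /etc/cron.hourly)'

# Restore the sample and print the records. On a log server the output would
# be written to a file and read with: ausearch --input restored.log -a 4242
restore_sample() {
    printf '%s\n' "$FORWARDED_SAMPLE" | strip_syslog_prefix
}

# Unique event IDs found in the restored sample (expected: 4242).
sample_event_ids() {
    restore_sample | audit_event_id | sort -u
}

restore_sample
```

To process a real file from the log server, replace restore_sample with strip_syslog_prefix < forwarded.log > restored.log; if the server uses a different template, only the pattern in strip_syslog_prefix needs to change.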
