Auditd

Configuring and auditing Linux systems with Audit daemon

Guide for auditing Linux systems by using the audit daemon and related utilities. This powerful audit framework has many possibilities for auditing Linux.

Summary of Configuring and auditing Linux systems with Audit daemon

The Linux Audit Daemon is a framework to allow auditing events on a Linux system. Within this article we will have a look at installation, configuration and using the framework to perform Linux system and security auditing. Auditing goals By using a powerful audit framework, the system can track many event types to monitor and audit the system. Examples include: Audit file access and modification See who changed a particular file Detect unauthorized changes Monitoring of system calls and functions Detect anomalies like crashing processes Set tripwires for intrusion detection purposes Record commands used by individual users Components The framework itself has several components:

Read the full article…

How are auditd and Lynis different?

While both being active in the area of Linux auditing, auditd and Lynis have a different goal. This article explains the differences between both tools.

Summary of How are auditd and Lynis different?

Differences between auditd and Lynis Recently I received the question what the difference is between auditd and Lynis. Both focus on auditing, that part is clear. For someone not familiar with both software tools, the technical differences may not directly be obvious. Time to write about that, for everyone that has the same question. Comparing functionality Let’s start with a quick introduction in both tools. Audit daemon Auditd is the daemon process in the Linux Audit Framework, written and maintained by Red Hat.

Read the full article…

Linux Audit Framework 101 – Basic Rules for Configuration

The Linux audit framework is a very powerful tool to monitor files, directories and system calls. It helps with troubleshooting, accounting and intrusion detection.

Summary of Linux Audit Framework 101 – Basic Rules for Configuration

Starting with Linux auditing can be overwhelming. Fortunately, there is a great feature in the Linux kernel to watch events and log them for us. To give you a quick start to use the Linux Audit Framework, we have collected some basic rules for configuring the audit daemon and its rules. Main Configuration By default the configuration values in /etc/audit/audit.conf are suitable for most systems. If you know your system is very low or very high (e.

Read the full article…

Linux Audit Framework: using aureport

Guide regarding the aureport utility, including some aureport examples. Aureport helps with audit reports and is part of the Linux audit framework.

Summary of Linux Audit Framework: using aureport

The Linux audit framework logs events, as specified by the configured watches. To extract particular events we can use the ausearch or aureport tools. The latter is the one we will focus on in this article, to get the most out of the tool. Aureport The aureport utility can be executed without any parameters. It will then extract all audit events available from the log. Since the audit log can be very big, it might be better to use the -start parameter, together with a time interval (e.

Read the full article…

Linux audit: Log files in /var/log/audit

This article describes the purpose of the audit.log file in /var/log/audit and the relationship with the Linux audit framework.

Summary of Linux audit: Log files in /var/log/audit

By default the Linux audit framework logs all data in the /var/log/audit directory. Usually the related file is named audit.log and contains audit related information such as events. /var/log/audit/audit.log This file is the default log file for the Linux audit daemon. It has all related audit events and is configured using the configuration file of auditd (auditd.conf). # cat /etc/audit/auditd.conf log_file = /var/log/audit/audit.log Usually there is no reason to alter this location, unless a different storage location is preferred.

Read the full article…

Tuning auditd: high-performance Linux Auditing

To achieve better performance with a auditd configuration, it needs to be tuned. See performance boosters like events exclusion, rule ordering, and more.

Summary of Tuning auditd: high-performance Linux Auditing

The Linux Audit framework is a powerful tool to audit system events. From running executables up to system calls, everything can be logged. However, all this audit logging comes at the price of decreased system performance. Let’s have a look at how we can optimize our audit rules. Performance tips Good auditd performance will reduce stress on the Linux kernel and lower its impact. Before changing anything to your system, we suggest benchmarking your system performance before and after.

Read the full article…