How to Configure System Accounting with auditd on Linux CentOS 6.3

command linuxThe audit service is provided for system auditing. Under its default configuration, auditd has modest disk space requirements, and should not noticeably impact system performance. The audit service, configured with at least its default rules, is strongly recommended for all sites, regardless of whether they are running SELinux. In this post, i will share with you the basic steps to install and configure auditd on Linux CentOS 6.3.

The auditing requirements include :

a. Ensure Auditing is Configured to Collect Certain System Events
– Information on the Use of Print Command (unsuccessful and successful)
– Startup and Shutdown Events (unsuccessful and successful)

See also  How to a Add and Remove User Account on RHEL, CentOS, Oracle Linux

b. Ensure the auditing software can record the following for each audit event:
– Date and time of the event
– Userid that initiated the event
– Type of event
– Success or failure of the event
– For I&A events, the origin of the request (e.g., terminal ID)
– For events that introduce an object into a user’s address space, and for object deletion events, the name of the object, and in MLS systems, the objects security level.

c. Ensure files are backed up no less than weekly onto a different system than the system being audited or backup media.

See also  How to Install CentOS 5.7 Server Part 1

e. Ensure old logs are closed out and new audit logs are started daily

f. Ensure the configuration is immutable. With the -e 2 setting a reboot will be required to change any audit rules.

g. Ensure that the audit data files have permissions of 640, or more restrictive.

1. To install the auditd service :

[root@centos63 ~]# yum install audit -y

2. To ensure that the auditd service star at boot:

[root@centos63 ~]# chkconfig auditd on

By default, auditd logs only SELinux denials, which are helpful for debugging SELinux and discovering intrusion attempts, and certain types of security events, such as modifications to user accounts (useradd, passwd, etc), login events, and calls to sudo. Data is stored in /var/log/audit/audit.log.

See also  How to Fix "php53-common conflicts with php-common" on Linux

3. Configure the auditd :

[root@centos63 ~]# vim /etc/audit/auditd.conf
# This file controls the configuration of the audit daemon

log_file = /var/log/audit/audit.log
log_format = RAW
log_group = root
priority_boost = 4
freq = 20
num_logs = 5
disp_qos = lossy
dispatcher = /sbin/audispd
name_format = NONE
##name = mydomain
max_log_file = 6
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
##tcp_listen_port =
tcp_listen_queue = 5
tcp_max_per_addr = 1
##tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
enable_krb5 = no
krb5_principal = auditd
##krb5_key_file = /etc/audit/audit.key

4. Stop and Start the auditd service :

[root@centos63 ~]# /etc/init.d/auditd stop
Stopping auditd:                                           [  OK  ]
[root@centos63 ~]# /etc/init.d/auditd start
Starting auditd:                                           [  OK  ]



  • Avatar Reed says:

    How you send audit files to a remote server.

  • Avatar Bb says:

    When I try to use auditd I get disabled. How can I enable it. I have centos 6.3 loaded with centmin.

    [root@lairsofthedragon ~]# service auditd restart
    Stopping auditd: [FAILED]
    The audit system is disabled
    The audit system is disabled
    Starting auditd: [FAILED]

Leave a Reply

Your email address will not be published. Required fields are marked *