How to Configure System Accounting with auditd on Linux CentOS 6.3

command linuxThe audit service is provided for system auditing. Under its default configuration, auditd has modest disk space requirements, and should not noticeably impact system performance. The audit service, configured with at least its default rules, is strongly recommended for all sites, regardless of whether they are running SELinux. In this post, i will share with you the basic steps to install and configure auditd on Linux CentOS 6.3.

The auditing requirements include :

a. Ensure Auditing is Configured to Collect Certain System Events
– Information on the Use of Print Command (unsuccessful and successful)
– Startup and Shutdown Events (unsuccessful and successful)

b. Ensure the auditing software can record the following for each audit event:
– Date and time of the event
– Userid that initiated the event
– Type of event
– Success or failure of the event
– For I&A events, the origin of the request (e.g., terminal ID)
– For events that introduce an object into a user’s address space, and for object deletion events, the name of the object, and in MLS systems, the objects security level.

READ  How to Add Network Adapter Without Reboot on CentOS 6/RHEL 6

c. Ensure files are backed up no less than weekly onto a different system than the system being audited or backup media.

e. Ensure old logs are closed out and new audit logs are started daily

f. Ensure the configuration is immutable. With the -e 2 setting a reboot will be required to change any audit rules.

g. Ensure that the audit data files have permissions of 640, or more restrictive.

1. To install the auditd service :

[root@centos63 ~]# yum install audit -y

2. To ensure that the auditd service star at boot:

[root@centos63 ~]# chkconfig auditd on

By default, auditd logs only SELinux denials, which are helpful for debugging SELinux and discovering intrusion attempts, and certain types of security events, such as modifications to user accounts (useradd, passwd, etc), login events, and calls to sudo. Data is stored in /var/log/audit/audit.log.

READ  Securing and Hardening Linux Dedicated Server

3. Configure the auditd :

[root@centos63 ~]# vim /etc/audit/auditd.conf
# This file controls the configuration of the audit daemon

log_file = /var/log/audit/audit.log
log_format = RAW
log_group = root
priority_boost = 4
freq = 20
num_logs = 5
disp_qos = lossy
dispatcher = /sbin/audispd
name_format = NONE
##name = mydomain
max_log_file = 6
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
##tcp_listen_port =
tcp_listen_queue = 5
tcp_max_per_addr = 1
##tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
enable_krb5 = no
krb5_principal = auditd
##krb5_key_file = /etc/audit/audit.key

4. Stop and Start the auditd service :

[root@centos63 ~]# /etc/init.d/auditd stop
Stopping auditd:                                           [  OK  ]
[root@centos63 ~]# /etc/init.d/auditd start
Starting auditd:                                           [  OK  ]
  1. Reed
    January 17, 2014 at 1:56 am

    How you send audit files to a remote server.

  2. Bb
    November 23, 2016 at 6:05 am

    When I try to use auditd I get disabled. How can I enable it. I have centos 6.3 loaded with centmin.

    [root@lairsofthedragon ~]# service auditd restart
    Stopping auditd: [FAILED]
    The audit system is disabled
    The audit system is disabled
    Starting auditd: [FAILED]

Leave a Reply

Your email address will not be published. Required fields are marked *

A world leading hosting company that provides fully-managed innovative and secure solutions, suitable for hosting small to medium-sized websites

Built on the best available technologies combined with Google Cloud for strong redundancy and application availability. Backed by skilled experts to address web security threats, a devops team to create advanced custom security solutions, and 24/7 sysadmins to watch over the platform. This powerful, hands-on approach makes your sites faster, safer, and easier to manage. Starting from only $3.95/mo.


* up to 30 days money back guarantee