How to Configure System Accounting with auditd on Linux CentOS 6.3

command linuxThe audit service is provided for system auditing. Under its default configuration, auditd has modest disk space requirements, and should not noticeably impact system performance. The audit service, configured with at least its default rules, is strongly recommended for all sites, regardless of whether they are running SELinux. In this post, i will share with you the basic steps to install and configure auditd on Linux CentOS 6.3.

The auditing requirements include :

a. Ensure Auditing is Configured to Collect Certain System Events
– Information on the Use of Print Command (unsuccessful and successful)
– Startup and Shutdown Events (unsuccessful and successful)

See also  How to Install and Configure Nagios NRPE

b. Ensure the auditing software can record the following for each audit event:
– Date and time of the event
– Userid that initiated the event
– Type of event
– Success or failure of the event
– For I&A events, the origin of the request (e.g., terminal ID)
– For events that introduce an object into a user’s address space, and for object deletion events, the name of the object, and in MLS systems, the objects security level.

c. Ensure files are backed up no less than weekly onto a different system than the system being audited or backup media.

See also  How to Download Youtube Video on Android Smart Phone Using TubeMate

e. Ensure old logs are closed out and new audit logs are started daily

f. Ensure the configuration is immutable. With the -e 2 setting a reboot will be required to change any audit rules.

g. Ensure that the audit data files have permissions of 640, or more restrictive.

1. To install the auditd service :

[root@centos63 ~]# yum install audit -y

2. To ensure that the auditd service star at boot:

[root@centos63 ~]# chkconfig auditd on

By default, auditd logs only SELinux denials, which are helpful for debugging SELinux and discovering intrusion attempts, and certain types of security events, such as modifications to user accounts (useradd, passwd, etc), login events, and calls to sudo. Data is stored in /var/log/audit/audit.log.

See also  How to Install Perl on Linux Fedora 16 server

3. Configure the auditd :

[root@centos63 ~]# vim /etc/audit/auditd.conf
#
# This file controls the configuration of the audit daemon
#

log_file = /var/log/audit/audit.log
log_format = RAW
log_group = root
priority_boost = 4
flush = INCREMENTAL
freq = 20
num_logs = 5
disp_qos = lossy
dispatcher = /sbin/audispd
name_format = NONE
##name = mydomain
max_log_file = 6
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
##tcp_listen_port =
tcp_listen_queue = 5
tcp_max_per_addr = 1
##tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
enable_krb5 = no
krb5_principal = auditd
##krb5_key_file = /etc/audit/audit.key

4. Stop and Start the auditd service :

[root@centos63 ~]# /etc/init.d/auditd stop
Stopping auditd:                                           [  OK  ]
[root@centos63 ~]# /etc/init.d/auditd start
Starting auditd:                                           [  OK  ]

How to Reset the Directory Manager Password on RHEL 7 / CentOS 7
How to Reset the Directory Manager Password on RHEL 7 / CentOS 7

It is best practice to remember passwords, but because too many passwords, sometimes we forget. We are not encouraged to write the password on any paper or share the password...

How to Find Big Files Size on Linux RHEL/CentOS
How to Find Big Files Size on Linux RHEL/CentOS

As the linux administrator, sometimes we have to identify which files are most take much space in the linux server resulting in low free space. Low disk space can also...

Why Linux users should worry about malware and what they can do about it
Why Linux users should worry about malware and what they can do about it

Don’t drop your guard just because you’re running Linux. Preventing the spread of malware and/or dealing with the consequences of infection are a fact of life when using computers. If...

How to Reset Forgotten Root Password on Linux RHEL 7/CentOS 7
How to Reset Forgotten Root Password on Linux RHEL 7/CentOS 7

This article will explain the steps to reset a lost root password or to reset forgotten root password on Linux RHEL 7 or CentOS 7. Basically, the steps will adding...

How to Update CentOS or Upgrade CentOS to the Latest Version
How to Update CentOS or Upgrade CentOS to the Latest Version

Recently, the latest version of CentOS 7.3 was released. All users of CentOS 7.0, 7.1 and 7.2 can upgrade their system to the most recent. This quick guide will explain...

How to Change your WordPress Username, Nickname and Display Name in MySQL
How to Change your WordPress Username, Nickname and Display Name in MySQL

After you create an account log in WordPress, you may want to change your WordPress username, as appropriate or due to security reason. However, you can not do this from...

How to Enable SSH Root Login on Ubuntu 16.04
How to Enable SSH Root Login on Ubuntu 16.04

As what we wrote in the previous article on how to allow SSH root on Ubuntu 14.04, after installing a fresh new copy of Ubuntu 16.04 LTS, we find that...

How to Change UUID of Linux Partition on CentOS 7
How to Change UUID of Linux Partition on CentOS 7

UUID (Universally Unique IDentifier) should be unique and it is used to identify storage devices on a linux system. If you cloned a virtual machine from vCenter, the metadata containing...

2 Comments

  • Avatar for Reed Reed says:

    How you send audit files to a remote server.

  • Avatar for Bb Bb says:

    When I try to use auditd I get disabled. How can I enable it. I have centos 6.3 loaded with centmin.

    [root@lairsofthedragon ~]# service auditd restart
    Stopping auditd: [FAILED]
    The audit system is disabled
    The audit system is disabled
    Starting auditd: [FAILED]

Leave a Reply

Your email address will not be published. Required fields are marked *