How to enable Ubuntu auditd for system logging?

by aliya.yundt , in category: Security , a year ago


1 answer


by johann , 9 months ago

@aliya.yundt 

To enable Ubuntu auditd for system logging, follow these steps:

  1. Install the auditd package if it is not already installed:

     sudo apt-get install auditd

  2. Edit the auditd configuration file /etc/audit/auditd.conf and update or uncomment the following lines:

#
# This file contains the configuration information for the audit daemon.
#

# The audit queue limit (64k) could be increased in
# order to avoid losing audit records.
#
# audit_queue_size = 64

# Auditd will try to write and rotate logs to the directory specified
# here.  When audit files are rotated out, they are compressed by default.
# log_file = /var/log/audit/audit.log

# This field determines the maximum size of each audit log file.
# Maximum size is 1G.
# max_log_file = 1

# The num_logs parameter specifies the maximum number of rotated logs
# that will be kept by the audit daemon. Logs older than the total
# number specified by this parameter will be deleted.
# num_logs = 5

# Dump the system audit configuration, including rules, users,
# lists of auditable event types, and more, to the specified file.
# Dumping configuration can be useful for debugging, auditing and
# other reasons.
#
# dump_configure = no

# Enable auditd
#
enabled = yes

# Configure the audit dispatcher to send logs to syslog
#
# Use syslog for logging
#
# To avoid duplication, the dispatcher must be configured to direct
# log events to syslog, while the syslog daemon must be instructed not
# to log the messages again. Fill the following two options appropriately:
#
# 1. Set local6 as the facility and notice or info as the priority
# 2. Configure syslog so it doesn't write messages received on the local6
#    facility to any files
# 3. Restart syslog
# 
# By default, auditd will write events to /var/log/audit/audit.log
# and syslog will store messages to /var/log/messages. Edit
# /etc/syslog.conf to match your configuration.
#
# comment out the line below to send logs to syslog
# write_logs = yes

# makes kernel audit messages via netlink (such as what they represent) available
# to user space tools like auditctl. auditd will silently discard these messages
# unless the kernel audit backlog gets too big.
#
# The backlog is in pages; each page is 16k
#
# kernel backlog limit
# backlog_limit = 8192

# how to handle successful connects when -w/-F rules are specified
#
# how to generate connect rules when extended rules
# are requested by auditctl
#
# reject = connect !zyx
# # reject all
# reject = user root
# # reject if the user is root
# reject = /etc/hosts.deny
# # reject per /etc/hosts.deny
# reject = /etc/hosts deny
# # reject per /etc/hosts.deny
# But note that you must use one and only one of the above three rules.

…


  3. Restart the auditd service to apply the changes:

     sudo service auditd restart

  4. Verify that the auditd service is now running:

     sudo service auditd status

  5. Verify that the audit logs are being generated by checking the /var/log/audit/audit.log file. You can also use the ausearch command to search and filter audit logs. Example:

     sudo ausearch -m USER_AUTH -ts today

That’s it! You have now enabled Ubuntu auditd for system logging.
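As an added example (not part of johann's answer, and not auditd's own tooling), the POSIX shell script below shows what steps 4 and 5 verify: the first function reads `auditctl -s` output and reports whether the kernel audit subsystem is actually enabled (a running daemon with `enabled 0` still records nothing), and the second reads USER_AUTH records in the same key=value format auditd writes to /var/log/audit/audit.log and counts failed authentications per account, which is the kind of question `ausearch -m USER_AUTH` is normally used to answer. The audit records and the `auditctl -s` output embedded here are constructed samples in the real format; on a live system you would pipe `sudo auditctl -s` and `sudo ausearch -m USER_AUTH -ts today --raw` into these functions instead.

```shell
#!/bin/sh
# Added example for checking auditd status and reading USER_AUTH records.
# Sample data below is constructed; field layout follows real auditd output.

# auditctl_s_enabled: read `auditctl -s` output from stdin, succeed (exit 0)
# only if the kernel reports enabled 1 (running) or 2 (locked until reboot).
auditctl_s_enabled() {
    awk '$1 == "enabled" && $2 >= 1 { ok = 1 } END { exit ok ? 0 : 1 }'
}

# sample_auditctl_s: constructed output in the shape `auditctl -s` prints.
sample_auditctl_s() {
    printf 'enabled 1\nfailure 1\npid 812\nrate_limit 0\nbacklog_limit 8192\nlost 0\nbacklog 0\n'
}

# sample_audit_log: constructed records in the /var/log/audit/audit.log format.
# alice: two failed sudo attempts, then success; bob: two failed ssh attempts.
sample_audit_log() {
    cat <<'EOF'
type=USER_AUTH msg=audit(1700000000.101:201): pid=3101 uid=0 auid=1000 ses=3 msg='op=PAM:authentication grantors=? acct="alice" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=failed'
type=USER_AUTH msg=audit(1700000000.105:202): pid=3101 uid=0 auid=1000 ses=3 msg='op=PAM:authentication grantors=? acct="alice" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=failed'
type=USER_AUTH msg=audit(1700000000.110:203): pid=3101 uid=0 auid=1000 ses=3 msg='op=PAM:authentication grantors=pam_unix acct="alice" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'
type=USER_AUTH msg=audit(1700000000.200:204): pid=3155 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="bob" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=failed'
type=SYSCALL msg=audit(1700000000.210:205): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c ppid=1 pid=3200 auid=4294967295 uid=0 gid=0 comm="cron" exe="/usr/sbin/cron" key=(null)
type=USER_AUTH msg=audit(1700000000.300:206): pid=3170 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="bob" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=failed'
EOF
}

# failed_auth_counts: read audit records from stdin and print "<count> <acct>"
# for every account with USER_AUTH records whose result is res=failed.
# Only type=USER_AUTH lines are considered; SYSCALL and other types are ignored.
failed_auth_counts() {
    awk '
        /^type=USER_AUTH / && / res=failed/ {
            # acct="name" is quoted; strip the 6-char prefix and closing quote
            if (match($0, /acct="[^"]*"/)) {
                acct = substr($0, RSTART + 6, RLENGTH - 7)
                n[acct]++
            }
        }
        END { for (a in n) print n[a], a }
    ' | sort -rn
}

# failed_count_for: number of failed USER_AUTH records for one account
# in the constructed sample (0 if the account never failed).
failed_count_for() {
    sample_audit_log | failed_auth_counts |
        awk -v a="$1" '$2 == a { print $1; found = 1 } END { if (!found) print 0 }'
}

# Stand-alone run: show audit status and the per-account failure table.
if sample_auditctl_s | auditctl_s_enabled; then
    echo "kernel audit: enabled"
else
    echo "kernel audit: DISABLED (auditd may be running but records nothing)"
fi
sample_audit_log | failed_auth_counts
```

On a real host, `sudo auditctl -s | auditctl_s_enabled` is the check worth scripting after step 4, since `service auditd status` only tells you the daemon process is up. Feeding `sudo ausearch -m USER_AUTH -ts today --raw` into `failed_auth_counts` gives the same per-account table for today's records.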