@aliya.yundt
To enable Ubuntu auditd for system logging, follow these steps:
- Install the auditd package if it is not already installed:
```sh
sudo apt-get install auditd
```
- Edit the auditd configuration file /etc/audit/auditd.conf and update or uncomment the following lines:
```conf
#
# This file contains the configuration information for the audit daemon.
#
# The audit queue limit (64k) could be increased in
# order to avoid losing audit records.
#
# audit_queue_size = 64
# Auditd will try to write and rotate logs to the directory specified
# here. When audit files are rotated out, they are compressed by default.
# log_file = /var/log/audit/audit.log
# This field determines the maximum size of each audit log file.
# Maximum size is 1G.
# max_log_file = 1
# The num_logs parameter specifies the maximum number of rotated logs
# that will be kept by the audit daemon. Logs older than the total
# number specified by this parameter will be deleted.
# num_logs = 5
# Dump the system audit configuration, including rules, users,
# lists of auditable event types, and more, to the specified file.
# Dumping configuration can be useful for debugging, auditing and
# other reasons.
#
# dump_configure = no
# Enable auditd
#
enabled = yes
# Configure the audit dispatcher to send logs to syslog
#
# Use syslog for logging
#
# To avoid duplication, the dispatcher must be configured to direct
# log events to syslog, while the syslog daemon must be instructed not
# to log the messages again. Fill the following two options appropriately:
#
# 1. Set local6 as the facility and notice or info as the priority
# 2. Configure syslog so it doesn't write messages received on the local6
# facility to any files
# 3. Restart syslog
#
# By default, auditd will write events to /var/log/audit/audit.log
# and syslog will store messages to /var/log/messages. Edit
# /etc/syslog.conf to match your configuration.
#
# comment out the line below to send logs to syslog
# write_logs = yes
# makes kernel audit messages via netlink (such as what they represent) available
# to user space tools like auditctl. auditd will silently discard these messages
# unless the kernel audit backlog gets too big.
#
# The backlog is in pages; each page is 16k
#
# kernel backlog limit
# backlog_limit = 8192
# how to handle successful connects when -w/-F rules are specified
#
# how to generate connect rules when extended rules
# are requested by auditctl
#
# reject = connect !zyx
# # reject all
# reject = user root
# # reject if the user is root
# reject = /etc/hosts.deny
# # reject per /etc/hosts.deny
# reject = /etc/hosts deny
# # reject per /etc/hosts.deny
# But note that you must use one and only one of the above three rules.
```
…
- Restart the auditd service to apply the changes:
```sh
sudo service auditd restart
```
- Verify that the auditd service is now running:
```sh
sudo service auditd status
```
- Verify that the audit logs are being generated by checking the /var/log/audit/audit.log file. You can also use the ausearch command to search and filter audit logs. Example:
```sh
sudo ausearch -m USER_AUTH -ts today
```
That’s it! You have now enabled Ubuntu auditd for system logging.
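As an added example (not part of the post above), the script below does by hand what the final `ausearch -m USER_AUTH -ts today` check does: it filters audit.log records by type and timestamp and summarises failed PAM authentications per account, which is a quick way to confirm auditd is really writing records. The log lines are constructed samples, and the function names are ours.

```shell
#!/bin/sh
# Added example, not from the original post. It mimics what
# "ausearch -m USER_AUTH -ts <time>" filters out of audit.log, so you can
# confirm auditd is really writing records and spot failed logins.
# The log lines below are constructed samples, not from a real host.

SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
type=USER_AUTH msg=audit(1700000000.123:101): pid=1234 uid=0 auid=1000 ses=3 msg='op=PAM:authentication grantors=pam_unix acct="alice" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'
type=USER_AUTH msg=audit(1700000005.456:102): pid=1240 uid=0 auid=1001 ses=4 msg='op=PAM:authentication grantors=? acct="bob" exe="/usr/sbin/sshd" hostname=203.0.113.7 addr=203.0.113.7 terminal=ssh res=failed'
type=SYSCALL msg=audit(1700000006.000:103): arch=c000003e syscall=59 success=yes exit=0 comm="sudo" exe="/usr/bin/sudo" key=(null)
type=USER_AUTH msg=audit(1700000009.789:104): pid=1241 uid=0 auid=1001 ses=4 msg='op=PAM:authentication grantors=? acct="bob" exe="/usr/sbin/sshd" hostname=203.0.113.7 addr=203.0.113.7 terminal=ssh res=failed'
EOF

# records_since LOGFILE EPOCH: keep records whose audit(EPOCH.ms:serial)
# timestamp is >= EPOCH, the equivalent of ausearch's -ts option.
records_since() {
    awk -v cutoff="$2" '
        match($0, /msg=audit\([0-9]+/) {
            ts = substr($0, RSTART + 10, RLENGTH - 10)  # skip "msg=audit("
            if (ts + 0 >= cutoff + 0) print
        }' "$1"
}

# count_user_auth LOGFILE RESULT: number of USER_AUTH records with
# res=RESULT (success or failed), like "ausearch -m USER_AUTH".
count_user_auth() {
    grep '^type=USER_AUTH ' "$1" | grep -c "res=$2"
}

# failed_auth_by_account LOGFILE: "account count" for every account with
# at least one failed PAM authentication, most frequent first.
failed_auth_by_account() {
    grep '^type=USER_AUTH ' "$1" | grep 'res=failed' |
        sed -n 's/.*acct="\([^"]*\)".*/\1/p' | sort | uniq -c |
        sort -rn | awk '{print $2, $1}'
}

echo "records since 1700000006: $(records_since "$SAMPLE_LOG" 1700000006 | wc -l)"
echo "successful auths: $(count_user_auth "$SAMPLE_LOG" success)"
echo "failed auths:     $(count_user_auth "$SAMPLE_LOG" failed)"
echo "failed by account:"
failed_auth_by_account "$SAMPLE_LOG"
```

On a real host, point the functions at /var/log/audit/audit.log (as root) and pass `$(date -d today +%s)` as the cutoff to get the same window as `-ts today`.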