An Interest In:
Web News this Week
- March 21, 2024
- March 20, 2024
- March 19, 2024
- March 18, 2024
- March 17, 2024
- March 16, 2024
- March 15, 2024
How to setup Auditd on Ubuntu
Original Article written here How to enable and configure Auditd on Ubuntu
Securing our microservice's backend infrastructure is very crucial nowadays, managing lots of endpoints, clusters[Database, workers] is not an easy task. In this post, I am sharing how we can use Auditd for auditing our cloud-native infrastructure.
Auditd is a very light but powerful tool for managing or we can say auditing Linux based systems using its native kernel feature called The Linux Auditing System(LAS). LAS effectily collects some useful system activities and save them in its own logs which helps security guys to better investigate any occured incident.
I will cover Auditd usecase in another part because for better naration, for now we will understand how we can install Auditd and configure.
Prerequisites
- Linux Ubuntu machine: Any version
- Internet for downloading stuff
- And finally, some basic Linux understanding
Install Auditd on Ubuntu Linux
Install Bash if not present, on you Ubuntu system.
sudo apt updatesudo apt install bash-completion
After these inital steps, now Install Auditd. This following command will install Auditd's latest version on your ubuntu system.
sudo apt-get install auditd
You can start and enable your auditd service so it will run up after system restart or reboot.
service status auditdauditd startauditd restart
Auditd is very light, so it will not take much effort. Now time to configure Auditd on Ubuntu system.
Configure Auditd on Ubuntu
By default, you can find auditd's config file here /etc/audit/auditd.conf
.
auditd_buffer_size: 32768auditd_fail_mode: 1auditd_maximum_rate: 60auditd_enable_flag: 1auditd_local_events: "yes"auditd_write_logs: "yes"auditd_log_file: /var/log/audit/audit.logauditd_log_group: rootauditd_log_format: RAWauditd_flush: incremental_asyncauditd_freq: 50auditd_max_log_file: 8auditd_num_logs: 5auditd_priority_boost: 4auditd_disp_qos: lossyauditd_dispatcher: /sbin/audispdauditd_name_format: noneauditd_max_log_file_action: rotateauditd_space_left: 75auditd_space_left_action: syslogauditd_verify_email: "yes"auditd_action_mail_acct: rootauditd_admin_space_left: 50auditd_admin_space_left_action: suspendauditd_disk_full_action: suspendauditd_disk_error_action: suspendauditd_use_libwrap: "yes"auditd_tcp_listen_queue: 5auditd_tcp_max_per_addr: 1auditd_tcp_client_max_idle: 0auditd_enable_krb5: "no"auditd_krb5_principal: auditdauditd_distribute_network: "no"auditd_manage_rules: yesauditd_default_arch: b64
In this above auditd.conf config file auditd_local_events: "yes"
entry is inportant, because it will define would auditd audit local system or not. So, change to no
or remove this part.
How To Write Custom System Audit Rules on Ubuntu
After all the configuration now time for write some rules for Auditd
For viewing current set of audit rules using auditctl -l
command.
sudo auditctl -l
For the first time it will show no rules
.
no rules
By default, auditd's rules are written here /etc/audit/rules.d/audit.rules
# This file contains the auditctl rules that are loaded# whenever the audit daemon is started via the initscripts.# The rules are simply the parameters that would be passed# to auditctl.# First rule - delete all-D# Increase the buffers to survive stress events.# Make this bigger for busy systems-b 320# Feel free to add below this line. See auditctl man page
Adding Audit Rules
For adding auditd rules, we can use cli util for that but for simplicity i am using direct method, but update our /etc/audit/rules.d/audit.rules
file.
Syntax for Auditd rulees
auditctl -w path_to_file -p permissions -k key_name
Original Link: https://dev.to/ajaykdl/how-to-setup-auditd-on-ubuntu-jfk
Dev To
An online community for sharing and discovering great ideas, having debates, and making friendsMore About this Source Visit Dev To