Wednesday, November 16, 2011

Linux Audit Quick Configuration

Linux audit (the kernel audit subsystem together with the auditd daemon) logs and tracks access to files, directories and other system resources, recording which user did what, when, and whether the access succeeded.

To setup Linux audit on your system, proceed as below:

Step 1)            suppose you want to audit what a specific user does in a specific directory. First create the directory, then the user whose home sits inside it (-m creates the home directory; the watched path must exist before the audit rule can be loaded):
# mkdir /backup
# useradd -c "backup admin" -d /backup/bkpadm -m bkpadm
# passwd bkpadm

Step 2)            set the mode, group and ownership of the folder (ownership is changed with chown, not chmod):
# chmod 1750 /backup
# chown bkpadm:bkpadm /backup

Step 3) copy the sample STIG rule set shipped with the audit package, replacing "version" with the installed package version (ls -d /usr/share/doc/audit-* shows it; newer audit releases ship the samples under /usr/share/doc/audit/rules/ or /usr/share/audit/sample-rules/ instead):
# cp /usr/share/doc/audit-version/stig.rules /etc/audit/audit.rules

Step 4) edit audit.rules and comment out the lines containing arch= that do not match your system's architecture (keep the arch=b64 lines on a 64-bit kernel and the arch=b32 lines on a 32-bit one; a rule naming an architecture the kernel cannot audit fails to load and auditctl stops reading the file at the first error):
# vi /etc/audit/audit.rules

# Basic audit system parameters
-D
-b 8192
-f 1
-e 1

## Put your own watches after this point
-w /backup/bkpadm -p rwxa

The basic audit system parameters include a rule that deletes any pre-existing rules (-D) to avoid clashes with the new ones, a setting for the number of outstanding audit buffers (-b), the failure flag (-f) and the enable flag (-e).

-b         depending on the audit load of your system, increase or decrease the number of outstanding audit buffers. When no buffers are left, the kernel consults the failure flag to decide what to do.

-f          the failure flag controls the kernel's reaction to critical errors. Possible values are 0 (silent), 1 (printk, print a failure message) and 2 (panic, bring the system down with no clean shutdown and a risk of data loss or corruption).

-e         1 enables auditing and audit contexts for system calls, 0 disables it; use this flag to switch auditing off and on temporarily. A value of 2 enables auditing and locks the configuration, so no further rule changes are accepted until the next reboot.

The -p flag on a watch selects which kinds of access are recorded: r (read), w (write), x (execute) and a (attribute change). The example above records all four on /backup/bkpadm.

Step 5) review the auditd.conf file; its default settings are shown below (adjust the log sizes and the disk-full actions to the host's policy):

# vi /etc/audit/auditd.conf
log_file = /var/log/audit/audit.log
log_format = RAW
log_group = root
priority_boost = 4
flush = INCREMENTAL
freq = 20
num_logs = 4
disp_qos = lossy
dispatcher = /sbin/audispd
name_format = NONE
max_log_file = 5
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND

Sizes are in megabytes: max_log_file is the size at which a log is rotated, and space_left and admin_space_left are the free-space thresholds on the log partition that trigger the corresponding actions. freq is the number of records written between flushes when flush = INCREMENTAL. SUSPEND stops writing records to disk but leaves auditd running; SINGLE (drop to single-user mode) and HALT are available where losing audit records is unacceptable.

Step 6)            restart auditd so the new rules and configuration are loaded (auditctl -l then lists the active rules and should show the watch):
# service auditd restart

Step 7)            search today's events (ausearch filters the log: add -i to translate uids and syscall numbers into names, -f to restrict to a path or -k to restrict to a rule key; aureport -ts today prints a summary report instead of the raw events):
# ausearch -ts today
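One audit event is not one line: the watch above produces a SYSCALL record (who, which program, success or failure) plus CWD and PATH records (which file), and they are tied together only by the serial number inside msg=audit(time:serial). The script below, an added example that is not part of the original post, joins those records by serial and lists the events a watch produced. It assumes the watch from Step 4 was given a key (-w /backup/bkpadm -p rwxa -k backup_watch; the key name is an assumption) and runs here on constructed sample records; on a real host feed it the output of ausearch -k backup_watch --raw or /var/log/audit/audit.log itself.

```shell
#!/bin/sh
# Added example (not from the original post): correlate the SYSCALL and PATH
# records that make up one audit event, then list the events a watch produced.
# Assumption: the watch was loaded as  -w /backup/bkpadm -p rwxa -k backup_watch
# (the key name backup_watch is an assumption).
# The records below are constructed for this example, not captured from a host.

SAMPLE_LOG="${TMPDIR:-/tmp}/audit-sample.$$.log"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
type=SYSCALL msg=audit(1321459200.123:4567): arch=c000003e syscall=2 success=yes exit=3 a0=7fff2a1c a1=0 a2=1b6 a3=0 items=1 ppid=2201 pid=2210 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=3 comm="cat" exe="/bin/cat" key="backup_watch"
type=CWD msg=audit(1321459200.123:4567):  cwd="/backup/bkpadm"
type=PATH msg=audit(1321459200.123:4567): item=0 name="/backup/bkpadm/hosts.tar" inode=131089 dev=08:03 mode=0100640 ouid=500 ogid=500 rdev=00:00
type=SYSCALL msg=audit(1321459260.456:4570): arch=c000003e syscall=2 success=no exit=-13 a0=7fff2a1c a1=241 a2=1b6 a3=0 items=1 ppid=2301 pid=2310 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=pts1 ses=4 comm="vi" exe="/bin/vi" key="backup_watch"
type=CWD msg=audit(1321459260.456:4570):  cwd="/home/alice"
type=PATH msg=audit(1321459260.456:4570): item=0 name="/backup/bkpadm/hosts.tar" inode=131089 dev=08:03 mode=0100640 ouid=500 ogid=500 rdev=00:00
type=SYSCALL msg=audit(1321459300.789:4580): arch=c000003e syscall=2 success=yes exit=4 a0=7fff2a1c a1=0 a2=1b6 a3=0 items=1 ppid=2401 pid=2410 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=5 comm="cat" exe="/bin/cat" key="other_rule"
type=PATH msg=audit(1321459300.789:4580): item=0 name="/etc/shadow" inode=2102 dev=08:03 mode=0100400 ouid=0 ogid=0 rdev=00:00
EOF

# audit_events_for_key LOGFILE KEY
# Prints one line per event whose SYSCALL record carries KEY. Records of one
# event share the serial inside msg=audit(time:serial), so the PATH record is
# joined to its SYSCALL record by that serial, not by adjacency in the file.
audit_events_for_key() {
    awk -v want="$2" '
    # value of name=value (optionally double-quoted) in a record, or ""
    function field(s, name,    re, v) {
        re = "(^| )" name "=\"?[^ \"]*"
        if (match(s, re) == 0) return ""
        v = substr(s, RSTART, RLENGTH)
        sub(/^ /, "", v)
        sub("^" name "=\"?", "", v)
        return v
    }
    {
        serial = field($0, "msg")              # audit(1321459200.123:4567):
        sub(/^audit\([0-9.]*:/, "", serial)
        sub(/\).*$/, "", serial)
        if ($1 == "type=SYSCALL" && field($0, "key") == want) {
            order[++n]   = serial
            auid[serial] = field($0, "auid")    # login uid survives su/sudo
            ok[serial]   = field($0, "success")
            comm[serial] = field($0, "comm")
        } else if ($1 == "type=PATH" && (serial in auid) && !(serial in path)) {
            path[serial] = field($0, "name")    # first PATH item of the event
        }
    }
    END {
        for (i = 1; i <= n; i++) {
            s = order[i]
            printf "%s auid=%s success=%s comm=%s path=%s\n", s, auid[s], ok[s], comm[s], path[s]
        }
    }' "$1"
}

# audit_denied_for_key LOGFILE KEY
# Only the events whose syscall failed (success=no), e.g. a user probing a
# directory they are not allowed to read.
audit_denied_for_key() {
    audit_events_for_key "$1" "$2" | grep 'success=no' || true
}

echo "all events for key backup_watch:"
audit_events_for_key "$SAMPLE_LOG" backup_watch
echo "denied only:"
audit_denied_for_key "$SAMPLE_LOG" backup_watch
```

The event with key other_rule is ignored, and the second event shows why auid matters: the failed open by auid 501 is attributed to the user who logged in, even if they had switched identity with su or sudo before touching the directory.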