DEV Community

Ajay K. Dhyani
Ajay K. Dhyani

Posted on • Updated on • Originally published at kubefront.com

How to setup and Install Auditd on Ubuntu

Securing our microservice's backend infrastructure is very crucial nowadays, managing lots of endpoints, clusters(Database, workers) is not an easy task. In this post, I am sharing how we can use Auditd for auditing our cloud-native infrastructure. We will take a look on how to install and configure Auditd on Ubuntu.

Auditd is a very light but powerful tool for managing or we can say auditing Linux-based systems using its native kernel feature called The Linux Auditing System(LAS). LAS effectively collects some useful system activities and saves them in its own logs which helps security guys to better investigate any occurred incident.

I will cover Auditd use case in another part because for better narration, for now, we will understand how we can install Auditd.

Prerequisites

  • Linux Ubuntu machine: Any version

  • Internet for downloading stuff

  • And finally, some basic Linux understanding

Install Auditd on Ubuntu Linux

Install Bash if not present, on your Ubuntu system.

sudo apt update
sudo apt install bash-completion
Enter fullscreen mode Exit fullscreen mode

After these initial steps, now Install Auditd. The following command will install Auditd's latest version on your ubuntu system.

sudo apt-get install auditd
Enter fullscreen mode Exit fullscreen mode

You can start and enable your auditd service so it will run up after system restart or reboot.


service status auditd

auditd start

auditd restart

Enter fullscreen mode Exit fullscreen mode

Auditd is very light, so it will not take much effort. Now time to configure Auditd on Ubuntu system.

Configure Auditd on Ubuntu

By default, you can find auditd's config file here /etc/audit/auditd.conf.

auditd_buffer_size: 32768
auditd_fail_mode: 1
aauditd_maximum_rate: 60
auditd_enable_flag: 1
auditd_local_events: "yes"
auditd_write_logs: "yes"
auditd_log_file: /var/log/audit/audit.log
auditd_log_group: root
auditd_log_format: RAW
auditd_flush: incremental_async
auditd_freq: 50
auditd_max_log_file: 8
auditd_num_logs: 5
auditd_priority_boost: 4
auditd_disp_qos: lossy
auditd_dispatcher: /sbin/audispd
auditd_name_format: none
auditd_max_log_file_action: rotate
auditd_space_left: 75
auditd_space_left_action: syslog
auditd_verify_email: "yes"
auditd_action_mail_acct: root
auditd_admin_space_left: 50
auditd_admin_space_left_action: suspend
auditd_disk_full_action: suspend
auditd_disk_error_action: suspend
auditd_use_libwrap: "yes"
auditd_tcp_listen_queue: 5
auditd_tcp_max_per_addr: 1
auditd_tcp_client_max_idle: 0
auditd_enable_krb5: "no"
auditd_krb5_principal: auditd
auditd_distribute_network: "no"
auditd_manage_rules: yes
auditd_default_arch: b64
Enter fullscreen mode Exit fullscreen mode

In this above auditd.conf config file auditd_local_events: "yes" entry is important, because it will define would auditd audit local system or not. So, change to no or remove this part.

How To Write Custom System Audit Rules on Ubuntu

After all the configuration now time to write some rules for Auditd

For viewing a current set of audit rules using auditctl -l command.

sudo auditctl -l
Enter fullscreen mode Exit fullscreen mode

For the first time, it will show no rules.

no rules
Enter fullscreen mode Exit fullscreen mode

By default, auditd's rules are written here /etc/audit/rules.d/audit.rules

#This file contains the auditctl rules that are loaded

# whenever the audit daemon is started via the init scripts.

# The rules are simply the parameters that would be passed

# to auditctl.

# First rule - delete all

-D

# Increase the buffers to survive stress events.

# Make this bigger for busy systems

-b 320

# Feel free to add below this line. See auditctl man page
Enter fullscreen mode Exit fullscreen mode

Adding Audit Rules

For adding auditd rules, we can use CLI util for that but for simplicity, I am using the direct method, but update our /etc/audit/rules.d/audit.rules file.

Syntax for Auditd rules

auditctl -w path_to_file -p permissions -k key_name
Enter fullscreen mode Exit fullscreen mode

Discussion (1)

Collapse
ajaykdl profile image
Ajay K. Dhyani Author