Cyberithub

How To Define Audit Control rules in Rocky Linux 8

In this tutorial we will focus on defining audit control rules in Rocky Linux 8. Control rules are used to control the settings and configuration of the audit system itself rather than to capture any event logs, and they are defined before the rules that go into the rules file. We use the auditctl utility to interact with the audit system and control its configuration. There are 3 categories of audit rules that can be defined. They are:-

  • Control Rules
  • File System Rules
  • System call Rules

Also Read: How to Install and Configure Auditd Service in Rocky Linux 8

Audit rules can be set in 2 ways. They are:-

  • Using the auditctl utility. Rules defined this way are not persistent across reboots.
  • Adding rules to the /etc/audit/rules.d/audit.rules file. Rules defined here are persistent across reboots.

Let’s now see some basic and important rules to configure audit system.

1. To view current set of audit rules

Use below command to view all currently applied rules. Since I have not configured any rule yet, output shows "No rules".

NOTE:

Please note that here I am using the root user to run all the below commands. You can use any user with sudo access to run all these commands. For more information, please check Step by Step: How to Add User to Sudoers to provide sudo access to the User.
[root@cyberithub ~]# auditctl -l
No rules

2. To view current status of audit system

To check the existing configuration values, you need to use the auditctl -s command as shown below. More about the auditctl command.

[root@cyberithub ~]# auditctl -s
enabled 1
failure 1
pid 474
rate_limit 900
backlog_limit 8192
lost 0
backlog 0
loginuid_immutable 0 unlocked

3. To delete rules

This is useful when we want to apply a fresh set of audit rules after deleting the existing ones. To delete the existing rules, you need to use the auditctl -D command as shown below.

[root@cyberithub ~]# auditctl -D
No rules

4. To change backlog_limit value

If you want to set backlog_limit then you need to use the -b option. Here we are setting the backlog_limit value to 7777 using the auditctl -b 7777 command as shown below.

NOTE:

Please note that if the backlog value is more than the backlog_limit value, an error will be raised.
[root@cyberithub ~]# auditctl -b 7777
enabled 1
failure 1
pid 11720
rate_limit 0
backlog_limit 7777
lost 9020
backlog 1

5. To set action when critical error is raised

Whenever a critical error is raised, we can choose how the kernel handles it. Acceptable values are:-

0 -> silent

1 -> print failure message

2 -> trigger kernel panic

To set the value to 0, you need to run the auditctl -f 0 command as shown below.

[root@cyberithub ~]# auditctl -f 0
enabled 1
failure 0
pid 11720
rate_limit 0
backlog_limit 7777
lost 9020
backlog 1

If we try to set any value other than 0, 1 and 2, then we will get the below error.

[root@cyberithub ~]# auditctl -f 45
Failure must be 0, 1, or 2 was 45

6. To Enable, Disable or Lock Audit System Configuration

To enable, disable or lock audit system configuration, the acceptable values are:-

0 -> to enable

1 -> to disable

2 -> to lock the configuration (becomes immutable configuration)

[root@cyberithub ~]# auditctl -e 2
enabled 2
failure 2
pid 11720
rate_limit 0
backlog_limit 7777
lost 9020
backlog 0

Be cautious while setting the value to '2'. It will lock the audit system's configuration and refuse any new changes to it. This value is useful when we are done writing the rules and don't want any accidental changes to them. If we now try to set the failure flag to 0 or 1, the request is refused:

[root@cyberithub ~]# auditctl -f 1
Error sending failure mode request (Operation not permitted)

To fix the above problem, edit the audit.rules file to remove the "-e 2" rule and reboot the server. That will resolve the issue. If we try to set any value other than 0, 1 and 2, we will get the below error.

[root@cyberithub ~]# auditctl -e 20
Enable must be 0, 1, or 2 was 20

7. To set rate limit on generated messages per second

If you want to set a rate limit on generated messages then you need to use the -r option. Here we are setting the rate limit to 9 using the auditctl -r 9 command as shown below.

NOTE:

Please note that a rate limit value of 0 indicates that no rate limit is set for generated messages.
[root@cyberithub ~]# auditctl -r 9
enabled 1
failure 1
pid 474
rate_limit 9
backlog_limit 8192
lost 0
backlog 0

8. More Info

If the PID is 0 and enabled is 1, then auditd is enabled on the server but not running.

[root@cyberithub ~]# auditctl -s
enabled 1
failure 1
pid 0
rate_limit 0
backlog_limit 8192
lost 8977
backlog 0
loginuid_immutable 0 unlocked

If the PID is non-zero and enabled is 1, then auditd is enabled on the server and running.

[root@cyberithub ~]# auditctl -s
enabled 1
failure 1
pid 11720
rate_limit 0
backlog_limit 8192
lost 9020
backlog 0
loginuid_immutable 0 unlocked
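The checks in steps 4, 6 and 8 above can be scripted. The helper below is an added example, not part of the Cyberithub article: it classifies `auditctl -s` output into the states described in step 8, flags a backlog that has reached backlog_limit (the note in step 4), and prints the control rules in the order they belong at the top of a persistent rules file (leaving out "-e 2", which step 6 shows cannot be undone without a reboot). The sample status text is constructed; on a real host pipe `auditctl -s` into the functions instead.

```shell
#!/bin/sh
# Added example (not from the article): helpers around `auditctl -s` output.

# audit_state reads `auditctl -s` output on stdin and prints one word:
#   locked      -> enabled 2 (configuration immutable until reboot)
#   running     -> enabled 1 with a non-zero auditd pid
#   not-running -> enabled 1 with pid 0 (enabled but daemon not running)
#   disabled    -> anything else
audit_state() {
    awk '
        $1 == "enabled" { enabled = $2 }
        $1 == "pid"     { pid = $2 }
        END {
            if (enabled == 2)      print "locked"
            else if (enabled == 1) print (pid == 0 ? "not-running" : "running")
            else                   print "disabled"
        }'
}

# backlog_ok reads the same output and prints "ok" while backlog is below
# backlog_limit, or "overflow" once it has reached the limit (step 4 note).
backlog_ok() {
    awk '
        $1 == "backlog"       { backlog = $2 }
        $1 == "backlog_limit" { limit = $2 }
        END { print (backlog < limit ? "ok" : "overflow") }'
}

# control_rules prints control rules for the top of
# /etc/audit/rules.d/audit.rules: flush existing rules first, then the
# buffer, failure and rate settings. "-e 2" is deliberately not emitted;
# append it as the last line only once every rule is final.
#   $1 backlog_limit  $2 failure mode (0/1/2)  $3 rate limit (0 = none)
control_rules() {
    printf '%s\n' "-D" "-b $1" "-f $2" "-r $3"
}

# Constructed sample in the shape of the article's output (enabled, pid 0).
SAMPLE_STATUS='enabled 1
failure 1
pid 0
rate_limit 0
backlog_limit 8192
lost 8977
backlog 0
loginuid_immutable 0 unlocked'

printf '%s\n' "$SAMPLE_STATUS" | audit_state     # not-running
printf '%s\n' "$SAMPLE_STATUS" | backlog_ok      # ok
control_rules 8192 1 0
```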
