In this article, I will take you through the steps to install and configure the auditd service on Rocky Linux 8. The Linux audit framework is a great way to make a system more secure, because it gives us detailed visibility into what is happening on the system. We write audit rules to keep an eye on the files, services and system calls that are executed and interacted with on the system. This tutorial focuses on installing and configuring the audit package on Rocky Linux.
How to Install and Configure Auditd Service in Rocky Linux 8
There are mainly two ways to write audit rules, which we will cover in an upcoming tutorial. They are:
auditctl utility (non-persistent rules, i.e. not kept across a reboot). More about the auditctl utility.
/etc/audit/rules.d/audit.rules file (persistent rules).
The audit rules files and all other related information can be found under the path below.
[root@cyberithub ~]# cd /etc/audit/rules.d
[root@cyberithub rules.d]# ll
total 4
-rw-r-----. 1 root root 81 Jul 21 2020 audit.rules
In the same directory we can find an ‘audit.rules’ file which has the default rules defined.
[root@localhost rules.d]# cat audit.rules
## First rule - delete all
-D
## Increase the buffers to survive stress events.
## Make this bigger for busy systems
-b 8192
## This determine how long to wait in burst of events
--backlog_wait_time 60000
## Set failure mode to syslog
-f 1
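The control settings in this default file are worth checking before it is loaded: -D at the top decides whether rules from a previous load survive a reload, -b sizes the kernel backlog that absorbs bursts of events, --backlog_wait_time decides how long the kernel waits when that backlog is full, and -f decides whether lost events are ever reported. The POSIX shell script below is an added example, not code from this article or from the audit project: it reads a rules file, skips the ## comment lines, and reports on those four settings. The SAMPLE_RULES content is constructed to match the default file shown above, and check_audit_rules and rule_value are my own function names.

```sh
#!/bin/sh
# Added example, not from the article or the audit project: sanity-check an
# audit.rules file before it is loaded with augenrules or auditctl -R.

# Constructed sample mirroring the default /etc/audit/rules.d/audit.rules
# shown in the article.
SAMPLE_RULES='## First rule - delete all
-D
## Increase the buffers to survive stress events.
## Make this bigger for busy systems
-b 8192
## This determine how long to wait in burst of events
--backlog_wait_time 60000
## Set failure mode to syslog
-f 1'

# rule_value RULES OPTION: print the argument that follows OPTION, if any
rule_value() {
    printf '%s\n' "$1" | awk -v opt="$2" '$1 == opt { print $2; exit }'
}

# check_audit_rules FILE: print one finding per line and return the number
# of warnings (0 means every control setting looked sane)
check_audit_rules() {
    file=$1
    warnings=0

    # Keep only active rule lines: drop blank lines and ## comments.
    rules=$(awk 'NF && $1 !~ /^#/' "$file")
    first=$(printf '%s\n' "$rules" | head -n 1)

    # -D must come first, otherwise rules from a previous load stay in
    # effect alongside the new ones.
    if [ "$first" = "-D" ]; then
        echo "OK   first rule is -D (flush existing rules)"
    else
        echo "WARN first rule is '${first:-<none>}', not -D; stale rules would survive a reload"
        warnings=$((warnings + 1))
    fi

    # -b sets the kernel backlog; too small and bursts of events are lost.
    b=$(rule_value "$rules" -b)
    if [ -n "$b" ]; then
        echo "OK   backlog limit -b $b"
    else
        echo "WARN no -b line; the kernel default backlog limit is used"
        warnings=$((warnings + 1))
    fi

    # -f 0 is silent, 1 reports failures via printk/syslog, 2 panics.
    f=$(rule_value "$rules" -f)
    case "$f" in
        1|2) echo "OK   failure mode -f $f" ;;
        0)   echo "WARN -f 0 is silent; lost events would go unreported"
             warnings=$((warnings + 1)) ;;
        *)   echo "WARN no -f line; set the failure mode explicitly (1 = syslog)"
             warnings=$((warnings + 1)) ;;
    esac

    # --backlog_wait_time is how long the kernel waits when the backlog is
    # full instead of dropping events straight away.
    w=$(rule_value "$rules" --backlog_wait_time)
    if [ -n "$w" ]; then
        echo "OK   --backlog_wait_time $w"
    else
        echo "WARN no --backlog_wait_time line"
        warnings=$((warnings + 1))
    fi

    return "$warnings"
}

# Stand-alone use: check the file given as argument, else the sample.
if [ -f "${1:-}" ]; then
    check_audit_rules "$1" || echo "$? warning(s)"
else
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_RULES" > "$tmp"
    check_audit_rules "$tmp" || echo "$? warning(s)"
    rm -f "$tmp"
fi
```

Run it as `sh check_rules.sh /etc/audit/rules.d/audit.rules` on a host; with no argument it checks the embedded sample. A non-zero exit status is the warning count, so the script can sit in a configuration test before augenrules --load is run.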
Let’s first install the audit package using the yum install audit command as shown below.
[root@cyberithub audit]# yum install audit
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: ftp.funet.fi
 * centos-qemu-ev: ftp.funet.fi
 * epel: www.nic.funet.fi
 * extras: ftp.funet.fi
 * updates: ftp.funet.fi
Resolving Dependencies
--> Running transaction check
---> Package audit.x86_64 0:2.8.5-4.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package        Arch          Version              Repository         Size
================================================================================
Installing:
 audit          x86_64        2.8.5-4.el7          base              256 k

Transaction Summary
================================================================================
Install  1 Package

Total download size: 256 k
Installed size: 645 k
Is this ok [y/d/N]: y
Downloading packages:
audit-2.8.5-4.el7.x86_64.rpm                               | 256 kB  00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Warning: RPMDB altered outside of yum.
  Installing : audit-2.8.5-4.el7.x86_64                                    1/1
  Verifying  : audit-2.8.5-4.el7.x86_64                                    1/1

Installed:
  audit.x86_64 0:2.8.5-4.el7

Complete!
Verify that the package was installed successfully using the rpm -qa | grep audit command as shown below.
[root@cyberithub audit]# rpm -qa | grep audit
audit-libs-2.8.5-4.el7.x86_64
audit-2.8.5-4.el7.x86_64
audit-libs-python-2.8.5-4.el7.x86_64
Configuring the Audit Service
The audit service can be configured by modifying the configuration file at /etc/audit/auditd.conf, which ships with default values. To start the audit service, use the command below.
[root@cyberithub audit]# service auditd start
To check the status of the auditd daemon, use the command below.
[root@cyberithub audit]# systemctl status auditd
auditd.service - Security Auditing Service
   Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2022-01-20 21:18:32 IST; 6s ago
     Docs: man:auditd(8)
           https://github.com/linux-audit/audit-documentation
  Process: 12427 ExecStartPost=/sbin/augenrules --load (code=exited, status=0/SUCCESS)
  Process: 12422 ExecStart=/sbin/auditd (code=exited, status=0/SUCCESS)
 Main PID: 12423 (auditd)
   CGroup: /system.slice/auditd.service
           └─12423 /sbin/auditd

Jan 20 21:18:32 cyberithub augenrules: lost 201
Jan 20 21:18:32 cyberithub augenrules: backlog 1
Jan 20 21:18:32 cyberithub augenrules: enabled 1
Jan 20 21:18:32 cyberithub augenrules: failure 1
Jan 20 21:18:32 cyberithub augenrules: pid 12423
Jan 20 21:18:32 cyberithub augenrules: rate_limit 0
Jan 20 21:18:32 cyberithub augenrules: backlog_limit 8192
Jan 20 21:18:32 cyberithub augenrules: lost 201
Jan 20 21:18:32 cyberithub augenrules: backlog 1
Jan 20 21:18:32 cyberithub systemd: Started Security Auditing Service.
One important point to note here is that the service command is the only way to stop or restart the auditd daemon. You can use the systemctl command only for two actions: start and status. So if you try to use it, let's say for stopping the audit service, you will end up with the error below.
[root@cyberithub audit]# systemctl stop auditd
Failed to stop auditd.service: Operation refused, unit auditd.service may be requested by dependency only (it is configured to refuse manual start/stop).
See system logs and 'systemctl status auditd.service' for details.
To get around the above error you can restart, or stop and then start, the audit daemon with the service command as shown below.
[root@cyberithub audit]# service auditd stop
Stopping logging: [ OK ]
[root@cyberithub audit]# service auditd start
Redirecting to /bin/systemctl start auditd.service
To restart the auditd daemon, use the service auditd restart command as shown below.
[root@cyberithub audit]# service auditd restart
Stopping logging: [ OK ]
Note: In Rocky Linux, services are managed by systemd and the usual LSB actions can be performed with systemctl commands, but the auditd daemon cannot be stopped or restarted through systemctl. To perform those actions on this service, use “service auditd <action-name>” commands as shown above.
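The key/value lines that augenrules printed in the status output above (enabled, failure, backlog_limit, lost, backlog) are the same fields auditctl -s reports after every start or restart, and the "lost 201" line means the kernel could not hand 201 audit events to the daemon, typically because the backlog filled during a burst; those events are gone. The script below is an added example, not code from this article or from the audit project: it parses those lines and flags an unhealthy state (auditing disabled, silent failure mode, lost events, backlog near its limit), so it can be run after service auditd restart to confirm the daemon came back healthy. SAMPLE_STATUS is constructed from the figures in the status output above; audit_health and status_value are my own function names, and the stand-alone run falls back to the sample when auditctl -s cannot be executed.

```sh
#!/bin/sh
# Added example, not from the article or the audit project: read the
# key/value status lines that augenrules --load and auditctl -s print and
# flag values that indicate auditing is not healthy.

# Constructed sample using the figures from the article's status output.
SAMPLE_STATUS='enabled 1
failure 1
pid 12423
rate_limit 0
backlog_limit 8192
lost 201
backlog 1'

# status_value STATUS KEY: print the value recorded for KEY, if present
status_value() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# audit_health STATUS: print one finding per line, return number of warnings
audit_health() {
    status=$1
    warnings=0
    enabled=$(status_value "$status" enabled)
    failure=$(status_value "$status" failure)
    lost=$(status_value "$status" lost)
    backlog=$(status_value "$status" backlog)
    limit=$(status_value "$status" backlog_limit)

    # enabled: 0 off, 1 on, 2 on and locked until reboot (-e 2)
    case "$enabled" in
        1) echo "OK   auditing enabled" ;;
        2) echo "OK   auditing enabled and locked; rule changes need a reboot" ;;
        *) echo "WARN auditing not enabled (enabled=${enabled:-missing})"
           warnings=$((warnings + 1)) ;;
    esac

    # failure: 0 silent, 1 printk/syslog, 2 panic
    case "$failure" in
        1|2) echo "OK   failure mode $failure" ;;
        0)   echo "WARN failure mode 0 (silent); lost events are never reported"
             warnings=$((warnings + 1)) ;;
        *)   echo "WARN no failure value in status"
             warnings=$((warnings + 1)) ;;
    esac

    # lost counts events the kernel could not hand to auditd, usually
    # because the backlog filled during a burst; they cannot be recovered.
    if [ "${lost:-0}" -gt 0 ]; then
        echo "WARN $lost events lost; raise -b or --backlog_wait_time, or find the event burst"
        warnings=$((warnings + 1))
    else
        echo "OK   no lost events"
    fi

    # backlog close to backlog_limit means the next burst will lose events
    if [ -n "$backlog" ] && [ -n "$limit" ] && [ "$limit" -gt 0 ]; then
        if [ $((backlog * 100 / limit)) -ge 80 ]; then
            echo "WARN backlog $backlog of $limit is at 80% or more"
            warnings=$((warnings + 1))
        else
            echo "OK   backlog $backlog of $limit"
        fi
    fi

    return "$warnings"
}

# Stand-alone use: read live status with auditctl -s (needs root); fall
# back to the constructed sample when that is not possible.
status=$(auditctl -s 2>/dev/null) || status=$SAMPLE_STATUS
audit_health "$status" || echo "$? warning(s)"
```

On the sample the only finding is the lost-event warning, which is exactly the line in the status output that deserves a follow-up: a non-zero lost counter right after a restart means the default -b 8192 was not enough for the burst of events that hit the kernel while the daemon was down.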
In the next tutorial we will see how to write some basic audit rules using the auditctl utility and by modifying the audit.rules file directly.