Cyberithub

How to Install and Configure Auditd Service in Rocky Linux 8

Advertisements

In this article, I will take you through the steps to install and configure Auditd service in Rocky Linux 8. Linux audit is a great way to make sure that our system is more secure by providing us different analysis on what is happening in our system in depth detail. We write different audit rules to secure our system and to keep eyes on the services and system call that are being executed and interacted within our system. In this tutorial we will mostly focus on Installing and configuring audit package on Rocky Linux.

How to Install and Configure Auditd Service in Rocky Linux 8

How to Install and Configure Auditd Service in Rocky Linux 8

Also Read: How to Install Flutter on Ubuntu 20.04 LTS (Focal Fossa)

There are mostly 2 ways to write audit rules which we will cover in upcoming tutorial. They are:

  • Using auditctl utility (non-persistence rules). More about auditctl utility.
  • Modifying /etc/audit/rules.d/audit.rules file (persistence rules).

 Audit configuration file and all other related information can be found on below path.

[root@cyberithub ~]# cd /etc/audit/rules.d
[root@cyberithub rules.d]# ll
total 4
-rw-r-----. 1 root root   81 Jul 21  2020 audit.rules

In same same directory we can find a ‘audit.rules’ file which has default rules defined.

[root@localhost rules.d]# cat audit.rules
## First rule - delete all
-D

## Increase the buffers to survive stress events.
## Make this bigger for busy systems
-b 8192

## This determine how long to wait in burst of events
--backlog_wait_time 60000

## Set failure mode to syslog
-f 1

Let’s first Install the Audit Package by using yum install audit command as shown below.

[root@cyberithub audit]# yum install audit
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: ftp.funet.fi
 * centos-qemu-ev: ftp.funet.fi
 * epel: www.nic.funet.fi
 * extras: ftp.funet.fi
 * updates: ftp.funet.fi
Resolving Dependencies
--> Running transaction check
---> Package audit.x86_64 0:2.8.5-4.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved
========================================================================================================================================================
 Package                           Arch                               Version                                    Repository                        Size
========================================================================================================================================================
Installing:
 audit                             x86_64                             2.8.5-4.el7                                base                             256 k

Transaction Summary
========================================================================================================================================================
Install  1 Package

Total download size: 256 k
Installed size: 645 k
Is this ok [y/d/N]: y
Downloading packages:
audit-2.8.5-4.el7.x86_64.rpm                                                                                                     | 256 kB  00:00:00    
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Warning: RPMDB altered outside of yum.
 Installing : audit-2.8.5-4.el7.x86_64                                                                                                             1/1
Verifying  : audit-2.8.5-4.el7.x86_64                                                                                                             1/1

Installed:
audit.x86_64 0:2.8.5-4.el7                                                                                                                           

Complete!

Verify if the package is installed successfully by using rpm -qa | grep audit command as shown below.

[root@cyberithub audit]# rpm -qa | grep audit
audit-libs-2.8.5-4.el7.x86_64
audit-2.8.5-4.el7.x86_64
audit-libs-python-2.8.5-4.el7.x86_64

Configuring the Audit Service

Audit service can be configured by modifying the configuration file present at /etc/audit/auditd.conf which is configured with default values. To start the audit service, use below command.

[root@cyberithub audit]# service auditd start

To check the status of auditd daemon, use below command.

[root@cyberithub audit]# systemctl status auditd
auditd.service - Security Auditing Service
Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2022-01-20 21:18:32 IST; 6s ago
Docs: man:auditd(8)
https://github.com/linux-audit/audit-documentation
Process: 12427 ExecStartPost=/sbin/augenrules --load (code=exited, status=0/SUCCESS)
Process: 12422 ExecStart=/sbin/auditd (code=exited, status=0/SUCCESS)
Main PID: 12423 (auditd)
CGroup: /system.slice/auditd.service
       └─12423 /sbin/auditd

Jan 20 21:18:32 cyberithub augenrules[12427]: lost 201
Jan 20 21:18:32 cyberithub augenrules[12427]: backlog 1
Jan 20 21:18:32 cyberithub augenrules[12427]: enabled 1
Jan 20 21:18:32 cyberithub augenrules[12427]: failure 1
Jan 20 21:18:32 cyberithub augenrules[12427]: pid 12423
Jan 20 21:18:32 cyberithub augenrules[12427]: rate_limit 0
Jan 20 21:18:32 cyberithub augenrules[12427]: backlog_limit 8192
Jan 20 21:18:32 cyberithub augenrules[12427]: lost 201
Jan 20 21:18:32 cyberithub augenrules[12427]: backlog 1
Jan 20 21:18:32 cyberithub systemd[1]: Started Security Auditing Service.

One important point to note here that service command is the only way to interact with auditd daemon. You can use systemctl command only for two actions: enable and status. So if you try to use it let's say for stopping the audit service then you might end up with below error.

[root@cyberithub audit]# systemctl stop auditd
Failed to stop auditd.service: Operation refused, unit auditd.service may be requested by dependency only (it is configured to refuse manual start/stop).
See system logs and 'systemctl status auditd.service' for details.

So to solve the above error you can either restart or even stop and start the audit daemon by service command as shown below.

[root@cyberithub audit]# service auditd stop
Stopping logging:                                          [  OK  ]
[root@cyberithub audit]# service auditd start
Redirecting to /bin/systemctl start auditd.service

To restart the auditd daemon, you need to use service auditd restart command as shown below.

[root@cyberithub audit]# service auditd restart
Stopping logging:                                          [  OK  ]

Note: In Rocky Linux, default services are owned by SYSTEMD and LSB actions can be performed using systemctl commands but auditd daemon is not controlled by systemctl command, to perform actions on this service, use “service auditd <action-name>” commands like above.

In next tutorial we will see how to write some basic audit rules using auditctl utility and by modifying audit.rules file directly.

Leave a Comment