Linux Audit Framework Configuration


The Linux Audit framework (auditd) provides comprehensive system call auditing capabilities essential for security monitoring and compliance. Proper configuration captures security-relevant events while maintaining system performance. Understanding audit rules syntax enables precise event collection tailored to specific security requirements.

Configure auditd for comprehensive security monitoring:

# Basic auditd configuration in /etc/audit/auditd.conf
log_file = /var/log/audit/audit.log
log_format = ENRICHED
log_group = root
max_log_file = 50
max_log_file_action = ROTATE
num_logs = 10
priority_boost = 4
flush = INCREMENTAL_ASYNC
freq = 50

# System call auditing rules in /etc/audit/rules.d/security.rules
# Monitor privileged commands
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged

# File integrity monitoring
-w /etc/passwd -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/sudoers -p wa -k privileged
-w /etc/ssh/sshd_config -p wa -k sshd_config

# System call monitoring
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time_change
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system_locale
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod

Complement the audit rules with file integrity monitoring, so that changes to system binaries are detected even when they bypass the watched paths:

# Install and configure aide for file integrity monitoring
apt-get install aide
aideinit

# Configure critical file monitoring
cat >> /etc/aide/aide.conf << EOF
/boot R+sha256
/bin R+sha256
/sbin R+sha256
/lib R+sha256
/lib64 R+sha256
/usr/bin R+sha256
/usr/sbin R+sha256
EOF

# Schedule regular integrity checks
# (note: "crontab -" replaces the invoking user's entire crontab; use "crontab -l" first to merge)
echo "0 5 * * * /usr/bin/aide --check | mail -s 'AIDE Report' [email protected]" | crontab -

Performance tuning ensures audit logging doesn't impact system operations:

# Tune audit buffer to prevent event loss
auditctl -b 8192  # Increase buffer size
auditctl -f 1     # Set failure mode to printk

# Monitor audit performance
aureport --summary
ausearch --start today --raw | wc -l  # Count today's events

# Rate limiting is a global auditctl setting (-r, messages per second), not a rule field;
# when the limit is exceeded the failure action set with -f applies
auditctl -r 100

# Keep high-volume rules narrow instead: record only denied opens by real users
-a always,exit -F arch=b64 -S open -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access