This document describes how to install auditd on an Ubuntu or CentOS-like OS and configure it to log messages for effective security monitoring. This requires sudo access.
Prerequisites
To ensure log delivery to Microsoft Sentinel, the Log Analytics agent should already be configured to send audit logs to Sentinel. See: Procedures to follow to ingest custom logs with Log Analytics agent.
Installation
    # For systems with APT
    sudo apt install -y auditd curl
    # For systems with YUM
    sudo yum -y install auditd curl
Configuration
Create the rule file.
    sudo touch /etc/audit/rules.d/quantum_auditd.rules
    sudo chown root:root /etc/audit/rules.d/quantum_auditd.rules
    sudo chmod 640 /etc/audit/rules.d/quantum_auditd.rules
    sudo vi /etc/audit/rules.d/quantum_auditd.rules
We edit the file quantum_auditd.rules to add the Armor Security verified rules. These rules can be found in the auditd-config repository.
Edit the configuration file:

    sudo vi /etc/audit/auditd.conf
We replace the contents of the file with Armor Security's best practice configuration. This configuration can be found in the auditd-config repository.
Some settings are only available in auditd 3.0 and later. These are commented out by default. If the Linux distro has auditd 3.0 or later installed, uncomment them. Run sudo auditctl -v to check the version of auditd that is running.
Settings that are only available in 3.0 and later are marked in the conf file with the string ## DO NOT REMOVE!!! AUDITD 3.0 ONLY ## (e.g. disp_qos). These lines should be uncommented.
Restart service
Finally, we restart the auditd service:
    sudo service auditd restart
Fine tuning Auditd buffer size
The kernel audit backlog size will need to be fine tuned. It is set in the rules file with -b 8192 (8192 audit buffers, not megabytes), and it should be increased for systems that are very busy, since events that arrive when the backlog is full are lost.
Check the lost count
    $ sudo auditctl -s
    enabled 1
    failure 1
    pid 1710
    rate_limit 1000
    backlog_limit 8192
    lost 3377
    backlog 0
    loginuid_immutable 0 unlocked
A non-zero lost count shows that events were dropped and that the buffer size needs to be increased.
Increase the buffer size
    $ sudo vi /etc/audit/rules.d/quantum_auditd.rules
Modify the line below to increase the value from 8192:

    -b 8192
Then restart auditd:

    sudo service auditd restart
Reset the lost count
    $ sudo auditctl -s --reset-lost
A few events will be lost during startup; the idea is to run auditctl -s several times after startup and make sure the lost count is not climbing rapidly and stays stable.
NOTE: "auditctl -s --reset-lost" only works on auditd versions 2.x and up. It will not work on Ubuntu 20.04 1.x versions of auditd.
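The stability check above can be scripted. The following is an added example, not part of the original page or the auditd-config repository: it reads the lost and backlog_limit fields from auditctl -s output, tells you whether the counter is still growing between two samples, and proposes a larger -b value. The two status texts are constructed samples so it runs without auditd.

```shell
#!/bin/sh
# Added example, not from the original page: read the "lost" counter from
# `auditctl -s` output and decide whether the backlog (-b) is still too small.
# The two status texts below are constructed samples so this runs without auditd;
# on a real host use "$(sudo auditctl -s)" taken a few minutes apart.
SAMPLE_BEFORE='enabled 1
pid 1710
backlog_limit 8192
lost 3377
backlog 0'
SAMPLE_AFTER='enabled 1
pid 1710
backlog_limit 8192
lost 3377
backlog 0'

# Print one field (lost, backlog_limit, ...) from auditctl -s output.
status_field() {
    printf '%s\n' "$2" | awk -v f="$1" '$1 == f { print $2; exit }'
}

# Succeed when the lost counter did not grow between two samples. A counter
# that keeps climbing after startup means -b in the rules file is too low.
lost_is_stable() {
    before=$(status_field lost "$1")
    after=$(status_field lost "$2")
    [ "${after:-0}" -le "${before:-0}" ]
}

# Suggest a new -b value: double backlog_limit while events are being lost.
suggest_backlog() {
    limit=$(status_field backlog_limit "$1")
    lost=$(status_field lost "$1")
    if [ "${lost:-0}" -gt 0 ]; then echo $((limit * 2)); else echo "$limit"; fi
}

if lost_is_stable "$SAMPLE_BEFORE" "$SAMPLE_AFTER"; then
    echo "lost counter stable at $(status_field lost "$SAMPLE_AFTER")"
else
    echo "lost counter still growing; raise -b to $(suggest_backlog "$SAMPLE_AFTER")"
fi
```

Remember to run auditctl -s --reset-lost after the first post-restart check, so that later samples measure only new losses.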