
This document describes how to install auditd on Ubuntu or a CentOS-like OS and configure it to log the events needed for effective security monitoring.

This requires sudo access.

Prerequisites

To ensure log delivery to Microsoft Sentinel, the Log Analytics agent should already be configured to send audit logs to Sentinel.

Procedures to follow to ingest custom logs with Log Analytics agent

Installation

# For systems with APT
sudo apt install -y auditd curl

# For systems with YUM
sudo yum -y install auditd curl

Configuration

Create the rule file.

sudo touch /etc/audit/rules.d/quantum_auditd.rules
sudo chown root:root /etc/audit/rules.d/quantum_auditd.rules
sudo chmod 640 /etc/audit/rules.d/quantum_auditd.rules
sudo vi /etc/audit/rules.d/quantum_auditd.rules

We edit the file quantum_auditd.rules to add the Armor Security verified rules. These rules can be found in the auditd-config repository.

Edit the configuration file

sudo vi /etc/audit/auditd.conf

We replace the contents of the file with Armor Security’s best-practice configuration. This configuration can be found in the auditd-config repository.

Some settings are only available in auditd 3.0 and later. These are commented out by default. If the Linux distro has auditd 3.0 or later installed, uncomment them. Run sudo auditctl -v to check the version of audit that is running.

Settings that are only available in 3.0 and later are marked in the conf file with the string ## DO NOT REMOVE!!! AUDITD 3.0 ONLY ## (for example disp_qos). Uncomment these lines.
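The version check and the uncommenting step above can be scripted. The following is an added example, not part of this page or of the auditd-config repository. It assumes the layout of the conf file is a marker line immediately followed by the commented-out setting (that layout is an assumption; adjust the awk program if the repository puts the marker elsewhere).

```shell
# Added example (assumption about the conf layout, see lead-in):
#   ## DO NOT REMOVE!!! AUDITD 3.0 ONLY ##
#   #disp_qos = lossy
# The marker line stays; only the line directly after it is uncommented.

MARKER='## DO NOT REMOVE!!! AUDITD 3.0 ONLY ##'

# audit_major "auditctl version 3.0.7" -> prints "3".
# The last field of the "auditctl -v" output is the version string.
audit_major() {
    printf '%s\n' "$1" | awk '{ split($NF, v, "."); print v[1] }'
}

# needs_v3_settings VERSION_OUTPUT -> exit 0 when auditd is 3.0 or later.
needs_v3_settings() {
    [ "$(audit_major "$1")" -ge 3 ]
}

# uncomment_v3_stream: read auditd.conf on stdin, write the edited file to
# stdout. A line that follows a marker line loses its leading '#'.
uncomment_v3_stream() {
    awk -v m="$MARKER" '
        prev_marker { sub(/^[[:space:]]*#[[:space:]]*/, "") }
        { prev_marker = (index($0, m) > 0); print }
    '
}

# uncomment_v3_file FILE: same thing in place. Writing through "cat >"
# keeps the existing owner and mode (root:root 0640) of the conf file.
uncomment_v3_file() {
    tmp=$(mktemp)
    uncomment_v3_stream < "$1" > "$tmp" && cat "$tmp" > "$1"
    rm -f "$tmp"
}

# Usage on a host (run as root, after auditd.conf has been put in place):
#   if needs_v3_settings "$(auditctl -v)"; then
#       uncomment_v3_file /etc/audit/auditd.conf
#   fi
```

Run the check before restarting auditd; an uncommented 3.0-only setting on a 2.x daemon makes auditd refuse to start with a config error, which is exactly the situation the marker is meant to prevent.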

Restart service

Finally, we restart the auditd service:

sudo service auditd restart

Fine-tuning the auditd buffer size

The backlog buffer size will need to be fine-tuned. It is set at 8 MB, but it should be increased for systems that are very busy.

Check the lost count

$ sudo auditctl -s
enabled 1
failure 1
pid 1710
rate_limit 1000
backlog_limit 8192
lost 3377
backlog 0
loginuid_immutable 0 unlocked

A non-zero lost count shows that some events were lost and that the buffer size needs to be increased.

Increase the buffer size

$ sudo vi /etc/audit/rules.d/quantum_auditd.rules

Modify the line below to increase it from 8 MB:

-b 8192

Then restart auditd:

sudo service auditd restart

Reset the lost count

$ sudo auditctl -s --reset-lost

A few events will be lost during startup, but the idea is to run auditctl -s several times after startup and make sure the lost count is not climbing continuously and stays stable.

NOTE: auditctl -s --reset-lost only works on auditd versions 2.x and up. It will not work on the 1.x versions of auditd on Ubuntu 20.04.
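The tuning loop above (read the lost counter, compare readings, grow -b, restart) as an added example that is not part of this page. The sample auditctl -s output in the block is constructed from the fields shown above; the doubling policy for the new -b value is an assumption, not something the page prescribes.

```shell
# Added example: helpers for the backlog tuning procedure.
# Constructed sample of "auditctl -s" output (same fields as on the page).
SAMPLE_STATUS='enabled 1
failure 1
pid 1710
rate_limit 1000
backlog_limit 8192
lost 3377
backlog 0
loginuid_immutable 0 unlocked'

# lost_count: read auditctl -s output on stdin, print the lost counter
# (0 if the field is absent, e.g. on very old auditctl builds).
lost_count() {
    awk '$1 == "lost" { print $2; found = 1 } END { if (!found) print 0 }'
}

# backlog_limit: read auditctl -s output on stdin, print the current -b value.
backlog_limit() {
    awk '$1 == "backlog_limit" { print $2 }'
}

# lost_delta BEFORE AFTER -> events lost between two readings. Startup losses
# are in both readings, so only growth between readings counts.
lost_delta() {
    echo $(( $2 - $1 ))
}

# backlog_needs_increase BEFORE AFTER -> exit 0 if the counter kept climbing.
backlog_needs_increase() {
    [ "$(lost_delta "$1" "$2")" -gt 0 ]
}

# next_backlog CURRENT -> doubled value (assumed policy; pick your own step).
next_backlog() {
    echo $(( $1 * 2 ))
}

# set_backlog_stream NEW: rewrite the "-b N" line of a rules file read on
# stdin, writing the result to stdout. Other rules pass through unchanged.
set_backlog_stream() {
    awk -v n="$1" '$1 == "-b" { $2 = n } { print }'
}

# Usage on a host (run as root):
#   first=$(auditctl -s | lost_count); sleep 60
#   second=$(auditctl -s | lost_count)
#   if backlog_needs_increase "$first" "$second"; then
#       rules=/etc/audit/rules.d/quantum_auditd.rules
#       new=$(next_backlog "$(auditctl -s | backlog_limit)")
#       set_backlog_stream "$new" < "$rules" > "$rules.tmp" && cat "$rules.tmp" > "$rules"
#       rm -f "$rules.tmp"
#       service auditd restart
#       auditctl -s --reset-lost
#   fi
```

Take the two readings some time apart rather than right after a restart, so the startup losses the page mentions do not trigger an increase on their own; the delta, not the absolute count, is what says the buffer is still too small.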
