Installing and Configuring Auditd

This document describes how to install auditd on an Ubuntu or CentOS-like system and configure it to log the events needed for effective security monitoring.

This requires sudo access.

Prerequisites

To ensure log delivery to Microsoft Sentinel, the Log Analytics agent should already be configured to send audit logs to Sentinel.

Procedures to follow to ingest custom logs with Log Analytics agent

Installation

# For systems with APT
sudo apt install -y auditd curl

# For systems with YUM
sudo yum -y install auditd curl

Configuration

Create the rule file.

sudo touch /etc/audit/rules.d/quantum_auditd.rules
sudo chown root:root /etc/audit/rules.d/quantum_auditd.rules
sudo chmod 640 /etc/audit/rules.d/quantum_auditd.rules
sudo vi /etc/audit/rules.d/quantum_auditd.rules

Add the Armor Security verified rules to quantum_auditd.rules (the file created above). The rules can be found in the auditd-config repository. augenrules merges every *.rules file in /etc/audit/rules.d/ into /etc/audit/audit.rules when the service starts, so the rules do not need to be copied into audit.rules by hand.

Edit the configuration file

sudo vi /etc/audit/auditd.conf

Replace the contents of the file with Armor Security's best-practice configuration, which can be found in the auditd-config repository.

Some settings are only available in auditd 3.0 and later, and they are commented out by default. If the distro ships auditd 3.0 or later, uncomment them. Run sudo auditctl -v to check the installed version; do not rely on the package version string, which on Ubuntu carries an epoch prefix (for example 1:2.8.5) that is not the auditd version.

Settings that require 3.0 or later are marked in the conf file with the string ## DO NOT REMOVE!!! AUDITD 3.0 ONLY ## (for example disp_qos). Uncomment these lines on 3.0+ systems and leave them commented on older versions, which do not recognise the keywords.

Restart service

Finally, restart the auditd service with sudo service auditd restart. Use the service wrapper rather than systemctl restart auditd: on CentOS the unit sets RefuseManualStop=yes and systemctl refuses the restart, while service auditd restart works on both distributions. On start, augenrules rebuilds /etc/audit/audit.rules from /etc/audit/rules.d/ and loads it.

Fine-tuning the auditd backlog buffer

The kernel audit backlog will need to be fine-tuned. It is set by the -b line in the rules file (8192 in the shipped rules); note that -b is a count of kernel audit buffers, not megabytes. When the backlog fills before auditd drains it, events are dropped, so the limit should be raised on very busy systems.

Check the lost count

Run sudo auditctl -s and look at the lost line. A non-zero count shows that events were dropped because the backlog filled, and that the limit should be increased. The counter is kept by the kernel and survives an auditd restart, so compare successive readings rather than treating a single non-zero value as proof of an ongoing problem.

Increase the buffer size

Raise the value on the -b line in the rules file (for example, double it). A larger backlog costs kernel memory, so increase it in steps rather than picking an arbitrarily large number.

Then restart auditd with sudo service auditd restart so the new limit is loaded.

Reset the lost count

Reset the counter with sudo auditctl --reset-lost. A few events are normally lost during startup, so the idea is to run auditctl -s several times afterwards and make sure the lost count stays stable rather than climbing; a count that keeps rising during steady-state load means the limit is still too low.

NOTE: the --reset-lost option only exists in newer auditctl releases; an older version rejects it as an unknown option. In that case record the current lost count as a baseline and compare later readings against it. Check the version with auditctl -v, not the package version: Ubuntu's package version string carries an epoch prefix (1:2.8.5 on 20.04), and the leading "1:" does not mean auditd 1.x.
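The tuning loop above (read auditctl -s, decide whether the lost counter is still climbing, raise -b in the rules file, restart, reset) as an added shell example; this is not code from the original page or from the auditd-config repository. The rules file path and the 8192 starting value are taken from the page; the doubling step, the AUDITD_TUNE_APPLY switch and the 30-second sampling interval are our assumptions. The parsing and rewriting helpers take text and file paths so they can be exercised offline; the real commands only run when AUDITD_TUNE_APPLY=1 is set and the script is run as root.

```shell
#!/bin/sh
# Added example: helpers for the auditd backlog-tuning loop.
# Assumed path (from the page); override with RULES_FILE=... if yours differs.
RULES_FILE=${RULES_FILE:-/etc/audit/rules.d/quantum_auditd.rules}

# Print the value of one key ($1) from `auditctl -s` output passed as $2,
# or -1 when the key is absent (e.g. auditctl was not run as root).
status_field() {
  printf '%s\n' "$2" | awk -v k="$1" '$1 == k { print $2; found = 1 } END { if (!found) print "-1" }'
}

# Major version from `auditctl -v` output ("auditctl version 3.0.7" -> 3).
# Use this, not the distro package version: Ubuntu prefixes an epoch ("1:2.8.5").
audit_major() {
  printf '%s\n' "$1" | awk '{ split($NF, v, "."); print v[1] + 0 }'
}

# Given two `auditctl -s` captures taken some seconds apart, print "grow" if
# the lost counter is still climbing, "ok" otherwise. A one-off burst right
# after startup is expected; a rising count under steady-state load is not.
backlog_verdict() {
  a=$(status_field lost "$1")
  b=$(status_field lost "$2")
  if [ "$b" -gt "$a" ]; then echo grow; else echo ok; fi
}

# Current -b value in a rules file (0 if no -b line is present).
rules_backlog_limit() {
  awk '/^-b[[:space:]]+[0-9]+/ { v = $2 } END { print v + 0 }' "$1"
}

# Rewrite (or append) the -b line in rules file $1 to $2. The content is
# written back through cat so the file keeps its root:root 640 ownership and
# mode instead of being replaced by a fresh file owned by the caller.
set_backlog_limit() {
  f=$1; n=$2
  tmp=$(mktemp) || return 1
  awk -v n="$n" '
    /^-b[[:space:]]+[0-9]+/ { print "-b " n; done = 1; next }
    { print }
    END { if (!done) print "-b " n }' "$f" > "$tmp" && cat "$tmp" > "$f"
  rc=$?
  rm -f "$tmp"
  return $rc
}

# One real tuning pass; needs root and a running auditd. Opt-in only.
apply_tuning() {
  first=$(auditctl -s)
  sleep 30                                  # assumed sampling interval
  second=$(auditctl -s)
  if [ "$(backlog_verdict "$first" "$second")" = grow ]; then
    cur=$(rules_backlog_limit "$RULES_FILE")
    [ "$cur" -gt 0 ] || cur=8192            # page's starting value
    set_backlog_limit "$RULES_FILE" $((cur * 2))
    service auditd restart                  # not systemctl: CentOS unit refuses manual stop
    # --reset-lost exists only in newer auditctl; fall back to a baseline reading.
    auditctl --reset-lost 2>/dev/null || echo "baseline lost=$(status_field lost "$(auditctl -s)")"
  else
    echo "lost counter stable; no change"
  fi
}

if [ "${AUDITD_TUNE_APPLY:-0}" = 1 ]; then apply_tuning; fi
```

Run it as `sudo AUDITD_TUNE_APPLY=1 sh tune-backlog.sh` on a busy host during normal load, repeat until the verdict is "ok", and keep the final -b value under configuration management so a rebuilt host does not fall back to the default.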