\n<\/p>\n
In today\u2019s world of increasing security threats and regulatory requirements, auditing your Linux servers has become a necessity. Auditing helps ensure that unexpected changes aren’t made to your system, and it provides a record of system activity for compliance auditing. This article will guide you through using <\/p>\n <\/p>\n <\/p>\n <\/p>\n Before diving into <\/p>\n For Debian\/Ubuntu:<\/p>\n <\/p>\n <\/p>\n For RHEL\/CentOS:<\/p>\n <\/p>\n <\/p>\n After installation, enable and start the audit daemon:<\/p>\n <\/p>\n <\/p>\n Ensure that the service is running:<\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n To see what audit rules are currently in place, use:<\/p>\n <\/p>\n <\/p>\n <\/p>\n To monitor a specific file or directory, you can add an audit rule. For example, to audit changes to the <\/p>\n <\/p>\n <\/p>\n <\/p>\n \n<\/ul>\n <\/p>\n <\/p>\n To remove a specific audit rule, you can issue:<\/p>\n <\/p>\n <\/p>\n <\/p>\n Logs generated by Auditd are stored in <\/p>\n <\/p>\n <\/p>\n <\/p>\n You may wish to audit successful and failed authentication attempts. To audit this, add the following rules:<\/p>\n <\/p>\n <\/p>\n <\/p>\n You can audit specific system calls to track unusual behaviors. For example, if you wanted to track file creations:<\/p>\n <\/p>\n <\/p>\n This rule audits the <\/p>\n <\/p>\n To make your auditing rules persistent across system reboots, include them in the <\/p>\n For example, edit the file:<\/p>\n <\/p>\n <\/p>\n Then add:<\/p>\n <\/p>\n <\/p>\n <\/p>\n Limit the Number of Audit Rules<\/strong>: Having too many rules can affect performance. Selectively choose what needs monitoring.<\/p>\n \n<\/li>\n <\/p>\n Analyze Logs Regularly<\/strong>: Review your audit logs frequently to catch any unusual activities.<\/p>\n \n<\/li>\n <\/p>\n Use Audit Keys Wisely<\/strong>: Create informative keys to categorize different types of logs, making it easier to search.<\/p>\n \n<\/li>\n <\/p>\n Integrate with an SIEM<\/strong>: Consider forwarding Audit logs to a Security Information and Event Management (SIEM) solution for centralized monitoring.<\/p>\n \n<\/li>\n <\/p>\n \n<\/ol>\n <\/p>\n <\/p>\n Linux server auditing using <\/p>\n Remember that while auditing is a proactive measure, it’s just one piece of a larger security framework. Regularly updating your security practices and staying informed about new vulnerabilities are equally essential for maintaining a secure server environment.<\/p>\n <\/p>\n Happy auditing!<\/p>\n\n","protected":false},"excerpt":{"rendered":" In today\u2019s world of increasing security threats and regulatory requirements, auditing your Linux servers has become a necessity. Auditing helps ensure that unexpected changes aren’t made to your system, and it provides a record of system activity for compliance auditing. This article will guide you through using auditctl, a part of the Linux Auditing System, […]<\/p>\n","protected":false},"author":2,"featured_media":1726,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[22],"tags":[1122,1121,218,233,265,266],"class_list":["post-1725","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux-security","tag-auditctl","tag-auditing","tag-comprehensive","tag-guide","tag-linux","tag-server","et-has-post-format-content","et_post_format-et-post-format-standard"],"yoast_head":"\nauditctl<\/code>, a part of the Linux Auditing System, to effectively monitor your Linux server.<\/p>\nWhat is
auditctl<\/code>?<\/h2>\nauditctl<\/code> is a command-line utility used to control the Linux auditing system. It allows system administrators to configure audit rules that govern what events the audit daemon (auditd<\/code>) will log. When properly configured, auditd<\/code> listens for events such as file access, user authentication, and system calls, providing detailed records of what’s happening on your server.<\/p>\nInstalling the Audit Daemon<\/h2>\n
auditctl<\/code>, make sure the Audit daemon is installed on your system. On most Linux distributions, you can install it using your package manager.<\/p>\nsudo apt-get update
\nsudo apt-get install auditd audispd-plugin<\/code><\/pre>\nsudo yum install audit<\/code><\/pre>\nsudo systemctl enable auditd
\nsudo systemctl start auditd<\/code><\/pre>\nsudo systemctl status auditd<\/code><\/pre>\nBasic Commands of
auditctl<\/code><\/h2>\nCheck Current Audit Rules<\/h3>\n
sudo auditctl -l<\/code><\/pre>\nAdd an Audit Rule<\/h3>\n
\/etc\/passwd<\/code> file, you would run:<\/p>\nsudo auditctl -w \/etc\/passwd -p rwxa -k passwd_changes<\/code><\/pre>\n<\/p>\n
-w<\/code> specifies the watch file.<\/li>\n-p<\/code> specifies the permissions to monitor (read, write, execute, attribute change).<\/li>\n-k<\/code> assigns a key to the rule, enabling easier searches in logs.<\/li>\nRemove an Audit Rule<\/h3>\n
sudo auditctl -d \/etc\/passwd -p rwxa -k passwd_changes<\/code><\/pre>\nListing Log Entries<\/h3>\n
\/var\/log\/audit\/audit.log<\/code>. You can use the ausearch<\/code> command to filter and search through the generated logs. For instance:<\/p>\nsudo ausearch -k passwd_changes<\/code><\/pre>\nAdvanced Auditing Techniques<\/h2>\n
Auditing User Logins<\/h3>\n
sudo auditctl -w \/var\/log\/secure -p rwxa -k auth_logs<\/code><\/pre>\nAuditing System Calls<\/h3>\n
sudo auditctl -a always,exit -F arch=b64 -S open,creat,unlink -k file_operations<\/code><\/pre>\nopen<\/code>, creat<\/code>, and unlink<\/code> system calls for 64-bit architecture, ensuring you catch all attempts to create or delete files.<\/p>\nAutomating Auditing<\/h3>\n
\/etc\/audit\/audit.rules<\/code> file. Add the same rules using the proper syntax.<\/p>\nsudo nano \/etc\/audit\/audit.rules<\/code><\/pre>\n-w \/etc\/passwd -p rwxa -k passwd_changes<\/code><\/pre>\nBest Practices for Linux Server Auditing<\/h2>\n
<\/p>\n
Conclusion<\/h2>\n
auditctl<\/code> is an essential practice for any system administrator committed to ensuring server integrity and security. By following the guidelines in this article, you can set up an effective auditing strategy that helps monitor and protect your Linux servers from unauthorized access and potential breaches. <\/p>\n