Configuring and using auditd

Super Secure

Article from Issue 146/2013

Author(s): Kurt Seifried

The auditd tool can provide system logging capabilities to satisfy even the most paranoid users.

A certain subset of Linux users is extremely paranoid about security. These are folks that want to see every system call and file access that a program makes and want to ensure that any access to specific data files is logged securely. The auditd subsystem [1] provides all these capabilities and more.

Why auditd and Not syslog?

Why not just use syslog/rsyslog like everyone else? One of the biggest differences between auditd and a syslog logger is that auditd runs in kernel space, and syslog runs in user space. For a syslog-style daemon, you can't log any events until syslog is running. That means you could lose startup events. For example, if an attacker were to modify the startup scripts for a service that starts before syslog, they would be able to avoid any logging of their actions. Additionally, syslog can lose messages and events, and nothing much will happen. However, you can configure auditd to stop the system if an error occurs or if messages are unable to be logged locally or remotely.

Enabling auditd

Getting audit running is easy; getting auditd running securely, however, requires a few extra steps. The first and most obvious step is to enable auditd with the command:

[...]

Use Express-Checkout link below to read the full article (PDF).

Buy this article as PDF

Express-Checkout as PDF

Price $2.95
(incl. VAT)

Buy Linux Magazine

SINGLE ISSUES

Print Issues

Digital Issues

SUBSCRIPTIONS

Print Subs

Digisubs

TABLET & SMARTPHONE APPS

US / Canada

UK / Australia