Installing and Configuring Auditd
This document describes how to install auditd on an Ubuntu- or CentOS-like OS and configure it to log messages for effective security monitoring.
This requires sudo access.
Prerequisites
To ensure log delivery to Microsoft Sentinel, the Log Analytics agent should already be configured to send Audit logs to Sentinel.
See: Procedures to follow to ingest custom logs with Log Analytics agent
Installation
# For systems with APT
sudo apt install -y auditd curl
# For systems with YUM (the package is named audit; it provides the auditd service)
sudo yum -y install audit curl
Configuration
Create the rule file.
sudo touch /etc/audit/rules.d/quantum_auditd.rules
sudo chown root:root /etc/audit/rules.d/quantum_auditd.rules
sudo chmod 640 /etc/audit/rules.d/quantum_auditd.rules
sudo vi /etc/audit/rules.d/quantum_auditd.rules
We edit the file quantum-sec.rules to add Armor Security verified rules. These rules can be found in the auditd-config repository.
Edit the configuration file
sudo vi /etc/audit/auditd.conf
We replace the contents of the file with Armor Security’s best practice configuration. This configuration can be found in the auditd-config repository.
Some configuration options are only available in Auditd 3.0 and later. These are commented out by default. If the Linux distro has Auditd 3.0 installed, we should uncomment them. Run sudo auditctl -v to check the version of Audit that’s running.
Options that are only available in 3.0 and later are marked in the conf file with the string ## DO NOT REMOVE!!! AUDITD 3.0 ONLY ## (e.g. disp_qos). These lines should be uncommented.
Restart service
Finally, we restart the auditd service:
sudo service auditd restart
Fine tuning Auditd buffer size
The buffer size will need to be fine-tuned. It is set at 8 MB, but it should be increased for very busy systems.
Check the lost count
$ sudo auditctl -s
enabled 1
failure 1
pid 1710
rate_limit 1000
backlog_limit 8192
lost 3377
backlog 0
loginuid_immutable 0 unlocked
A non-zero count shows that some events were lost and that we need to increase the buffer size.
Increase the buffer size
$ sudo vi /etc/audit/rules.d/quantum_auditd.rules
Modify the line below to increase it from 8 MB
-b 8192
Then restart auditd
sudo service auditd restart
Reset the lost count
$ sudo auditctl -s --reset-lost
There will be a few events lost during startup, but the idea is to run auditctl -s several times after startup and make sure the lost count is not incrementing exponentially and is staying stable.
NOTE: “auditctl -s --reset-lost” only works on auditd versions 2.x and up. It will not work on Ubuntu 20.04 1.x versions of auditd.
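The check described above (read the lost counter from auditctl -s, sample it several times, confirm it stays stable) can be scripted. This is an added shell example, not part of the original procedure. The function names and the single-line key=value sample for older auditctl builds are assumptions.

```shell
#!/bin/sh
# Output of `auditctl -s` as shown on this page (one field per line).
PAGE_STATUS='enabled 1
failure 1
pid 1710
rate_limit 1000
backlog_limit 8192
lost 3377
backlog 0
loginuid_immutable 0 unlocked'

# Constructed sample: single-line key=value layout assumed for older auditctl.
LEGACY_STATUS='AUDIT_STATUS: enabled=1 flag=1 pid=900 rate_limit=0 backlog_limit=320 lost=12 backlog=0'

# status_field NAME: print NAME's value from `auditctl -s` output on stdin.
# Exact token match, so "backlog" never matches "backlog_limit".
status_field() {
    awk -v want="$1" '{
        n = split($0, tok, /[ \t=]+/)
        for (i = 1; i < n; i++)
            if (tok[i] == want) { print tok[i + 1]; exit }
    }'
}

# lost_verdict N1 N2 ...: classify successive "lost" samples, oldest first:
# stable (no movement), growing (still dropping events; raise -b),
# reset (counter went backwards: auditd restarted or --reset-lost ran).
lost_verdict() {
    prev=$1; verdict=stable; shift
    for cur in "$@"; do
        if [ "$cur" -lt "$prev" ]; then verdict=reset
        elif [ "$cur" -gt "$prev" ] && [ "$verdict" != reset ]; then verdict=growing
        fi
        prev=$cur
    done
    echo "$verdict"
}

# watch_lost COUNT DELAY: sample the live counter (needs root and auditctl).
watch_lost() {
    count=$1; delay=$2; samples=""
    while [ "$count" -gt 0 ]; do
        samples="$samples $(auditctl -s | status_field lost)"
        count=$((count - 1))
        if [ "$count" -gt 0 ]; then sleep "$delay"; fi
    done
    lost_verdict $samples   # unquoted on purpose: one argument per sample
}
printf '%s\n' "$PAGE_STATUS" | status_field lost   # prints 3377
```

On a host with auditd running, calling watch_lost 5 60 as root after a restart takes five samples a minute apart and prints the verdict.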