DCA Security FAQ‎ > ‎

System Accounting with auditd

posted Oct 10, 2012, 7:30 AM by Sachchida Ojha
The auditd service is provided for system auditing. By default, the service audits about security-relevant events such as system logins, account modifications, and authentication events performed by programs such as sudo. The audit service, configured with at least its default rules, is strongly recommended for all sites. Note that comprehensive auditing might affect your system's performance.

1.Enable the auditd service
Ensure that the auditd service is enabled by running
chkconfig auditd on

2.Configure auditd data retention

3.Configure auditd rules for comprehensive auditing
# cp /usr/share/doc/audit-1.7.17/stig.rules /etc/audit/audit.rules

4.Record events that modify date and time information
Add the following to /etc/audit/audit.rules
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change

5.Record events that modify user/group information
Add the following to /etc/audit/audit.rules, to capture events that modify account changes:
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity

6.Record attempts to alter logon and logout events
The audit system already collects login info for all users and root. To watch for attempted manual edits of files involved in storing logon events, add the following to /etc/audit/audit.rules:
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins

7.Record attempts to alter process and session initiation information
The audit system already collects process information for all users and root. To watch for attempted manual edits of files involved in storing such process information, add the following to /etc/audit/audit.rules:
-w /var/run/utmp -p wa -k session
-w /var/log/btmp -p wa -k session
-w /var/log/wtmp -p wa -k session

8.Ensure auditd collects discretionary access control permission modification events
At a minimum the audit system should collect file permission changes for all users and root. Add the following to /etc/audit/audit.rules,
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod

9.Ensure auditd collects unauthorized (and unsuccessful) attempts to access files
At a minimum the audit system should collect unauthorized file accesses for all users and root. Add the following to /etc/audit/audit.rules:
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
Comments