As we have seen previously, CentOS does not need us to install the audit system; it ships as standard. On Ubuntu, though, it is something you will probably want to install. The required packages are in the standard repositories, and we can install the Linux Audit System on Ubuntu 18.04 with the following command:
$ sudo apt install -y auditd audispd-plugins
This installs and starts the auditd service and adds the audit dispatcher plugins (audispd-plugins) so other tools can receive events from the service.
Unlike the service on CentOS 7, the Ubuntu service can be stopped with systemctl if required. We can see why by reading the unit file for the auditd service, which systemctl will print for us:
$ systemctl cat auditd
The service unit file on CentOS 7:
[Unit]
Description=Security Auditing Service
DefaultDependencies=no
## If auditd.conf has tcp_listen_port enabled, copy this file to
## /etc/systemd/system/auditd.service and add network-online.target
## to the next line so it waits for the network to start before launching.
RefuseManualStop=yes

[Service]
Type=forking
PIDFile=/var/run/auditd.pid
ExecStart=/sbin/auditd
## To not use augenrules, copy this file to /etc/systemd/system/auditd.service
## and comment/delete the next line and uncomment the auditctl line.
## NOTE: augenrules expect any rules to be added to /etc/audit/rules.d/
ExecStartPost=-/sbin/augenrules --load
#ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules
ExecReload=/bin/kill -HUP $MAINPID
# By default we don't clear the rules on exit. To enable this, uncomment
# the next line after copying the file to /etc/systemd/system/auditd.service
#ExecStopPost=/sbin/auditctl -R /etc/audit/audit-stop.rules
It is the RefuseManualStop directive that refuses a manual stop of the service on CentOS 7. Compare this to the unit file in Ubuntu 18.04:
[Unit]
Description=Security Auditing Service
DefaultDependencies=no
After=local-fs.target systemd-tmpfiles-setup.service
Conflicts=shutdown.target
Before=sysinit.target shutdown.target
ConditionKernelCommandLine=!audit=0

[Service]
ExecStart=/sbin/auditd -n
## To use augenrules, copy this file to /etc/systemd/system/auditd.service
## and uncomment the next line and delete/comment out the auditctl line.
## Then copy existing rules to /etc/audit/rules.d/
## Not doing this last step can cause loss of existing rules
#ExecStartPost=-/sbin/augenrules --load
ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules
ExecReload=/bin/kill -HUP $MAINPID
We can also see that CentOS 7 makes use of augenrules and the /etc/audit/rules.d/ directory, whereas Ubuntu uses just the single file /etc/audit/audit.rules. On both systems this is configurable in the service unit file (in a copy placed under /etc/systemd/system/, as the comments in the unit file recommend).
Other than this we will find the services the same and equally useful in tracking exactly who did what on the system. The /var/log/audit/audit.log file records the auid (the audit user ID, i.e. the UID of the original login, which survives a change of uid) of any account that uses sudo -i or su to gain an interactive root shell.
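As an added example (not code from the original article), here is a small parser that reads audit.log records and uses the auid field to attribute root sessions and root processes back to the account that actually logged in. The log lines are constructed samples that follow the audit.log key=value format; the "root-shell" key name is an assumed rule key, not one the article defines.

```python
import re
from typing import Dict, List

# Constructed sample records in audit.log format (not from a real host): a sudo -i
# session, the root bash it spawned, a root daemon with no login uid, and an su session.
SAMPLE_LOG = """\
type=USER_START msg=audit(1600000000.101:201): pid=2011 uid=1000 auid=1000 ses=3 msg='op=PAM:session_open acct="root" exe="/usr/bin/sudo" terminal=/dev/pts/0 res=success'
type=SYSCALL msg=audit(1600000000.102:202): arch=c000003e syscall=59 success=yes exit=0 ppid=2011 pid=2012 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" key="root-shell"
type=SYSCALL msg=audit(1600000000.103:203): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) ses=4294967295 comm="cron" exe="/usr/sbin/cron" key="root-shell"
type=USER_START msg=audit(1600000000.104:204): pid=3101 uid=1001 auid=1001 ses=5 msg='op=PAM:session_open acct="root" exe="/bin/su" terminal=/dev/pts/1 res=success'
"""

UNSET_AUID = 4294967295  # -1 as unsigned: the process never came from a login (daemons)
# key=value tokens; values may be bare, "double-quoted" or the 'single-quoted' PAM msg
_TOKEN = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S+)")

def parse_record(line: str) -> Dict[str, str]:
    """Flatten one audit record into a dict; fields nested in msg='...' are merged in."""
    fields: Dict[str, str] = {}
    for key, value in _TOKEN.findall(line):
        if value.startswith("'"):
            for inner_key, inner_value in _TOKEN.findall(value[1:-1]):
                fields.setdefault(inner_key, inner_value.strip('"'))
        else:
            fields.setdefault(key, value.strip('"'))
    return fields

def root_shells(log: str) -> List[Dict[str, str]]:
    """Return root sessions/processes attributable to a logged-in user via auid.
    uid=0 says the process runs as root; auid says who logged in. Root processes
    with auid unset (4294967295) started as root themselves and are skipped."""
    hits: List[Dict[str, str]] = []
    for line in log.splitlines():
        rec = parse_record(line)
        if not rec:
            continue
        auid = int(rec.get("auid", UNSET_AUID))
        root_process = rec.get("type") == "SYSCALL" and rec.get("uid") == "0"
        root_session = rec.get("type") == "USER_START" and rec.get("acct") == "root"
        if (root_process or root_session) and auid not in (0, UNSET_AUID):
            hits.append({"auid": str(auid), "ses": rec.get("ses", "?"),
                         "via": rec.get("exe", "?"), "type": rec["type"]})
    return hits

if __name__ == "__main__":
    for hit in root_shells(SAMPLE_LOG):
        print(f"auid={hit['auid']} ses={hit['ses']} got root via {hit['via']} ({hit['type']})")
```

On a real host the same logic applies to the output of ausearch, where the ses field lets you tie every root process back to the login session that produced it.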