Understanding the auditd.conf and Restarting the Audit Server

June 12, 2018 by The Urban Penguin

Moving forward with our series on Linux security and the LPIC-3 303 exam, we turn our attention to configuring auditd on CentOS 7. The main configuration file for the auditd system is /etc/audit/auditd.conf. The audit directory is restricted, so you will need root access to read this file or to list the contents of the directory /etc/audit/.

$ sudo ls /etc/audit

auditd.conf  audit.rules  audit.rules.prev  audit-stop.rules  rules.d

The main configuration is the .conf file but we also have rules. These rules start with the audit.rules and extend into the /etc/audit/rules.d/ directory. For the moment we concentrate on the configuration file and in a later module we will look at managing and creating rules.

There are many configuration options that can be set with the auditd.conf. To understand these settings take a trip to the man page:

$ man 5 auditd.conf

We will concentrate on 3 settings and their effect on auditing:

$ sudo grep -E 'max_log_file|max_log_file_action|num_logs' /etc/audit/auditd.conf

max_log_file = 8
num_logs = 5
max_log_file_action = ROTATE

max_log_file This specifies the maximum size in MB that the log file can grow to. Here it is 8 MB. This may be fine, but we have to ensure that we have enough log storage to adequately record all security events, especially during a burst such as may occur during an attack.

num_logs If we are rotating the log files when they reach their maximum size we can specify how many to retain. The current log file is named audit.log and rotated files have a numerical suffix added: the most recent rotated file is named audit.log.1, the one before it audit.log.2, and so on. The highest numbered log is the oldest.

max_log_file_action This is set to ROTATE by default and brings the previous setting into play. It can be set to values such as IGNORE, where auditing simply continues; SYSLOG, where a notification is sent to the syslog daemon that the log is full; and SUSPEND, where logging is suspended. The default setting would seem to be the most effective.
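As an added check for the three settings just described (example code, not from the original post), the shell functions below read them from an auditd.conf, compute the worst-case space the log and its rotated copies can occupy, and flag a max_log_file_action that would stop recording or let the file grow without limit. The configuration file it writes is constructed for the demonstration; on a real host you would pass /etc/audit/auditd.conf as root.

```shell
# Added example, not from the original post: read the three auditd.conf
# settings discussed above and work out the worst-case disk space the log and
# its rotated copies can occupy, plus whether max_log_file_action still keeps
# a record during a burst. Real hosts: pass /etc/audit/auditd.conf (root-only).
write_sample() {   # write_sample FILE SIZE_MB NUM_LOGS ACTION (constructed data)
    cat > "$1" <<EOF
# constructed auditd.conf fragment
log_file = /var/log/audit/audit.log
max_log_file = $2
num_logs = $3
max_log_file_action = $4
EOF
}
conf_value() {     # conf_value FILE KEY -> value of "KEY = value", comments skipped
    awk -v key="$2" -F'=' '
        /^[[:space:]]*#/ { next }
        { k = $1; gsub(/[[:space:]]/, "", k)
          if (tolower(k) == tolower(key)) {
              v = $2; gsub(/^[[:space:]]+|[[:space:]]+$/, "", v); print v } }' "$1"
}
# audit_log_budget FILE -> worst-case MB on disk. ROTATE keeps num_logs files
# (audit.log plus audit.log.1 .. audit.log.N-1) of max_log_file MB each;
# SUSPEND stops at one full file; IGNORE and SYSLOG write past the limit.
audit_log_budget() {
    size=$(conf_value "$1" max_log_file); n=$(conf_value "$1" num_logs)
    action=$(conf_value "$1" max_log_file_action | tr '[:lower:]' '[:upper:]')
    [ -n "$size" ] && [ -n "$n" ] || { echo unknown; return 1; }
    case "$action" in
        ROTATE)        echo $((size * n)) ;;
        SUSPEND)       echo "$size" ;;
        IGNORE|SYSLOG) echo unbounded ;;
        *)             echo unknown; return 1 ;;
    esac
}
# audit_action_risk FILE -> "ok" only for ROTATE; the other values either let
# the file grow without limit or stop recording events once it is full.
audit_action_risk() {
    case "$(conf_value "$1" max_log_file_action | tr '[:lower:]' '[:upper:]')" in
        ROTATE)        echo ok ;;
        SUSPEND)       echo "risk: auditing stops when the log is full" ;;
        IGNORE|SYSLOG) echo "risk: log grows past max_log_file, disk can fill" ;;
        *)             echo "risk: unrecognised action" ;;
    esac
}
SAMPLE_CONF="${TMPDIR:-/tmp}/auditd.conf.sample"
write_sample "$SAMPLE_CONF" 8 5 ROTATE       # the CentOS 7 defaults shown above
echo "worst case: $(audit_log_budget "$SAMPLE_CONF") MB, $(audit_action_risk "$SAMPLE_CONF")"
```

With the defaults this reports 40 MB; raising max_log_file to 20 with num_logs still 5 raises the ceiling to 100 MB.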

We will increase the maximum size of the log file. In the demonstration we will set it to 20MB, which means we would need up to 100MB to store the log and its rotated archives. Once the file has been edited we need to restart auditd. Protection is set within the systemd service unit to prevent the service from being stopped or restarted manually with systemctl. We can quickly check the unit file using the cat sub-command of systemctl:

$ systemctl cat auditd.service | grep Refuse

RefuseManualStop=yes

We are not prevented from restarting the service altogether, though: we can bypass the unit file by reverting to the legacy service command:

$ sudo service auditd restart

Stopping logging:                                          [  OK  ]
Redirecting start to /bin/systemctl start auditd.service

The new 20MB limit will now be in place and we can look forward to reading some interesting log entries.

The video looking at the auditd.conf follows:

Filed Under: LPIC-3 Exam 303
