Skip to main content
LPIC-3 Exam 303

Understanding the auditd.conf and Restarting the Audit Server

By June 12, 2018September 12th, 2022No Comments

Linux Audit SystemMoving forward with our series in Linux Security and the LPIC-3 303 exam we turn our attention to configuring the CentOS 7 auditd. The main configuration file for the auditd system is /etc/audit/auditd.conf. The audit directory is restricted and you will need to have root access to read this file or view the contents of the directory /etc/audit/.

$ sudo ls /etc/audit

auditd.conf  audit.rules  audit.rules.prev  audit-stop.rules  rules.d

The main configuration is the .conf file but we also have rules. These rules start with the audit.rules and extend into the /etc/audit/rules.d/ directory. For the moment we concentrate on the configuration file and in a later module we will look at managing and creating rules.

There are many configuration options that can be set with the auditd.conf. To understand these settings take a trip to the man page:

$ man 5 auditd.conf

We will concentrate on 3 settings and their effect on auditing:

$ sudo grep -E 'max_log_file|max_log_file_action|num_logs' /etc/audit/auditd.conf

max_log_file = 8
num_logs = 5
max_log_file_action = ROTATE

max_log_file This specifies the maximum size in MB that the log file can grow to. Here it is 8 MB. This may be ok but we have to ensure that we have enough log storage to be able to adequately record all security events, especially during a burst that may occur during an attack.

num_logs If we are rotating the log files when they reach their maximum size we can specify how many to retain. The current log file will be named audit.log and then rotated files have numercal suffix added. The most recent rotated file will be named audit.log.1, the previous log to this would be audit.log.2 and so on. The highest numbered log will be the oldest.

max_log_file_action This is set to ROTATE by default and bring the previous setting into play. This can be set to values such as IGNORE where auditing will just continue, SYSLOG where a notification is sent to the syslog deamon that the logs are full and SUSPEND where looging is suspended. It would seem that the default setting is most effective.

We will increase the maximum size of the log file. In the demonstration we will set it to 20MB, where we would need upto 100MB to store the log and its rotated archives. Once the file has been edited we need to restart the auditd. Security is set within the systemd service unit to prevent manually stopping or restarting the service. We can quickly check the unit file using the cat sub-command to systemctl:

$ systemctl cat auditd.service | grep Refuse

RefuseManualStop=yes

We are not prevented from restarting the service though, we can bypass the unit file by reverting to the legacy service command:

$ sudo service auditd restart

Stopping logging:                                          [  OK  ]
Redirecting start to /bin/systemctl start auditd.service

The new 20MB limit will now be in place and we can look forward to reading some interesting log entries.

The video looking at the auditd.conf follows: