Configure Auditd and how to leverage it

Learn how to config and write rules to detect malicious activities

Refs

• https://documentation.suse.com/sles/12-SP4/html/SLES-all/cha-audit-comp.html

• https://linux.die.net/man/7/audit.rules

When I was working as a Security Engineer, my company only used Syslog, and I didn't know whether it is enough logs or not. I noticed most of the SOC center collect auditd log

How to configure it

Auditd is developed by Red Hat so RHEL usually has it built-in so most of the time you just need to enable it and configure its rules, below are all related files and processes of auditd

I copy from openSUSE Auditd documentation

Let's start with audit.rules which is usually stored at/etc/audit/rules.d, this file contains all the rules that you will define for Auditd. The rules will look something like this (I'll explain the rules later)

By default Auditd does not come with default rules whatsoever, you need to write your own manually or you just be like me and clone other people's Auditd rules (with mad respect for them)

Script to install and applied Neo23x rules

The package manager will depend on your system, mine is ubuntu, and yours may be RHEL or Centos

wget -O /etc/audit/rules.d/ https://github.com/Neo23x0/auditd/blob/master/audit.rules
sudo systemctl restart auditd.service

After that, you can use auditctl to check your configuration (the command will check are there any rules have applied)

sudo auditctl -l 

Configure Syslog to send the auditd log

By default Syslog does not collect auditd logs, you will have to configure it by changing active = no -> active = yes in this file: /etc/audisp/plugins.d/syslog.conf and after that restart the service

# This file controls the configuration of the syslog plugin.
# It simply takes events and writes them to syslog. The
# arguments provided can be the default priority that you
# want the events written with. And optionally, you can give
# a second argument indicating the facility that you want events
# logged to. Valid options are LOG_LOCAL0 through 7, LOG_AUTH,
# LOG_AUTHPRIV, LOG_DAEMON, LOG_SYSLOG, and LOG_USER.

# IF YOU SEE THE ACTIVE = NO -> CHANGE IT INTO YES
active = yes
direction = out
path = builtin_syslog
type = builtin 
args = LOG_INFO
format = string

Configure Rsyslog

Also by default Rsyslog does not collect auditd logs, you have to config a little bit more. you go to the /etc/rsyslog.conf and add these line to the config file on the client

# auditd audit.log  
$ModLoad imfile
$InputFileName /var/log/audit/audit.log  
$InputFileTag tag_audit_log:  
$InputFileStateFile audit_log  
$InputFileSeverity info  
$InputFileFacility local6  
$InputRunFileMonitor

Use case

Refs:

• https://detect.fyi/file-integrity-monitoring-with-auditd-b9423a52feef