Maintaining a secure system is crucial, and auditing security events is a fundamental step toward achieving that. By enabling and configuring a security audit service on Ubuntu 24.04, administrators can monitor system activities, identify potential vulnerabilities, and ensure compliance with security standards.
In this guide, I’ll walk you through the process of enabling and configuring the auditd service on Ubuntu 24.04. We’ll cover everything from installation to advanced configurations, ensuring you have the tools to monitor your system effectively.
1. What is auditd and Why is It Important?
The Linux Audit System, powered by auditd, is designed to log security-relevant information, providing insights into actions like file access, system calls, authentication attempts, and configuration changes. It is especially useful in identifying breaches, monitoring policy compliance, and tracking unauthorized actions.
Key Features:
- Logs system-level activities.
- Helps in detecting unauthorized access.
- Helps meet the logging and accountability requirements of regulations such as GDPR and HIPAA.
2. Prerequisites
Before you begin, ensure you have the following:
- Ubuntu 24.04 installed and running.
- Administrative privileges (root or sudo access).
- Internet connectivity for package installation.
3. Installing the auditd Package
The auditd package contains the core audit daemon and supporting tools. To install it:
sudo apt update
sudo apt install auditd audispd-plugins
Verify the installation and check that the daemon is enabled and running (Debian-family packaging starts it at install time):
auditctl -v
sudo systemctl is-enabled auditd
sudo systemctl status auditd --no-pager
You should see the auditctl version and an active auditd service. The package ships with an almost empty rule set, so the rest of this guide is about telling the kernel what to record.
4. Configuring auditd for Security Auditing
The primary configuration file for auditd is located at /etc/audit/auditd.conf. Open it for editing:
sudo vim /etc/audit/auditd.conf
Key Parameters to Configure:
- log_file: Location of the audit log. Default: /var/log/audit/audit.log
- log_format: Format of the records (RAW or ENRICHED). ENRICHED appends resolved names (user, group, syscall, architecture) to each record, so a log read on another machine still makes sense. Example: log_format = ENRICHED
- priority_boost: Raises the daemon's scheduling priority so it keeps up with the kernel under load. Example: priority_boost = 4
- max_log_file: Maximum size of a log file in MB. Example: max_log_file = 8
- max_log_file_action: Action to take when that size is reached. Options: ignore, syslog, suspend, rotate, keep_logs (exec is only valid for the disk-space and disk-error actions, not here). rotate overwrites the oldest file once num_logs files exist; keep_logs never deletes anything and leaves housekeeping to you. Example: max_log_file_action = rotate
Save and exit the file after making changes.
Restart the auditd service to apply configurations:
sudo systemctl restart auditd
5. Adding Audit Rules
Audit rules define what system activity is recorded. They can be loaded immediately with the auditctl command (and are lost at reboot) or written to files under /etc/audit/rules.d/, which augenrules merges into /etc/audit/audit.rules when auditd starts.
Examples of Audit Rules:
Record every program execution. The rule below matches the execve system call, so it logs every command run on the host rather than login attempts; it is noisy but invaluable during an investigation, and needs a second copy with arch=b32 to catch 32-bit binaries:
sudo auditctl -a always,exit -F arch=b64 -S execve -k exec
Record logins by watching the bookkeeping file that PAM and the login utilities update:
sudo auditctl -w /var/log/lastlog -p wa -k logins
Record writes and attribute changes to /etc/passwd (-p wa; reads are not logged, and adding r would make this rule fire on almost every process start):
sudo auditctl -w /etc/passwd -p wa -k passwd_changes
Confirm what the kernel has actually loaded:
sudo auditctl -l
Persist these rules by adding them to /etc/audit/rules.d/audit.rules.
sudo vim /etc/audit/rules.d/audit.rules
Add your rules and save the file. It should look like this:
## Audit starts of the Docker daemon
-w /usr/bin/dockerd -p x -k docker
## Audit every program execution
-a always,exit -F arch=b64 -S execve -k exec
-a always,exit -F arch=b32 -S execve -k exec
## Audit logins
-w /var/log/lastlog -p wa -k logins
## Audit writes to /etc/passwd
-w /etc/passwd -p wa -k passwd_changes
Then restart auditd (sudo augenrules --load does the same merge-and-load without restarting the daemon). If you later add -e 2 to make the rules immutable, any further change needs a reboot to take effect:
sudo systemctl restart auditd
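A fuller baseline, as an added example (the choice of rules and file names is mine, not the post's or any distribution's shipped rule set). It goes in /etc/audit/rules.d/10-baseline.rules; the immutable flag at the end belongs in a separate file that sorts last, because augenrules concatenates the files in name order and nothing after -e 2 is accepted. Paths follow the Ubuntu 24.04 layout, where /sbin is merged into /usr/sbin:

```text
## /etc/audit/rules.d/10-baseline.rules  (added example, not from the original post)
## Start clean, size the kernel backlog, and printk rather than panic if it overflows
-D
-b 8192
-f 1

## Login/logout bookkeeping written by PAM and the login utilities
-w /var/log/lastlog -p wa -k logins
-w /var/log/faillog -p wa -k logins
-w /var/run/faillock -p wa -k logins
-w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session

## Identity and privilege files: writes and attribute changes only
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/sudoers -p wa -k sudoers
-w /etc/sudoers.d -p wa -k sudoers

## Every program execution on both ABIs. High volume: keep only if logs leave the host.
-a always,exit -F arch=b64 -S execve -k exec
-a always,exit -F arch=b32 -S execve -k exec

## Changes to the audit configuration and use of the audit tools themselves
-w /etc/audit/ -p wa -k auditconfig
-w /usr/sbin/auditctl -p x -k audittools
-w /usr/sbin/auditd -p x -k audittools

## /etc/audit/rules.d/99-finalize.rules  (separate file so it is loaded last)
## Lock the rule set until reboot; auditctl -D and further -a/-w are refused after this
-e 2
```

After loading, sudo auditctl -l should list every rule above and sudo auditctl -s should report enabled 2; if it reports enabled 1, the -e 2 file was merged before some other rules file and those rules were rejected.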
6. Viewing and Managing Audit Logs
Audit records are written to /var/log/audit/audit.log, one record per line; all records of a single event share the same serial number in the msg=audit(timestamp:serial) field. Use ausearch and aureport rather than grep so that related records (SYSCALL, PATH, PROCTITLE) are shown together:
Overall summary of the log:
sudo aureport
Login report (aureport -l lists logins, not a general summary):
sudo aureport -l
Search by key, with uids, syscall numbers and hex-encoded fields interpreted:
sudo ausearch -k passwd_changes -i
Limit a search to recent events, for example since the last boot:
sudo ausearch -k passwd_changes -i --start boot
7. Setting Up Log Rotation
To keep audit logs from filling the disk, set the rotation parameters in /etc/audit/auditd.conf. rotate on its own is not the whole story: num_logs caps how many rotated files are kept, and once that many exist the oldest is overwritten, so size max_log_file and num_logs together to the retention you need, or ship the logs off-host before they age out:
max_log_file = 10
max_log_file_action = rotate
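Rotation says nothing about what auditd should do when the filesystem itself runs short, and a full disk is the easiest way to make a host stop recording. As an added example (the values are my choices, not package defaults), here are the auditd.conf settings worth deciding deliberately, with a fail-closed choice for the disk-full case:

```ini
# /etc/audit/auditd.conf (added example: only the lines discussed here, the rest keep package defaults)
log_file = /var/log/audit/audit.log
log_format = ENRICHED
# Records carry the hostname, so they stay attributable after forwarding
name_format = hostname

# Rotate at 50 MB and keep 10 files (~500 MB); the oldest rotated file is overwritten
max_log_file = 50
max_log_file_action = rotate
num_logs = 10

# Flush to disk every 50 records instead of trusting the page cache across a crash
flush = incremental_async
freq = 50

# Disk pressure, in MB free on the audit filesystem:
# warn via syslog at 500 MB, drop to single-user at 100 MB, halt when full.
# Use suspend or syslog instead of single/halt if availability matters more
# than a complete record; ignore is the one value never to use here.
space_left = 500
space_left_action = syslog
admin_space_left = 100
admin_space_left_action = single
disk_full_action = halt
disk_error_action = halt
```

The halt and single choices are deliberate: they are what a compliance baseline expects on a host whose audit trail is evidence, and they are also what makes a disk-filling attack noisy rather than silent. Restart auditd after editing and check sudo auditctl -s for backlog_wait_time and lost counters over the following days; a rising lost count means the daemon is not keeping up and priority_boost or the kernel backlog (-b in the rules) needs raising.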
8. Advanced Audit Configurations
The audit dispatcher can copy every record into syslog through its builtin syslog plugin. On its own this does not send anything to a central server; it hands the records to rsyslog or journald, which you then configure to forward as with any other log. Open the plugin configuration (on Ubuntu 24.04 with audit 3.x it lives under /etc/audit/plugins.d/; older guides reference /etc/audisp/plugins.d/, which the package no longer uses):
sudo vim /etc/audit/plugins.d/syslog.conf
Set:
active = yes
direction = out
path = builtin_syslog
type = builtin
args = LOG_INFO
format = string
The args value is the syslog priority; a second word such as LOG_LOCAL6 selects the facility, which lets rsyslog route audit records to their own file or remote destination instead of /var/log/syslog. Plugins are read at daemon start, so restart auditd:
sudo systemctl restart auditd
Keep in mind that this duplicates the full audit stream into syslog. With an execve rule loaded that is a lot of data; check the growth of /var/log/syslog after enabling it.
9. Testing Your Audit Setup
To verify your setup, perform an action that should trigger a rule, then search for it. With the /etc/passwd watch loaded, a harmless attribute change is enough (touch updates the modification time, which the a permission covers), so there is no need to open the file in an editor:
sudo touch /etc/passwd
Then check the audit log:
sudo ausearch -k passwd_changes -i
Expect a SYSCALL record that shows your own login as auid and root as uid, followed by a PATH record naming /etc/passwd. If nothing appears, confirm the rule is loaded with sudo auditctl -l and that the daemon is running with systemctl status auditd.
10. Auditing the Docker Daemon and Containers with auditd
Auditing the Docker daemon and containers with auditd adds an extra layer of security to your system. Since Docker runs with elevated privileges, any malicious activity could have severe implications. By monitoring Docker-related activities, you can detect unauthorized access, configuration changes, and suspicious container behavior.
Step 1: Monitor Docker Daemon Activity
To record when the Docker daemon (dockerd) is started, add a watch on its executable with the execute permission:
sudo auditctl -w /usr/bin/dockerd -p x -k docker_daemon_activity
Explanation:
- -w /usr/bin/dockerd: Watches the Docker daemon binary.
- -p x: Logs execution of the binary.
- -k docker_daemon_activity: Tags the log entries with a key for easy searching.
This rule fires only when the daemon process itself starts, normally once per boot. Client commands such as docker run reach dockerd over its Unix socket and never execute this binary; to see who issued them, watch the client with -w /usr/bin/docker -p x as well.
Step 2: Monitor Docker Configuration Files
Docker reads its daemon settings from /etc/docker/daemon.json; an unauthorized edit there can, for example, expose the API on a TCP port or switch off a security option. To audit changes to it, add the following rule:
sudo auditctl -w /etc/docker/daemon.json -p wa -k docker_config_changes
Explanation:
- -w /etc/docker/daemon.json: Watches the Docker configuration file.
- -p wa: Logs write (w) and attribute change (a) events.
- -k docker_config_changes: Tags the log entries.
The file does not exist on a default install. auditctl accepts a watch on a path that is not there yet and activates it when the file appears; watching /etc/docker/ instead also records the creation of the file and of anything else placed in that directory.
Step 3: Monitor Container Activities
To audit container lifecycle events, watch the directory where Docker keeps per-container state. Creating, reconfiguring or removing a container writes or deletes files under it:
sudo auditctl -w /var/lib/docker/containers -p wa -k docker_container_activity
Explanation:
- -w /var/lib/docker/containers: Watches the directory, including its subdirectories, where Docker stores container metadata.
- -p wa: Logs write (w) and attribute change (a) events.
- -k docker_container_activity: Tags the log entries.
Caveat: with the default json-file logging driver, each container's stdout and stderr log also lives under this directory, so every line a container prints becomes an audit record. Check the volume with sudo aureport -k --summary after a few hours and narrow or drop this rule if it dominates the log.
Step 4: Persistent Docker Audit Rules
To make the Docker audit rules persistent, put them in their own file under /etc/audit/rules.d/. augenrules merges every *.rules file in that directory, so a separate file keeps them easy to review or remove later:
sudo nano /etc/audit/rules.d/docker.rules
Add the following lines:
-w /usr/bin/dockerd -p x -k docker_daemon_activity
-w /etc/docker/daemon.json -p wa -k docker_config_changes
-w /var/lib/docker/containers -p wa -k docker_container_activity
Save the file and restart the auditd service, then confirm the rules reached the kernel:
sudo systemctl restart auditd
sudo auditctl -l | grep docker
Step 5: Query Docker Audit Logs
Use ausearch to query logs related to Docker activities. For example:
Search for container activities:
sudo ausearch -k docker_container_activity
Search for configuration changes:
sudo ausearch -k docker_config_changes
Search for daemon activity:
sudo ausearch -k docker_daemon_activity
By integrating Docker monitoring into your auditd setup, you’ve further strengthened the security of your Ubuntu system. These rules allow you to track and analyze Docker-related activities, providing critical insights into potential vulnerabilities and unauthorized actions.
With this combined setup, you are now better equipped to maintain a secure and well-audited environment.
Conclusion
By enabling and configuring auditd on Ubuntu 24.04, you've significantly enhanced your system's security posture. This setup gives you detailed, queryable records of the activity you chose to watch, including failed attempts, which is the raw material for detecting and investigating unauthorized actions.
Moving forward, you can fine-tune audit rules to match your organization’s needs or integrate with log management tools for deeper analytics.
Stay secure, and let me know how this setup works for you!