Enabling Auditd


Time: 21 hours 25 minutes
Difficulty: Intermediate
CEU/CPE: 21
Video Transcription
Hey there, Cybrarians, and welcome back to the Linux+ course here at Cybrary. I'm your instructor Rob Goelz, and in today's lesson we're going to cover enabling auditd.

Upon completion of today's lesson, you're going to be able to understand the purpose and benefit of enabling auditd. We're going to talk about the types of system events that auditd can log. Then we're going to find out where we can locate the auditd configuration files and use the auditctl utility.

Linux does a bunch of system logging by default. In the lab this is specific to the system itself. In fact, the whole next module is going to be just about logging. Stay tuned for that. However, Linux doesn't log everything. It doesn't log when a user goes in and changes a file or attempts to access a file they may not have access to, and it also doesn't log system process calls. This is where auditd comes in. It provides you with a way more thorough security auditing system, and it allows you to define security rules.

Now, auditd can be configured to monitor a few things. It can monitor and log system events such as file and directory access: who is accessing what file? Commands that are run by the users. We can look at the system calls that are made by applications and services and see what they're actually touching on the underlying system. We can look at network access by users and network connection attempts that are made externally.

The monitoring is defined by creating rules. There are three rule types that are used by auditd. There are system rules; these are for system calls made by applications. There are file system rules, and those log access to files and directories by users. Then there are control rules that are set to modify the way auditd behaves.

Now, auditd rules are stored in /etc/audit/audit.rules. Rules can be defined or modified in this directory, but you can also use a tool called the auditctl command. The auditctl utility is what we can use to define rules, but these are not persistent; these are only valid until we reboot, and then they're lost. In general, if you're going to play with auditctl to look at creating audit rules, you're going to want to test with auditctl, and then once you're satisfied, you can implement those rules permanently by placing them in /etc/audit/audit.rules.

That being said, if you're using auditd, or really whenever you're changing and modifying the amount of monitoring you're doing, you want to make sure you have sufficient disk space. It's a real [LAUGHTER] big problem to run out of disk space and have your system shut down because your log directory fills up. The more granular the monitoring, the more disk space you're going to need. So it really does behoove you to think about defining a separate partition, like we talked about earlier in this module, or implementing log rotation as needed to make sure the logs don't get too large. We're going to talk more about log rotation soon in Module 18. Like I said, stay tuned for that.

But with that, we've reached the end of this lesson. In this lesson, we covered the purpose and benefit of enabling auditd: getting some additional granular security that we don't currently have. Then we talked about the types of system events that auditd can monitor and log. Finally, we looked at the location of the configuration files for auditd and talked about using the auditctl utility to test auditing rules.

Thanks so much for being here, and I look forward to seeing you in our next lesson.
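The following is an added example, not part of the lesson transcript or of Cybrary's course material. It shows the three rule types the lesson names (control, file system and system call rules) in one rules file, the runtime-only test step with auditctl, and the persistence step. On current distributions persistent rules are usually placed under /etc/audit/rules.d/ and merged into /etc/audit/audit.rules by augenrules, so the persist function tries that first. The rule key names (identity, privilege, user_cmds, net_connect), the file name 50-cybrary-example.rules and the specific paths watched are illustrative assumptions; the auditctl, augenrules and service invocations are the real commands.

```shell
#!/bin/sh
# Added example: build, lint, test-load and persist an auditd rules file.
# Key names, the rules.d file name and the watched paths are assumptions.

# Write a rules file that contains all three auditd rule types.
write_rules() {
    out="$1"
    cat > "$out" <<'EOF'
## Control rules: drop existing rules, size the kernel backlog, and on an
## audit failure log it (-f 1) rather than panic the kernel (-f 2)
-D
-b 8192
-f 1

## File system (watch) rules: -w path, -p perms (r w x a=attribute change), -k key
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/sudoers -p wa -k privilege

## System call rules: every execve by a real logged-in user (auid >= 1000,
## not the unset/system value) and successful IPv4 connect() calls by them
-a always,exit -F arch=b64 -S execve -F auid>=1000 -F auid!=unset -k user_cmds
-a always,exit -F arch=b64 -S connect -F a2=16 -F success=1 -F auid>=1000 -F auid!=unset -k net_connect
EOF
}

# Count active rule lines (blank lines and ## comments excluded).
count_rules() {
    grep -c -v -e '^#' -e '^[[:space:]]*$' "$1"
}

# Print any rule line whose leading option is not one of the forms above;
# empty output means the file is clean. (A syntax check before touching
# the kernel; auditctl itself rejects malformed lines.)
lint_rules() {
    grep -v -e '^#' -e '^[[:space:]]*$' "$1" |
        grep -v -E '^-(D$|b [0-9]+$|f [0-2]$|e [0-2]$|w |a )' || true
}

# Load the file into the running kernel for testing and list the result.
# Rules loaded this way are gone after a reboot.
load_for_test() {
    if command -v auditctl >/dev/null 2>&1; then
        auditctl -R "$1" && auditctl -l
    else
        echo "auditctl not found; run this on the audited host as root" >&2
        return 1
    fi
}

# Make the rules persistent. augenrules merges /etc/audit/rules.d/*.rules
# into /etc/audit/audit.rules; older systems take the file directly.
persist() {
    if command -v augenrules >/dev/null 2>&1; then
        cp "$1" /etc/audit/rules.d/50-cybrary-example.rules   # assumed name
        augenrules --load
    else
        cp "$1" /etc/audit/audit.rules
        service auditd restart
    fi
}

# Stand-alone run: build a temporary rules file, lint it, report the count.
demo() {
    tmp=$(mktemp)
    write_rules "$tmp"
    echo "rules written: $(count_rules "$tmp")"
    bad=$(lint_rules "$tmp")
    if [ -z "$bad" ]; then echo "lint: ok"; else echo "lint: bad lines:"; echo "$bad"; fi
    echo "test-load with:  load_for_test $tmp   (needs root and auditd)"
    echo "persist with:    persist $tmp          (needs root)"
    rm -f "$tmp"
}

demo
```

Run `demo` anywhere to see the file; run `load_for_test` and `persist` only as root on the host being audited. After loading, `ausearch -k identity` returns the events produced by the watch rules, which is the quickest way to confirm a rule fires before you commit it to the rules file. The `-f 1` control rule is deliberate: `-f 2` makes the kernel panic when auditing fails (for example when the log disk fills), which is exactly the shutdown the lesson warns about.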