Linux Audit Audit (3)--audit service configuration

The audit daemon can be configured through the/etc/audit/auditd.conf file, and the default AUDITD configuration file can meet the requirements of most environments.

Local_events =Yeswrite_logs=Yeslog_file=/var/log/audit/Audit.loglog_group=Rootlog_format=Rawflush=Incremental_asyncfreq= -Max_log_file=8Num_logs=5Priority_boost=4Disp_qos=Lossydispatcher=/sbin/Audispdname_format=none# #name=mydomainmax_log_file_action=Rotatespace_left= thespace_left_action=Syslogaction_mail_acct=Rootadmin_space_left= -admin_space_left_action=suspenddisk_full_action=suspenddisk_error_action=Suspenduse_libwrap=yes# #tcp_listen_port=Tcp_listen_queue=5tcp_max_per_addr=1# #tcp_client_ports=1024x768-65535Tcp_client_max_idle=0enable_krb5=Nokrb5_principal=auditd# #krb5_key_file=/etc/audit/audit.keydistribute_network= No

If your environment needs to meet strict security rules, such as the following configuration can be consulted:

Log_file:audit the path of the log placement. The place where the logs are placed is preferably a separate partition (mount point), which prevents other processes from consuming the path and provides AUDITD with the exact amount of space left.

Max_log_file: Specifies the maximum size, in m, for each individual audit log file, which must be set to take full advantage of the available space that holds the partition where the audit log file resides. The default is 8M.

Max_log_file_action: When the maximum size of the log is reached, the action that needs to be performed, when set to Keep_logs, prevents the log from being rewritten. Let's take a look at the following records:

linux-xdyuna:/var/log/Audit # Lltotal36496-RW-------1Root root3780142Mar to  the: +Audit.log-R--------1Root root8388893Mar -  -: +Audit.log.1-R--------1Root root8388625Mar -  -: theAudit.log.2-R--------1Root root8388806Mar -  -: theAudit.log.3-R--------1Root root8388670Mar -  -: theAudit.log.4Linux-xdyuna:/var/log/Audit # Lltotal32828-RW-------1Root root27948Mar to  the: theAudit.log-R--------1Root root8388809Mar to  the: theAudit.log.1-R--------1Root root8388893Mar -  -: +Audit.log.2-R--------1Root root8388625Mar -  -: theAudit.log.3-R--------1Root root8388806Mar -  -: theAudit.log.4

The first query, Audit.log has not been written full to 8 m, the second query should have been to 8 m, re-write the Audit.log. So where did the previous audit.log go, we looked carefully at the size of each log file, not hard to find. The first query to the audit.log.4 has gone, the system thinks this is the oldest log, because we set the Num_logs is 5, so the oldest log is deleted, or understood as the new log to the oldest log to cover. If we don't want the log to be overwritten, we can set it to keep_logs. As shown below, the log of the audit has been growing, and at last regardless of the num_logs set to how much, the log continues to increase, so it is best to ensure that the space for audit log is a separate partition, otherwise it will affect the record of other system logs.

linux-xdyuna:/var/log/Audit # Lltotal61104-RW-------1Root root3791866Mar to Ten: onAudit.log-R--------1Root root8388849Mar to Ten: onAudit.log.1-R--------1Root root8388772Mar to  the: -Audit.log.2-R--------1Root root8388776Mar to  the: -Audit.log.3-R--------1Root root8388809Mar to  the: theAudit.log.4-R--------1Root root8388893Mar -  -: +Audit.log.5-R--------1Root root8388625Mar -  -: theAudit.log.6-R--------1Root root8388806Mar -  -: theAudit.log.7

Let me take a look at the max_log_file_action in total there are a few different movements of the specific English explanation.

File
Valid values are ignore, syslog, suspend, rotate and keep_logs. If set to ignore, the audit daemon does nothing.



keep_logs option is similar-rotate except it does not use the Num_logs setting. This prevents audit logs from being overwritten.

Space_left: Specify how much space is left on the disk, perform space_left_action specified action, this value is set to ensure that the administrator has enough time to respond and clean up the disk space, the setting of this value depends on the rate of audit log generation. The default is 75M.

Space_left_action: The action that is set when disk space is not nearly enough. Let's just read the English explanation.

 This parameter tells the system "what action should take when the system had detected that it was starting to get low on di SK Space. 
 Valid values is ignore, syslog, email, exec, suspend, single, and halt. If set to ignore, the audit daemon does nothing. 
 syslog  means that it'll issue a warning to syslog. 
 Email means that it'll send a warning to the e-mail account specified in  action_m Ail_acct as well as sending the message to syslog. 
 Exec/path-to-script'll execute the script. You cannot pass parameters to the script. 
 suspend  would cause the audit daemon to stop writing records to the disk. The daemon would still be alive.  
 The single option would cause the audit daemon to put the computer system in  single User mode. 
 Halt option would cause the audit daemon to shutdown the computer system. 

Admin_space_left: Indicates the minimum amount of disk space remaining, and when this value is reached, executes the admin_space_left_action specified action.

Admin_space_left_action: Can be set to single, make the system Single-user mode, and let the administrator free up disk space. It is better to set by default. When the Space_left is reached, the syslog escalation warning is performed and the log is stopped when the Admin_space_left is reached.

suspend, single, and halt.

Disk_full_action: The action that is performed when there is no space on the partition. The default is suspend.

Disk_error_action: The action that is performed when the partition error occurs. These actions are based on the security rules you need.

Flush: This parameter is used in conjunction with Freq, and Freq indicates how many records can be sent to disk before forcing synchronization with the hardware driver. This ensures that the audit data is kept in sync with the log file on the disk. Keep the default values.

More specific configuration parameters can refer to the

Https://linux.die.net/man/5/auditd.conf

Linux Audit Audit (3)--audit service configuration