Audit Primer

  09 Dec 2015


What the audit does is to record events and save it in log file. audit kernel component: record event and intercept system calls from user applications. auditd: collect information from the kernel component and create log entries.

main config: /etc/audit/auditd.conf

you could set maximum log file size to be 8MB and rotate it when it’s more than 8MB.

max_log_file: 8 max_log_file_action: ROTATE

Let’s write the first rule with:

auditctl -w /etc/ssh/sshd_config -p rwxa -k sshconfigchange ( or add rule in /etc/audit/rules.d/audit.rules )

And, restart the service to take an effect service auditd restart

Usually, if auditd is running, audit messages will be recorded in the file set in log_file ( in centos7, the default is /var/log/audit/audit.log ). If it’s not running, the audit messages will be in rsyslog ( store in /var/log/messages )

Or, send audit log to syslog or other programs which can be done by audit dispatcher ( audispd ) the audispd is a daemon which controls the audit dispatcher. It is normally started by the auditd daemon. The audispd daemon takes audit events and distributes them to the programs which want to analyze them in real time. Configuration of the auditd daemon is stored in

you can activate it in /etc/audisp/plugins.d/syslog.conf which centos includes this by default. But you need to enable it first because it’s disabled by default. Enable it by active = yes.

search audit log event with ausearch

ausearch -f /etc/ssh/sshd_config -i ausearch -m LOGIN --start today -i

comments powered by Disqus