Linux Security

    Verifying Linux Server Security: What Every Admin Needs to Know - Auditing

    Date 02 Dec 2020
    Posted By Brittany Day


    Auditing

    Conducting frequent audits is an essential part of establishing the security of your Linux servers. System auditing enables administrators to discover security bugs, breaches and policy violations on their systems. In this section, we'll take a look at the Linux Auditing System (AuditD) and the insight this valuable feature gives administrators into the security, stability and functionality of their systems.

    What is the Linux Auditing System?

    The Linux Auditing System (AuditD) is a native feature of the Linux kernel that collects information on system activity to facilitate the investigation of potential security incidents. AuditD works at the kernel level, where it can oversee all system processes and activities, and uses the AuditD daemon (auditd) to log what it finds. In most Linux distributions, AuditD is installed by default and runs automatically with the system. It logs information according to its built-in auditing rules as well as any rules that have been added. AuditD monitors three categories of events: system calls, file access and a set of pre-configured auditable events within the kernel. Using these categories, administrators can audit activity such as authentications, failed cryptographic operations, abnormal terminations, SELinux modifications and program execution. When any audit rule in place is triggered, AuditD outputs a comprehensive record that can be used to investigate the incident.

    When implementing the Linux Auditing System, you will likely need to create some of your own rules. There are two types of rules that administrators can write: file system rules and system call rules. Other system activity, including which specific scripts were executed, userland events and internal kernel behaviors that can be triggered independently of syscalls, is out of the scope of AuditD. When writing rules, it is critical to remember that audit rules work on a "first match wins" basis: once audited activity matches a rule, no further rules are evaluated. The order in which rules are written is therefore of utmost importance.

    To view the audit records generated by a triggered rule, administrators can use the native ausearch and aureport utilities. Ausearch lets you search your audit log files for specific criteria, while aureport creates summary reports from the audit log files. 

    It is crucial for administrators to ensure that AuditD is properly configured and hardened so that it provides genuine, reliable information. Begin by making AuditD's configuration immutable with the control option "-e 2". Then confirm that logs are stored in a centralized, secure location, ideally a server dedicated to accepting remote syslog events.
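    The points above (file system and syscall rules, first-match-wins ordering, and "-e 2" as the final line) as an added, runnable example; this is not code from the article or the TechRepublic tutorial it links to, and the watched paths, key names and the output file argument are assumptions chosen for illustration. The script writes a rules file and checks the two ordering constraints before the file is handed to augenrules or auditctl.

```shell
#!/bin/sh
# Illustrative ruleset generator plus two ordering checks. Paths, keys and
# the file argument are assumptions, not values from the article.
write_audit_rules() {
    # $1 = output file, e.g. /etc/audit/rules.d/99-example.rules
    cat > "$1" <<'EOF'
## Flush existing rules, then set the kernel backlog and failure mode
-D
-b 8192
-f 1

## File system rules: watch identity and privilege files for writes
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/sudoers -p wa -k privilege
-w /var/log/audit/ -p wa -k auditlog

## Syscall rules. First match wins, so the "never" rule that drops
## execve from processes without a login uid must precede the
## "always" rule that records execve for interactive users.
-a never,exit  -F arch=b64 -S execve -F auid=unset
-a always,exit -F arch=b64 -S execve -F auid>=1000 -F auid!=unset -k exec

## Lock the configuration until reboot. Must be the last line:
## nothing after it can be loaded.
-e 2
EOF
}

# Succeeds only if the last non-comment, non-blank line is "-e 2".
check_immutable_last() {
    last=$(grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | tail -n 1)
    [ "$last" = "-e 2" ]
}

# Succeeds only if every "-a never,exit" rule precedes the first
# "-a always,exit" rule, so exclusions are evaluated first.
check_never_before_always() {
    first_always=$(grep -n '^-a always,exit' "$1" | head -n 1 | cut -d: -f1)
    last_never=$(grep -n '^-a never,exit' "$1" | tail -n 1 | cut -d: -f1)
    [ -z "$last_never" ] || [ "$last_never" -lt "${first_always:-0}" ]
}

# Load with:  augenrules --load      (or: auditctl -R <file>)
# Query with: ausearch -k identity --start today
#             aureport -x --summary
```

Once loaded, "-e 2" cannot be undone without a reboot, so run both checks on the generated file before loading it.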

    AuditD is a very useful, and free, feature for facilitating investigations, especially historical investigations in response to an incident. That being said, AuditD does have some serious weaknesses that should be taken into consideration: bugginess, excessive overhead, lack of granularity, missing container support and onerous output.

    Learn how to install and configure AuditD, create rules, and view the AuditD log file in this TechRepublic tutorial.
