Lead Image © alphaspirit, 123RF.com
Monitoring events with the Audit daemon
Watchful Spirit
The Audit daemon is a service that logs events on a Linux system. If you are interested in security-related messages, take a closer look at the Audit daemon. The audit framework described in this article is part of the Linux kernel and can therefore control access to a computer right down to the system call level. The Audit daemon can monitor all access to files, network ports, or other events. The popular security tool SELinux works with the same audit framework used by the Audit daemon.
Configuring Logging
You can set the rules for logging using the auditctl tool. Like all of the other tools mentioned here, it is part of the audit package that should be included in the software repository of your choice of Linux distribution. auditd, running in userspace, is notified about events that occur via the netlink protocol. The Audit daemon then writes the information to /var/log/audit/audit.log, and you can find the results via aureport and ausearch.
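To show what the records in audit.log look like and how ausearch correlates them, here is an added example (not code from the article or from the audit project): a small Python parser that groups records by their audit(timestamp:serial) stamp and lists the accesses that matched a rule key. The log lines, rule keys, paths and numeric values are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample records in the key=value format auditd writes to
# audit.log (not captured from a real system). Records that belong to
# one event share the same audit(timestamp:serial) stamp.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1425022800.123:42): arch=c000003e syscall=2 success=yes exit=3 ppid=900 pid=1234 auid=1000 uid=0 euid=0 comm="cat" exe="/usr/bin/cat" key="passwd-watch"
type=CWD msg=audit(1425022800.123:42):  cwd="/root"
type=PATH msg=audit(1425022800.123:42): item=0 name="/etc/passwd" inode=131 dev=fd:01 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1425022801.500:43): arch=c000003e syscall=2 success=no exit=-13 ppid=900 pid=1250 auid=1001 uid=1001 euid=1001 comm="vim" exe="/usr/bin/vim" key="shadow-watch"
type=PATH msg=audit(1425022801.500:43): item=0 name="/etc/shadow" inode=132 dev=fd:01 mode=0100000 ouid=0 ogid=42 nametype=NORMAL
type=SYSCALL msg=audit(1425022802.000:44): arch=c000003e syscall=59 success=yes exit=0 ppid=900 pid=1260 auid=1000 uid=1000 euid=1000 comm="ls" exe="/usr/bin/ls"
"""

# Record header: type, timestamp and serial; the rest is the field body.
HEADER = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
# Fields are key=value, where a value is either quoted or has no spaces.
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Parse one audit.log line into a dict, or return None if malformed."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
    return {"type": rtype, "time": float(ts), "serial": int(serial), **fields}

def group_events(text):
    """Group records by event serial, as ausearch does when reporting."""
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["serial"]].append(rec)
    return events

def keyed_file_accesses(text):
    """Return events whose SYSCALL record carries a rule key (-k), with
    the login uid, executable, outcome and the PATH records' file names."""
    hits = []
    for serial, recs in sorted(group_events(text).items()):
        sc = next((r for r in recs if r["type"] == "SYSCALL"), None)
        if not sc or "key" not in sc:
            continue
        paths = [r["name"] for r in recs if r["type"] == "PATH" and "name" in r]
        hits.append({"serial": serial, "key": sc["key"], "auid": int(sc["auid"]),
                     "exe": sc["exe"], "success": sc["success"] == "yes", "paths": paths})
    return hits

if __name__ == "__main__":
    for hit in keyed_file_accesses(SAMPLE_LOG):
        print(hit)
```

The unkeyed event (serial 44) is parsed but not reported, which mirrors searching with ausearch -k for only the rules you tagged.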
An event dispatcher is also part of the framework. This tool is a type of event multiplexer that can pass audit events on to another program (plugin) in real time. These plugins can be configured via files in the /etc/audisp/plugins.d/ directory.
For example, the /etc/audisp/plugins.d/af_unix.conf file is responsible for simply passing audit events to a Unix domain socket. This socket is used by the Setroubleshoot daemon to create easily readable messages from the raw SELinux logs. Intrusion detection and prevention systems can also draw on this interface to respond to audit events.
You can configure the auditd server via two files – auditd.conf (Listing 1) and audit.rules – in /etc/audit/. The config file specifies general