====== Enable auditing ======
===== Prerequisite =====
Before enabling auditd, create a dedicated filesystem for /var/log/audit (minimum 1 GB) so that a burst of audit records cannot fill the root filesystem and so the audit log can be sized and protected on its own.
===== Audit for bootloader =====
Configure grub2 so that processes capable of being audited are audited even when they start before auditd does.
Check that audit=1 is present on every kernel entry:
[root@linux01 ~]# grubby --info=ALL | grep -Po '\baudit=1\b'
audit=1
If it is missing, add it to all kernel entries:
[root@linux01 ~]# grubby --update-kernel ALL --args 'audit=1'
During boot, with audit=1 set but no audit_backlog_limit, the kernel backlog holds only 64 records. If more than 64 records are generated before auditd is running, records are dropped and potentially malicious activity could go undetected. The recommended value is 8192 or larger. Check whether the parameter is set on every kernel entry (no output means it is absent):
[root@linux01 ~]# grubby --info=ALL | grep -Po "\baudit_backlog_limit=\d+\b"
[root@linux01 ~]# grubby --update-kernel ALL --args 'audit_backlog_limit=8192'
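The two bootloader checks above can be folded into one function that inspects a kernel command line for both parameters. This is an added example, not part of the original page; the function names are hypothetical and the kernel argument strings below are constructed to mirror what the args= line of grubby --info=ALL prints, so the block runs without grubby present.

```shell
#!/bin/sh
# Added example (not from the page): verify that a kernel command line carries
# audit=1 and an audit_backlog_limit of at least 8192. The argument string is
# the value of the args= line from `grubby --info=ALL`, passed in as text so
# the functions can be exercised offline on the constructed samples below.

MIN_BACKLOG=8192   # recommended minimum from the section above

# audit_enabled_in_args ARGS -> 0 if "audit=1" appears as a whole word
audit_enabled_in_args() {
    for word in $1; do
        [ "$word" = "audit=1" ] && return 0
    done
    return 1
}

# backlog_limit_in_args ARGS -> prints the audit_backlog_limit value, or 0
# when the parameter is absent (the kernel then falls back to 64).
backlog_limit_in_args() {
    for word in $1; do
        case "$word" in
            audit_backlog_limit=*) echo "${word#audit_backlog_limit=}"; return 0 ;;
        esac
    done
    echo 0
}

# check_boot_audit_args ARGS -> 0 when both parameters are acceptable,
# 1 otherwise, printing one line per finding.
check_boot_audit_args() {
    rc=0
    if ! audit_enabled_in_args "$1"; then
        echo "missing: audit=1 (nothing is audited until auditd starts)"
        rc=1
    fi
    limit=$(backlog_limit_in_args "$1")
    case "$limit" in *[!0-9]*|'') limit=0 ;; esac   # treat garbage as unset
    if [ "$limit" -lt "$MIN_BACKLOG" ]; then
        echo "audit_backlog_limit=$limit is below $MIN_BACKLOG (kernel default 64 when unset)"
        rc=1
    fi
    return $rc
}

# Constructed sample kernel command lines (not captured from a real host).
BAD_ARGS='ro crashkernel=auto rhgb quiet'
PARTIAL_ARGS='ro crashkernel=auto rhgb quiet audit=1'
GOOD_ARGS='ro crashkernel=auto rhgb quiet audit=1 audit_backlog_limit=8192'

# Demonstration on the constructed lines: each prints its findings, if any.
for a in "$BAD_ARGS" "$PARTIAL_ARGS" "$GOOD_ARGS"; do
    echo "== $a"
    if check_boot_audit_args "$a"; then echo "OK"; fi
done

# Live use on a host with grubby (one line per kernel entry):
#   grubby --info=ALL | sed -n 's/^args="\(.*\)"$/\1/p' \
#     | while read -r a; do check_boot_audit_args "$a"; done
```

Running the check per kernel entry rather than once matters because grubby --update-kernel ALL only touches entries that exist at that moment; a kernel installed later inherits the defaults from /etc/default/grub, so re-run the check after kernel updates.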
===== Start and configure audit =====
Enable and start the auditd service (the unit is named auditd, not audit):
[root@linux01 ~]# systemctl --now enable auditd
Check log size and rotation (max_log_file is in megabytes, so the settings below retain at most 8 x 5 = 40 MB):
[root@linux01 ~]# cat /etc/audit/auditd.conf
max_log_file = 8
num_logs = 5
...
List the loaded rules (a fresh install has none):
[root@linux01 ~]# auditctl -l
No rules
Show the kernel audit status. enabled must be 1, backlog_limit should match the boot parameter, and lost should stay at 0; a rising lost counter means events were dropped:
[root@linux01 ~]# auditctl -s
enabled 1
failure 1
pid 1002
rate_limit 0
backlog_limit 8192
lost 0
backlog 0
backlog_wait_time 60000
backlog_wait_time_actual 0
loginuid_immutable 0 unlocked
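The log-size check and the auditctl -s status check above are the two things worth re-reading after every change, so here they are combined into one health check. This is an added example, not the page's or the audit project's code; the function names are hypothetical, and the auditd.conf fragment and the two status listings are constructed (the first mirrors the healthy output shown above, the second shows a host that booted with the 64-record default and has already lost events).

```shell
#!/bin/sh
# Added example (not from the page): post-start health check over the two
# inputs the section inspects, the auditd.conf fragment and `auditctl -s`.
# Both are passed as strings so the functions run offline on constructed
# samples; the live invocation is given at the end.

MIN_BACKLOG=8192   # recommended audit_backlog_limit from the bootloader section

# auditd_conf_value KEY CONF_TEXT -> prints the value of a "KEY = value" line
auditd_conf_value() {
    printf '%s\n' "$2" \
      | sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" \
      | head -n 1
}

# retained_log_mb CONF_TEXT -> max_log_file (MB) times num_logs, the most disk
# the rotated logs can occupy with max_log_file_action = ROTATE.
retained_log_mb() {
    size=$(auditd_conf_value max_log_file "$1")
    count=$(auditd_conf_value num_logs "$1")
    echo $(( ${size:-0} * ${count:-0} ))
}

# audit_status_value FIELD STATUS_TEXT -> prints the value of "FIELD value"
audit_status_value() {
    printf '%s\n' "$2" | awk -v f="$1" '$1 == f { print $2; exit }'
}

# check_audit_health CONF_TEXT STATUS_TEXT -> 0 if healthy, else 1 with one
# line per finding. failure 1 (printk) is left alone; 2 would panic on loss.
check_audit_health() {
    rc=0
    [ "$(audit_status_value enabled "$2")" = 1 ] \
        || { echo "auditing is not enabled in the kernel"; rc=1; }
    lost=$(audit_status_value lost "$2")
    [ "${lost:-0}" -eq 0 ] \
        || { echo "kernel reports $lost lost audit events"; rc=1; }
    limit=$(audit_status_value backlog_limit "$2")
    [ "${limit:-0}" -ge "$MIN_BACKLOG" ] \
        || { echo "backlog_limit ${limit:-0} is below $MIN_BACKLOG"; rc=1; }
    backlog=$(audit_status_value backlog "$2")
    [ "${backlog:-0}" -lt "${limit:-0}" ] \
        || { echo "backlog ${backlog:-0} has reached backlog_limit"; rc=1; }
    [ "$(retained_log_mb "$1")" -gt 0 ] \
        || { echo "max_log_file / num_logs not set in auditd.conf"; rc=1; }
    return $rc
}

# Constructed auditd.conf fragment (values as shown in the section above).
CONF='log_file = /var/log/audit/audit.log
max_log_file = 8
num_logs = 5
max_log_file_action = ROTATE'

# Constructed `auditctl -s` listings: healthy, and a host still on the default backlog.
STATUS_OK='enabled 1
failure 1
pid 1002
rate_limit 0
backlog_limit 8192
lost 0
backlog 0
backlog_wait_time 60000
backlog_wait_time_actual 0
loginuid_immutable 0 unlocked'
STATUS_BAD='enabled 1
failure 1
pid 1002
rate_limit 0
backlog_limit 64
lost 137
backlog 64
backlog_wait_time 60000
backlog_wait_time_actual 3200
loginuid_immutable 0 unlocked'

# Demonstration: the healthy listing prints "healthy", the other prints findings.
for s in "$STATUS_OK" "$STATUS_BAD"; do
    if check_audit_health "$CONF" "$s"; then echo "healthy"; fi
done

# Live use as root:
#   check_audit_health "$(cat /etc/audit/auditd.conf)" "$(auditctl -s)"
```

The retained-size figure is worth comparing against the dedicated filesystem from the prerequisite: 40 MB of rotated logs on a 1 GB filesystem is far below capacity, so num_logs or max_log_file can be raised, or max_log_file_action switched to keep_logs, without risking a full disk.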