linux:auditing
Differences
This shows you the differences between two versions of the page.
|
linux:auditing [2024/06/26 17:37] manu created |
linux:auditing [2024/06/26 17:38] (current) manu |
||
|---|---|---|---|
| Line 12: | Line 12: | ||
| Check if audit is OK at boot | Check if audit is OK at boot | ||
| <cli prompt='#'> | <cli prompt='#'> | ||
| - | # grubby --info=ALL | grep -Po '\baudit=1\b' | + | [root@linux01 ~]# grubby --info=ALL | grep -Po '\baudit=1\b' |
| audit=1 | audit=1 | ||
| </cli> | </cli> | ||
| Line 18: | Line 18: | ||
| Else | Else | ||
| <cli prompt='#'> | <cli prompt='#'> | ||
| - | # grubby --update-kernel ALL --args 'audit=1' | + | [root@linux01 ~]# grubby --update-kernel ALL --args 'audit=1' |
| </cli> | </cli> | ||
| During boot if audit=1, then the backlog will hold 64 records. If more that 64 records are created during boot, auditd records will be lost and potential malicious activity could go undetected. Recommended that this value be 8192 or larger. | During boot if audit=1, then the backlog will hold 64 records. If more that 64 records are created during boot, auditd records will be lost and potential malicious activity could go undetected. Recommended that this value be 8192 or larger. | ||
| <cli prompt='#'> | <cli prompt='#'> | ||
| - | # grubby --info=ALL | grep -Po "\baudit_backlog_limit=\d+\b" | + | [root@linux01 ~]# grubby --info=ALL | grep -Po "\baudit_backlog_limit=\d+\b" |
| audit_backlog_limit=<BACKLOG SIZE> | audit_backlog_limit=<BACKLOG SIZE> | ||
| </cli> | </cli> | ||
| <cli prompt='#'> | <cli prompt='#'> | ||
| - | # grubby --update-kernel ALL --args 'audit_backlog_limit=8192' | + | [root@linux01 ~]# grubby --update-kernel ALL --args 'audit_backlog_limit=8192' |
| </cli> | </cli> | ||
| Line 35: | Line 35: | ||
| Activate auditd service | Activate auditd service | ||
| <cli prompt='#'> | <cli prompt='#'> | ||
| - | # systemctl --now enable audit | + | [root@linux01 ~]# systemctl --now enable audit |
| </cli> | </cli> | ||
| Cehck log size and rotation | Cehck log size and rotation | ||
| <cli prompt='#'> | <cli prompt='#'> | ||
| - | [root@tlntemp901 ~]# cat /etc/audit/auditd.conf | + | [root@linux01 ~]# cat /etc/audit/auditd.conf |
| max_log_file = 8 | max_log_file = 8 | ||
| num_logs = 5 | num_logs = 5 | ||
| Line 48: | Line 48: | ||
| List rules | List rules | ||
| <cli prompt='#'> | <cli prompt='#'> | ||
| - | [root@tlntemp901 ~]# auditctl -l | + | [root@linux01 ~]# auditctl -l |
| No rules | No rules | ||
| </cli> | </cli> | ||
| Line 54: | Line 54: | ||
| List parameters | List parameters | ||
| <cli prompt='#'> | <cli prompt='#'> | ||
| - | [root@tlntemp901 ~]# auditctl -s | + | [root@linux01 ~]# auditctl -s |
| enabled 1 | enabled 1 | ||
| failure 1 | failure 1 | ||
linux/auditing.1719416233.txt.gz ยท Last modified: 2024/06/26 17:37 by manu
Page Tools
Except where otherwise noted, content on this wiki is licensed under the following license: GNU Free Documentation License 1.3
