7.3. Configuring the audit Service
The Audit daemon can be configured in the
/etc/audit/auditd.conffile. This file consists of configuration parameters that modify the behavior of the Audit daemon. Empty lines and text following a hash sign (
#) are ignored. For further details, see the auditd.conf(5) man page.
auditd for a Secure Environment
auditdconfiguration should be suitable for most environments. However, if your environment has to meet strict security policies, the following settings are suggested for the Audit daemon configuration in the
- The directory that holds the Audit log files (usually
/var/log/audit/) should reside on a separate mount point. This prevents other processes from consuming space in this directory, and provides accurate detection of the remaining space for the Audit daemon.
- Specifies the maximum size of a single Audit log file, must be set to make full use of the available space on the partition that holds the Audit log files.
- Decides what action is taken once the limit set in
max_log_fileis reached, should be set to
keep_logsto prevent Audit log files from being overwritten.
- Specifies the amount of free space left on the disk for which an action that is set in the
space_left_actionparameter is triggered. Must be set to a number that gives the administrator enough time to respond and free up disk space. The
space_leftvalue depends on the rate at which the Audit log files are generated.
- It is recommended to set the
execwith an appropriate notification method.
- Specifies the absolute minimum amount of free space for which an action that is set in the
admin_space_left_actionparameter is triggered, must be set to a value that leaves enough space to log actions performed by the administrator.
- Should be set to
singleto put the system into single-user mode and allow the administrator to free up some disk space.
- Specifies an action that is triggered when no free space is available on the partition that holds the Audit log files, must be set to
single. This ensures that the system is either shut down or operating in single-user mode when Audit can no longer log events.
- Specifies an action that is triggered in case an error is detected on the partition that holds the Audit log files, must be set to
halt, depending on your local security policies regarding the handling of hardware malfunctions.
- Should be set to
incremental_async. It works in combination with the
freqparameter, which determines how many records can be sent to the disk before forcing a hard synchronization with the hard drive. The
freqparameter should be set to
100. These parameters assure that Audit event data is synchronized with the log files on the disk while keeping good performance for bursts of activity.
The remaining configuration options should be set according to your local security policy.