TL;DR

Auditd is a powerful tool for tracking security events on Debian 13 systems. It provides detailed logs of system calls and can help identify unauthorized access or changes. To get started with Auditd, follow these key steps:

  1. Install Auditd: Ensure Auditd is installed on your system.

    sudo apt update && sudo apt install auditd audispd-plugins
    
  2. Start and Enable Auditd: Activate the Auditd service to start logging events.

    sudo systemctl start auditd
    sudo systemctl enable auditd
    
  3. Configure Audit Rules: Define what events to monitor by editing the rules file. For example, to track changes to the /etc/passwd file:

    echo "-w /etc/passwd -p wa -k passwd_changes" | sudo tee -a /etc/audit/rules.d/audit.rules
    
  4. Restart Auditd: Apply the new rules by restarting the service.

    sudo systemctl restart auditd
    
  5. View Audit Logs: Use the ausearch command to query logs. For example, to find events related to the passwd_changes key:

    sudo ausearch -k passwd_changes
    

Cautions: Be mindful of the performance impact when monitoring a large number of events. Start with a few critical files or directories and expand as necessary. Regularly review and rotate logs to prevent disk space issues.

Safe Defaults: Always back up your current audit rules before making changes. Use the auditctl -l command to list current rules and ensure they are functioning as expected.

By following these steps, you can effectively utilize Auditd for enhanced security event tracking on your Debian 13 server.

Understanding /proc/sys/kernel/audit_enabled

Before diving into auditd configuration, it’s important to understand the kernel-level audit control: /proc/sys/kernel/audit_enabled. This kernel parameter controls whether the Linux audit system is active.

Checking Audit Status

To check if kernel auditing is enabled on your system:

cat /proc/sys/kernel/audit_enabled

The output values mean:

  • 0 = Auditing is disabled
  • 1 = Auditing is enabled (default when auditd is running)
  • 2 = Auditing is enabled and locked (cannot be changed until reboot)

Enabling Kernel Auditing

If auditing is disabled, you can enable it temporarily:

echo 1 | sudo tee /proc/sys/kernel/audit_enabled

To make this persistent across reboots, add to /etc/sysctl.conf:

echo "kernel.audit_enabled = 1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

Locking Audit Configuration

For high-security environments, you can lock the audit configuration to prevent tampering:

echo 2 | sudo tee /proc/sys/kernel/audit_enabled

Caution: Once set to 2, the audit configuration cannot be changed until the system reboots. This prevents attackers from disabling auditing to cover their tracks.

Verifying Kernel Audit Support

To confirm your kernel has audit support compiled in:

grep CONFIG_AUDIT /boot/config-$(uname -r)

You should see CONFIG_AUDIT=y and CONFIG_AUDITSYSCALL=y for full audit functionality.

Introduction to Auditd

Auditd, the Linux Audit daemon, is a powerful tool designed to monitor and log system events. It provides a comprehensive framework for tracking security-related events on your Debian 13 server, allowing administrators to maintain a detailed audit trail of system activities. This capability is essential for compliance with security policies and regulations, as well as for forensic analysis in the event of a security breach.

By default, Auditd is not installed on Debian 13, so the first step is to install the package. You can do this using the following command:

sudo apt update && sudo apt install auditd audispd-plugins

Once installed, Auditd runs as a background service, collecting and storing logs of system calls, file access, and other critical events. The logs are stored in /var/log/audit/audit.log, which can be reviewed to identify suspicious activities.

To ensure that Auditd operates effectively, it is crucial to configure it properly. The configuration file is located at /etc/audit/auditd.conf. Here, you can set parameters such as the maximum log file size and the number of log files to retain. For example, to set a maximum log file size of 10MB and keep 5 rotated logs, you can modify the following lines:

max_log_file = 10
num_logs = 5

Caution is advised when configuring Auditd rules, as overly broad rules can lead to performance issues and excessive log generation. It is recommended to start with a minimal set of rules and gradually expand them based on your monitoring needs. For example, to monitor access to the /etc/passwd file, you can add the following rule:

sudo auditctl -w /etc/passwd -p rwxa -k passwd_changes

This command sets a watch on the file for read, write, execute, and attribute changes, tagging the events with the key passwd_changes. Always review your rules regularly to ensure they align with your security objectives while maintaining system performance.

Installation of Auditd

To install auditd on your Debian 13 server, follow these steps:

First, update your package index to ensure you have the latest information about available packages:

sudo apt update  # Update package index

Next, install the auditd package along with the audit utilities:

sudo apt install auditd audispd-plugins  # Install audit daemon and plugins

After installation, you can start the auditd service:

sudo systemctl start auditd  # Start the audit daemon

To ensure that auditd starts automatically on boot, enable the service:

sudo systemctl enable auditd  # Enable audit daemon on boot

By default, auditd will log events to /var/log/audit/audit.log. It’s crucial to configure the audit rules to capture relevant events. You can edit the rules file located at /etc/audit/rules.d/audit.rules. For example, to log all changes to the /etc/passwd file, add the following line:

-w /etc/passwd -p wa -k passwd_changes  # Watch for write and attribute changes

After modifying the rules, restart the auditd service to apply the changes:

sudo systemctl restart auditd  # Restart audit daemon to apply new rules

Caution: Be mindful of the volume of logs generated. Excessive logging can fill up disk space quickly. It’s advisable to monitor the log size and configure log rotation as needed. You can set up log rotation in /etc/logrotate.d/audit to manage the size of your audit logs effectively.

Finally, verify that auditd is running correctly and monitoring events:

sudo systemctl status auditd  # Check the status of the audit daemon

With these steps, you will have a functional auditd installation ready for tracking security events on your Debian 13 server.

Configuration of Auditd

To configure Auditd on your Debian 13 server, follow these steps to ensure effective monitoring of security events.

First, install the Auditd package if it is not already installed:

sudo apt update && sudo apt install auditd audispd-plugins

Once installed, you can start and enable the Auditd service:
sudo systemctl start auditd  # Start the Auditd service
sudo systemctl enable auditd  # Enable it to start on boot

Next, configure the Auditd rules to specify what events to monitor. The main configuration file is located at /etc/audit/audit.rules. It’s advisable to back up the original file before making changes:

sudo cp /etc/audit/audit.rules /etc/audit/audit.rules.bak  # Backup original rules

Edit the rules file:

sudo nano /etc/audit/audit.rules

Add rules to monitor critical files and directories. For example, to monitor changes to the /etc/passwd file, add:

-w /etc/passwd -p wa -k passwd_changes  # Watch for write and attribute changes

To monitor all commands executed by users, add:

-a always,exit -F arch=b64 -S execve -k exec_commands  # Log all executed commands

After editing, save and exit the file. Restart the Auditd service to apply the new rules:

sudo systemctl restart auditd  # Restart to apply changes

Caution: Be mindful of the performance impact when logging extensive events. Start with a few critical rules and gradually expand as needed. Always test your configuration in a safe environment before deploying it to production.

Finally, check the status of Auditd to ensure it is running correctly:

sudo systemctl status auditd  # Verify Auditd is active

Regularly review the logs located in /var/log/audit/audit.log to monitor for any suspicious activity.

Monitoring and Analyzing Audit Logs

To effectively monitor and analyze audit logs generated by auditd, you can utilize the ausearch and aureport tools, which are included with the audit package. These tools allow you to filter and summarize audit logs, making it easier to identify potential security incidents.

First, to search through the audit logs, use ausearch. For example, to find all events related to a specific user, you can run:

ausearch -ua username  # Replace 'username' with the actual username

This command will display all audit records associated with that user. You can also filter by event type, such as file access:

ausearch -f /path/to/file  # Replace with the actual file path

For a more comprehensive overview of the audit logs, aureport can be used to generate summary reports. To get a summary of all logged events, execute:

aureport  # Generates a summary report of all audit logs

To focus on specific types of events, such as login attempts, you can use:

aureport -l  # Lists all login events

Caution: Regularly monitoring audit logs is crucial for identifying unauthorized access or suspicious activities. Set up a cron job to automate log analysis, ensuring you receive timely alerts. For example, you can create a script that runs ausearch or aureport and sends the output via email.

Safe defaults for log retention should be configured in /etc/audit/auditd.conf. Ensure that the max_log_file is set to a reasonable size (e.g., max_log_file = 10 for 10MB) and that logs are rotated regularly to prevent disk space issues.

Finally, consider integrating your audit logs with a centralized logging solution for enhanced monitoring and analysis capabilities.

Setting Up Alerts for Security Events

To set up alerts for security events using auditd, you should use the audispd (audit dispatcher) plugin system rather than trying to execute scripts directly from audit rules. Audit rules only log events - alerting and custom actions require proper audispd plugins or external log processors.

First, ensure that you have the audispd-plugins package installed:

sudo apt update
sudo apt install audispd-plugins  # Install audit dispatcher plugins

Create a custom audispd plugin to handle alerts. First, create the plugin script:

sudo nano /usr/local/bin/audit_alerter.py

Add the following Python script that reads from stdin (as audispd plugins do):

#!/usr/bin/env python3
import sys
import json
import smtplib
from email.mime.text import MimeText
from datetime import datetime

def send_alert(event_data):
    """Send email alert for security events"""
    recipient = "[email protected]"
    subject = "Security Alert: Audit Event Detected"

    # Parse the audit event
    message = f"Security event detected at {datetime.now()}\n\nEvent details:\n{event_data}"

    # Send email (configure SMTP settings as needed)
    msg = MimeText(message)
    msg['Subject'] = subject
    msg['To'] = recipient

    # Note: Configure your SMTP server details
    print(f"ALERT: {message}")  # For testing, prints to logs

def main():
    """Main function to process audit events from stdin"""
    for line in sys.stdin:
        if 'passwd_changes' in line:  # Filter for specific events
            send_alert(line.strip())

if __name__ == "__main__":
    main()

Make the script executable:

sudo chmod +x /usr/local/bin/audit_alerter.py

Configure the audispd plugin by creating a configuration file:

sudo nano /etc/audit/plugins.d/audit_alerter.conf

Add the following configuration:

active = yes
direction = out
path = /usr/local/bin/audit_alerter.py
type = always
args =
format = string

Create your audit rules normally:

echo '-w /etc/passwd -p wa -k passwd_changes' | sudo tee -a /etc/audit/rules.d/audit.rules

Restart the audit daemon to load the new plugin:

sudo systemctl restart auditd

Alternative: External Log Processing

For centralized logging environments, configure audit logs to forward to a remote syslog server:

sudo nano /etc/audit/audisp-remote.conf

Configure remote forwarding:

remote_server = your-siem-server.com
port = 514

Enable the remote dispatcher:

sudo systemctl enable audisp-remote
sudo systemctl restart auditd

Caution: Audispd plugins run with audit privileges. Always test your plugins thoroughly and ensure they handle errors gracefully to avoid impacting audit logging.

Verification

To verify that Auditd is functioning correctly and capturing the desired events, you can perform several checks and analyses.

First, ensure that the Auditd service is running:

sudo systemctl status auditd  # Check the status of the Auditd service

If the service is not active, start it with:

sudo systemctl start auditd  # Start the Auditd service if it's not running

Next, confirm that the audit rules you configured are loaded correctly. You can list the current audit rules with:

sudo auditctl -l  # List all active audit rules

Review the output to ensure that the rules you intended to implement are present. If you need to modify or add rules, remember to do so carefully, as overly broad rules can generate excessive logs, impacting performance and storage.

To test if Auditd is capturing events as expected, you can perform a simple action that should trigger an audit log. For example, create a test file in a monitored directory:

touch /var/log/testfile  # Create a test file to trigger an audit event

Then, check the audit logs to see if the event was recorded:

sudo ausearch -f /var/log/testfile  # Search for audit logs related to the test file

You can also review the entire audit log for recent entries:

sudo ausearch -ts recent  # Display recent audit logs
  • How to Monitor File Integrity with AIDE - Learn to monitor file integrity on Debian 13 using AIDE with installation

Frequently Asked Questions

What does /proc/sys/kernel/audit_enabled do?

This file controls the Linux kernel audit subsystem. When set to 1, the kernel logs security-relevant events like file access, system calls, and authentication attempts. When 0, auditing is disabled.

How do I enable audit_enabled on Debian 13?

Install and enable the auditd service:

sudo apt install auditd
sudo systemctl enable --now auditd

The service automatically sets audit_enabled to 1.

Can I enable audit_enabled without auditd?

Not recommended. While you can manually write to /proc/sys/kernel/audit_enabled, the auditd daemon manages the audit system properly and ensures rules persist.

What’s the difference between audit_enabled and auditd?

audit_enabled is a kernel parameter that enables/disables the audit subsystem. auditd is the userspace daemon that manages audit rules, logs, and rotation.

Does enabling audit impact performance?

Minimal impact (<5% CPU overhead) with default rules. Excessive audit rules can impact performance. Monitor with:

sudo auditctl -l  # List current rules

Rollback Procedure

If you need to revert these changes:

1. Stop the Service

sudo systemctl stop auditd

2. Restore Configuration

## Restore from backup (create backups before making changes)
sudo cp /etc/[config_file].backup /etc/[config_file]

3. Restart Service

sudo systemctl restart auditd
sudo systemctl status auditd