
How to enable the Audit service for Linux

1.1 To install auditd on Debian/Ubuntu-based systems

sudo apt install -y auditd audispd-plugins

1.2 To install on RedHat/CentOS-based systems (the audit package provides auditd itself, audispd-plugins the syslog forwarder used in step 3)

sudo yum install -y audit audispd-plugins

2. Configure a minimum predefined rule set

Write each rule on its own line (a trailing backslash inside single quotes is kept literally and would become part of the key); the group database file is /etc/group, and -p wa watches for writes and attribute changes:

cat > /etc/audit/rules.d/cq.rules <<'EOF'
-w /etc/passwd -p wa -k password_changes
-w /etc/group -p wa -k groups_changes
-w /etc/ -p wa -k configuration_changes
EOF

The rules are loaded when auditd is restarted in step 4 (or immediately with augenrules --load).

3. Forward all logs via audisp to syslog

nano /etc/audisp/plugins.d/syslog.conf
(on audit 3.x the plugin configuration lives at /etc/audit/plugins.d/syslog.conf instead)

set
active = yes

4. Restart the audit service

systemctl restart auditd.service

On RHEL-family systems the unit is marked RefuseManualStop, so systemctl refuses to restart it; use service auditd restart there instead.

5. Verify that the local machine's syslog forwards to the CQ Data Server
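The following script is added here as a worked example and is not part of the original page: it sanity-checks a rules file of the kind written in step 2 (catching the run-together -pa form and missing keys) and then counts the audit records per key in a log of audisp-forwarded events, which is the local check to do before looking for the same records on the CQ Data Server. The function names are mine, and both the rules file and the syslog lines are constructed samples (the syslog line layout approximates what the audisp syslog plugin emits; hostnames, pids and timestamps are made up), so it runs without auditd or a syslog daemon.

```shell
#!/bin/sh
# Added example (not from the original page): validate an audit rules file and
# count forwarded audit events by key. All inputs below are constructed inline.

# Check that each non-comment line of a rules file is a file watch of the form
# "-w <path> -p <perms> -k <key>". A run-together flag such as "-pa" or a
# missing key is reported on stderr and the function returns 1.
validate_rules() {
    rules_file="$1"
    status=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;
            -w\ *\ -p\ *\ -k\ *) ;;
            *) printf 'bad rule: %s\n' "$line" >&2; status=1 ;;
        esac
    done < "$rules_file"
    return "$status"
}

# Count SYSCALL records carrying exactly the given key. Prints 0 instead of
# failing when nothing matches, so it is safe to call under "set -e".
count_key_events() {
    log_file="$1"
    key="$2"
    grep -c "type=SYSCALL .*key=\"$key\"" "$log_file" || :
}

# List the distinct commands (comm=) that triggered events for a key.
commands_for_key() {
    log_file="$1"
    key="$2"
    grep "type=SYSCALL .*key=\"$key\"" "$log_file" \
        | sed -n 's/.*comm="\([^"]*\)".*/\1/p' | sort -u
}

WORKDIR=$(mktemp -d)
SAMPLE_RULES="$WORKDIR/cq.rules"
SAMPLE_LOG="$WORKDIR/audit-syslog.log"

# Constructed rules file: the page's rule set with the permission flags spelled out.
cat > "$SAMPLE_RULES" <<'EOF'
# watches as loaded from /etc/audit/rules.d/cq.rules
-w /etc/passwd -p wa -k password_changes
-w /etc/group -p wa -k groups_changes
-w /etc/ -p wa -k configuration_changes
EOF

# Constructed sample of audisp-forwarded records as they might appear in syslog
# (fields trimmed for brevity; host, pids and timestamps are invented).
cat > "$SAMPLE_LOG" <<'EOF'
Jan 10 12:00:01 host1 audispd: type=SYSCALL msg=audit(1704888001.101:201): arch=c000003e syscall=257 success=yes exit=3 pid=4322 auid=1000 uid=0 comm="vipw" exe="/usr/sbin/vipw" key="password_changes"
Jan 10 12:00:01 host1 audispd: type=PATH msg=audit(1704888001.101:201): item=0 name="/etc/passwd" inode=1234 mode=0100644 ouid=0 ogid=0
Jan 10 12:00:05 host1 audispd: type=SYSCALL msg=audit(1704888005.222:202): arch=c000003e syscall=257 success=yes exit=4 pid=4330 auid=1000 uid=0 comm="groupadd" exe="/usr/sbin/groupadd" key="groups_changes"
Jan 10 12:00:09 host1 audispd: type=SYSCALL msg=audit(1704888009.333:203): arch=c000003e syscall=257 success=yes exit=3 pid=4340 auid=1000 uid=0 comm="passwd" exe="/usr/bin/passwd" key="password_changes"
Jan 10 12:00:12 host1 audispd: type=SYSCALL msg=audit(1704888012.444:204): arch=c000003e syscall=257 success=no exit=-13 pid=4350 auid=4294967295 uid=0 comm="cron" exe="/usr/sbin/cron" key="configuration_changes"
EOF

echo "validating $SAMPLE_RULES"
validate_rules "$SAMPLE_RULES" && echo "rules OK"

# Per-key summary: how many events arrived and which programs caused them.
for k in password_changes groups_changes configuration_changes; do
    printf '%-22s %s event(s); commands: %s\n' "$k" \
        "$(count_key_events "$SAMPLE_LOG" "$k")" \
        "$(commands_for_key "$SAMPLE_LOG" "$k" | tr '\n' ' ')"
done
```

To use it against a real host, point SAMPLE_LOG at the file your syslog daemon writes audispd messages to and SAMPLE_RULES at /etc/audit/rules.d/cq.rules; a key that reports zero events after you touch the watched file means the rule was not loaded (compare auditctl -l) or the syslog plugin is still inactive.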

Once configured, start the service to collect Audit information and store it in the log files, using the following command as the root user to start auditd:

# service auditd start

Other actions can be performed on auditd using the command service auditd <action>, where <action> is one of the following:

  • stop: stops auditd
  • restart: restarts auditd
  • reload or force-reload: reloads auditd configuration from the /etc/audit/auditd.conf file
  • rotate: rotates log files in /var/log/audit/ directory
  • resume: resumes logging of audit events after it has been previously suspended
  • condrestart or try-restart: restarts auditd only if it is already running
  • status: displays the running status of auditd