Wednesday, October 1, 2025

Configure Audit logs & log Retention in Production VMs

 

Install the required packages

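# Install auditd plus the audisp plugins (the flag was passed twice in the
# original; once is enough), then enable the daemon at boot and start it.
sudo apt install -y auditd audispd-plugins

sudo systemctl enable auditd

sudo systemctl start auditd

# Local rules live in their own file under rules.d; augenrules (run below)
# merges every *.rules file there into the active rule set.
sudo vi /etc/audit/rules.d/hardening.rules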


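#Authentication Events
-w /etc/passwd -p wa -k passwd_changes
-w /etc/shadow -p wa -k shadow_changes
-w /etc/group -p wa -k group_changes
-w /etc/gshadow -p wa -k gshadow_changes


#Privilege Escalation (e.g., sudo)
-w /etc/sudoers -p wa -k sudoers_changes
-w /etc/sudoers.d/ -p wa -k sudoers_includes


#System Configuration Changes
-w /etc/hostname -p wa -k hostname_changes
-w /etc/hosts -p wa -k hosts_changes
-w /etc/network/ -p wa -k network_config_changes
-w /etc/resolv.conf -p wa -k dns_config


#Kernel Modules Changes
# A b64-only syscall rule does not see callers using the 32-bit syscall ABI
# on a 64-bit kernel, so every syscall rule is declared for both arches.
# finit_module is the variant current modprobe/insmod typically use.
-a always,exit -F arch=b64 -S init_module,finit_module,delete_module -k kernel_modules
-a always,exit -F arch=b32 -S init_module,finit_module,delete_module -k kernel_modules


#Monitoring Use of chmod, chown, etc.
# fchmodat/fchownat/lchown are what modern chmod/chown tools usually issue, so
# the original chmod/chown/fchmod/fchown list would miss most real changes.
# The auid filters follow the convention of the exec rules below: they drop
# boot-time and service-account noise (no login uid). Remove them if direct
# root logins (auid 0) must be covered too.
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod


#File/Directory Monitoring (Sensitive paths like etc and the other application path)
-w /etc/ssh/sshd_config -p wa -k ssh_config
#-w /opt/ -p wa -k opt_changes


#Execution of Binaries which needs to be monitored specifically
# auid>=1000 restricts to interactive users; auid!=4294967295 (unset) skips
# processes that never had a login uid (boot, daemons).
# NOTE(review): on merged-/usr Debian/Ubuntu, /usr/bin/sh is normally a symlink
# (e.g. to dash); confirm with `auditctl -l` that the watch resolved to the
# interpreter you meant, and watch the real binary as well if it did not.
-a always,exit -F path=/usr/bin/nc -F perm=x -F auid>=1000 -F auid!=4294967295 -k nc_exec
-a always,exit -F path=/usr/bin/sh -F perm=x -F auid>=1000 -F auid!=4294967295 -k sh_exec
-a always,exit -F path=/usr/bin/bash -F perm=x -F auid>=1000 -F auid!=4294967295 -k bash_exec


#Access to Credential Files
-w /etc/securetty -p wa -k securetty_changes
-w /var/log/lastlog -p wa -k login_logs


#Audit Auditd Itself
# Changes to the audit configuration and to this rules directory are themselves
# recorded, so tampering with the policy leaves a trace.
-w /etc/audit/ -p wa -k audit_config
-w /etc/audit/rules.d/ -p wa -k audit_rules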

# Merge /etc/audit/rules.d/*.rules and load the result into the kernel.
# A malformed line is reported here; fix it before going further.
sudo augenrules --load

# Restart the daemon after the rule change; `sudo auditctl -l` then lists
# exactly what is loaded, which is the quickest way to confirm the file took effect.
sudo systemctl restart auditd

Configure logrotate

# This file is shipped by the rsyslog package, so a later package upgrade may
# prompt about the locally modified conffile; keep a copy of the stanzas below.
sudo vi /etc/logrotate.d/rsyslog


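/var/log/syslog
/var/log/mail.info
/var/log/mail.warn
/var/log/mail.err
/var/log/mail.log
/var/log/daemon.log
/var/log/kern.log
/var/log/auth.log
/var/log/user.log
/var/log/lpr.log
/var/log/cron.log
/var/log/debug
/var/log/messages
{
        su root syslog
        weekly
        # 'maxsize' rotates weekly OR as soon as a file passes 15M, whichever comes
        # first. The original 'size 15M' is mutually exclusive with the time
        # interval and, placed after 'weekly', silently replaced it: a quiet
        # auth.log would then only rotate on size, and 'rotate 13' would no
        # longer mean ~13 weeks (the retention 'maxage 90' is clearly aiming at).
        maxsize 15M
        # 13 weekly rotations kept, and any rotated file older than 90 days removed.
        rotate 13
        maxage 90
        missingok
        notifempty
        # Recreate with the same owner/mode the chown/chmod steps below set,
        # so the permissions survive rotation.
        create 0640 syslog adm
        compress
        delaycompress
        sharedscripts
        prerotate
                # Remove append-only so rotation can happen (an append-only file
                # cannot be renamed). chattr needs CAP_LINUX_IMMUTABLE; the
                # '|| true' hides a failure, so verify the first rotation with
                # logrotate --debug / -f and lsattr rather than assuming it worked.
                chattr -a /var/log/syslog 2>/dev/null || true
                chattr -a /var/log/auth.log 2>/dev/null || true
        endscript
        postrotate
                /usr/lib/rsyslog/rsyslog-rotate
                # Reapply append-only after rotation (the freshly created files
                # start without the attribute).
                chattr +a /var/log/syslog 2>/dev/null || true
                chattr +a /var/log/auth.log 2>/dev/null || true
        endscript
}

# NOTE(review): auditd also rotates this file itself (max_log_file /
# max_log_file_action in /etc/audit/auditd.conf) by renaming it, and the
# append-only attribute reapplied below blocks that rename. Either set
# max_log_file_action there to something other than rotate, or drop the +a on
# audit.log; running both rotation paths against one file is not safe.
/var/log/audit/audit.log {
        su root adm
        daily
        # Same reasoning as above: size-or-time, not size-only.
        maxsize 15M
        rotate 13
        maxage 90
        missingok
        notifempty
        create 0640 root adm
        compress
        delaycompress
        sharedscripts
        prerotate
                # Remove append-only so rotation can happen
                chattr -a /var/log/audit/audit.log 2>/dev/null || true
        endscript
        postrotate
                # Signal auditd to reopen logs safely. This is silenced: if the
                # host has no /etc/init.d/auditd the signal never arrives and
                # auditd keeps writing to the renamed file until it gets SIGUSR1,
                # so check 'ausearch' output after the first forced rotation.
                invoke-rc.d auditd rotate >/dev/null 2>&1 || true
                # Reapply append-only after rotation
                chattr +a /var/log/audit/audit.log 2>/dev/null || true
        endscript
}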

# Owner and mode for the rsyslog-written files; this matches the
# 'create 0640 syslog adm' in the logrotate stanza so both agree.
sudo chown syslog:adm /var/log/auth.log /var/log/syslog

sudo chmod 640 /var/log/auth.log /var/log/syslog

# Append-only: existing content can no longer be truncated or edited in
# place, only appended to (clearing the attribute needs CAP_LINUX_IMMUTABLE).
sudo chattr +a /var/log/syslog /var/log/auth.log

# NOTE(review): auditd normally rotates audit.log itself by renaming it
# (max_log_file_action in /etc/audit/auditd.conf); +a blocks that rename, so
# check that setting before relying on this attribute here.
sudo chattr +a /var/log/audit/audit.log

sudo systemctl restart rsyslog

# Dry run first (nothing is touched), then force one real rotation and look
# at the resulting files and attributes.
sudo logrotate --debug /etc/logrotate.d/rsyslog

sudo logrotate -f /etc/logrotate.d/rsyslog

sudo ls -lh /var/log/{auth.log,syslog,audit/}

sudo lsattr /var/log/{auth.log,syslog,audit/audit.log}


Check the logrotate timer:

# logrotate is driven by a systemd timer (typically daily); "active (waiting)"
# with a next-trigger time means scheduled rotation is in place.
sudo systemctl status logrotate.timer



To search the audit log, use the ausearch filters below. The keys (-k) are the ones defined in the /etc/audit/rules.d/hardening.rules file.


Search logs by Key: 

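# The key must be one of the -k values from hardening.rules; that file defines
# nc_exec, sh_exec and bash_exec (there is no exec_log), so the original search
# could only report no matches.
sudo ausearch -k bash_exec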

Search logs by Username: 
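# -ua (--uid-all) matches the uid, euid or auid; the key is bash_exec from
# hardening.rules rather than the undefined exec_log.
sudo ausearch -k bash_exec -ua vishal.rajput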

Search logs by the root user:
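# Commands run through sudo have uid 0 but keep the invoker's auid, so they
# still match here. Direct root logins (auid 0) are excluded by the
# 'auid>=1000' filter on the exec rules themselves. Key fixed to bash_exec.
sudo ausearch -k bash_exec -ua 0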
