7.3. Configuring the audit Service
The Audit daemon can be configured in the /etc/audit/auditd.conf configuration file. This file consists of configuration parameters that modify the behavior of the Audit daemon. Any empty lines or any text following a hash sign (#) are ignored. See the auditd.conf(5) man page for a complete listing of all configuration parameters and their explanation.
		7.3.1. Configuring auditd for a CAPP Environment
The default auditd configuration should be suitable for most environments. However, if your environment has to meet the criteria set by the Controlled Access Protection Profile (CAPP), which is a part of the Common Criteria certification, the Audit daemon must be configured with the following settings:
- The directory that holds the Audit log files (usually /var/log/audit/) should reside on a separate partition. This prevents other processes from consuming space in this directory, and provides accurate detection of the remaining space for the Audit daemon.
- The max_log_file parameter, which specifies the maximum size of a single Audit log file in megabytes, must be set to make full use of the available space on the partition that holds the Audit log files.
- The max_log_file_action parameter, which decides what action is taken once the limit set in max_log_file is reached, should be set to keep_logs to prevent Audit log files from being overwritten. Unlike rotate, keep_logs ignores the num_logs parameter, so old log files are never removed.
- The space_left parameter, which specifies the amount of free space left on the disk at which the action set in the space_left_action parameter is triggered, must be set to a number that gives the administrator enough time to respond and free up disk space. The appropriate space_left value depends on the rate at which the Audit log files are generated.
- It is recommended to set the space_left_action parameter to email or exec with an appropriate notification method. The email action sends a warning to the account named in action_mail_acct and to syslog; the exec action runs the program given after it, for example a script that pages an administrator.
- The admin_space_left parameter, which specifies the absolute minimum amount of free space at which the action set in the admin_space_left_action parameter is triggered, must be set to a value that leaves enough space to log the actions performed by the administrator. Because this threshold is reached after space_left, its value must be lower than space_left.
- The admin_space_left_action parameter must be set to single to put the system into single-user mode and allow the administrator to free up some disk space.
- The disk_full_action parameter, which specifies an action that is triggered when no free space is available on the partition that holds the Audit log files, must be set to halt or single. This ensures that the system is either shut down or operating in single-user mode when Audit can no longer log events.
- The disk_error_action parameter, which specifies an action that is triggered in case an error is detected on the partition that holds the Audit log files, must be set to syslog, single, or halt, depending on your local security policies regarding the handling of hardware malfunctions.
- The flush configuration parameter must be set to sync or data. With data, the log data is synchronized to disk on every write; with sync, the file metadata is synchronized as well. Either value ensures that Audit event data is on disk before the daemon continues, rather than buffered as with incremental or incremental_async, which rely on the freq parameter.
				The remaining configuration options should be set according to your local security policy.
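As an added worked example, not part of this guide or of the audit package, the following POSIX shell script checks an auditd.conf file against the CAPP settings listed above. It parses the file the way auditd.conf(5) describes (parameter = value lines, blank lines and text after # ignored, values compared case-insensitively) and reports each parameter as OK or FAIL. It assumes that space_left and admin_space_left are plain megabyte values. The two configuration files it writes are constructed for the demonstration: one resembles stock defaults, the other applies the settings above.

```shell
#!/bin/sh
# Added example, not part of the Red Hat documentation or the audit project:
# check an auditd.conf against the CAPP settings listed in the text above.

# Print the (lowercased) value of parameter $2 in file $1; empty if unset.
# Text after '#' and blank lines are ignored, as auditd does.
audit_conf_get() {
    sed -e 's/#.*//' "$1" | awk -F= -v key="$2" '
        NF >= 2 {
            gsub(/^[ \t]+|[ \t]+$/, "", $1); gsub(/^[ \t]+|[ \t]+$/, "", $2)
            if (tolower($1) == key) val = $2   # last assignment wins
        }
        END { print tolower(val) }'
}

# Report whether parameter $2 of file $1 has one of the acceptable values $3...
# Prints one verdict line; exit status 0 = acceptable, 1 = not acceptable.
check_param() {
    file=$1; param=$2; shift 2
    val=$(audit_conf_get "$file" "$param")
    for ok in "$@"; do
        if [ "$val" = "$ok" ]; then
            printf 'OK    %-24s = %s\n' "$param" "$val"
            return 0
        fi
    done
    printf 'FAIL  %-24s = %s (expected one of: %s)\n' "$param" "${val:-<unset>}" "$*"
    return 1
}

# Run every check from the list above on file $1. Verdict lines come first;
# the last line printed is the number of failing checks.
capp_failures() {
    file=$1; failures=0
    check_param "$file" max_log_file_action keep_logs        || failures=$((failures+1))
    check_param "$file" space_left_action email exec         || failures=$((failures+1))
    check_param "$file" admin_space_left_action single       || failures=$((failures+1))
    check_param "$file" disk_full_action halt single         || failures=$((failures+1))
    check_param "$file" disk_error_action syslog single halt || failures=$((failures+1))
    check_param "$file" flush sync data                      || failures=$((failures+1))
    # The thresholds have no single correct value, but admin_space_left is the
    # absolute minimum reached after space_left, so it must be the smaller one
    # (assumption: both are plain megabyte numbers).
    space_left=$(audit_conf_get "$file" space_left)
    admin_left=$(audit_conf_get "$file" admin_space_left)
    if [ -n "$space_left" ] && [ -n "$admin_left" ] && [ "$admin_left" -lt "$space_left" ] 2>/dev/null; then
        printf 'OK    admin_space_left (%s) < space_left (%s)\n' "$admin_left" "$space_left"
    else
        printf 'FAIL  admin_space_left (%s) must be set and smaller than space_left (%s)\n' \
            "${admin_left:-<unset>}" "${space_left:-<unset>}"
        failures=$((failures+1))
    fi
    echo "$failures"
}

# Constructed sample resembling stock auditd.conf defaults (not CAPP-compliant).
write_default_sample() {
    cat > "$1" <<'EOF'
# This file controls the configuration of the audit daemon
log_file = /var/log/audit/audit.log
max_log_file = 8
max_log_file_action = ROTATE
num_logs = 5
space_left = 75
space_left_action = SYSLOG
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
flush = INCREMENTAL_ASYNC
freq = 50
EOF
}

# Constructed sample applying the CAPP settings from the list above.
write_capp_sample() {
    cat > "$1" <<'EOF'
log_file = /var/log/audit/audit.log
max_log_file = 2048     # MB; sized to the dedicated /var/log/audit partition
max_log_file_action = keep_logs
space_left = 500
space_left_action = email
action_mail_acct = root
admin_space_left = 100
admin_space_left_action = single
disk_full_action = halt
disk_error_action = syslog
flush = sync
EOF
}

tmpdir=$(mktemp -d)
write_default_sample "$tmpdir/default.conf"
write_capp_sample "$tmpdir/capp.conf"
echo "== stock defaults =="; capp_failures "$tmpdir/default.conf"
echo "== CAPP settings =="; capp_failures "$tmpdir/capp.conf"
rm -rf "$tmpdir"
```

To check a live system, call capp_failures /etc/audit/auditd.conf instead of the sample files. After changing auditd.conf, restart the daemon with service auditd restart so the new settings take effect.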