This guide will walk you through the process of installing auditd on Linux systems and configuring it with the rules provided by Neo23x0.
- Root or sudo access to the Linux system
- Internet connection to download necessary files
The installation process may vary depending on your Linux distribution. Here are instructions for common distributions:
sudo apt update
sudo apt install auditd audispd-plugins
sudo yum install audit audit-libs
sudo dnf install audit
- Open a terminal window.
- Download the audit rules file:
sudo curl -o /etc/audit/rules.d/audit.rules https://raw.githubusercontent.com/Neo23x0/auditd/master/audit.rules
-
Open the main auditd configuration file:
sudo nano /etc/audit/auditd.conf
-
Review and adjust the settings as needed.
-
Save and close the file (in nano, press Ctrl+X, then Y, then Enter).
-
Load the new audit rules:
sudo auditctl -R /etc/audit/rules.d/audit.rules
-
Restart the auditd service:
sudo service auditd restart
-
Check if auditd is running:
sudo systemctl status auditd
-
Verify that the rules have been loaded:
sudo auditctl -l
-
Perform some actions that should trigger audit logs (e.g., accessing sensitive files, running specific commands).
-
Check the audit log for new entries:
sudo ausearch -ts recent
To update the audit rules in the future:
- Download the latest
audit.rules
file from the Neo23x0 GitHub repository (or somewhere else). - Replace the existing file:
sudo curl -o /etc/audit/rules.d/audit.rules https://raw.githubusercontent.com/Neo23x0/auditd/master/audit.rules
- Reload the rules and restart auditd:
sudo auditctl -R /etc/audit/rules.d/audit.rules sudo service auditd restart
Adjust rules as needed to meet compliance requirements.
You can now install the auditd elastic integration to collect auditd logs.
For a more streamlined installation process, you can use the following bash script:
#!/bin/bash
set -e
# Ensure the script is run as root
if [ "$EUID" -ne 0 ]; then
echo "Please run as root."
exit 1
fi
# Inform the user that auditd is being installed
echo "Installing and configuring auditd, please wait..."
# Determine the OS ID
if [ -f /etc/os-release ]; then
. /etc/os-release
OS_ID="$ID"
else
echo "Cannot determine the operating system."
exit 1
fi
# Install auditd based on the OS
case "$OS_ID" in
ubuntu|debian)
apt update > /dev/null 2>&1
apt install -y auditd audispd-plugins > /dev/null 2>&1
;;
centos|rhel)
yum install -y audit > /dev/null 2>&1
;;
fedora)
dnf install -y audit > /dev/null 2>&1
;;
*)
echo "Unsupported OS: $OS_ID"
exit 1
;;
esac
# Create the rules directory if it doesn't exist
mkdir -p /etc/audit/rules.d > /dev/null 2>&1
# Download the audit rules
curl -o /etc/audit/rules.d/audit.rules https://raw.githubusercontent.com/Neo23x0/auditd/master/audit.rules > /dev/null 2>&1
# Load the audit rules, suppressing output and errors
augenrules --load > /dev/null 2>&1
# Restart the auditd service, suppressing output
systemctl restart auditd > /dev/null 2>&1
# Notify the user of successful completion
echo "auditd installed and rules applied successfully."
To use this script:
- Save it to a file, e.g.,
install_auditd.sh
- Make it executable:
chmod +x install_auditd.sh
- Run it with sudo:
sudo ./install_auditd.sh