auditd.conf - Linux


Overview

auditd.conf is a configuration file that defines audit rules for auditd (the Linux audit daemon), specifying which system events and actions are logged and how.

Syntax

/etc/audit/auditd.conf

Options/Flags

  • log_file (required): Path to the file where audit records are stored. Default: /var/log/audit/audit.log
  • max_log_file_action (required): Action to take when log_file reaches max size. Options: keep_logs, rotate, discard, syslog
  • max_log_file_size (optional): Maximum size (in bytes) of log_file. Default: 5 MB
  • num_log_files (optional): Number of log files to keep before rotating. Default: 5
  • dispatcher (optional): Specifies the plugin or program that handles audit events. Default: "console_syslog"
  • name (optional): Name of the rule. Used for identifying and debugging rules.
  • audit_backlog_limit (optional): Limits the number of unhandled audit events in the backlog queue. Default: 1000
  • max_restarted_events (optional): Maximum number of audit events that can fail to be sent. Default: 0 (unlimited)
  • freq (optional): Interval (in milliseconds) between sending batches of audit events to the dispatcher. Default: 100
  • async (optional): Enables asynchronous audit event handling. Default: false
  • priority (optional): Sets the priority of audit events. Options: emergency, alert, critical, error, warning, notice, informational, debug
  • rate_limit (optional): Specifies the maximum number of audit events per second. Default: 0 (no rate limit)
  • decode_ruleset (optional): Enables decoding of the audit ruleset (currently only supported for PCI DSS ruleset). Default: false
  • icons (optional): Enables audit event icon generation. Default: false

Examples

Example 1: Basic Audit Configuration

log_file = /var/log/audit/audit.log
max_log_file_action = rotate
max_log_file_size = 10M
num_log_files = 5

Example 2: Enable Asynchronous Handling

async = yes

Example 3: Set Priority Level

priority = 3
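The following is an added example (not part of this page or of the audit project) that parses a `key = value` file in the format shown in the examples above and checks it against the option list from this page: the two required options, the allowed values of max_log_file_action, and integer-valued options. It also checks that a log_file has no group/other permission bits, which addresses the "Log file permissions" issue; the expectation of a 0600 log file is an assumption, not something this page states. The sample configuration inside the block is constructed for the example.

```python
"""Validator for auditd.conf-style `key = value` files.

Added example, not code from the audit project. The required options and the
allowed max_log_file_action values follow the option list on this page; the
0600 expectation for log_file is an assumption.
"""
import os
import tempfile

# Constructed sample, matching Example 1 on this page plus a comment line.
SAMPLE_CONF = """\
# basic audit configuration (constructed sample)
log_file = /var/log/audit/audit.log
max_log_file_action = rotate
max_log_file_size = 10M
num_log_files = 5
"""

REQUIRED = {"log_file", "max_log_file_action"}
MAX_LOG_FILE_ACTIONS = {"keep_logs", "rotate", "discard", "syslog"}
INTEGER_OPTIONS = ("num_log_files", "audit_backlog_limit", "rate_limit")


def parse_auditd_conf(text):
    """Parse `key = value` lines into a dict; '#' comments and blanks are skipped."""
    options = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected 'key = value', got {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        if not key or not value:
            raise ValueError(f"line {lineno}: empty key or value in {raw!r}")
        # Keys are treated case-insensitively so `Log_File` and `log_file` match.
        options[key.lower()] = value
    return options


def validate(options):
    """Return a list of problems; an empty list means the config passed."""
    problems = []
    for key in sorted(REQUIRED - options.keys()):
        problems.append(f"missing required option: {key}")
    action = options.get("max_log_file_action")
    if action is not None and action not in MAX_LOG_FILE_ACTIONS:
        allowed = ", ".join(sorted(MAX_LOG_FILE_ACTIONS))
        problems.append(f"max_log_file_action must be one of {allowed}; got {action!r}")
    for key in INTEGER_OPTIONS:
        value = options.get(key)
        if value is not None and not value.isdigit():
            problems.append(f"{key} must be a non-negative integer, got {value!r}")
    return problems


def check_log_file_mode(path):
    """True if `path` exists and has no group/other permission bits (e.g. 0600)."""
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return False
    return (mode & 0o077) == 0


def demo_permission_check():
    """Exercise check_log_file_mode on a temporary file with three states.

    Returns (result for 0600, result for 0644, result after deletion).
    """
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, 0o600)
        private = check_log_file_mode(path)
        os.chmod(path, 0o644)
        world_readable = check_log_file_mode(path)
    finally:
        os.remove(path)
    missing = check_log_file_mode(path)
    return private, world_readable, missing


if __name__ == "__main__":
    parsed = parse_auditd_conf(SAMPLE_CONF)
    print("parsed:", parsed)
    print("problems:", validate(parsed) or "none")
    print("permission demo (0600, 0644, missing):", demo_permission_check())
```

Run the block directly to validate the constructed sample; to check a real file, read `/etc/audit/auditd.conf` and pass its contents to `parse_auditd_conf`, then pass the parsed `log_file` value to `check_log_file_mode`.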

Common Issues

  • Log file permissions: Ensure that the specified log_file has appropriate permissions to allow auditd to write to it.
  • File descriptor limit: If audit events are not being logged, check the file descriptor limit of auditd and increase it if necessary.
  • Dispatcher failure: If audit events are not being handled, check the configuration of the dispatcher (e.g., console_syslog) and ensure it is working properly.

Integration

auditd.conf can be integrated with other logging tools such as:

  • rsyslog: To forward audit events to a centralized logging server.
  • logrotate: To automatically rotate and compress audit logs.

Related Commands

  • auditctl: Manage audit rules in kernel space.
  • ausearch: Search audit log files.
  • augenrules: Convert PCI DSS ruleset into auditd.conf format.