auditd.conf - Linux
Overview
auditd.conf is a configuration file that defines audit rules for auditd (the Linux audit daemon), specifying which system events and actions are logged and how.
Syntax
/etc/audit/auditd.conf
Options/Flags
- log_file (required): Path to the file where audit records are stored. Default: /var/log/audit/audit.log
- max_log_file_action (required): Action to take when log_file reaches its maximum size. Options: keep_logs, rotate, discard, syslog
- max_log_file_size (optional): Maximum size (in bytes) of log_file. Default: 5 MB
- num_log_files (optional): Number of log files to keep before rotating. Default: 5
- dispatcher (optional): Specifies the plugin or program that handles audit events. Default: "console_syslog"
- name (optional): Name of the rule. Used for identifying and debugging rules.
- audit_backlog_limit (optional): Limits the number of unhandled audit events in the backlog queue. Default: 1000
- max_restarted_events (optional): Maximum number of audit events that can fail to be sent. Default: 0 (unlimited)
- freq (optional): Interval (in milliseconds) between sending batches of audit events to the dispatcher. Default: 100
- async (optional): Enables asynchronous audit event handling. Default: false
- priority (optional): Sets the priority of audit events. Options: emergency, alert, critical, error, warning, notice, informational, debug
- rate_limit (optional): Specifies the maximum number of audit events per second. Default: 0 (no rate limit)
- decode_ruleset (optional): Enables decoding of the audit ruleset (currently only supported for PCI DSS ruleset). Default: false
- icons (optional): Enables audit event icon generation. Default: false
Examples
Example 1: Basic Audit Configuration
log_file = /var/log/audit/audit.log
max_log_file_action = rotate
max_log_file_size = 10M
num_log_files = 5
Example 2: Enable Asynchronous Handling
async = yes
Example 3: Set Priority Level
priority = 3
Common Issues
- Log file permissions: Ensure that the specified log_file has appropriate permissions to allow auditd to write to it.
- File descriptor limit: If audit events are not being logged, check the file descriptor limit of auditd and increase it if necessary.
- Dispatcher failure: If audit events are not being handled, check the configuration of the dispatcher (e.g., console_syslog) and ensure it is working properly.
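The following is an added example, not part of the audit project or of this page's own configuration: a small Python checker that parses a file in the key = value format described under Options/Flags and reports the settings a reviewer would want to see before relying on the log (missing required options, a max_log_file_action that silently loses records, a relative log_file path). The sample configuration is constructed, and the required-option and action lists are taken from the descriptions above.

```python
"""Parse an auditd.conf-style file and flag risky log-handling settings.

Added example; the rules follow the option descriptions above: log_file and
max_log_file_action are treated as required, and 'discard' as the action
that drops audit records once the log is full.
"""
import re

REQUIRED = ("log_file", "max_log_file_action")
VALID_ACTIONS = {"keep_logs", "rotate", "discard", "syslog"}

# Constructed sample configuration used for the demo run at the bottom.
SAMPLE_CONF = """\
# constructed sample auditd.conf
log_file = /var/log/audit/audit.log
max_log_file_action = discard
max_log_file_size = 10
num_log_files = 5
"""


def parse_auditd_conf(text):
    """Return {key: value} from 'key = value' lines; '#' comments and blanks are skipped."""
    cfg = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"(\w+)\s*=\s*(.+)", line)
        if not m:
            raise ValueError(f"line {lineno}: expected 'key = value', got {raw!r}")
        cfg[m.group(1).lower()] = m.group(2).strip()
    return cfg


def audit_config_findings(cfg):
    """Return a list of human-readable findings for a parsed configuration."""
    findings = [f"missing required option: {k}" for k in REQUIRED if k not in cfg]
    log_file = cfg.get("log_file")
    if log_file and not log_file.startswith("/"):
        findings.append(f"log_file is not an absolute path: {log_file}")
    action = cfg.get("max_log_file_action")
    if action is not None and action not in VALID_ACTIONS:
        findings.append(f"unknown max_log_file_action: {action}")
    elif action == "discard":
        findings.append("max_log_file_action=discard: records are dropped once log_file is full")
    elif action == "rotate":
        kept = cfg.get("num_log_files", "5")  # page default when unset
        findings.append(f"max_log_file_action=rotate: only {kept} files kept, older records are overwritten")
    return findings


if __name__ == "__main__":
    for finding in audit_config_findings(parse_auditd_conf(SAMPLE_CONF)):
        print("FINDING:", finding)
```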
Integration
auditd.conf can be integrated with other logging tools such as:
- rsyslog: To forward audit events to a centralized logging server.
- logrotate: To automatically rotate and compress audit logs.
Related Commands
- auditctl: Manage audit rules in kernel space.
- ausearch: Search audit log files.
- augenrules: Convert PCI DSS ruleset into auditd.conf format.