Key Points About Enabling Linux Auditing

1. Why Enable Linux Auditing?

  • Track changes to users, groups, files, and system configurations.
  • Detect unauthorized access (e.g., SSH brute-force attacks, privilege abuse).
  • Meet compliance standards (GDPR, HIPAA, PCI DSS) through audit trails.

2. Critical Audit Areas in Linux

  • Logon Events:
    • Monitor SSH logins (successful/failed) and sudo/su activity.
    • Track console and remote session access.
  • Account Management:
    • Audit user/group changes (e.g., useradd, usermod, /etc/passwd, /etc/group).
  • File & Configuration Changes:
    • Monitor critical files (e.g., /etc/shadow, /etc/sudoers, /etc/ssh/sshd_config).
  • Privilege Escalation:
    • Log sudo commands, setuid/setgid usage, and kernel module changes.

3. Steps to Enable Auditing in Linux

A. Configure Audit Policies

  • Use auditd (Linux Audit Framework):
    # Monitor SSH logins. A connect() rule filtered on a2=22 does not work: a2 is the
    # address length, not the port, and it would only catch outbound connections.
    # sshd/PAM already emit USER_AUTH/USER_LOGIN records; watching the login databases
    # they update (paths as in the stock audit rules) tags those events with ssh_access.
    auditctl -w /var/log/lastlog -p wa -k ssh_access
    auditctl -w /var/run/faillock/ -p wa -k ssh_access

    # Track changes to user/group files
    auditctl -w /etc/passwd -p wa -k user_changes
    auditctl -w /etc/group -p wa -k group_changes

    # Rules set with auditctl are lost on reboot; keep them in /etc/audit/rules.d/*.rules
    # and load them with: augenrules --load


B. Object & File Auditing

  • Monitor sensitive directories or files:
    auditctl -w /etc/sudoers.d/ -p wa -k sudo_config
    auditctl -w /var/log/ -p wa -k log_tampering
    

C. Monitor Logs

  • Use journalctl and log files:
    # Check SSH login attempts (the unit is named ssh on Debian/Ubuntu)
    journalctl -u sshd | grep "Failed password"

    # View auditd logs for custom rules (-i resolves uids, syscalls and timestamps)
    ausearch -k ssh_access -i

  • Key logs:
    • /var/log/auth.log (authentication events).
    • /var/log/audit/audit.log (auditd events).

4. Best Practices

  • Centralize Logs:
    • Forward logs to a SIEM (e.g., Splunk, ELK Stack) using rsyslog or syslog-ng.
    # rsyslog config to send all logs to a SIEM (@ = UDP; use @@ for TCP so drops are not silent)
    *.* @<SIEM_IP>:514

  • Monitor Privileged Accounts:
    • Log all root activity and sudo commands.
    • Use tools like sudo-logs or auditd to track privilege escalation.
  • Reduce Noise:
    • Filter logs for high-risk events (e.g., FAILED su, sudo failures, /etc/passwd modifications).
  • Automate Compliance:
    • Use tools like Lynis, OpenSCAP, or Wazuh for automated audits.
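As an added example (not part of the original page), a POSIX shell triage script that applies the step C log checks and the Reduce Noise filtering to raw auditd records: it counts successful events per rule key (the -k names set in step A) and failed sshd/PAM logins, and names the source with the most failures. The sample records, timestamps, PIDs and the 203.0.113.0/24 and 192.0.2.0/24 addresses are constructed for the demonstration.

```sh
#!/bin/sh
# Added example: triage raw auditd records against the rule keys set with -k and the
# failed logins named under "Reduce Noise". Input is the native audit.log format on
# stdin, so it also works on the output of: ausearch --raw

# Count successful SYSCALL records carrying a given rule key.
# Usage: count_key user_changes < /var/log/audit/audit.log
count_key() {
    awk -v key="$1" '
        $1 == "type=SYSCALL" && index($0, "key=\"" key "\"") && index($0, "success=yes") { n++ }
        END { print n + 0 }'
}

# Count failed authentications reported by PAM/sshd (USER_LOGIN ... res=failed).
# These records are written by auditd without any custom rule.
failed_logins() {
    awk '$1 == "type=USER_LOGIN" && index($0, "res=failed") { n++ } END { print n + 0 }'
}

# Source address with the most failed logins, printed as "COUNT ADDR" for alerting.
top_failed_source() {
    awk '$1 == "type=USER_LOGIN" && index($0, "res=failed") {
            for (i = 1; i <= NF; i++) if ($i ~ /^addr=/) print substr($i, 6)
        }' | sort | uniq -c | sort -rn | head -n 1 | awk '{ print $1, $2 }'
}

# Constructed sample records (not from a real host); the test-net addresses are made up.
SAMPLE_AUDIT_LOG=$(cat <<'EOF'
type=SYSCALL msg=audit(1737921600.101:501): arch=c000003e syscall=257 success=yes exit=3 comm="vi" exe="/usr/bin/vi" key="user_changes"
type=PATH msg=audit(1737921600.101:501): item=0 name="/etc/passwd" nametype=NORMAL
type=USER_LOGIN msg=audit(1737921605.220:502): pid=1200 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.7 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1737921606.221:503): pid=1201 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="admin" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.7 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1737921620.400:504): pid=1210 uid=0 auid=1000 ses=3 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=/dev/pts/0 res=success'
type=SYSCALL msg=audit(1737921630.500:505): arch=c000003e syscall=257 success=no exit=-13 comm="cat" exe="/usr/bin/cat" key="log_tampering"
EOF
)

# Summary a cron job or SIEM rule can act on. Usage: triage < /var/log/audit/audit.log
triage() {
    _log=$(cat)
    printf 'user/group file changes : %s\n' "$(printf '%s\n' "$_log" | count_key user_changes)"
    printf 'log directory tampering : %s\n' "$(printf '%s\n' "$_log" | count_key log_tampering)"
    printf 'failed logins           : %s (top source: %s)\n' \
        "$(printf '%s\n' "$_log" | failed_logins)" "$(printf '%s\n' "$_log" | top_failed_source)"
}

printf '%s\n' "$SAMPLE_AUDIT_LOG" | triage
```

The denied read of the log directory (success=no) is deliberately not counted as tampering, which is the kind of filtering the Reduce Noise point asks for; drop the success=yes test in count_key if attempts should alert too.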

5. Compliance & Threat Detection

  • GDPR/HIPAA: Audit access to sensitive files (e.g., databases, configuration files).
  • PCI DSS: Log all root actions and network access to payment data.
  • Detect Threats:
    • Use fail2ban to block brute-force SSH attempts.
    • Alert on unusual activity (e.g., midnight root logins, unauthorized cron jobs).

6. Tools for Linux Auditing

  • Native Tools: auditd, journalctl, rsyslog.
  • SIEM Integration: Splunk Forwarder, Elasticsearch, Graylog.
  • Compliance: Lynis (hardening), OpenSCAP (CIS benchmarks).
  • Hybrid AD Environments:
    • Audit AD/LDAP integrations via /var/log/sssd/sssd.log (if using sssd or winbind).

Summary

Linux auditing ensures security and compliance by tracking logins, user/group changes, and critical file activity. Use auditd, centralized logging, and compliance tools to mirror AD-like auditing principles. In hybrid environments, correlate Linux logs with AD logs via SIEM for full visibility.


Revision #1, created 26 January 2025 20:01:33 by Omar Mohamed

Updated 26 January 2025 20:02:27 by Omar Mohamed
