
Linux Auditd File Integrity Monitoring

Integrating Linux auditd With Blumira

Blumira’s modern cloud SIEM platform integrates with Linux auditd to detect cybersecurity threats and to provide an automated or actionable response for remediation when a threat is detected.

When configured, the Blumira integration with Auditd will stream audit event logs to the Blumira service for automated threat detection and actionable response.

Get visibility, detect and respond to threats faster:

  • Monitor sensitive files and folders for unauthorized access
  • Meet and exceed CAPP, LSPP, RSBAC, NISPOM, FISMA, PCI-DSS, and STIG
  • Associate system changes with a user ID
  • Get guided and actionable remediation playbooks for teams without security expertise

See how easy it is to set up Blumira with Linux Journald for log ingestion:

Configure Log Forwarding for Linux Journald

Required Blumira Module: Logger

This article assumes you have already set up log ingestion for the Linux operating system itself. If you haven’t set that up yet, head over to the integration documentation and set it up first: https://www.blumira.com/integration/linux/

Auditd Configuration for Log Forwarding

  1. Confirm auditd is installed by entering: auditctl -v
    1. Output similar to auditctl version 2.8.2 is expected
  2. If auditd is not installed, enter the following to install it:
    1. For Ubuntu: sudo apt install -y auditd audispd-plugins
    2. For CentOS: sudo yum install -y audit audispd-plugins
  3. Open /etc/audisp/plugins.d/syslog.conf with sudo and your preferred editor and change the option active to yes. The config should look like the following:
    # This file controls the configuration of the syslog plugin.
    # It simply takes events and writes them to syslog. The
    # arguments provided can be the default priority that you
    # want the events written with. And optionally, you can give
    # a second argument indicating the facility that you want events
    # logged to. Valid options are LOG_LOCAL0 through 7, LOG_AUTH,
    # LOG_AUTHPRIV, LOG_DAEMON, LOG_SYSLOG, and LOG_USER.
    active = yes
    direction = out
    path = builtin_syslog
    type = builtin
    args = LOG_INFO
    format = string
  4. Open /etc/audit/auditd.conf with sudo and your preferred editor and replace log_format = RAW with log_format = ENRICHED. The config should look like the following:
    #
    # This file controls the configuration of the audit daemon
    #local_events = yes
    write_logs = yes
    log_file = /var/log/audit/audit.log
    log_group = root
    log_format = ENRICHED
    flush = INCREMENTAL_ASYNC
    freq = 50
    max_log_file = 8
    num_logs = 5
    priority_boost = 4
    disp_qos = lossy
    dispatcher = /sbin/audispd
    name_format = NONE
    ##name = mydomain
    max_log_file_action = ROTATE
    space_left = 75
    space_left_action = SYSLOG
    verify_email = yes
    action_mail_acct = root
    admin_space_left = 50
    admin_space_left_action = SUSPEND
    disk_full_action = SUSPEND
    disk_error_action = SUSPEND
    use_libwrap = yes
    ##tcp_listen_port = 60
    tcp_listen_queue = 5
    tcp_max_per_addr = 1
    ##tcp_client_ports = 1024-65535
    tcp_client_max_idle = 0
    enable_krb5 = no
    krb5_principal = auditd
    ##krb5_key_file = /etc/audit/audit.key
    distribute_network = no
  5. Reload or restart auditd (typically by entering: service auditd restart)
  6. Configure your watch folders and keys. As an example, to monitor all access to the billreyor home folder and tag the resulting events with the key reyor_watch, enter:
    auditctl -w /home/billreyor -k reyor_watch
    echo "-D" > /etc/audit/rules.d/my.rules
    auditctl -l >> /etc/audit/rules.d/my.rules
    service auditd restart

No other options need to be changed in the auditd configuration for log forwarding. The auditd events will now flow into the rsyslogd syslog socket.

At this point the configuration is complete. The logs can also be found in /var/log/messages (or the similar catch-all log file on your OS) with the journal namespace. The Blumira configuration in /etc/rsyslog.d/ that handles Linux log forwarding will automatically forward the logs.
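Once the events reach syslog, whatever consumes them has to pull the user and the watch key back out of the record. The following Python is an added example, not Blumira's or auditd's code: it parses a constructed ENRICHED SYSCALL record (auditd appends the resolved names after an ASCII 0x1d separator when log_format = ENRICHED) and reports which login user touched a path tagged with the reyor_watch key; the sample record and the helper names are assumptions.

```python
import re

# Constructed sample (not a real capture): one ENRICHED auditd SYSCALL record as the
# builtin_syslog plugin hands it to syslog. With log_format = ENRICHED, auditd appends
# resolved names (UID="billreyor", SYSCALL=openat, ...) after an ASCII 0x1d separator.
SAMPLE_RECORD = (
    'type=SYSCALL msg=audit(1700000000.123:4242): arch=c000003e syscall=257 '
    'success=yes exit=3 a0=ffffff9c a1=7ffd0 a2=0 a3=0 items=1 ppid=1200 pid=1201 '
    'auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 '
    'fsgid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="reyor_watch"'
    '\x1dARCH=x86_64 SYSCALL=openat AUID="billreyor" UID="billreyor" GID="billreyor" '
    'EUID="billreyor" SUID="billreyor" FSUID="billreyor" EGID="billreyor" '
    'SGID="billreyor" FSGID="billreyor"'
)

# key=value pairs; a value is either a double-quoted string or a bare token.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# msg=audit(<seconds>.<millis>:<serial>) identifies the event across its records.
MSG_RE = re.compile(r'audit\((\d+)\.(\d+):(\d+)\)')


def parse_enriched(record):
    """Return every field of an audit record as a dict, raw and enriched alike."""
    # partition() also copes with forwarders that drop or replace the 0x1d byte:
    # the enriched fields then simply fall into the same scan as the raw ones.
    raw, _, enriched = record.partition('\x1d')
    fields = {}
    for part in (raw, enriched):
        for key, value in FIELD_RE.findall(part):
            fields[key] = value[1:-1] if value.startswith('"') else value
    match = MSG_RE.search(raw)
    if match:
        fields['serial'] = int(match.group(3))
    return fields


def summarize_watch_hit(record, watch_key):
    """Summarize a SYSCALL record carrying watch_key, or return None if it does not."""
    f = parse_enriched(record)
    if f.get('type') != 'SYSCALL' or f.get('key') != watch_key:
        return None
    return {
        'key': f['key'],
        'syscall': f.get('SYSCALL', f.get('syscall')),  # name if enriched, number otherwise
        'user': f.get('UID', f.get('uid')),              # account the process ran as
        'login_user': f.get('AUID', f.get('auid')),      # who logged in; survives su/sudo
        'exe': f.get('exe'),
        'success': f.get('success') == 'yes',
        'serial': f.get('serial'),
    }
```

Because the login UID (auid) is carried on every record, a change made through sudo is still attributed to the account that originally logged in, which is what the "associate system changes with a user ID" point above relies on.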