auditd
Definition
auditd is the userspace component of the Linux Auditing System, responsible for writing audit records to disk. It provides a way to track security-relevant information on a system, such as system calls, file accesses, and user logins. This tool is essential for compliance with various security standards and helps in forensic investigations by maintaining a detailed log of system activities.
Secure Settings Example
# /etc/audit/auditd.conf
log_file = /var/log/audit/audit.log
# RAW writes records as the kernel emits them; ENRICHED additionally resolves uid, gid, syscall and address information
log_format = RAW
# flush to disk every `freq` records without blocking the daemon on each write
flush = INCREMENTAL_ASYNC
freq = 50
# size in MB at which max_log_file_action runs; ROTATE keeps the old log instead of losing records
max_log_file = 8
max_log_file_action = ROTATE
# free-space thresholds in MB: warn via syslog first, then SUSPEND logging at the admin threshold
space_left = 75
space_left_action = SYSLOG
admin_space_left = 50
admin_space_left_action = SUSPEND
# SUSPEND keeps auditd alive but stops writing, so events arriving while suspended are not recorded;
# SINGLE or HALT are the stricter fail-closed choices where losing audit data is unacceptable
disk_full_action = SUSPEND
disk_error_action = SUSPEND
Insecure Settings Example
# /etc/audit/auditd.conf
log_file = /var/log/audit/audit.log
# NOLOG discards every record instead of writing it (deprecated in auditd 3.x in favour of write_logs = no)
log_format = NOLOG
# NONE never forces buffered records to disk, so a crash or power loss drops them
flush = NONE
# IGNORE never enforces the size limit, so the log grows without bound
max_log_file_action = IGNORE
# IGNORE on the disk actions means nothing happens when space runs out or writes fail:
# no warning is raised and the records that cannot be written are lost
space_left_action = IGNORE
admin_space_left_action = IGNORE
disk_full_action = IGNORE
disk_error_action = IGNORE
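A small checker that parses an auditd.conf and reports the directives set to the record-losing values from the insecure example above; this is an added example, not part of the original page or of the audit project. It assumes the `keyword = value` line format of auditd.conf and, like auditd's own parser, compares values case-insensitively; the embedded sample is the insecure configuration shown above.

```python
from typing import Dict, List

# Constructed sample: the insecure auditd.conf shown above.
INSECURE_CONF = """\
# /etc/audit/auditd.conf
log_file = /var/log/audit/audit.log
log_format = NOLOG
flush = NONE
max_log_file_action = IGNORE
space_left_action = IGNORE
admin_space_left_action = IGNORE
disk_full_action = IGNORE
disk_error_action = IGNORE
"""

# Values that discard records or ignore disk exhaustion.
# write_logs = no is the auditd 3.x replacement for the deprecated NOLOG format.
WEAK_VALUES = {
    "log_format": {"NOLOG"},
    "write_logs": {"NO"},
    "flush": {"NONE"},
    "max_log_file_action": {"IGNORE"},
    "space_left_action": {"IGNORE"},
    "admin_space_left_action": {"IGNORE"},
    "disk_full_action": {"IGNORE"},
    "disk_error_action": {"IGNORE"},
}


def parse_auditd_conf(text: str) -> Dict[str, str]:
    """Parse 'keyword = value' lines; comment and blank lines are skipped.
    Keys are lower-cased; a keyword repeated later in the file wins."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key.lower()] = value
    return settings


def find_weak_settings(text: str) -> List[str]:
    """Return one finding per directive set to a value that loses audit data."""
    settings = parse_auditd_conf(text)
    return [
        f"{key} = {settings[key]}"
        for key, bad in WEAK_VALUES.items()
        if key in settings and settings[key].upper() in bad
    ]
```

Running it on a host's real file is `find_weak_settings(open("/etc/audit/auditd.conf").read())`; an empty list means none of the listed directives is set to a record-losing value.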