🔍 Configuring System Auditing: Simple Guide

Published Jun 13, 2025

Easy tutorial on configuring system auditing in Alpine Linux. Perfect for beginners with step-by-step instructions for tracking system events.

I'll show you how to set up system auditing in Alpine Linux! This helps you track what happens on your system - who logs in, what files change, and more. Really useful for security and troubleshooting.

🤔 What is System Auditing?

System auditing records what happens on your computer. It's like having a security camera that watches everything. You can see who did what and when they did it.

Why audit your system?

  • Track security events
  • Find out who changed files
  • Debug system problems
  • Meet compliance requirements
  • Catch suspicious activity

🎯 What You Need

Before we start, you need:

  • Alpine Linux installed
  • Root or sudo access
  • Some free disk space
  • About 15 minutes

📋 Step 1: Install Audit Package

First, let's install the audit system:

apk update
apk add audit

That was easy! Now let's set it up.

📋 Step 2: Start the Audit Service

Enable and start the audit daemon:

# Add to startup
rc-update add auditd default

# Start it now
rc-service auditd start

# Check if it's running
rc-service auditd status

📋 Step 3: Basic Audit Rules

Let's add some basic rules to track important stuff:

# Watch password file changes
auditctl -w /etc/passwd -p wa -k passwd_changes

# Watch shadow file
auditctl -w /etc/shadow -p wa -k shadow_changes

# Watch sudo commands
auditctl -w /usr/bin/sudo -p x -k sudo_commands

The -p flags mean:

  • w = write
  • a = attribute change
  • x = execute
  • r = read

📋 Step 4: Create Audit Rules File

Make rules permanent by creating a rules file:

vi /etc/audit/audit.rules

Add these rules:

# Delete all rules first
-D

# Set buffer size
-b 8192

# Watch authentication files
-w /etc/passwd -p wa -k passwd_changes
-w /etc/shadow -p wa -k shadow_changes
-w /etc/group -p wa -k group_changes

# Watch sudo usage
-w /usr/bin/sudo -p x -k sudo_usage

# Watch SSH keys
-w /etc/ssh/sshd_config -p wa -k ssh_config

# Track user logins
-w /var/log/wtmp -p wa -k logins
-w /var/run/faillock -p wa -k failed_logins

📋 Step 5: View Audit Logs

Now let's see what got logged:

# See recent events
ausearch -ts recent

# Find password changes
ausearch -k passwd_changes

# See sudo commands
ausearch -k sudo_usage

# Get today's events
ausearch -ts today
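ausearch -k groups the SYSCALL and PATH records that share one serial number into a single event. The following added example (mine, not from the original tutorial) does the same grouping over a constructed audit.log sample using the rule keys from Step 4, and adds a review step that flags denied accesses and writes to the authentication files made from a sudo/su session (auid, the login user, differs from euid). All record contents and field values are constructed.

```python
import re

# Constructed sample of raw /var/log/audit/audit.log records (not from a real host):
# serial 201 = login user 1000, now root (euid 0), edits /etc/passwd
# serial 202 = user 1000 runs sudo
# serial 203 = user 1001 is denied (exit=-13, EACCES) opening /etc/shadow for writing
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1718280000.101:201): arch=c000003e syscall=257 success=yes exit=3 items=2 ppid=2001 pid=2002 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=4 comm="vi" exe="/usr/bin/vi" key="passwd_changes"
type=PATH msg=audit(1718280000.101:201): item=0 name="/etc/" inode=2 dev=fe:01 mode=040755 nametype=PARENT
type=PATH msg=audit(1718280000.101:201): item=1 name="/etc/passwd" inode=1337 dev=fe:01 mode=0100644 nametype=NORMAL
type=SYSCALL msg=audit(1718280000.250:202): arch=c000003e syscall=59 success=yes exit=0 items=1 ppid=2001 pid=2010 auid=1000 uid=1000 gid=1000 euid=0 tty=pts0 ses=4 comm="sudo" exe="/usr/bin/sudo" key="sudo_usage"
type=PATH msg=audit(1718280000.250:202): item=0 name="/usr/bin/sudo" inode=4242 dev=fe:01 mode=0104755 nametype=NORMAL
type=SYSCALL msg=audit(1718280000.300:203): arch=c000003e syscall=257 success=no exit=-13 items=1 ppid=3000 pid=3001 auid=1001 uid=1001 gid=1001 euid=1001 tty=pts1 ses=5 comm="vi" exe="/usr/bin/vi" key="shadow_changes"
type=PATH msg=audit(1718280000.300:203): item=0 name="/etc/shadow" inode=1338 dev=fe:01 mode=0100640 nametype=NORMAL
"""

RECORD_RE = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): ?(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def build_events(text):
    """Join SYSCALL and PATH records sharing one serial into one event, as ausearch does."""
    events = {}
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # blank or non-audit line
        rtype, serial, body = m.group(1), int(m.group(3)), m.group(4)
        f = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
        ev = events.setdefault(serial, {"serial": serial, "time": m.group(2), "paths": []})
        if rtype == "SYSCALL":
            ev.update(key=f.get("key"), auid=int(f["auid"]), euid=int(f["euid"]),
                      exe=f.get("exe"), success=f.get("success") == "yes")
        elif rtype == "PATH" and f.get("nametype") != "PARENT":
            ev["paths"].append(f["name"])  # keep the file itself, not its parent dir
    return [events[s] for s in sorted(events)]

def events_by_key(text, key):
    """Structured equivalent of `ausearch -k KEY`."""
    return [e for e in build_events(text) if e.get("key") == key]

def review(text):
    """Flag denied accesses, and root writes to auth files from a non-root login (auid != euid)."""
    flags = []
    for e in build_events(text):
        if "key" not in e:
            continue  # no SYSCALL record seen for this serial
        if not e["success"]:
            flags.append((e["serial"], "denied", e["auid"], e["paths"]))
        elif e["auid"] != e["euid"] and e["key"] in ("passwd_changes", "shadow_changes"):
            flags.append((e["serial"], "escalated-write", e["auid"], e["paths"]))
    return flags
```

Feed it the real log with `review(open("/var/log/audit/audit.log").read())`; auid is the key field, because it stays the original login user across sudo and su.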

📋 Step 6: Create Reports

Generate useful reports:

# Summary report
aureport

# Authentication report
aureport -au

# File access report
aureport -f

# Failed events
aureport --failed

🎮 Practice Exercise

Let's test our auditing:

  1. Set up file monitoring
  2. Make some changes
  3. Check the logs
  4. Generate a report

# Monitor a test directory
mkdir /tmp/audit-test
auditctl -w /tmp/audit-test -p rwxa -k test_dir

# Make changes
touch /tmp/audit-test/file1.txt
echo "test" > /tmp/audit-test/file2.txt
rm /tmp/audit-test/file1.txt

# Check what happened
ausearch -k test_dir

🚨 Troubleshooting Common Issues

Audit Service Won't Start

If auditd won't start:

# Check for errors
tail -f /var/log/messages

# Try manual start
/usr/sbin/auditd -f

# Check audit status (enabled flag, loaded rule count, lost events)
auditctl -s

Too Many Logs

Getting flooded with logs?

# Reduce logging
auditctl -e 0  # Disable temporarily

# Remove noisy rule (the options must match the original rule exactly, including -p and -k)
auditctl -W /path/to/file -p wa -k key_name

# Restart with new rules
rc-service auditd restart

Can't Find Events

Not seeing expected events?

# Check if auditing is enabled
auditctl -s

# List current rules
auditctl -l

# Search all logs
ausearch -i | grep keyword

💡 Pro Tips

Tip 1: Log Rotation

Set up log rotation:

vi /etc/audit/auditd.conf

# Set these values (max_log_file is in megabytes):
max_log_file = 10
num_logs = 5
max_log_file_action = ROTATE

Tip 2: Real-time Monitoring

Watch events as they happen:

# Follow audit log
tail -f /var/log/audit/audit.log

# Pretty format
ausearch -ts recent -i

Tip 3: Custom Alerts

Create email alerts:

# Create alert script
cat > /usr/local/bin/audit-alert.sh << 'EOF'
#!/bin/sh
# Mail only when the last 10 minutes ("recent") contain matching events;
# replace admin@example.com with your own address
events=$(ausearch -ts recent -k passwd_changes 2>/dev/null)
[ -n "$events" ] && printf '%s\n' "$events" | mail -s "Password Changed!" admin@example.com
EOF

chmod +x /usr/local/bin/audit-alert.sh

# Add to cron
echo "*/5 * * * * /usr/local/bin/audit-alert.sh" | crontab -

✅ Verification Steps

Let's verify everything works:

# Check audit status
auditctl -s

# Test with sudo
sudo ls /root

# Check if logged
ausearch -k sudo_usage -ts recent

# Should show your command!

๐Ÿ† What You Learned

Great job! You can now:

  • โœ… Install audit system
  • โœ… Create audit rules
  • โœ… Monitor file changes
  • โœ… Track user activity
  • โœ… Generate security reports

Your system is much more secure now!

๐ŸŽฏ Whatโ€™s Next?

Now that you have auditing set up, try:

  • Creating custom audit reports
  • Setting up SIEM integration
  • Learning about SELinux auditing
  • Exploring forensic analysis

Remember, auditing helps you sleep better at night. You'll know exactly what happened if something goes wrong. I've caught many issues this way!

Stay secure! 🛡️