Skip to main content
LPIC-3 Exam 303

Installing the Linux Audit System on Ubuntu 18.04

By August 22, 2020September 12th, 2022No Comments
Linux Audit System

The Linux Audit System is a great facility but is not install on Ubuntu be default. As we have seen, previously, CentOS does not need us to install the audit system, it ships as standard. If you are using Ubuntu, though,  this is probably something you would want to install and we step you through the process here. The required packages are included in the standard Unbuntu repos and we can install the Linux Audit System on Ubuntu 18.04 with the following command:

Installing the Ubuntu Linux Audit System

$ sudo apt install -y auditd audispd-plugins

The installation of the package, as is the case mostly with Debian packages, will start the auditd service and add the plugins so we can talk directory with the service. However, unlike the service on CentOS 7 it is possible to stop the service, if required, with systemctl. We can examine how this is done by reading the unit file for the auditd service. This is easy with the command systemctl. To list the contents of the service file we can systemctl on both CentOS and Ubuntu, first we list the CentOS file:

$ systemctl cat auditd

The service unit file on CentOS 7:

# /usr/lib/systemd/system/auditd.service
[Unit]Description=Security Auditing Service DefaultDependencies=no ## If auditd.conf has tcp_listen_port enabled, copy this file to
## /etc/systemd/system/auditd.service and add network-online.target
## to the next line so it waits for the network to start before launching.
After=local-fs.target systemd-tmpfiles-setup.service
Conflicts=shutdown.target
Before=sysinit.target shutdown.target
RefuseManualStop=yes
ConditionKernelCommandLine=!audit=0
Documentation=man:auditd(8) https://github.com/linux-audit/audit-documentation
[Service] Type=forking PIDFile=/var/run/auditd.pid ExecStart=/sbin/auditd ## To not use augenrules, copy this file to /etc/systemd/system/auditd.service ## and comment/delete the next line and uncomment the auditctl line. ## NOTE: augenrules expect any rules to be added to /etc/audit/rules.d/
ExecStartPost=-/sbin/augenrules --load #ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules ExecReload=/bin/kill -HUP $MAINPID
# By default we don't clear the rules on exit. To enable this, uncomment
# the next line after copying the file to /etc/systemd/system/auditd.service
#ExecStopPost=/sbin/auditctl -R /etc/audit/audit-stop.rules
[Install] WantedBy=multi-user.target

It is the RefuseManualStop directive that disallows the restart in CentOS 7.

Compare this to the unit file in Ubuntu 18.04:

# /lib/systemd/system/auditd.service
[Unit]Description=Security Auditing Service DefaultDependencies=no After=local-fs.target systemd-tmpfiles-setup.service Conflicts=shutdown.target Before=sysinit.target shutdown.target ConditionKernelCommandLine=!audit=0
[Service] ExecStart=/sbin/auditd -n ## To use augenrules, copy this file to /etc/systemd/system/auditd.service ## and uncomment the next line and delete/comment out the auditctl line. ## Then copy existing rules to /etc/audit/rules.d/ ## Not doing this last step can cause loss of existing rules #ExecStartPost=-/sbin/augenrules --load
ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules ExecReload=/bin/kill -HUP $MAINPID
[Install] WantedBy=multi-user.target

 

If we needed the same behaviour on Ubuntu as we have in CentOS, it would be easy to edit the Ubuntu file adding the line that we need. RefuseManualStop=yes

We can also see that in CentOS 7 we make use of augenrules and the /etc/audit/rules.d/ directory, whereas on Ubuntu we use just the single file /etc/audit/audit.rules. In both systems this is configurable in the service unit file.

Other than this we will find the services the same and equally useful in tracking exactly who did what on the system . The /var/log/audit/audit.log containing the auid or Actual User ID of any account that is using sudo -i or su to gain an interactive root shell.