Disclaimer: I'm not an accredited nor very experienced sysadmin but have been tasked with some sysadmin responsibilities

Task: Find a way to log all account management activities (e.g., account creation, modification, deletion, etc.) on an Ubuntu 16.04 LTS server and retain the logging information for at least 6 months.

Details:

  • The previous sysadmin had installed auditd to the system as a first step in solving this issue.

    When running:

    sudo systemctl status auditd.service

    systemd spits back that the service is successfully running and listening for events. It is my understanding that this package (auditd) is what I need to accomplish the task. The service seems to already be running and logging so where can I find and retain the log files for 6 months?

  • The file "/var/log/audit/audit.log" exists and the file is populated with audit information

  • Reading more information online about how auditd works, I suspect the solution may be in configuring how the audit log is rotated. I do not fully understand how rotations work, but I believe log files are being rotated when the file size reaches a certain limit and not by how much time has elapsed. I think I can configure rotations by altering the file "/etc/audit/auditd.conf".

So, knowing these details (please ask for more information if you need it), how may I go about accomplishing the Task?

Many thanks for all the help in advance!

repr0

1 Answer

I'd use the auditd configuration steps from here: https://access.redhat.com/solutions/661603

omitting the cron part and instead using logrotate, its compression feature, and the time-based retention settings. For details see man logrotate.

E.g. compress, monthly, postrotate (with command from above solution), and rotate 5.

Be careful with the interval and rotate setup, the example would lead to situations where just approx. 150 days are stored. Depending on your requirements daily/weekly with rotate 180/30 could be better.

hargut
  • Ah, logrotate is very interesting! I've just gone through the man pages--I have a couple of questions. 1) When you say "postrotate (w/ command from above solution)" do you mean the command "kill -HUP $(pidof auditd)"? 2) I see that logrotate uses configuration files to operate. How do I link "logrotate" to use my config files? My best guess would be something like: "logrotate myconfig.conf". Thanks a lot for the response! – repr0 Oct 09 '18 at 19:22
  • Yes, I meant that command. You can also check the option copytruncate instead of the postrotate. Depending on the size of the logfiles and the rotate interval this option will use more disk space during rotation. – hargut Oct 09 '18 at 19:59
  • Typically logrotate is called via cron, but on most of the current distributions logrotate is anyways active. Simply adding the file for your audit logs should be sufficient. You can check /etc/cron* and should find entries that run logrotate. – hargut Oct 09 '18 at 20:03
  • To manually trigger logrotate use `logrotate -df` and the according logrotate config. – hargut Oct 09 '18 at 20:04
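As an added example (not code from the answer above or from the linked Red Hat solution), a small POSIX shell script that prints the logrotate stanza the answer describes for /var/log/audit/audit.log and first checks that the chosen interval and rotate count actually cover the 180 days the task requires; the function names and the /etc/logrotate.d/audit destination are assumptions, and the postrotate command is the one named in the comments.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed: auditd writes
# /var/log/audit/audit.log (as in the question), the output goes to an assumed
# /etc/logrotate.d/audit, and auditd's own size-based rotation in auditd.conf is
# handled separately as the linked solution describes.

# Approximate days a policy keeps: interval length in days * rotate count.
retention_days() {
    case "$1" in
        daily)   days=1 ;;
        weekly)  days=7 ;;
        monthly) days=30 ;;
        *) echo "unknown interval: $1" >&2; return 1 ;;
    esac
    echo $((days * $2))
}

# Emit the stanza: compress and rotate as in the answer; delaycompress keeps the
# newest rotated file uncompressed until auditd has reopened its log after HUP.
audit_logrotate_conf() {
    cat <<EOF
/var/log/audit/audit.log {
    $1
    rotate $2
    missingok
    compress
    delaycompress
    postrotate
        kill -HUP \$(pidof auditd)
    endscript
}
EOF
}

# Fail when the policy stores fewer days than required: the answer's monthly
# with rotate 5 keeps about 150 days, short of the 180 the task needs.
check_policy() {
    kept=$(retention_days "$2" "$3") || return 1
    if [ "$kept" -lt "$1" ]; then
        echo "$2 with rotate $3 keeps ~$kept days, need $1" >&2
        return 1
    fi
}

if [ "${1:-}" = "--demo" ]; then
    check_policy 180 weekly 30 && audit_logrotate_conf weekly 30
fi
```

Run it with `--demo` to print the weekly/rotate 30 stanza, save that under /etc/logrotate.d, and dry-run it with `logrotate -d` on that file as the comment above suggests before relying on it.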