auditd Compatibility Mode for Linux Assets
NOTE - Increased log size
auditd compatibility mode results in larger audit.log files. As a consequence, the performance and bandwidth usage of your asset could be affected during log collection.
If you are an InsightIDR subscriber, normal deployments of the Insight Agent require the auditd service to be present, but disabled on your target Linux assets. If your organization requires that auditd be enabled at all times, you can configure and implement auditd compatibility mode to satisfy this requirement.
This procedure involves merging the edits shown in this article into the audit service files covered under Configuration File Modifications below: the audit rules file, the audispd configuration file, and the af_unix plugin configuration file. Additionally, you must create a file in the agent installation directory to manually enable auditd compatibility mode.
Your Linux hosts must meet the following requirements if you intend to implement auditd compatibility mode:
- Your installed Insight Agent must be on version 184.108.40.206 or later.
- The audispd built-in af_unix plugin must be available and unused. Because af_unix can only take a single client, the plugin must be available for the sole use of the compatibility mode.
- auditd must be installed, but disabled.
- You will restart the auditd service after merging the necessary edits to the audit service files.
- You will restart the agent service after enabling compatibility mode.
Before you begin, run the following command to verify that the auditd service is present, but stopped:
service auditd status
After verifying that the auditd service is stopped, proceed to the configuration file modification steps.
Configuration File Modifications
Your configuration files must follow the samples shown in these sections.
NOTE - augenrules merge behavior
Be aware that the contents of rules.d merge with audit.rules if the augenrules script is enabled. Since this can ultimately affect the contents of your audit.rules file in a way that is inconsistent with the requirements of the auditd compatibility mode, ensure that augenrules is disabled before proceeding.
audit.rules (audit rules file):

# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.

# First rule - delete all
-D

# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 8192

# DO NOT BLOCK THE FOLLOWING EVENTS
# USER_AUTH
# USER_START
# USER_END
# USER_LOGIN
# USER_LOGOUT
# ADD_USER
# DEL_USER
# ADD_GROUP
# DEL_GROUP
# SERVICE_START
# SERVICE_STOP
# SYSCALL
# EXECVE

# REQUIRED (for Insight Agent): watch for execve syscalls, change to arch=b32 for 32 bit systems
-a always,exit -F arch=b64 -S execve -F key=execve

# Feel free to add additional rules below this line. See auditctl man page
The -a always,exit -F arch=b64 -S execve -F key=execve audit rule shown here is the minimum rule required by the Insight Agent. You may have additional audit rule lines here as needed.
audispd configuration file:

#
# This file controls the configuration of the audit event
# dispatcher daemon, audispd.
#

q_depth = 8192
overflow_action = SYSLOG
priority_boost = 4
max_restarts = 10
name_format = HOSTNAME
af_unix plugin configuration file:

# This file controls the configuration of the
# af_unix socket plugin. It simply takes events
# and writes them to a unix domain socket. This
# plugin can take 2 arguments, the path for the
# socket and the socket permissions in octal.

active = yes
direction = out
path = builtin_af_unix
type = builtin
args = 0600 /var/run/audispd_events
format = binary
After completing these modifications, start the auditd service with the following command:
service auditd start
Next, verify that you have configured the rules correctly with the following command:
auditctl -l
Although different kernel versions may have minor differences in output, your command results should appear similar to the following:
root@ubuntu:~# auditctl -l
-a always,exit -F arch=b64 -S execve -F key=execve
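The following script is an added example and is not part of the Rapid7 documentation or the Insight Agent. It is a pre-flight check that reads a copy of the af_unix plugin file and either the audit rules file or saved auditctl -l output, and confirms they carry the plugin settings and the minimum execve rule this procedure requires. The expected values come from the configuration samples above; the file paths are passed in as arguments, so the paths in the usage comment are placeholders, not paths taken from the page.

```shell
#!/bin/sh
# Added example, not Rapid7's code: pre-flight checks for the auditd
# compatibility mode configuration. File paths are supplied by the caller.

# check_af_unix_conf FILE
# Verifies the af_unix plugin file carries the values from the sample:
# active=yes, direction=out, type=builtin, format=binary, and a socket mode
# of 0600 in args (so only root can connect to the audispd socket).
# Returns 0 when everything matches, 1 otherwise; mismatches go to stderr.
check_af_unix_conf() {
  conf="$1"
  rc=0
  for pair in 'active=yes' 'direction=out' 'type=builtin' 'format=binary'; do
    key=${pair%%=*}
    want=${pair#*=}
    # Take the last uncommented "key = value" line; these values contain no spaces.
    got=$(sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$conf" | tail -n 1)
    if [ "$got" != "$want" ]; then
      echo "af_unix: $key is '${got:-unset}', expected '$want'" >&2
      rc=1
    fi
  done
  # args holds the socket mode followed by the socket path.
  args=$(sed -n 's/^[[:space:]]*args[[:space:]]*=[[:space:]]*//p' "$conf" | tail -n 1)
  case "$args" in
    0600\ *) ;;
    *) echo "af_unix: args is '${args:-unset}', expected socket mode 0600 followed by the socket path" >&2
       rc=1 ;;
  esac
  return "$rc"
}

# check_execve_rule FILE
# FILE is either the audit rules file or saved `auditctl -l` output; both
# must contain the minimum rule the agent needs as an exact line.
check_execve_rule() {
  grep -Fxq -- '-a always,exit -F arch=b64 -S execve -F key=execve' "$1"
}

# Usage (placeholder paths; adjust to where your distribution keeps the files):
#   sh preflight.sh /path/to/af_unix.conf /path/to/audit.rules
if [ "$#" -eq 2 ]; then
  if check_af_unix_conf "$1" && check_execve_rule "$2"; then
    echo "compatibility mode prerequisites look good"
  else
    echo "compatibility mode prerequisites NOT met" >&2
    exit 1
  fi
fi
```

Run it before starting auditd, then again against the output of auditctl -l after the service is up; the second run confirms that augenrules or another rules source did not replace the required rule.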
Finally, modify the agent on your Linux asset to complete the procedure:
- Navigate to your agent installation directory.
- Create a new file and name it
- Open the file with the editing tool of your choice and add the following line:
- Save and close the file.
- Restart the agent service so that the compatibility mode can take effect.