auditd Compatibility Mode for Linux Assets

NOTE - Increased log size

Implementing this auditd compatibility mode results in larger audit.log files. As a consequence, the performance and bandwidth usage of your asset could be affected during log collection.

If you are an InsightIDR subscriber, normal deployments of the Insight Agent require the auditd service to be present, but disabled on your target Linux assets. If your organization requires that auditd be enabled at all times, you can configure and implement auditd compatibility mode to satisfy this requirement.

Procedure Overview

This procedure involves merging the edits shown in this article into the following audit service files:

  • audit.rules
  • audispd.conf
  • af_unix.conf

Additionally, you must create a file in the agent installation directory to manually enable auditd compatibility mode.

Requirements

Your Linux hosts must meet the following requirements if you intend to implement auditd compatibility mode:

  • Your installed Insight Agent must be on version 2.5.0.3 or later.
  • The af_unix audispd built-in plugin must be available and unused.
    • Since af_unix can only take a single client, the plugin must be available for the sole use of the compatibility mode.
  • auditd must be installed, but disabled.
    • You will restart the auditd service after merging the necessary edits to the auditd service files.

Configuration Steps

Before you begin, run the following command to verify that the auditd service is present, but stopped:

service auditd status

After verifying that the auditd service is stopped, proceed to the configuration file modification steps.

Configuration File Modifications

Your configuration files must follow the samples shown in these sections.

/etc/audit/audit.rules

NOTE - augenrules merge behavior

Be aware that, if the augenrules script is enabled, the contents of the rules.d directory are merged into audit.rules whenever the rules are loaded.

Since this merge can change the contents of your audit.rules file in a way that no longer matches the requirements of auditd compatibility mode, ensure that augenrules is disabled before proceeding.

# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.

# First rule - delete all
-D

# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 8192

# DO NOT BLOCK THE FOLLOWING EVENTS
# USER_AUTH
# USER_START
# USER_END
# USER_LOGIN
# USER_LOGOUT
# ADD_USER
# DEL_USER
# ADD_GROUP
# DEL_GROUP
# SERVICE_START
# SERVICE_STOP
# SYSCALL
# EXECVE

# REQUIRED (for Insight Agent): watch for execve syscalls, change to arch=b32 for 32 bit systems
-a always,exit -F arch=b64 -S execve -F key=execve

# Feel free to add additional rules below this line. See auditctl man page

NOTE

The -a always,exit -F arch=b64 -S execve -F key=execve audit rule shown here is the minimum rule required by the Insight Agent. You may have additional audit rule lines here as needed.

/etc/audisp/audispd.conf

#
# This file controls the configuration of the audit event
# dispatcher daemon, audispd.
#

q_depth = 8192
overflow_action = SYSLOG
priority_boost = 4
max_restarts = 10
name_format = HOSTNAME

/etc/audisp/plugins.d/af_unix.conf

# This file controls the configuration of the
# af_unix socket plugin. It simply takes events
# and writes them to a unix domain socket. This
# plugin can take 2 arguments, the path for the
# socket and the socket permissions in octal.

active = yes
direction = out
path = builtin_af_unix
type = builtin
args = 0600 /var/run/audispd_events
format = binary

After completing these modifications, start the auditd service with the following command:

service auditd start

Next, verify that you have configured the rules correctly with the following command:

auditctl -l

Although different kernel versions may have minor differences in output, your command results should appear similar to the following:

root@ubuntu:~# auditctl -l
-a always,exit -F arch=b64 -S execve -F key=execve

Agent Modifications

Finally, modify the agent on your Linux asset to complete the procedure:

  1. Navigate to your /opt/rapid7/ir_agent/components/insight_agent/common/ directory.
  2. Create a new file and name it audit.conf.
  3. Open the file with the editing tool of your choice and add the following line:
     {"auditd-compatibility-mode":true}
  4. Save and close the file.
  5. Restart the agent service so that the compatibility mode can take effect.
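The following preflight script is an added example, not part of this article or of the Insight Agent, that checks the three artifacts the procedure above produces (the required execve rule, the af_unix plugin settings and the agent's audit.conf flag) before auditd is restarted. The check functions take a file path, so on a host they can be pointed at /etc/audit/audit.rules, /etc/audisp/plugins.d/af_unix.conf and the agent's audit.conf; the sample files it writes to a temporary directory are constructed here purely for illustration.

```shell
#!/bin/sh
# Added example (not Rapid7 code): offline preflight checks for the auditd
# compatibility-mode settings. Each check_* function takes a file path and
# returns 0 when that file satisfies the documented requirement.

# The execve watch the Insight Agent requires (arch=b32 on 32-bit systems).
check_execve_rule() {
    grep -Eq '^-a always,exit -F arch=b(64|32) -S execve -F key=execve$' "$1"
}

# af_unix plugin: active, outbound, binary, 0600 socket at the documented path.
check_af_unix() {
    for want in 'active *= *yes' 'direction *= *out' 'format *= *binary' \
                'args *= *0600 /var/run/audispd_events'; do
        grep -Eq "^$want *$" "$1" || return 1
    done
}

# Agent-side flag file that switches compatibility mode on.
check_agent_flag() {
    grep -Eq '"auditd-compatibility-mode" *: *true' "$1"
}

# Write constructed sample files to a temp dir and print its path.
write_samples() {
    dir=$(mktemp -d)
    printf '%s\n' '-D' '-b 8192' \
        '-a always,exit -F arch=b64 -S execve -F key=execve' > "$dir/audit.rules"
    printf '%s\n' 'active = yes' 'direction = out' 'path = builtin_af_unix' \
        'type = builtin' 'args = 0600 /var/run/audispd_events' 'format = binary' \
        > "$dir/af_unix.conf"
    # Mis-configured variant: plugin left inactive, wrong socket mode and format.
    printf '%s\n' 'active = no' 'direction = out' \
        'args = 0644 /var/run/audispd_events' 'format = string' > "$dir/af_unix_bad.conf"
    printf '%s\n' '{"auditd-compatibility-mode":true}' > "$dir/audit.conf"
    echo "$dir"
}

# Run every check against a directory laid out like the samples; the return
# value is the number of failed checks, so non-zero means "do not start auditd yet".
run_preflight() {
    failed=0
    check_execve_rule "$1/audit.rules" || { echo "missing execve rule"; failed=$((failed+1)); }
    check_af_unix "$1/af_unix.conf"   || { echo "af_unix.conf not ready"; failed=$((failed+1)); }
    check_agent_flag "$1/audit.conf"  || { echo "agent flag missing"; failed=$((failed+1)); }
    return "$failed"
}
```

On a real host, replace the sample directory with the live paths named above; the script only reads the files and never modifies them.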