InsightIDR - auditd Compatibility Mode for Linux Assets
InsightIDR requires you to configure
auditd Compatibility Mode for Linux Assets for the normal deployment of the Insight Agent.
In order for InsightIDR to monitor specific file paths from your Linux machine, you must configure auditd Compatibility Mode with slight modifications. This Compatibility Mode is necessary to configure File Integrity Monitoring (FIM) for Linux, or if you have other FIM agents that need to read from the
audit.log to generate FIM events, besides Insight products.
This implementation can increase log size
auditd Compatibility Mode results in larger
audit.log files. As a consequence, the performance and bandwidth usage of your asset could increase, depending on the audit events captured.
To configure auditd Compatibility Mode, your Linux host must meet the following requirements:
- Your installed Insight Agent must be on version 126.96.36.199 or later.
audispdbuilt-in plugin must be available and not used by other clients.
af_unixcan only take a single client, so the plugin must be available for the sole use of the Compatibility Mode.
auditdmust be restarted and running after implementing auditd Compatibility Mode.
Configuration File Modifications
This procedure involves editing and saving the following
audit service and configuration files:
There are two ways to configure the
audit.rules file, based on the status of the
augenrulesscript is active:
audit.rules file inside the
/etc/audit/rules.d directory. To do so, apply the guidance from this Linux manual page: https://man7.org/linux/man-pages/man8/augenrules.8.html.
This action prevents merging issues, since the contents of
/etc/audit/rules.d merge with the contents of
/etc/audit/audit.rules when the
augenrules script is active.
augenrulesscript is not active:
1# This file contains the auditctl rules that are loaded2# whenever the audit daemon is started via the initscripts.3# The rules are simply the parameters that would be passed4# to auditctl.56# First rule - delete all7-D89# Increase the buffers to survive stress events.10# Make this bigger for busy systems11-b 81921213# DO NOT BLOCK THE FOLLOWING EVENTS14# USER_AUTH15# USER_START16# USER_END17# USER_LOGIN18# USER_LOGOUT19# ADD_USER20# DEL_USER21# ADD_GROUP22# DEL_GROUP23# SERVICE_START24# SERVICE_STOP25# SYSCALL26# EXECVE27282930# REQUIRED (for Insight Agent): watch for execve syscalls, change to arch=b32 for 32 bit systems31-a always,exit -F arch=b64 -S execve -F key=execve3233# Feel free to add additional rules below this line. See auditctl man page34
-a always,exit -F arch=b64 -S execve -F key=execve audit rule shown here is the minimum rule required by the Insight Agent. You may have additional audit rule lines here as needed. For example, if you want to configure File Integrity Monitoring (FIM), or if you have auditing requirements to track activity.
Skip this step on RHEL 8.0+ and CentOS 8.0+
audispd is part of
auditd starting RHEL 8 and CentOS 8. This step is only necessary on lower versions of RHEL and CentOS.
audispd.conf file in this directory:
1#2# This file controls the configuration of the audit event3# dispatcher daemon, audispd.4#56q_depth = 81927overflow_action = SYSLOG8priority_boost = 49max_restarts = 1010name_format = HOSTNAME
- Edit the
af_unix.conffile in this directory:
/etc/audisp/plugins.d/af_unix.conf. On RHEL 8+ and CentOS 8+ navigate to
1# This file controls the configuration of the2# af_unix socket plugin. It simply takes events3# and writes them to a unix domain socket. This4# plugin can take 2 arguments, the path for the5# socket and the socket permissions in octal.67active = yes8direction = out9path = builtin_af_unix10type = builtin11args = 0600 /var/run/audispd_events12format = binary
- After completing these modifications, start the
auditdservice with the following command:
1service auditd start
- Next, verify that you have configured the rules correctly with the following command:
- Different kernel versions may have minor differences in output. This is an example of how command results should look like:
1root@ubuntu:~# auditctl -l2-a always,exit -F arch=b64 -S execve -F key=execve
Finally, you must create a file in the agent installation directory to manually activate the
auditd Compatibility Mode:
- Navigate to your
- Create a new file and name it
- Open the file with the editing tool of your choice and add the following line:
- Save and close the file.
- Restart the agent service so that the Compatibility Mode can take effect.
- Verify the configuration by modifying a file in the directory you set to monitor. Within 5-7 minutes you should see an event in the File Modification Activity->Endpoint Agents log.