How to enable Linux Audit Daemon in hosts where WSO2 Carbon runtimes are deployed

What is Audit Daemon?

The Linux Audit Daemon is a framework for auditing events on a Linux system. Auditing helps to understand the root causes of kernel-level issues.

Why does WSO2 use Audit Daemon?

Linux Audit Daemon is a tool that keeps track of every activity in the operating system and logs all events based on a provided rule set. Within WSO2 development, we use Audit Daemon to audit activities according to a given set of rules. Through that, we track the performance of Carbon products while identifying relevant issues.

How to enable Audit Daemon?

You can install Audit Daemon as follows:

apt-get install auditd audispd-plugins

Then you have to define a rule set, as you require, to configure auditing for services. Those rules are defined in the audit.rules file. You can define rules one by one as follows:

General Form:

-a action,list -S syscall -F field=value -k keyname


auditctl -a exit,always -F path=/etc/passwd -F perm=wa

The above command adds a “watch” rule on the /etc/passwd file. For more details on adding rules and rule types, refer to the man page of auditd [1].


# Watch system log files
-w /var/log/messages
#-w /var/log/audit/audit.log
-w /var/log/audit/audit[1-4].log
# Watch audit configuration files
-w /etc/audit/auditd.conf -p wa
-w /etc/audit/audit.rules -p wa
# Watch login configuration
-w /etc/login.defs
-w /etc/securetty
-w /etc/resolv.conf

For performance, you have to tune auditing with the given parameters. According to the research done by myself, the following tuning parameters and safe values were identified.

Note: The exact values can change depending on the environment.

“audit.rules” (/etc/audit/audit.rules)

# basic audit system parameters

Remove all existing rules 
-b 8192
This will configure the buffer size
Safe value is 8192

-f 1
The failure flag controls the kernel’s reaction to critical errors.
Possible Values: 0 (silent) 
 1 (printk, print a failure message)
 2 (panic, bring the system down — no clean shutdown and risk of data loss or corruption) 
Safe value is 1

-e 1
Enable/disable auditing
Possible values: 0 Audit is disabled
 1 This enables audit and audit contexts for system calls
 2 does the same, but also locks down the configuration.
Safe value is 1
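
As an added example (not from the original post or from WSO2), the following Python script reads the text of an audit.rules file and reports any -b, -f or -e value that differs from the safe values above, along with watch rules that contain a wildcard or have no -k key. The sample rules and the key name auditconfig are constructed for illustration.

```python
import shlex

# Safe values taken from the tuning section above.
SAFE = {"-b": 8192, "-f": 1, "-e": 1}

def parse_rules(text):
    """Return (controls, watches) parsed from audit.rules text."""
    controls, watches = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # blank line or comment
            continue
        tok = shlex.split(line)
        if tok[0] in SAFE and len(tok) > 1:
            controls[tok[0]] = int(tok[1])
        elif tok[0] == "-w" and len(tok) > 1:
            opts = dict(zip(tok[2::2], tok[3::2]))  # -p perms, -k key
            watches.append((tok[1], opts.get("-p"), opts.get("-k")))
    return controls, watches

def review(text):
    """List deviations from the safe values and weak watch rules."""
    controls, watches = parse_rules(text)
    findings = []
    for flag, safe in SAFE.items():
        value = controls.get(flag)
        if value is None:
            findings.append(f"{flag} is not set (safe value {safe})")
        elif value != safe:
            findings.append(f"{flag} {value} differs from safe value {safe}")
    for path, perm, key in watches:
        # auditctl reads the rules file itself, so no shell expands globs.
        if any(c in path for c in "*?["):
            findings.append(f"{path}: wildcard in watch path is not expanded")
        if key is None:
            findings.append(f"{path}: no -k key to search for with ausearch")
    return findings

# Constructed sample, modelled on the rules shown above.
SAMPLE = """\
# basic audit system parameters
-b 320
-f 2
-e 1
-w /etc/audit/auditd.conf -p wa -k auditconfig
-w /var/log/audit/audit[1-4].log
-w /etc/login.defs
"""

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(finding)
```

To check a real host, pass the contents of /etc/audit/audit.rules to review() instead of SAMPLE.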

“auditd.conf” (/etc/auditd.conf)

Possible values: Non-negative value
Safe value is 4

Numeric value in megabytes that tells the audit daemon when to perform a configurable action because the system is starting to run low on disk space. 
Safe value is 75

Tells the system what action to take when the system has detected that it is starting to get low on disk space
Possible values: ignore, syslog, email, exec, suspend, single, and halt
Safe value is exec with proper script

Identifies the value that is the last chance to act when the system is running out of disk space
Safe value is 74

Defines the action to take when “admin_space_left” is reached
Possible values: ignore, syslog, email, exec, suspend, single, and halt
Safe value is SUSPEND