
I am trying to learn about securing a Linux box (I am using Ubuntu). Auditd is recommended for monitoring activities on the node. I have managed to install it, but I can't find much information about proper set-up to secure my node.

How should I set up auditd to make my node more secure? What should I monitor? Why? I am looking for set-up examples and recommendations from experienced administrators.

Thanks!

Scott Pack
Jérôme Verstrynge

1 Answer


Just to be clear, auditd is an invaluable tool, but it will not make your system more secure. What it will do is provide you with much more detailed logging on certain activities. Someone will still need to review the generated logs. Much like the tree, if an activity is monitored, but no one is watching, do the logs matter?

At the simplest, I have used the following for /etc/audit/audit.rules. It will throw a log whenever the setrlimit or stime system calls exit, as well as whenever a directory is deleted.

# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.

# First rule - delete all existing rules
-D

# Enable auditing (0 = disabled, 1 = enabled, 2 = enabled and locked until reboot)
-e 1

# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 1024

# Feel free to add below this line. See auditctl man page
# Log every exit from unlink (file removal) and rmdir (directory removal)
-a exit,always -S unlink -S rmdir
# -S takes a syscall name or number, not a pattern.
# Note: stime exists only on 32-bit architectures; auditctl on x86_64
# rejects the name unless the rule is scoped with -F arch=b32.
-a exit,always -S stime
-a exit,always -S setrlimit

For some more in-depth examples check out the CIS Benchmark for RHEL 5.1-5.2. Unfortunately, there isn't one for Ubuntu, and the one for Debian is several years old. However, there shouldn't be anything in that section that is distribution specific.

Scott Pack
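The answer's point is that the rules only produce records; someone still has to read them. The following script, an added example that is not part of the original answer, groups the SYSCALL/CWD/PATH records that the unlink/rmdir rule above emits by event serial and reports who removed (or failed to remove) which path. The log lines are constructed for illustration, and the syscall-number mapping assumes an x86_64 host (arch=c000003e).

```python
import re
from collections import defaultdict

# Constructed sample of audit.log records (inodes, pids and paths are made up).
# Event 501: a successful unlink by auid 1000; event 502: a denied rmdir by auid 1001.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=87 success=yes exit=0 ppid=2001 pid=2002 auid=1000 uid=1000 euid=1000 comm="rm" exe="/usr/bin/rm"
type=CWD msg=audit(1700000000.101:501): cwd="/home/alice"
type=PATH msg=audit(1700000000.101:501): item=0 name="/home/alice" inode=101 nametype=PARENT
type=PATH msg=audit(1700000000.101:501): item=1 name="/home/alice/notes.txt" inode=102 nametype=DELETE
type=SYSCALL msg=audit(1700000000.202:502): arch=c000003e syscall=84 success=no exit=-13 ppid=3001 pid=3002 auid=1001 uid=1001 euid=1001 comm="rmdir" exe="/usr/bin/rmdir"
type=CWD msg=audit(1700000000.202:502): cwd="/var/log"
type=PATH msg=audit(1700000000.202:502): item=0 name="/var/log/audit" inode=201 nametype=PARENT
"""

# x86_64 syscall numbers for the two calls recorded by "-a exit,always -S unlink -S rmdir".
SYSCALL_NAMES = {84: "rmdir", 87: "unlink"}

_TOKEN = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"
_SERIAL = re.compile(r"audit\(\d+\.\d+:(\d+)\)")  # the serial inside msg=audit(ts:serial)

def parse_record(line):
    """Turn one audit record into a dict of its fields plus the event serial."""
    fields = {k: v.strip('"') for k, v in _TOKEN.findall(line)}
    fields["serial"] = int(_SERIAL.search(line).group(1))
    return fields

def summarize_deletions(log_text):
    """Group records by serial and report who removed what, and whether it succeeded."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_record(line)
            events[rec["serial"]].append(rec)
    report = []
    for serial, recs in sorted(events.items()):
        sc = next((r for r in recs if r["type"] == "SYSCALL"), None)
        if sc is None or int(sc["syscall"]) not in SYSCALL_NAMES:
            continue  # not an event from the unlink/rmdir rule
        deleted = [r["name"] for r in recs
                   if r["type"] == "PATH" and r.get("nametype") == "DELETE"]
        report.append({"serial": serial, "syscall": SYSCALL_NAMES[int(sc["syscall"])],
                       "auid": int(sc["auid"]), "exe": sc["exe"],
                       "success": sc["success"] == "yes", "deleted": deleted})
    return report

if __name__ == "__main__":
    for event in summarize_deletions(SAMPLE_LOG):
        print(event)
```

A failed call (success=no) carries no PATH record with nametype=DELETE, so the "deleted" list is empty while the attempt itself is still reported.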