Enable the Linux Audit system

The Linux Audit system enables the system administrator to track security-relevant events by creating an audit trail: a log of the actions on the server that match the configured audit rules. More specifically, based on the pre-configured rules, the audit system creates log entries that record system calls and file accesses. By monitoring the events happening on your system, you can reveal violations of the system security policy and refine the set of audit rules to capture further misuse or unauthorized activity. Note that the audit system records events, it does not block them; preventing an action requires a separate control.

This section describes how to enable the audit system in your MCP deployment in compliance with CIS audit benchmarks and applies to both existing and new MCP deployments. Once you enable the audit system, the Fluentd service of StackLight LMA collects the audit logs and sends them to Elasticsearch for storage.

To enable the Linux Audit system:

  1. Log in to the Salt Master node.

  2. In the classes/cluster/<cluster_name>/infra/init.yml file of your Reclass model, include the following class:

    classes:
    ...
    - system.auditd.server.ciscat
    
  3. If required, configure the CIS-CAT rules depending on the needs of your deployment.

  4. Select from the following options:

    • If you are performing the initial deployment of your environment, no further action is required: the auditd service is installed and configured during the MCP cluster deployment.

    • If you are enabling the auditd service in an existing environment:

      1. Refresh pillars and synchronize Salt modules:

        salt '*' saltutil.refresh_pillar
        salt '*' saltutil.sync_modules
        
      2. Apply the salt state:

        salt '*' state.sls salt
        
      3. Apply the changes to the Reclass model by running the auditd state:

        salt \* state.sls auditd
        
  5. Verify that the auditd service is running on every node in your deployment. Each minion should report True:

    salt \* service.status auditd
    
  6. Verify that the rules are loaded as expected using the auditctl tool. auditctl -l prints the rules currently loaded in the kernel, so it reflects what is actually being audited rather than what the rules files on disk contain:

    salt \* cmd.run "auditctl -l"
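The two verification commands above return one result per minion, which is tedious to read across a large cluster. The following script is an added example, not part of the MCP documentation or the Salt formula: it parses output in the shape the Salt CLI prints (a `<minion>:` line followed by indented result lines) and reports the minions where auditd is not running and the audit rule keys that are missing from a minion's loaded rules. The hostnames, the sample output and the rule keys (identity, scope, time-change, actions) are constructed for the example; substitute the keys your CIS-CAT rule set actually defines.

```shell
#!/bin/sh
# Added example: post-enablement checks for auditd across Salt minions.
# All input below is constructed text in the shape the Salt CLI prints;
# it is not output captured from any real deployment.

# Constructed sample of `salt \* service.status auditd` output (made-up hostnames).
SAMPLE_STATUS='ctl01.example.local:
    True
cmp01.example.local:
    False
mon01.example.local:
    True'

# Constructed sample of `salt \* cmd.run "auditctl -l"` output for one minion.
# The rules and keys are illustrative, not the actual CIS-CAT rule set.
SAMPLE_RULES='ctl01.example.local:
    -w /etc/passwd -p wa -k identity
    -w /etc/sudoers -p wa -k scope
    -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=time-change'

# Print the name of every minion whose service.status result is not True.
# Salt prints "<minion>:" on its own line, then the result indented beneath it.
nodes_without_auditd() {
  printf '%s\n' "$1" | awk '
    /^[^ ].*:$/ { node = substr($0, 1, length($0) - 1); next }
    { if ($1 != "True") print node }'
}

# Print each expected audit key (arguments after the rules text) that does not
# appear in the loaded rules. auditctl shows keys as "-k <key>" or "-F key=<key>".
# Prints nothing when every key is present.
missing_rule_keys() {
  rules="$1"; shift
  for key in "$@"; do
    printf '%s\n' "$rules" | grep -Eq -- '(-k |-F key=)'"$key"'( |$)' || echo "$key"
  done
}

# Stand-alone demonstration on the constructed samples. In a real check, feed
# the captured Salt output into the two functions instead.
echo "Minions where auditd is not running:"
nodes_without_auditd "$SAMPLE_STATUS"
echo "Expected rule keys missing on ctl01:"
missing_rule_keys "$SAMPLE_RULES" identity scope time-change actions
```

On the constructed input the first function reports cmp01.example.local, and the second reports only actions, because no loaded rule carries that key. A minion that appears in the first list needs the auditd state re-applied; a missing key usually means the rules file was not loaded by auditd on that node, which auditctl -l exposes and a look at the rules files on disk would not.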