The Linux Audit system enables the system administrator to track security-relevant events by creating an audit trail, which is a log for every action on the server. More specifically, based on the pre-configured rules, the audit system creates log entries that record system calls. By monitoring the events happening on your system, you can reveal violations of system security policies and adjust the set of audit rules to prevent further misuse or unauthorized activities within the system.
This section describes how to enable the audit system in your MCP deployment in compliance with CIS audit benchmarks and applies to both existing and new MCP deployments. Once you enable the audit system, the Fluentd service of StackLight LMA collects the audit logs and sends them to Elasticsearch for storage.
To enable the Linux Audit system:

1. Log in to the Salt Master node.

2. In the classes/cluster/<cluster_name>/infra/init.yml file of your Reclass model, include the following class:

       classes:
       ...
       - system.auditd.server.ciscat

3. If required, configure the CIS-CAT rules depending on the needs of your deployment.

4. Select from the following options:

   - If you are performing the initial deployment of your environment, the auditd service will be installed during the MCP cluster deployment.

   - If you are enabling the auditd service in an existing environment:

     1. Refresh pillars and synchronize Salt modules:

            salt '*' saltutil.refresh_pillar
            salt '*' saltutil.sync_modules

     2. Apply the salt state:

            salt '*' state.sls salt

     3. Apply the changes to the Reclass model by running the auditd state:

            salt \* state.sls auditd

5. Verify that the auditd service is enabled in your deployment:

       salt \* service.status auditd

6. Verify that the rules are being applied as expected using the auditctl tool:

       salt \* cmd.run "auditctl -l"
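The last step prints the rule set that auditd has actually loaded on each node, but across a whole deployment a reader still has to compare that output against the rules the CIS-CAT class was meant to install. The following script is an added example, not part of the original documentation or of the MCP Reclass model: it takes the loaded rule set (here a constructed sample standing in for the real "auditctl -l" output) and a list of expected rules (also constructed, in auditctl syntax, and not the actual CIS-CAT rule set shipped by system.auditd.server.ciscat) and reports every expected rule that is missing. The function names missing_rules and count_missing are the example's own.

```shell
#!/bin/sh
# Added example: compare the audit rules loaded on a node against a list of
# rules that are expected to be present. Neither rule list below comes from
# the MCP CIS-CAT class; both are constructed samples for this example.

# Constructed stand-in for the output of `auditctl -l` on one node.
SAMPLE_LOADED_RULES='-w /etc/passwd -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/sudoers -p wa -k scope
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=time-change'

# Constructed list of rules the deployment is expected to have loaded.
EXPECTED_RULES='-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/sudoers -p wa -k scope'

# missing_rules LOADED EXPECTED
# Prints each expected rule that does not appear verbatim in the loaded set,
# one per line. Returns 0 when every expected rule is loaded, 1 otherwise.
missing_rules() {
    loaded=$1
    expected=$2
    rc=0
    # Read the expected rules line by line from a here-document rather than
    # a pipe, so that rules containing spaces stay intact and rc survives
    # the loop (a pipe would run the loop in a subshell).
    while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        # -F: fixed string, -x: whole line must match, -q: no output.
        if ! printf '%s\n' "$loaded" | grep -Fxq -- "$rule"; then
            printf '%s\n' "$rule"
            rc=1
        fi
    done <<EOF
$expected
EOF
    return $rc
}

# count_missing LOADED EXPECTED
# Prints the number of expected rules that are not loaded.
count_missing() {
    missing_rules "$1" "$2" | grep -c .
}

# Run the check on the constructed sample and report the result.
if missing=$(missing_rules "$SAMPLE_LOADED_RULES" "$EXPECTED_RULES"); then
    echo "all expected audit rules are loaded"
else
    printf 'missing audit rules:\n%s\n' "$missing"
fi
```

On a real node the loaded set would be obtained with "auditctl -l" (for example, LOADED=$(auditctl -l)) and the expected list would be the rules the deployment's CIS-CAT configuration defines; the sample above deliberately lacks the /etc/shadow watch so that the report shows one missing rule. Because the comparison is on whole lines, a rule that auditd has normalized differently from the way it was written (for example, reordered fields) will be reported as missing and should be checked by hand before the rule set is changed.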