Configuring Audit Settings on Red Hat

In this lab, we will take a look at setting up auditing services on a Red Hat host. We will configure low space email alerting, limit logging space used, and limit the number of audit buffers. The overall goal of this lab is to control the amount of space our audit logs are using and to use email alerting in order to prevent a partition from filling up.

*This course is not approved or sponsored by Red Hat.*

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Configure the auditd service to start automatically at boot

Run the following command to ensure auditd starts automatically at boot:
```
systemctl enable auditd
```

Setup low disk space email alerts

Edit the /etc/audit/auditd.conf file and set:
- space_left = 100
- space_left_action = email

Restrict the disk space used by the audit logs

Edit the /etc/audit/auditd.conf file and set the max_log_file and the num_logs values so their multiplied value is equal to 300 MB.
- Example:
  - max_log_file could be set to "30" and num_logs could be set to "10".
Save and exit the file.

Limit the number of audit buffers used by the system

Edit the file /etc/audit/rules.d/audit.rules and change the line showing -b 8192 to -b 5120.
Lastly, restart the auditd service
```
service auditd restart
```

What are Hands-on Labs

Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.

Configuring Audit Settings on Red Hat

About this Hands-on Lab

Learning Objectives

Additional Resources

What are Hands-on Labs

Newsletter