PowerProtect Data Manager 19.9 Security Configuration Guide

Configuring the audit service

The Linux auditd daemon captures events from the Linux kernel and records the entries in a log file for inspection. The auditd log entries are based on a set of rules that specify which events are defined in the log files. Auditing is disabled by default. To modify the default audit rules, edit the /etc/audit/audit.rules file.

1. Connect to the PowerProtect Data Manager console and change to the root user.
2. To start auditd, type one of the following commands:
   • Continuous logging—systemctl enable auditd
   • Log until system restart— service auditd start
   NOTE To disable continuous auditd logging, type systemctl disable auditd. To stop auditd, type service auditd stop
3. To review auditd log entries, review the files in the /var/log/audit/audit.log directory.
   NOTE The /var/log/audit/audit.log directory is limited to five files, and log rotation occurs when the file size reaches 6 MB. To modify the default configuration, edit the /etc/audit/auditd.conf file, where:

   • num_logs—Specifies how many log files to concurrently retain in the directory.
   • max_log_file—Specifies the maximum log file size in MB.
   • max_log_file_action— Instructs the auditd daemon to rotate the log files when the log files reach the maximum size.

   Do not modify other parameters unless specifically instructed to do so by Support.
4. To produce a summary report from the audit logs, type aureport --summary