Linux Audit Quick Start
SUSE Linux Enterprise 11 SP1
Linux audit allows you to comprehensively log and track any access to files, directories, or resources of your system and trace system calls. It enables you to monitor your system for application misbehavior or code malfunctions. By creating a sophisticated set of rules including file watches and system call auditing, you can make sure that any violation of your security policies is noticed and properly addressed.
To set up Linux audit on your system, proceed as follows:
1. Stop the audit daemon that is running by default with the rcauditd stop command.
2. Adjust the system configuration for audit and enable audit.
3. Configure the audit daemon.
4. Determine which system components to audit and set up audit rules.
5. Start the audit daemon after you have completed the configuration of the audit system using the rcauditd start command.
6. Determine which reports to run and configure these reports.
7. Analyze the audit logs and reports.
8. (Optional) Analyze individual system calls with autrace.
IMPORTANT: Users Entitled to Work with Audit
The audit tools, configuration files, and logs are only available to root. This protects audit from ordinary users of the system. To manipulate any aspect of audit, you must be logged in as root.
Enabling Audit
Your first task when enabling audit is to activate system call auditing, since system call auditing capabilities are needed even when you are only configuring plain file or directory watches:
Enabling System Call Auditing for One Session Only
Enable with auditctl -e 1 and disable with auditctl -e 0. These settings are not persistent and do not survive a reboot.
Enabling System Call Auditing Permanently
Permanently enable audit contexts for system calls by changing AUDITD_DISABLE_CONTEXTS in /etc/sysconfig/auditd from yes to no. To permanently disable audit contexts for system calls, revert this setting to yes. This configuration will be applied with the next start of the audit daemon.
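The permanent setting is a one-line change to /etc/sysconfig/auditd. The following is an added example, not code from the Novell quick start, showing a small POSIX shell helper that makes that change and reads the value back. The function names, the backup convention and the temporary demo file are constructed for this example; try it on a copy as shown before pointing it at the real file as root.

```shell
#!/bin/sh
# Added example (not from the Novell quick start): set AUDITD_DISABLE_CONTEXTS
# in a sysconfig-style file and read it back. The file path is a parameter so
# the helper can be exercised on a copy before touching /etc/sysconfig/auditd.

# Print the current value of AUDITD_DISABLE_CONTEXTS (empty if the file has none).
# Quotes around the value are optional, trailing comments are ignored.
get_audit_contexts_flag() {
    file=$1
    sed -n 's/^AUDITD_DISABLE_CONTEXTS="\{0,1\}\([a-z]*\)"\{0,1\}.*$/\1/p' "$file" | tail -n 1
}

# Set AUDITD_DISABLE_CONTEXTS to yes or no. Keeps a .bak copy, rewrites an
# existing assignment in place, or appends one if the file has none, and
# fails unless the value reads back as requested.
set_audit_contexts_flag() {
    file=$1
    value=$2
    case $value in
        yes|no) ;;
        *) echo "value must be yes or no" >&2; return 2 ;;
    esac
    cp -p "$file" "$file.bak" || return 1
    if grep -q '^AUDITD_DISABLE_CONTEXTS=' "$file"; then
        sed -i "s/^AUDITD_DISABLE_CONTEXTS=.*/AUDITD_DISABLE_CONTEXTS=\"$value\"/" "$file"
    else
        printf 'AUDITD_DISABLE_CONTEXTS="%s"\n' "$value" >> "$file"
    fi
    [ "$(get_audit_contexts_flag "$file")" = "$value" ]
}

# Constructed stand-in for /etc/sysconfig/auditd in a temp directory, holding
# the shipped default (yes); the demo flips it to no, i.e. contexts enabled.
demo_dir=$(mktemp -d)
demo_file=$demo_dir/auditd
cat > "$demo_file" <<'EOF'
## Path: System/Security/Audit
## Type: yesno
## Default: yes
AUDITD_DISABLE_CONTEXTS="yes"
EOF
set_audit_contexts_flag "$demo_file" no && echo "AUDITD_DISABLE_CONTEXTS is now: $(get_audit_contexts_flag "$demo_file")"
```

The change only takes effect at the next start of the audit daemon, so the helper deliberately does nothing beyond editing the file; restarting auditd and the per-session auditctl -e 1 / auditctl -e 0 switches stay separate, explicit steps.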
Configuring Audit
The configuration of the audit daemon is contained in the /etc/audit/auditd.conf configuration file. The default settings as shipped with SUSE Linux Enterprise should be sufficient for most setups.
log_file = /var/log/audit/audit.log
log_format = RAW
log_group = root
priority_boost = 4
NOVELL® QUICK START CARD
Page 2: Setting Up Audit Rules

/etc/audit/auditd.conf (continued):
flush = INCREMENTAL
freq = 20
num_logs = 4
disp_qos = lossy
dispatcher = /usr/sbin/audispd
name_format = NONE
#name = mydomain
max_log_file = 5
max_log_file_action = ROTATE
space_left = 75...

/etc/audit/audit.rules example:
-b 8192
-f 1
-e 1
# some file and directory watches
-w /var/log/audit/
-w /etc/audit/auditd.conf -p rxwa
-w /etc/audit/audit.rules -p rxwa
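Two limits the quick start states on its Generating Reports page apply to every -w line in a rules file like the one above: audit does not support pathname globbing, and only existing files or directories can be watched. The following is an added example, not the quick start's own code, of a POSIX shell pre-flight check that enforces both before a rules file is loaded with auditctl. The function name, the temporary directory layout and the rules file it checks are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the Novell quick start): pre-flight check of an
# audit.rules file. It flags -w watch rules whose path contains globbing
# characters or points at a path that does not exist, so that a bad rule is
# caught before the file is handed to auditctl. Control rules (-b, -f, -e)
# and syscall rules are passed through unchecked.

# Print one diagnostic per problem on stderr and the problem count on stdout.
check_watch_rules() {
    rules=$1
    problems=0
    while IFS= read -r line || [ -n "$line" ]; do
        # Skip blank lines and comments.
        case $line in
            ''|'#'*) continue ;;
        esac
        # Only -w watch rules are checked here.
        case $line in
            '-w '*) ;;
            *) continue ;;
        esac
        # The second whitespace-separated field is the watched path
        # (awk is used rather than word splitting so the shell never globs it).
        path=$(printf '%s\n' "$line" | awk '{print $2}')
        case $path in
            *\**|*\?*|*\[*)
                echo "globbing not supported, use the exact pathname: $line" >&2
                problems=$((problems + 1))
                continue ;;
        esac
        if [ ! -e "$path" ]; then
            echo "path does not exist, watch cannot be set: $line" >&2
            problems=$((problems + 1))
        fi
    done < "$rules"
    echo "$problems"
}

# Constructed demo: a temp directory standing in for / with a rules file that
# mirrors the quick start's watches plus one globbed and one missing path.
demo=$(mktemp -d)
mkdir -p "$demo/etc/audit" "$demo/log/audit"
: > "$demo/etc/audit/auditd.conf"
cat > "$demo/audit.rules" <<EOF
-b 8192
-f 1
-e 1
# some file and directory watches
-w $demo/log/audit/
-w $demo/etc/audit/auditd.conf -p rxwa
-w $demo/etc/audit/*.rules -p rxwa
-w $demo/etc/missing.conf -p rwa
EOF
echo "problems found: $(check_watch_rules "$demo/audit.rules")"
```

A count of 0 means every watch names an exact, existing path; anything else should be fixed before the rules are loaded, because a rejected watch silently leaves that file unmonitored.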
Page 3: Generating Reports

• Pathname globbing of any kind is not supported by audit. Always use the exact pathnames.
• Auditing can only be performed on existing files. Any files...

aureport --failed
Run this report to get statistics of failed events on your system. This report includes the same event categories as the summary report.
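aureport --failed summarizes the failed events in the audit log. The following is an added example, not part of the quick start, that performs the core of that summary with awk over a RAW-format log (log_format = RAW, the default shown above): it counts records carrying success=no or res=failed, grouped by record type. The log lines embedded in it are constructed for the demo, including the syscall numbers and timestamps; on a real system the input is /var/log/audit/audit.log.

```shell
#!/bin/sh
# Added example (not from the Novell quick start): count failed events in a
# RAW audit.log, grouped by record type, without needing the audit daemon.
# SYSCALL records mark failure with success=no; user-space records such as
# USER_AUTH carry res=failed inside their msg field.

# Print "TYPE COUNT" for each record type with at least one failed event, sorted by type.
failed_by_type() {
    awk '
        / success=no/ || /res=failed/ {
            if (match($0, /type=[A-Z_]+/)) {
                t = substr($0, RSTART + 5, RLENGTH - 5)
                n[t]++
            }
        }
        END { for (t in n) print t, n[t] }
    ' "$1" | sort
}

# Total number of failed events as a single number (0 for an empty log).
failed_total() {
    failed_by_type "$1" | awk '{ s += $2 } END { print s + 0 }'
}

# Constructed sample log: two denied SYSCALLs hitting watched files, one
# successful SYSCALL, and one failed PAM authentication.
demo=$(mktemp)
cat > "$demo" <<'EOF'
type=SYSCALL msg=audit(1262304000.123:42): arch=c000003e syscall=2 success=no exit=-13 comm="cat" exe="/bin/cat" key="watch_auditd_conf"
type=CWD msg=audit(1262304000.123:42):  cwd="/home/tux"
type=PATH msg=audit(1262304000.123:42): item=0 name="/etc/audit/auditd.conf" inode=1234 dev=08:01 mode=0100640 ouid=0 ogid=0
type=SYSCALL msg=audit(1262304001.456:43): arch=c000003e syscall=2 success=yes exit=3 comm="auditctl" exe="/sbin/auditctl"
type=USER_AUTH msg=audit(1262304002.789:44): user pid=2301 uid=0 auid=1000 msg='op=PAM:authentication acct="tux" exe="/bin/su" res=failed'
type=SYSCALL msg=audit(1262304003.012:45): arch=c000003e syscall=87 success=no exit=-13 comm="rm" exe="/bin/rm" key="watch_rules"
EOF
failed_by_type "$demo"
echo "total failed events: $(failed_total "$demo")"
```

The CWD and PATH records share the event id of the first SYSCALL and are not failures themselves, so they are not counted; on the sample log the script reports SYSCALL 2 and USER_AUTH 1. It is a quick triage aid for a log copied off a host, not a replacement for aureport, which also resolves event ids, users and keys.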
Page 4

When performing an autrace on a process, make sure that any audit rules are purged from the queue to avoid having these rules clash with the ones autrace adds itself. Delete the audit rules with the auditctl -D command.

...work, refer to The Linux Audit Framework manual that is available at http://www.novell.com/documentation/sles11/
Page 5: Legal Notice

All content is copyright © 2006-2009 Novell, Inc. This manual is protected under Novell intellectual property rights. The express authorization of Novell, Inc must be obtained prior to any other use of any manual or part thereof. For Novell trademarks, see the Novell Trademark and Ser...