Monitoring File System Objects - Novell LINUX ENTERPRISE SERVER 11 - SECURITY Manual

Set a watch on the directory where the audit log is located. Trigger an event for any type of access attempt to this directory. If you are using log rotation, add watches for the rotated logs as well.
Set a watch on an audit configuration file. Log all write and attribute change attempts to this file.

32.3 Monitoring File System Objects

Auditing system calls helps track your system's activity well beyond the application level. By tracking file system-related system calls, you get an idea of how your applications are using these system calls and can determine whether that use is appropriate. By tracking mount and umount operations, you can track the use of external resources (removable media, remote file systems, etc.).
IMPORTANT: Auditing System Calls
Auditing system calls results in a high logging activity. This activity, in turn, puts a heavy load on the kernel. With a kernel less responsive than usual, the system's backlog and rate limits might be exceeded. Carefully evaluate which system calls to include in your audit rule set and adjust the log settings accordingly. See Section 30.2, "Configuring the Audit Daemon" (page 379) for details on how to tweak the relevant settings.

-a entry,always -S chmod -S fchmod -S chown -S chown32 -S fchown -S fchown32 -S lchown -S lchown32
-a entry,always -S creat -S open -S truncate -S truncate64 -S ftruncate -S ftruncate64
-a entry,always -S mkdir -S rmdir
-a entry,always -S unlink -S rename -S link -S symlink
-a entry,always -S setxattr
-a entry,always -S lsetxattr
-a entry,always -S fsetxattr
-a entry,always -S removexattr
-a entry,always -S lremovexattr
-a entry,always -S fremovexattr
-a entry,always -S mknod
-a entry,always -S mount -S umount -S umount2
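Once rules like these are loaded, the number of SYSCALL records per rule is what decides whether the backlog and rate limits from the note above are hit. The following added example (not from the SUSE manual) groups audit.log SYSCALL and PATH records by event serial, counts events per rule key so that noisy rules can be trimmed, and lists the calls the kernel denied. It assumes x86_64 syscall numbers, that the rules were loaded with -k keys (fs-perm, fs-open, fs-mount), which the listing above does not set, and uses constructed sample records.

```python
"""Group auditd SYSCALL/PATH records by event, count events per rule key
(to spot noisy rules) and list denied calls. Assumptions: x86_64 syscall
numbers and the audit.log text format; the sample records are constructed."""
import re
from collections import Counter, defaultdict

# x86_64 numbers for a subset of the syscalls audited in Section 32.3
SYSCALL_NAMES = {2: "open", 83: "mkdir", 87: "unlink", 90: "chmod",
                 92: "chown", 165: "mount", 188: "setxattr"}
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted"
SERIAL_RE = re.compile(r"msg=audit\(\d+\.\d+:(\d+)\)")

SAMPLE_LOG = """\
type=SYSCALL msg=audit(1300000000.101:201): arch=c000003e syscall=90 success=yes exit=0 auid=1000 uid=0 comm="chmod" exe="/bin/chmod" key="fs-perm"
type=PATH msg=audit(1300000000.101:201): item=0 name="/etc/shadow" inode=1 dev=08:01
type=SYSCALL msg=audit(1300000000.102:202): arch=c000003e syscall=2 success=no exit=-13 auid=1000 uid=1000 comm="cat" exe="/bin/cat" key="fs-open"
type=PATH msg=audit(1300000000.102:202): item=0 name="/etc/shadow" inode=1 dev=08:01
type=SYSCALL msg=audit(1300000000.103:203): arch=c000003e syscall=165 success=yes exit=0 auid=1000 uid=0 comm="mount" exe="/bin/mount" key="fs-mount"
type=PATH msg=audit(1300000000.103:203): item=1 name="/mnt/usb" inode=3 dev=08:01
type=SYSCALL msg=audit(1300000000.104:204): arch=c000003e syscall=2 success=yes exit=3 auid=1000 uid=1000 comm="vim" exe="/usr/bin/vim" key="fs-open"
"""

def parse_events(log_text):
    """Return {serial: event}: SYSCALL fields plus the names from its PATH records."""
    events = defaultdict(lambda: {"paths": []})
    for line in log_text.splitlines():
        m = SERIAL_RE.search(line)
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        if not m:
            continue
        ev = events[int(m.group(1))]
        if fields.get("type") == "SYSCALL":
            num = int(fields["syscall"])
            ev.update(syscall=SYSCALL_NAMES.get(num, f"sys_{num}"),
                      success=fields["success"] == "yes",
                      comm=fields["comm"], key=fields.get("key", ""))
        elif fields.get("type") == "PATH":
            ev["paths"].append(fields["name"])
    return dict(events)

def count_by_key(events):
    """Events per rule key: the numbers to look at before trimming the rule set."""
    return Counter(e["key"] for e in events.values() if "key" in e)

def failed_attempts(events):
    """(comm, syscall, path) for every call the kernel denied (success=no)."""
    return [(e["comm"], e["syscall"], e["paths"][0] if e["paths"] else None)
            for e in events.values() if e.get("success") is False]
```

On a real system, feed the output of `ausearch -i`-free raw /var/log/audit/audit.log lines into parse_events and compare count_by_key against the limits configured in auditd.conf.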
