Linux Audit Quick Start
SUSE Linux Enterprise 10 SP1
Linux audit allows you to comprehensively log and track any access to files, directories, or resources of your system and trace system calls. It enables you to monitor your system for application misbehavior or code malfunctions. By creating a sophisticated set of rules including file watches and system call auditing, you can make sure that any violation of your security policies is noticed and properly addressed.
To set up Linux audit on your system, proceed as follows:
1. Stop the audit daemon that is running by default with the rcauditd stop command.
2. Adjust the system configuration for audit and enable audit.
3. Configure the audit daemon.
4. Determine which system components to audit and set up audit rules.
5. Start the audit daemon after you have completed the configuration of the audit system using the rcauditd start command.
6. Determine which reports to run and configure these reports.
7. Analyze the audit logs and reports.
8. (Optional) Analyze individual system calls with autrace.
IMPORTANT: Users Entitled to Work with Audit
The audit tools, configuration files, and logs are only available to root. This protects audit from ordinary users of the system. To manipulate any aspect of audit, you must be logged in as root.
Enabling Audit
Your first tasks when enabling audit are:
• Adjust the PAM configuration to enable audit ID tracking.
• Enable system call auditing in /etc/sysconfig/auditd.
Audit allows you to consistently track a user's actions from login right through logout, no matter which identities this user might adopt, by using audit IDs that are created upon login and handed down to any child process of the original login process. Modify the PAM configuration of several components (login, sshd, gdm, crond, and atd). Open the PAM configuration for each application (/etc/pam.d/application) and add the following line before the common-session line:
session required pam_loginuid.so
session include common-session
The changes in the PAM configuration take effect as soon as the application is called again; for example, login, sshd, and the display managers log with an audit ID at the next login.
Because you need system call auditing capabilities even when you are configuring plain file or directory watches, enable audit contexts for system calls:
Enabling System Call Auditing for One Session Only
Enable with auditctl -e 1 and disable with auditctl -e 0. These settings are not persistent and do not survive a reboot.
NOVELL® QUICK START CARD
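The PAM edit above has to be made in five service files, and it is easy to get wrong by hand (the line must sit before the common-session include, and it must not be inserted twice). The following shell script is an added example, not part of the SUSE quick start card: it inserts the pam_loginuid.so session line before "session include common-session" for the services the card names, skips files that already have it, and refuses files without a common-session include. The PAM_DIR variable, the helper names and the "apply" argument are assumptions of this example so that it can be exercised on a copy of the files rather than on /etc/pam.d directly.

```shell
#!/bin/sh
# Added example (not from the SUSE card): enable audit ID tracking in PAM by
# loading pam_loginuid.so as a session module before the common-session include.
# PAM_DIR can be overridden to run against a copy instead of /etc/pam.d (assumption).
PAM_DIR="${PAM_DIR:-/etc/pam.d}"
# The services listed on the card.
SERVICES="login sshd gdm crond atd"

# has_loginuid FILE: succeed if FILE already loads pam_loginuid.so as a session module.
has_loginuid() {
    grep -Eq '^[[:space:]]*session[[:space:]]+required[[:space:]]+pam_loginuid\.so' "$1"
}

# add_loginuid FILE: insert "session required pam_loginuid.so" directly before the
# first "session include common-session" line. Idempotent; returns 1 if there is no
# common-session include to anchor on (the file is then left untouched).
add_loginuid() {
    f="$1"
    if has_loginuid "$f"; then
        return 0
    fi
    grep -Eq '^[[:space:]]*session[[:space:]]+include[[:space:]]+common-session' "$f" || return 1
    tmp="$f.tmp.$$"
    # cp -p keeps the mode of the PAM file on the replacement.
    cp -p "$f" "$tmp" || return 1
    awk '
        /^[[:space:]]*session[[:space:]]+include[[:space:]]+common-session/ && !done {
            print "session required pam_loginuid.so"
            done = 1
        }
        { print }
    ' "$f" > "$tmp" && mv "$tmp" "$f"
}

# loginuid_order_ok FILE: succeed only if the pam_loginuid line exists and comes
# before the common-session include (the ordering the card requires).
loginuid_order_ok() {
    awk '
        /pam_loginuid\.so/ && !l { l = NR }
        /session[[:space:]]+include[[:space:]]+common-session/ && !i { i = NR }
        END { exit !(l && i && l < i) }
    ' "$1"
}

# configure_all: apply the edit to every listed service file that exists, warning
# about files that have no common-session include instead of guessing a position.
configure_all() {
    for s in $SERVICES; do
        [ -f "$PAM_DIR/$s" ] || continue
        add_loginuid "$PAM_DIR/$s" || echo "warning: no common-session include in $PAM_DIR/$s" >&2
    done
}

# Only touch the real files when explicitly asked: ./pam_loginuid.sh apply
if [ "${1:-}" = "apply" ]; then
    configure_all
fi
```

Run it as root with the single argument apply to edit /etc/pam.d, or with PAM_DIR pointing at a copy to review the result first; loginuid_order_ok is the check to run afterwards on each service file.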