Linux Audit Quick Start
SUSE Linux Enterprise 10 SP1
Linux audit allows you to comprehensively log and track any access to files, directories, or resources of your system and trace system calls. It enables you to monitor your system for application misbehavior or code malfunctions. By creating a sophisticated set of rules including file watches and system call auditing, you can make sure that any violation of your security policies is noticed and properly addressed.
To set up Linux audit on your system, proceed as follows:
1. Stop the audit daemon that is running by default with the rcauditd stop command.
2. Adjust the system configuration for audit and enable audit.
3. Configure the audit daemon.
4. Determine which system components to audit and set up audit rules.
5. Start the audit daemon after you have completed the configuration of the audit system using the rcauditd start command.
6. Determine which reports to run and configure these reports.
7. Analyze the audit logs and reports.
8. (Optional) Analyze individual system calls with autrace.
IMPORTANT: Users Entitled to Work with Audit
The audit tools, configuration files, and logs are only available to root. This protects audit from ordinary users of the system. To manipulate any aspect of audit, you must be logged in as root.
Enabling Audit
Your first tasks enabling audit are:
• Adjust the PAM configuration to enable audit ID tracking.
• Enable system call auditing in /etc/sysconfig/auditd.
Audit allows you to consistently track a user's actions from login right through logout, no matter which identities this user might adopt, by using audit IDs that are created upon login and handed down to any child process of the original login process. Modify the PAM configuration of several components (login, sshd, gdm, crond, and atd). Open the PAM configuration for each application (/etc/pam.d/application) and add the following line before the common-session line:
session required pam_loginuid.so
session include common-session
The changes in PAM configuration take effect as soon as the application is called again; for example, login, sshd, and the display managers log with an audit ID at the next login.
Because you need system call auditing capabilities even when you are configuring plain file or directory watches, enable audit contexts for system calls:
Enabling System Call Auditing for One Session Only
Enable with auditctl -e 1 and disable with auditctl -e 0. These settings are not persistent and do not survive a reboot.
NOVELL® QUICK START CARD
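The PAM change above, done the way a configuration script would do it, as an added shell example that is not part of the Novell quick start card: it inserts the pam_loginuid.so session line directly before the common-session include of a service file, skips files that already have it, and refuses to touch a file that has no common-session line to anchor on. The function names and the PAMDIR variable are assumptions of the example, not names from the card.

```shell
#!/bin/sh
# Added example, not from the Novell quick start card. Function and variable
# names (ensure_loginuid, loginuid_before_session, PAMDIR) are assumptions.
PAMDIR="${PAMDIR:-/etc/pam.d}"
LOGINUID_LINE='session required pam_loginuid.so'

# has_loginuid FILE: 0 if a session line already loads pam_loginuid.so
has_loginuid() {
    grep -Eq '^[[:space:]]*session[[:space:]]+.*pam_loginuid\.so' "$1"
}

# ensure_loginuid FILE: insert the line directly before the
# "session include common-session" line, once. Returns 1 and leaves the
# file untouched when it has no common-session line to anchor on.
ensure_loginuid() {
    f="$1"
    has_loginuid "$f" && return 0
    grep -Eq '^[[:space:]]*session[[:space:]]+include[[:space:]]+common-session' "$f" \
        || return 1
    tmp="$f.tmp.$$"
    awk -v line="$LOGINUID_LINE" '
        !done && $1 == "session" && $2 == "include" && $3 == "common-session" {
            print line; done = 1
        }
        { print }' "$f" > "$tmp" && mv "$tmp" "$f"
    has_loginuid "$f"
}

# loginuid_before_session FILE: 0 only if pam_loginuid.so is loaded before
# common-session, the ordering the card requires for audit ID tracking.
loginuid_before_session() {
    awk '
        $1 == "session" && /pam_loginuid\.so/ && !seen { found = 1 }
        $1 == "session" && $2 == "include" && $3 == "common-session" { seen = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# enable_audit_ids [DIR]: apply to the services named on the card; a file
# without a common-session line is reported on stderr instead of being edited.
enable_audit_ids() {
    dir="${1:-$PAMDIR}"
    for svc in login sshd gdm crond atd; do
        if [ -f "$dir/$svc" ]; then
            ensure_loginuid "$dir/$svc" || echo "no common-session line in $dir/$svc" >&2
        fi
    done
    return 0
}
```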
Summary of Contents for Linux LINUX ENTERPRISE 10 SP1 - LINUX AUDIT

  • Page 1: Linux Audit Quick Start, SUSE Linux Enterprise 10 SP1 (the card text reproduced above).
  • Page 2: Setting Up Audit Rules

    Enabling System Call Auditing Permanently. Permanently enable audit contexts for system calls by changing AUDITD_DISABLE_CONTEXTS in /etc/sysconfig/auditd from yes to no. Make sure that your system provides enough disk space to store large audit logs and test your audit rule set extensively before rolling it out to a production system.
  • Page 3: Generating Reports

    The -p flag enables permission filtering. This example has permission filtering turned on for read, write, execute, and attribute change permissions. aureport --success: run this report to get statistics of successful events on your system. For detailed information about any of the event categories listed, run individual reports for the event type. Note the following limitations to file system watches:
  • Page 4: Analyzing Audit Log Files and Reports. While aureport helps you generate custom reports focusing on a certain area, ausearch helps you to find the detailed log entry of individual events. Analyzing Individual System Calls: perform dedicated audits of individual processes using the autrace command. autrace works similarly to the strace command, but gathers slightly different information.
  • Page 5: ... Controls the rules auditd processes to track system calls and file and directory access. /var/log/audit/audit.log: the audit log file. For a more detailed introduction to the Linux audit framework, refer to The Linux Audit Framework manual that is available at http://www.novell.com/documentation/sles10/.
  • Page 6: Created by SUSE® with XSL-FO...
