Setting Up Audit Rules - Novell SUSE LINUX ENTERPRISE 11 SP1 LINUX AUDIT Quick Start Manual

flush = INCREMENTAL
freq = 20
num_logs = 4
disp_qos = lossy
dispatcher = /usr/sbin/audispd
name_format = NONE
#name = mydomain
max_log_file = 5
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
#tcp_listen_port =
tcp_listen_queue = 5
#tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
Most of the settings in this file concern the audit log files and how the logging is done. The most important settings all concern the actions the daemon should take when encountering certain critical conditions or errors (system low on disk space, system out of disk space, or disk error) and when to warn the administrator about these conditions. These actions are customizable and range from a mere warning in syslog to a complete halt of the system. For more information about /etc/audit/auditd.conf, refer to The Linux Audit Framework manual and the manual page of auditd.conf (auditd.conf(8)).

Setting Up Audit Rules

Audit rules are used to specify which components of your system are audited. There are three basic types of audit rules:
• Basic audit system parameters
• File and directory watches
• System call audits

Before creating an audit rule set and before rolling it out to your system, carefully determine which components to audit. Extensive auditing causes a substantial logging load. Make sure that your system provides enough disk space to store large audit logs, and test your audit rule set extensively before rolling it out to a production system.

Audit rules can either be passed to the audit system on the command line using auditctl or bundled into a rules file located under /etc/audit/audit.rules that is read when the audit daemon starts:
# basic audit system parameters
-D
-b 8192
-f 1
-e 1
# some file and directory watches
-w /var/log/audit/
-w /etc/audit/auditd.conf -p rxwa
-w /etc/audit/audit.rules -p rxwa
-w /etc/passwd -p rwxa
-w /etc/sysconfig/
# an example system call rule
-a entry,always -S umask
The basic audit system parameters include a rule to delete any preexisting rules (-D) to avoid clashes with the new rules, a rule that sets the number of outstanding audit buffers (-b), the failure flag (-f), and the enable flag (-e):

-b
Depending on the audit load of your system, increase or decrease the number of outstanding audit buffers. If there are no more buffers left, the kernel checks the failure flag for action.

-f
The failure flag controls the kernel's reaction to critical errors. Possible values are 0 (silent), 1 (printk, print a failure message), and 2 (panic, bring the system down—no clean shutdown and risk of data loss or corruption).

-e
If set to 1, this enables audit and audit contexts for system calls. Setting it to 2 does the same, but also locks down the configuration. Set to 0, audit is disabled. This flag is used to enable or disable audit temporarily.
File system watches can be added whenever you want to track files or directories for unauthorized access. Typical examples would include watching the audit configuration and logs and the user and security databases. Use permission filtering to focus on those system calls requesting the permissions in which you are interested:
-w /etc/audit/audit.rules -p rxwa
The -p flag enables permission filtering. This example has permission filtering turned on for read, write, execute, and attribute change permissions.
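As an added example that is not part of this quick start, the following POSIX shell script lints an audit.rules file against the conventions just described (a leading -D, -b/-f/-e present and in range, -p values built only from the letters r, w, x and a) before the file is rolled out; the function names and the embedded sample rule sets are constructed for illustration.

```shell
# Added example, not from the SUSE quick start: lint an audit.rules file
# before rollout. Pure text processing; nothing is loaded into the kernel.

# lint_audit_rules FILE: return 0 if every check passes, 1 otherwise.
# Findings are written to stderr, one per line.
lint_audit_rules() {
    file=$1; rc=0
    rules=$(awk '!/^[ \t]*(#|$)/' "$file")            # drop comments, blank lines
    first=$(printf '%s\n' "$rules" | head -n 1)
    if [ "$first" != "-D" ]; then
        echo "first rule is '$first'; expected -D to clear preexisting rules" >&2; rc=1
    fi
    for flag in b f e; do
        val=$(printf '%s\n' "$rules" | awk -v f="-$flag" '$1 == f { print $2; exit }')
        case "$flag:$val" in
            b:[0-9]*) ;;                              # buffer count: any integer
            f:2) echo "warning: -f 2 panics the kernel on an audit failure" >&2 ;;
            f:[01]|e:[012]) ;;                        # failure / enable flag in range
            *:) echo "missing -$flag" >&2; rc=1 ;;
            *) echo "-$flag $val: not a valid value" >&2; rc=1 ;;
        esac
    done
    # Every -p value on a -w line may only use the letters r, w, x, a.
    bad_p=$(printf '%s\n' "$rules" | awk '$1 == "-w" {
        for (i = 2; i < NF; i++)
            if ($i == "-p" && ($(i+1) !~ /^[rwxa]+$/ || length($(i+1)) > 4))
                print $(i+1) }')
    if [ -n "$bad_p" ]; then
        echo "invalid -p value(s): $bad_p (allowed letters: r w x a)" >&2; rc=1
    fi
    return $rc
}

# Constructed sample rule sets: one following the layout shown above, one
# with a missing -D, an out-of-range -e and a bad -p letter.
good_rules() {
    cat <<'EOF'
# basic audit system parameters
-D
-b 8192
-f 1
-e 1
-w /var/log/audit/
-w /etc/audit/audit.rules -p rxwa
-w /etc/passwd -p rwxa
-a entry,always -S umask
EOF
}
bad_rules() {
    printf '%s\n' '-b 8192' '-f 2' '-e 3' '-w /etc/passwd -p rwxz'
}
```

Run `lint_audit_rules /etc/audit/audit.rules` in a test environment and fix every reported line before handing the file to auditctl.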
Note the following limitations to file system watches:
• Directory watches produce less verbose logs than exact file watches. When in need of detailed file-related records, enable separate file watches for all files of interest.