Generating Reports - Novell SUSE LINUX ENTERPRISE 11 SP1 LINUX AUDIT Quick Start Manual

• Pathname globbing of any kind is not supported by audit. Always use the exact pathnames.
• Auditing can only be performed on existing files. Any files added while the audit daemon is already running are ignored until the audit rule set is updated to watch the new files.

Assigning keys to your audit rules helps you to identify any records related to this rule in the logs. An example rule plus key:

-w /etc/var/log/audit/ -k LOG_audit

The -k option attaches a text string to any event that is recorded in the logs due to this rule. Using the ausearch log analyzer, you can easily filter for any events related to this particular rule.

A sample system call audit rule could look like the following:

-a entry,always -S umask

This adds the rule to the system call entry list (-a) and logs an event whenever this system call is used (entry,always). The -S option precedes the actual system call, umask in this example. Using -F, you could add optional filtering to this rule. For more information about audit rules, refer to The Linux Audit Framework and the manual page of auditctl (auditctl(8)).

Generating Reports

Every audit event is recorded in the audit log, /var/log/audit/audit.log. To avoid having to read the raw audit log, configure custom audit reports with aureport and run them regularly. Use the aureport tool to create various types of reports filtering for different fields of the audit records in the log. The output of any aureport command is printed in column format and can easily be piped to other commands for further processing. Because the aureport commands are scriptable, you can easily create custom report scripts to run at certain intervals to gather the audit information for you.

aureport --summary
Run this report to get a rough overview of the current audit statistics (events, logins, processes, etc.). To get detailed information about any of the event categories listed, run individual reports for the event type.

aureport --success
Run this report to get statistics of successful events on your system. This report includes the same event categories as the summary report. To get detailed information for a particular event type, run the individual report adding the --success option to filter for successful events of this type, for example, aureport -f --success to display all successful file-related events.

aureport --failed
Run this report to get statistics of failed events on your system. This report includes the same event categories as the summary report. To get detailed information for a particular event type, run the individual report adding the --failed option to filter for failed events of this type, such as aureport -f --failed to display all failed file-related events.

aureport -l
Run this command to generate a numbered list of all login-related events. The report includes date, time, audit ID, host and terminal used, name of the executable, success or failure of the attempt, and an event ID.

aureport -p
Run this report to generate a numbered list of all process-related events. This command generates a numbered list of all process events including date, time, process ID, name of the executable, system call, audit ID, and event number.

aureport -f
Run this report to generate a numbered list of all file-related events. This command generates a numbered list of all process events including date, time, process ID, name of the executable, system call, audit ID and event number.

aureport -u
Run this report to find out which users are running what executables on your system. This command generates a numbered list of all user-related events including date, time, audit ID, terminal used, host, name of the executable, and an event ID.

Use the -ts and -te (for start time and end time) options with any of the above commands to limit your reports to a certain time frame. Use the -i option with any of these commands to transform numeric entities to human-readable text. The following command creates a file report for the time between 8 am and 5:30 pm on the current day and converts numeric entries to text.

aureport -ts 8:00 -te 17:30 -f -i
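The Quick Start says the aureport commands are scriptable and suggests running custom report scripts at intervals. The script below is an added example, not part of the SUSE manual: it takes a time window in the HH:MM form used above, runs the summary, failed-event, login, failed-file and user reports for that window with -i, and writes each to its own file. The AUREPORT variable (so the binary can be swapped for testing on a host without auditd) and the output directory layout are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the SUSE Quick Start): run the aureport
# reports described above for one time window and store each result.
# AUREPORT is an assumption of this script so it can be pointed at a
# stand-in binary on a host without auditd.
AUREPORT=${AUREPORT:-aureport}

# Accept only the HH:MM form used in "aureport -ts 8:00 -te 17:30".
valid_time() {
    case "$1" in
        [0-9]:[0-5][0-9]|[0-1][0-9]:[0-5][0-9]|2[0-3]:[0-5][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# run_reports START END OUTDIR
# Writes one file per report into OUTDIR and prints the file count.
# -i is added so uids and syscall numbers are printed as names.
run_reports() {
    start=$1; end=$2; outdir=$3
    valid_time "$start" && valid_time "$end" || {
        echo "run_reports: time window must be HH:MM HH:MM" >&2
        return 1
    }
    mkdir -p "$outdir" || return 1
    for report in "--summary" "--failed" "-l" "-f --failed" "-u"; do
        # File name: drop leading dashes, turn "-f --failed" into f_failed.
        name=$(printf '%s' "$report" | sed 's/^-*//; s/ --*/_/g')
        # $report is deliberately unquoted so "-f --failed" becomes two args.
        "$AUREPORT" -ts "$start" -te "$end" -i $report > "$outdir/$name.txt" || return 1
    done
    ls "$outdir" | wc -l | tr -d ' '
}

# Usage (assumed output location): run_reports 8:00 17:30 /var/tmp/audit-reports
```

Pointing a cron entry at run_reports with yesterday's window gives the interval-based collection the text describes; the per-report files can then be piped to other commands exactly like direct aureport output.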

Analyzing Audit Log Files and Reports

While aureport helps you generate custom reports focusing on a certain area, ausearch helps you to find the detailed log entry of individual events:

ausearch -a audit_event_id
Run this search to view all records carrying a particular audit event ID. Each audit event message is logged along with a message ID consisting of a UNIX epoch time stamp plus a unique event ID separated by a colon. All events that are logged from one application's system call have the same event ID. For example, use ausearch -a 1234 to display all audit events carrying this audit event ID. As one application's system call may trigger several
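To make the epoch:ID message stamp and the -k key concrete, here is an added example (not from the SUSE manual) that pulls both fields out of a few constructed audit.log records embedded in the script. The records, the key names and the success/failure summary are all constructed for illustration; on a real system ausearch -a and ausearch -k do this matching for you, and aureport --success/--failed give the same kind of per-type counts.

```shell
#!/bin/sh
# Added example (not from the SUSE Quick Start): show how audit.log
# records are tied together by the msg=audit(EPOCH:ID) stamp that
# ausearch -a matches on, and how -k keys make them easy to group.

# Constructed sample records in audit.log format (not real output).
SAMPLE_LOG='type=SYSCALL msg=audit(1286530000.123:1234): arch=c000003e syscall=2 success=no exit=-13 key="LOG_audit"
type=CWD msg=audit(1286530000.123:1234): cwd="/root"
type=PATH msg=audit(1286530000.123:1234): item=0 name="/var/log/audit/audit.log"
type=SYSCALL msg=audit(1286530001.456:1235): arch=c000003e syscall=95 success=yes exit=18 key="umask_calls"
type=USER_LOGIN msg=audit(1286530002.789:1236): pid=2001 uid=0 res=success'

# Print the numeric event ID of each record on stdin (the part after the colon).
event_ids() {
    sed -n 's/.*msg=audit([0-9.]*:\([0-9]*\)).*/\1/p'
}

# Number of distinct events in the sample: one ID per system call,
# even though a single call produced several records.
distinct_events() {
    printf '%s\n' "$SAMPLE_LOG" | event_ids | sort -u | wc -l | tr -d ' '
}

# Number of records sharing one event ID, which is what
# "ausearch -a ID" returns.
records_for_event() {
    printf '%s\n' "$SAMPLE_LOG" | grep -c "msg=audit([0-9.]*:$1)"
}

# Per-key success/failure counts from the SYSCALL records, the grouping
# behind "ausearch -k KEY" and the --success/--failed report filters.
key_summary() {
    printf '%s\n' "$SAMPLE_LOG" | awk '
        /^type=SYSCALL/ {
            key = "(none)"; res = "unknown"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^key=/)     { key = $i; sub(/^key="?/, "", key); sub(/"$/, "", key) }
                if ($i ~ /^success=/) { res = substr($i, 9) }
            }
            count[key, res]++
        }
        END { for (k in count) { split(k, p, SUBSEP); print p[1], p[2], count[k] } }' | sort
}

# Usage: distinct_events; records_for_event 1234; key_summary
```

The three records for event 1234 (SYSCALL, CWD, PATH) come from one system call, which is why a search by event ID rather than by line is the right way to reconstruct what a process did; the key attached by -k then tells you which rule caused the record to be written.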