events to be logged, you are likely to retrieve more than one record from the log.
ausearch -ul login_id
Run this search to view records associated with a particular login user ID. It displays any records related to the specified login user ID, provided that user was able to log in successfully. For example, use ausearch -ul root to list all processes owned by the given login user ID.
ausearch -k key
Run this search to find records that contain a certain key assigned in the audit rule set. For example, use ausearch -k CFG_etc to display any records containing the CFG_etc key.
ausearch -m message_type
Run this search to find records related to a particular
message type. Examples of valid message types include
PATH, SYSCALL, USER_LOGIN. Invoking ausearch
-m without a message type displays a list of all message
types.
ausearch -f filename
Run this search to find records containing a certain filename. For example, run ausearch -f /foo/bar for all records related to the /foo/bar file. Using the filename alone (bar) works as well, but relative paths (foo/bar) do not.
ausearch -p process_id
Run this to search for records related to a certain process
ID. For example, use ausearch -p 13368 to search
for all records related to this process ID.
Use the -ts and -te (for start time and end time) options with any of these commands to limit your reports to a certain time frame. Use the -i option with any of these to transform numeric entities to human readable text. The following command searches for any file event related to audit.log that took place any time between 8 am and 5:30 pm on the current day and converts numeric entries to text.
ausearch -ts 8:00 -te 17:30 -f audit.log -i
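The following is an added example, not part of the SUSE guide: a small POSIX shell script that selects records from raw audit.log data the way ausearch -k, -p, -f and -ts/-te do, so you can see why a single event comes back as several records (SYSCALL, CWD and PATH lines share one event ID). The log records it works on are constructed sample data written to a temporary file, so it runs without an audit daemon; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the SUSE guide): a minimal ausearch-like filter over
# raw audit.log records. The records below are constructed sample data.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
type=SYSCALL msg=audit(1300000000.100:101): arch=c000003e syscall=2 success=yes exit=3 ppid=1 pid=13368 auid=0 uid=0 comm="cat" exe="/bin/cat" key="CFG_etc"
type=CWD msg=audit(1300000000.100:101): cwd="/root"
type=PATH msg=audit(1300000000.100:101): item=0 name="/etc/passwd" inode=1234 dev=08:01 mode=0100644 ouid=0 ogid=0
type=SYSCALL msg=audit(1300000000.200:102): arch=c000003e syscall=2 success=no exit=-13 ppid=13368 pid=13370 auid=1000 uid=1000 comm="less" exe="/usr/bin/less" key="CFG_etc"
type=PATH msg=audit(1300000000.200:102): item=0 name="/etc/shadow" inode=1235 dev=08:01 mode=0100640 ouid=0 ogid=15
type=USER_LOGIN msg=audit(1300036000.300:103): pid=2000 uid=0 auid=0 msg='op=login id=0 exe="/usr/sbin/sshd" res=success'
EOF

# Event IDs (the number after the colon in msg=audit(time:id)) of every record
# matching an extended regex. One event usually spans several records, which is
# why a search for one key or PID returns more than one line.
audit_event_ids() {
    grep -E -- "$1" "$2" | sed -n 's/.*msg=audit([0-9.]*:\([0-9]*\)).*/\1/p' | sort -u
}

# Print every record that belongs to a matched event, as ausearch does.
audit_search() {
    for id in $(audit_event_ids "$1" "$2"); do
        grep -E "msg=audit\([0-9.]+:$id\)" "$2"
    done
}

search_key() { audit_search "key=\"$1\"" "$2"; }                 # like ausearch -k

search_pid() { audit_search "(^| )pid=$1( |\$)" "$2"; }          # like ausearch -p (skips ppid=)

# like ausearch -f: full path matches exactly, a bare filename matches the
# last path component, a relative path is rejected.
search_file() {
    case $1 in
        /*)  audit_search "name=\"$1\"" "$2" ;;
        */*) echo "relative paths are not matched; use a full path or bare filename" >&2; return 1 ;;
        *)   audit_search "name=\"([^\"]*/)?$1\"" "$2" ;;
    esac
}

# like ausearch -ts/-te: keep records whose epoch timestamp lies in [start,end].
search_time_range() {
    awk -v s="$1" -v e="$2" '
        match($0, /msg=audit\([0-9]+/) {
            t = substr($0, RSTART + 10, RLENGTH - 10) + 0
            if (t >= s && t <= e) print
        }' "$3"
}

# Bare line count for scripting (grep -c prints a plain number).
count_lines() { grep -c ''; }

search_key CFG_etc "$SAMPLE_LOG"
```

Searching for the CFG_etc key returns five lines: all three records of event 101 plus both records of event 102, because the whole event is returned, not only the SYSCALL record that carries the key.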
Analyzing Individual System Calls
Perform dedicated audits of individual processes using the
autrace command. autrace works similarly to the strace
command, but gathers slightly different information. The
output of autrace is written to /var/log/audit/audit.log and does not look any different from the standard audit log entries.
When performing an autrace on a process, make sure that
any audit rules are purged from the queue to avoid having
these rules clash with the ones autrace adds itself. Delete
the audit rules with the auditctl -D command.
autrace /usr/bin/less /etc/sysconfig/auditd
Waiting to execute: /usr/bin/less
Cleaning up...
No rules
Trace complete. You can locate the records
with 'ausearch -i -p 7642'
Always use the full path to the executable to autrace. After
the trace is complete, autrace provides you with the event
ID of the trace, so you can analyze the entire data trail with
ausearch. To restore the audit system to use the audit rule
set again, just restart the audit daemon by calling rcauditd
restart.
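The steps above, wrapped into one POSIX shell script as an added example that is not part of the SUSE guide: it insists on a full path to the executable, purges the rule set with auditctl -D, runs autrace, extracts the process ID from autrace's closing "ausearch -i -p" message, runs that ausearch, and restarts auditd with rcauditd restart. The function names are this example's own, the full procedure assumes root and the audit tools are installed, and the autrace output at the bottom is constructed sample text so the parsing step can be checked on any machine.

```shell
#!/bin/sh
# Added example (not from the SUSE guide): wrapper for the autrace procedure.

# autrace ends with "... with 'ausearch -i -p <pid>'"; pull <pid> out of its output.
trace_pid_from_output() {
    printf '%s\n' "$1" | sed -n "s/.*ausearch -i -p \([0-9][0-9]*\).*/\1/p" | head -n 1
}

# autrace must be given the full path to the executable.
is_absolute_path() {
    case $1 in
        /*) return 0 ;;
        *)  return 1 ;;
    esac
}

# Whole procedure. Assumes root and the audit tools; not invoked below.
autrace_and_search() {
    exe=$1; shift
    is_absolute_path "$exe" || { echo "autrace needs the full path to $exe" >&2; return 1; }
    auditctl -D                                   # purge rules so they do not clash with autrace's
    out=$(autrace "$exe" "$@" 2>&1) || { printf '%s\n' "$out" >&2; return 1; }
    pid=$(trace_pid_from_output "$out")
    [ -n "$pid" ] || { echo "could not find the trace pid in autrace output" >&2; return 1; }
    ausearch -i -p "$pid"                         # the whole data trail of the traced process
    rcauditd restart                              # reload the configured rule set
}

# Constructed sample of autrace's output, used only to exercise the parser.
SAMPLE_OUTPUT="Waiting to execute: /usr/bin/less
Cleaning up...
No rules
Trace complete. You can locate the records with 'ausearch -i -p 7642'"

trace_pid_from_output "$SAMPLE_OUTPUT"
```

Running the script prints 7642, the process ID that the sample autrace output points at; in real use, autrace_and_search /usr/bin/less /etc/sysconfig/auditd performs the full cycle.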
Audit Tool Set
auditctl
Controls the audit system. Check the audit daemon's
status and rule set, delete rules, or create new ones.
aureport
Create various types of reports from the audit daemon
logs.
ausearch
Create custom queries to search the audit daemon logs.
autrace
Add audit rules to trace a process. Similar to strace.
rcauditd
Controls the audit init script.
Files
/etc/audit/auditd.conf
Contains configuration options specific to the audit
daemon, such as log file location, log rotation, maximum
size of the log file, and various actions to take when the
system starts to run low on disk space.
/etc/sysconfig/auditd
Controls configuration aspects of auditd that are not
covered in /etc/audit/auditd.conf, such as the
locale to use with audit, the use of audit contexts with
system calls, and whether rules and watches should be
deleted on shutdown of the system.
/etc/audit/audit.rules
Controls the rules auditd processes to track system calls
and file and directory access.
/var/log/audit/audit.log
The audit log file.
For More Information
For a more detailed introduction to the Linux audit framework, refer to The Linux Audit Framework manual that is available at http://www.novell.com/documentation/sles11/ or http://www.novell.com/documentation/sled11/.