Novell LINUX ENTERPRISE DESKTOP 11 - SECURITY GUIDE 17-03-2009 Manual page 348

Linux audit helps make your system more secure by giving you a means to analyze in great detail what is happening on your system. It does not, however, provide additional security itself: it does not protect your system from code malfunctions or any kind of exploit. Instead, Audit is useful for tracking these issues and helps you take additional security measures, like Novell AppArmor, to prevent them.

Audit consists of several components, each contributing crucial functionality to the overall framework. The audit kernel module intercepts the system calls and records the relevant events. The auditd daemon writes the audit reports to disk. Various command line utilities take care of displaying, querying, and archiving the audit trail.
Audit enables you to do the following:

Associate Users with Processes

Audit maps processes to the user ID that started them. This makes it possible for the administrator or security officer to trace exactly which user owns which process and is potentially performing malicious operations on the system.
IMPORTANT: Renaming User IDs

Audit does not handle the renaming of UIDs. Therefore avoid renaming UIDs (for example, changing tux from uid=1001 to uid=2000); retire obsolete UIDs rather than renaming them. Otherwise you would need to change auditctl data (audit rules) and would have problems retrieving old data correctly.
Review the Audit Trail

Linux audit provides tools that write the audit reports to disk and translate them into human readable format.

Review Particular Audit Events

Audit provides a utility that allows you to filter the audit reports for certain events of interest. You can filter for:
• User
• Group
• Audit ID
• Remote Hostname
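To show what such filtering does with the records auditd writes, here is an added example that is not part of the guide: a small Python stand-in for the query utility that parses lines in the audit.log key=value format and selects records by login user (auid), group (gid), event serial number, or remote hostname. The log lines are constructed for the example, and the field names used (auid, gid, hostname) are the ones the audit subsystem emits.

```python
import re

# Constructed sample records in audit.log format (not taken from the guide).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1237300000.101:101): arch=c000003e syscall=2 success=no exit=-13 a0=7ffd a1=0 a2=0 a3=0 items=1 ppid=2686 pid=3538 auid=1001 uid=1001 gid=100 euid=1001 suid=1001 fsuid=1001 egid=100 sgid=100 fsgid=100 tty=pts0 ses=1 comm="cat" exe="/bin/cat" key="shadow-read"
type=USER_LOGIN msg=audit(1237300010.202:102): pid=4001 uid=0 auid=1001 ses=2 msg='op=login id=1001 exe="/usr/sbin/sshd" hostname=workstation.example.com addr=192.0.2.10 terminal=ssh res=success'
type=USER_LOGIN msg=audit(1237300020.303:103): pid=4002 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=198.51.100.7 addr=198.51.100.7 terminal=ssh res=failed'
"""

# type, timestamp and serial come first; the rest of the line is key=value pairs
RECORD_RE = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$")
FIELD_RE = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S+)")


def parse_record(line):
    """Split one audit.log line into its type, timestamp, serial and key=value fields."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m["type"], "timestamp": float(m["ts"]), "serial": int(m["serial"])}
    body = m["body"]
    # USER_* records nest more key=value pairs inside msg='...'; flatten them
    inner = re.search(r"msg='([^']*)'", body)
    if inner:
        body = body.replace(inner.group(0), inner.group(1))
    for key, val in FIELD_RE.findall(body):
        rec[key] = val.strip('"')
    return rec


def search(log_text, uid=None, gid=None, serial=None, hostname=None):
    """Return the records that match every criterion given (None means 'any').

    uid is matched against auid, the login UID that Audit attaches to every
    process the user started, which is what ties an event back to a person.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        if uid is not None and rec.get("auid") != str(uid):
            continue
        if gid is not None and rec.get("gid") != str(gid):
            continue
        if serial is not None and rec["serial"] != serial:
            continue
        if hostname is not None and rec.get("hostname") != hostname:
            continue
        hits.append(rec)
    return hits
```

Note that the unset login UID 4294967295 (-1) on the failed root login marks a session that never completed login, so it will not match any real user filter.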
336
Security Guide