Configuring The Audit Daemon - Novell LINUX ENTERPRISE DESKTOP 11 - SECURITY GUIDE 17-03-2009 Manual


auditctl
The auditctl utility controls the audit system. It controls the log generation
parameters and kernel settings of the audit interface as well as the rule sets that
determine which events are tracked. For more information about auditctl, refer to
Section 30.3, "Controlling the Audit System Using auditctl" (page 345).
audit rules
The file /etc/audit/audit.rules contains a sequence of auditctl commands
that are loaded at system boot time immediately after the audit daemon is started.
For more information about audit rules, refer to Section 30.4, "Passing Parameters
to the Audit System" (page 347).
aureport
The aureport utility allows you to create custom reports from the audit event log.
This report generation can easily be scripted and the output can be used by various
other applications, for example, to plot these results. For more information about
aureport, refer to Section 30.5, "Understanding the Audit Logs and Generating
Reports" (page 351).
ausearch
The ausearch utility can search the audit log file for certain events using various
keys or other characteristics of the logged format. For more information about
ausearch, refer to Section 30.6, "Querying the Audit Daemon Logs with ausearch"
(page 363).
audispd
The audit dispatcher daemon (audispd) can be used to relay event notifications to
other applications instead of or in addition to writing them to disk in the audit log.
autrace
The autrace utility traces individual processes in a fashion similar to strace. The
output of autrace is logged to the audit log. For more information about autrace,
refer to Section 30.7, "Analyzing Processes with autrace" (page 367).

30.2 Configuring the Audit Daemon

Before you can actually start generating audit logs and process them, configure the
audit daemon itself. Configure how it is started in the /etc/sysconfig/auditd
