Controlling The Audit System Using Auditctl - Novell LINUX ENTERPRISE DESKTOP 11 - SECURITY GUIDE 17-03-2009 Manual

tcp_listen_port, tcp_listen_queue, tcp_client_ports and tcp_client_max_idle
The audit daemon can receive audit events from other audit daemons. The tcp parameters let you control incoming connections. Specify a port between 1 and 65535 with tcp_listen_port on which auditd listens. tcp_listen_queue lets you configure a maximum value for pending connections. Make sure not to set this value too small, since the number of pending connections may be high under certain circumstances, such as after a power outage. tcp_client_ports defines which client ports are allowed. Either specify a single port or a port range with numbers separated by a dash (e.g. 1-1023 for all privileged ports). Specifying a single allowed client port may make it difficult for the client to restart its audit subsystem, as it will be unable to recreate a connection with the same host addresses and ports until the TIME_WAIT state of the closed connection times out. If a client stops responding, auditd complains. Specify the number of seconds after which this happens with tcp_client_max_idle. Keep in mind that this setting is valid for all clients and therefore should be higher than any individual client heartbeat setting, preferably by a factor of two.
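The following POSIX sh check is an added example, not part of the SUSE guide or of the audit package: it reads the tcp_* keys from an auditd.conf and reports settings that break the constraints described above (port range, single client port, idle timeout below twice the client heartbeat). The config file contents and the heartbeat value passed as the second argument are constructed inputs; keys that are absent from the file are simply skipped.

```shell
conf_val() {            # conf_val FILE KEY -> first token of the last "KEY = value" line
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$1" | tail -n 1
}
is_port() {             # true if $1 is a whole number in 1..65535
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}
# audit_tcp_check CONF HEARTBEAT: print one line per finding, return the number of findings
audit_tcp_check() {
    conf=$1; hb=${2:-0}; n=0
    p=$(conf_val "$conf" tcp_listen_port)
    if [ -n "$p" ] && ! is_port "$p"; then
        echo "tcp_listen_port '$p' is not a port in 1-65535"; n=$((n + 1))
    fi
    q=$(conf_val "$conf" tcp_listen_queue)
    case $q in
        '') ;;
        *[!0-9]*|0) echo "tcp_listen_queue '$q' must be a positive integer"; n=$((n + 1)) ;;
    esac
    c=$(conf_val "$conf" tcp_client_ports)
    case $c in
        '') ;;
        *-*) lo=${c%%-*}; hi=${c#*-}          # range form, e.g. 1-1023
             if ! is_port "$lo" || ! is_port "$hi" || [ "$lo" -gt "$hi" ]; then
                 echo "tcp_client_ports '$c' is not a valid lo-hi range"; n=$((n + 1))
             fi ;;
        *)   if is_port "$c"; then              # single port: legal, but hampers client restarts
                 echo "tcp_client_ports '$c' is a single port; a client cannot reconnect until TIME_WAIT expires"
             else
                 echo "tcp_client_ports '$c' is neither a port nor a range"
             fi; n=$((n + 1)) ;;
    esac
    i=$(conf_val "$conf" tcp_client_max_idle)
    case $i in
        '') ;;
        *[!0-9]*) echo "tcp_client_max_idle '$i' is not a number"; n=$((n + 1)) ;;
        *) if [ "$i" -lt $((hb * 2)) ]; then    # guide: at least twice the client heartbeat
               echo "tcp_client_max_idle $i s is below twice the client heartbeat ($hb s)"; n=$((n + 1))
           fi ;;
    esac
    return $n
}
# Constructed sample config: a single client port and an idle timeout below 2x a 20 s heartbeat
tmp=$(mktemp)
printf '%s\n' 'tcp_listen_port = 60' 'tcp_client_ports = 1024' 'tcp_client_max_idle = 30' >"$tmp"
audit_tcp_check "$tmp" 20 || echo "$? finding(s)"
rm -f "$tmp"
```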
Once the daemon configuration in /etc/sysconfig/auditd and /etc/audit/auditd.conf is complete, the next step is to focus on controlling the amount of auditing the daemon does and to assign sufficient resources and limits to the daemon so it can operate smoothly.
30.3 Controlling the Audit System Using auditctl
auditctl is responsible for controlling the status and some basic system parameters of the audit daemon. It controls the amount of auditing performed on the system. Using audit rules, auditctl controls which components of your system are subjected to the audit and to what extent they are audited. Audit rules can be passed to the audit daemon on the auditctl command line as well as by composing a rule set and instructing the audit daemon to process this file. By default, the rcaudit script is configured to check for audit rules under /etc/audit/audit.rules. For more details on audit rules, refer to Section 30.4, "Passing Parameters to the Audit System" (page 347).
Understanding Linux Audit 345