Novell LINUX ENTERPRISE DESKTOP 11 - SECURITY GUIDE 17-03-2009 Manual page 388

-w /etc/passwd -k CFG_passwd -p rwxa
-w /etc/sysconfig/ -k CFG_sysconfig
# an example system call rule
-a entry,always -S umask
### add your own rules
When configuring the basic audit system parameters, such as the backlog parameter -b, test these settings with your intended audit rule set to determine whether the backlog size is appropriate for the level of logging activity caused by your audit rule set. If your chosen backlog size is too small, your system might not be able to handle the audit load and will consult the failure flag (-f) when the backlog limit is exceeded.
IMPORTANT: Choosing the Failure Flag
When choosing the failure flag, note that -f 2 tells your system to perform an immediate shutdown without flushing any pending data to disk when the limits of your audit system are exceeded. Because this shutdown is not a clean shutdown, restrict the use of -f 2 to only the most security conscious environments and use -f 1 (system continues to run, issues a warning and audit stops) for any other setup to avoid loss of data or data corruption.
Directory watches produce less verbose output than separate file watches for the files under these directories. To get detailed logging for your system configuration in /etc/sysconfig, for example, add watches for each individual file. Audit does not support globbing, which means you cannot simply create a rule such as -w /etc/* and expect it to watch everything below /etc.
For better identification in the log file, a key has been added to each of the file and directory watches. Using the key, it is easier to comb the logs for events related to a certain rule. When creating keys, distinguish between mere log file watches and configuration file watches by using an appropriate prefix with the key, in this case LOG for a log file watch and CFG for a configuration file watch. Using the filename as part of the key also makes it easier for you to identify events of this type in the log file.
Another thing to bear in mind when creating file and directory watches is that audit cannot deal with files that do not exist when the rules are created. Any file that is added to your system while audit is already running is not watched unless you extend the rule set to watch this new file.
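The three points above (no globbing, so one watch per file; a CFG_/LOG_ prefix plus the filename as the key; only files that exist at rule-creation time are covered) can be turned into a small rule generator. The script below is an added example and is not part of the SUSE Security Guide or of the audit package; it assumes the auditctl rule syntax shown on this page (-w PATH -k KEY -p PERMS, -b BACKLOG, -f FLAG, and -D to clear existing rules), and the backlog value 320 is a chosen example value, not a recommendation from the guide.

```shell
#!/bin/sh
# Added example, not part of the SUSE Security Guide: generate audit watch
# rules one file at a time, because audit does not expand globs such as
# -w /etc/*. Assumes the auditctl rule syntax used on the page
# (-w PATH -k KEY -p PERMS, -b BACKLOG, -f FLAG, -D to delete all rules).

# audit_rules_header BACKLOG FAILFLAG
# Emits the global settings: flush existing rules (-D), then the backlog size
# and the failure flag. The guide recommends -f 1 outside the most
# security-conscious environments, so that a full backlog does not halt the box.
audit_rules_header() {
    printf '%s\n' "-D" "-b $1" "-f $2"
}

# gen_watch_rules DIR PREFIX [PERMS]
# Prints one -w rule per regular file currently in DIR, keyed PREFIX_filename
# (for example CFG_network). Subdirectories and non-regular files are skipped.
# Caveat from the guide: files created after the rules are loaded are not
# watched, so rerun this and reload the rule set whenever DIR changes.
gen_watch_rules() {
    dir=$1
    prefix=$2
    perms=${3:-wa}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue      # skips the literal "DIR/*" of an empty dir
        name=${f##*/}                # filename only; keys must not contain "/"
        printf '%s\n' "-w $f -k ${prefix}_${name} -p $perms"
    done
}

# Usage: sh gen_audit_rules.sh /etc/sysconfig > sysconfig.rules
# Only runs when a directory argument is given, so sourcing the file is harmless.
if [ $# -ge 1 ]; then
    audit_rules_header 320 1
    gen_watch_rules "$1" CFG wa
fi
```

The generated file can be loaded with auditctl -R (read rules from a file). Because the rules name each file explicitly, a diff of two generated outputs also shows which configuration files appeared or disappeared between runs, which is exactly the gap the guide warns about.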