Configuring Audit Reports - Novell LINUX ENTERPRISE DESKTOP 11 - SECURITY GUIDE 17-03-2009 Manual


For more information about creating custom rules, refer to Section 30.4, "Passing Parameters to the Audit System" (page 347).

IMPORTANT: Changing Audit Rules

Never change audit rules in a running audit system. Always stop the audit daemon with rcauditd stop before touching the audit configuration and reread the audit configuration by restarting the daemon with rcauditd start.

31.5 Configuring Audit Reports

To avoid having to dig through the raw audit logs to get an impression of what your system is currently doing, run custom audit reports at certain intervals. Custom audit reports enable you to focus on areas of interest and get meaningful statistics on the nature and frequency of the events you are monitoring. To analyze individual events in detail, use the ausearch tool.

Before setting up audit reporting, consider the following:

• What types of events do you want to monitor by generating regular reports? Select the appropriate aureport command lines as described in Section 30.5.2, "Generating Custom Audit Reports" (page 357).

• What do you want to do with the audit reports? Decide whether to create graphical charts from the data accumulated or whether it should be transferred into any sort of spreadsheet or database. Set up the aureport command line and further processing similar to the examples shown in Section 31.6, "Configuring Log Visualization" (page 380) if you want to visualize your reports.

• When and at which intervals should the reports run? Set up appropriate automated reporting using cron.

For this example, assume that you are interested in finding out about any attempts to access your audit, PAM, and system configuration. Proceed as follows to find out about file events on your system:

1 Generate a full summary report of all events and check for any anomalies in the summary report, for example, have a look at the "failed syscalls" record, because

Setting Up the Linux Audit Framework 377
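As an added example that is not part of the SUSE guide, the following script strings the aureport and ausearch command lines from this section into a cron-driven nightly job that reports on yesterday's events; REPORT_DIR, the watched-file list and the cron file name are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the SUSE guide): a nightly job that runs the aureport
# and ausearch queries the section describes and files them for review.
# REPORT_DIR and WATCHED_FILES are assumptions for illustration.

REPORT_DIR="${REPORT_DIR:-/var/log/audit/reports}"
# Audit, PAM and system configuration paths whose access attempts we care about.
WATCHED_FILES="/etc/audit/auditd.conf /etc/audit/audit.rules /etc/pam.d /etc/sysconfig"
RANGE="--start yesterday --end today"   # aureport/ausearch time keywords

# Print the aureport command line for one report type over yesterday's events.
report_cmd() {
    case "$1" in
        summary)  echo "aureport --summary $RANGE" ;;                # step 1: overall summary
        failed)   echo "aureport -s -i --failed --summary $RANGE" ;; # failed syscalls, interpreted
        files)    echo "aureport -f -i --summary $RANGE" ;;          # which files were touched, how often
        *)        echo "report_cmd: unknown type '$1'" >&2; return 1 ;;
    esac
}

# Print the ausearch command line that lists every event on one path in detail.
file_events_cmd() {
    echo "ausearch -f $1 -i $RANGE"
}

# Run every report into one dated file per type. Returns 2 if the audit tools are absent.
run_reports() {
    command -v aureport >/dev/null 2>&1 || { echo "aureport not found" >&2; return 2; }
    day=$(date +%Y-%m-%d)
    mkdir -p "$REPORT_DIR"
    for t in summary failed files; do
        $(report_cmd "$t") > "$REPORT_DIR/$day-$t.txt" 2>&1   # unquoted: word-split into argv
    done
    for f in $WATCHED_FILES; do
        { echo "== $f"; $(file_events_cmd "$f"); } >> "$REPORT_DIR/$day-watched.txt" 2>&1
    done
}

# Schedule it, for example in /etc/cron.d/audit-reports (assumed path), shortly after midnight:
#   15 0 * * * root /usr/local/sbin/audit-reports.sh run
if [ "${1:-}" = "run" ]; then
    run_reports
fi
```

Review the dated files the next morning; the "failed" and "watched" reports are the ones that surface access attempts on the audit, PAM and system configuration.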
