Adding Watches On Audit Log Files And Configuration Files - Novell LINUX ENTERPRISE DESKTOP 11 - SECURITY GUIDE 17-03-2009 Manual
Hide thumbs
Also See for LINUX ENTERPRISE DESKTOP 11 - SECURITY GUIDE 17-03-2009:
- Administration manual (338 pages) ,
- Deployment manual (246 pages) ,
- Application manual (364 pages)
Table of Contents
Advertisement
system on a critical error, audit makes sure that no process escapes from its control as
it otherwise might if level 1 (printk) were chosen.
IMPORTANT: Choosing the Failure Flag
Before using your audit rule set on a live system, make sure that the setup has
been thoroughly evaluated on test systems using the worst case production
workload. It is even more critical that you do this when specifying the -f 2
flag, because this instructs the kernel to panic (perform an immediate halt
without flushing pending data to disk) if any thresholds are exceeded. Consider
the use of the -f 2 flag for only the most security-conscious environments.
32.2 Adding Watches on Audit Log
Files and Configuration Files
Adding watches on your audit configuration files and the log files themselves ensures
that you can track any attempt to tamper with the configuration files or detect any at-
tempted accesses to the log files.
NOTE: Creating Directory and File Watches
Creating watches on a directory is not necessarily sufficient if you need events
for file access. Events on directory access are only triggered when the directory's
inode is updated with metadata changes. To trigger events on file access, add
watches for each individual file to monitor.
-w /var/log/audit/
-w /var/log/audit/audit.log
#-w /var/log/audit/audit_log.1
#-w /var/log/audit/audit_log.2
#-w /var/log/audit/audit_log.3
#-w /var/log/audit/audit_log.4
-w /etc/audit/auditd.conf -p wa
-w /etc/audit/audit.rules -p wa
-w /etc/libaudit.conf -p wa
-w /etc/sysconfig/auditd -p wa
Introducing an Audit Rule Set
385
Advertisement
Table of Contents
