Monitoring Security Configuration Files And Databases - Novell LINUX ENTERPRISE DESKTOP 11 - SECURITY GUIDE 17-03-2009 Manual

Enable an audit context for system calls related to changing file ownership and
permissions. Depending on the hardware architecture of your system, enable or
disable the *32 rules. 64-bit systems, like x86_64 and ia64, require the *32 rules
to be removed.

Enable an audit context for system calls related to file content modification.
Depending on the hardware architecture of your system, enable or disable the *64
rules. 64-bit systems, like x86_64 and ia64, require the *64 rules to be removed.

Enable an audit context for any directory operation, like creating or removing a
directory.

Enable an audit context for any linking operation, such as symlink, link, unlink,
or rename.

Enable an audit context for any operation related to extended file system attributes.

Enable an audit context for the mknod system call, which creates special (device)
files.

Enable an audit context for any mount or umount operation. For the x86_64
architecture, disable the umount rule. For the ia64 architecture, disable the umount2
rule.

32.4 Monitoring Security Configuration Files and Databases

To make sure that your system is not made to do undesired things, track any attempts
to change the cron and at configurations or the lists of scheduled jobs. Tracking any
write access to the user, group, password and login databases and logs helps you
identify any attempts to manipulate your system's user database.

Tracking changes to your system configuration (kernel, services, time, etc.) helps you
spot any attempts by others to manipulate essential functionality of your system.
Changes to the PAM configuration should also be monitored in a secure environment,
because changes in the authentication stack should not be made by anyone other than
the administrator, and it should be logged which applications are using PAM and how
it is used.
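
The following is an added example, not part of the original guide: a small check that reads an audit rules file and reports which of the file classes named above (cron and at configuration, user and login databases, PAM) have no watch for write and attribute-change access. The path list, the rule keys and the sample rules are assumptions built for illustration; adjust the paths to your system.

```bash
#!/usr/bin/env bash
# Added example: the paths are assumed common locations, adjust per system.
REQUIRED_WATCHES="/etc/crontab /etc/cron.d /var/spool/cron /etc/at.allow
/etc/at.deny /etc/passwd /etc/group /etc/shadow /var/log/lastlog /etc/pam.d"

# Print each required path lacking a "-w <path>" rule whose -p filter
# includes both w (write) and a (attribute change).
missing_watches() {
    rules_file=$1
    for req in $REQUIRED_WATCHES; do
        awk -v want="$req" '
            /^[ \t]*#/ { next }                 # skip comment lines
            {
                watched = ""; perms = "rwxa"    # assumption: no -p means all access types
                for (i = 1; i < NF; i++) {
                    if ($i == "-w") watched = $(i + 1)
                    if ($i == "-p") perms = $(i + 1)
                }
                sub(/\/$/, "", watched)         # /etc/cron.d/ equals /etc/cron.d
                if (watched == want && perms ~ /w/ && perms ~ /a/) found = 1
            }
            END { exit !found }
        ' "$rules_file" || printf '%s\n' "$req"
    done
}

# Constructed sample rules file (not from the guide): /etc/shadow is only
# watched for reads and /etc/pam.d has no watch at all.
sample_rules() {
    cat <<'EOF'
# scheduled jobs
-w /etc/crontab -p wa -k cron
-w /etc/cron.d/ -p wa -k cron
-w /var/spool/cron -p wa -k cron
-w /etc/at.allow -p wa -k at
-w /etc/at.deny -p wa -k at
# user, group, password and login databases
-w /etc/passwd -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/shadow -p r -k identity
-w /var/log/lastlog -k login
EOF
}

# Demo run over the sample: prints /etc/shadow and /etc/pam.d
tmp=$(mktemp); sample_rules > "$tmp"; missing_watches "$tmp"; rm -f "$tmp"
```

To check a real system, call `missing_watches` with the path of the rules file that is loaded at boot.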
Introducing an Audit Rule Set