Novell LINUX ENTERPRISE SERVER 11 - SECURITY Manual page 403
Hide thumbs
Also See for LINUX ENTERPRISE SERVER 11 - SECURITY:
- Installation (5 pages) ,
- Administration manual (452 pages)
Table of Contents
Advertisement
Example 30.3 Example Audit Rules—File System Auditing
-w /etc/shadow
-w /etc -p rx
-w /etc/passwd -k fk_passwd -p rwxa
The -w option tells audit to add a watch to the file specified, in this case /etc/
shadow. All system calls requesting access permissions to this file are analyzed.
This rule adds a watch to the /etc directory and applies permission filtering for
read and execute access to this directory (-p wx). Any system call requesting
any of these two permissions is analyzed. Only the creation of new files and the
deletion of existing ones are logged as directory-related events. To get more spe-
cific events for files located under this particular directory, you should add a sep-
arate rule for each file. A file must exist before you add a rule containing a watch
on it. Auditing files as they are created is not supported.
This rule adds a file watch to /etc/passwd. Permission filtering is applied for
read, write, execute, and attribute change permissions. The -k option allows you
to specify a key to use to filter the audit logs for this particular event later (e.g.
with ausearch). You may use the same key on different rules in order to be
able to group rules when searching for them. It is also possible to apply multiple
keys to a rule.
System call auditing lets you track your system's behavior on a level even below the
application level. When designing these rules, consider that auditing a great many system
calls may increase your system load and cause you to run out of disk space due. Con-
sider carefully which events need tracking and how they can be filtered to be even more
specific.
Example 30.4 Example Audit Rules—System Call Auditing
-a entry,always -S mkdir
-a entry,always -S access -F a1=4
-a exit,always -S ipc -F a0=2
-a exit,always -S open -F success!=0
-a task,always -F auid=0
-a task,always -F uid=0 -F auid=501 -F gid=wheel
This rule activates auditing for the mkdir system call. The -a option adds system
call rules. This rule triggers an event whenever the mkdir system call is entered
(entry, always). The -S option adds the system call to which this rule should
be applied.
Understanding Linux Audit
389
Advertisement
Table of Contents
Subscribe to Our Youtube Channel
Related Manuals for Novell LINUX ENTERPRISE SERVER 11 - SECURITY
Related Products for Novell LINUX ENTERPRISE SERVER 11 - SECURITY
- NOVELL LINUX ENTERPRISE DESKTOP 10 - IPRINT CLIENT
- NOVELL LINUX ENTERPRISE DESKTOP 11 - OPENOFFICE
- NOVELL LINUX ENTERPRISE SERVER 10 - STORAGE ADMINISTRATION GUIDE FOR EVMS
- NOVELL LINUX ENTERPRISE SERVER 11 - STORAGE ADMINISTRATION GUIDE 2-23-2010
- NOVELL LINUX ENTERPRISE SERVER 11 - DEPLOYMENT
- NOVELL LINUX ENTERPRISE SERVER 11 - VIRTUALIZATION
- NOVELL LINUX ENTERPRISE SERVER STARTER SYSTEM
- NOVELL LINUX ENTERPRISE DESKTOP 10
- NOVELL LINUX ENTERPRISE SERVER 10 SP2 - VIRTUALIZATION WITH XEN
- Novell eBook Reader
- NOVELL LINUX ENTERPRISE DESKTOP 11 - GNOME
- NOVELL LINUX ENTERPRISE DESKTOP 11 - KDE
- NOVELL LINUX ENTERPRISE DESKTOP 11 - ADMINISTRATION GUIDE 17-03-2009
- NOVELL LINUX ENTERPRISE DESKTOP 11 - GNOME 17-03-2009
- NOVELL LINUX ENTERPRISE DESKTOP 11 - KDE 17-03-2009
- Novell 3.6 05-2008
Need help?
Do you have a question about the LINUX ENTERPRISE SERVER 11 - SECURITY and is the answer not in the manual?