6 Generate logs and configure tailor-made reports. Refer to Section 31.5, "Configuring Audit Reports" (page 417) for details.
7 Configure optional log visualization. Refer to Section 31.6, "Configuring Log Visualization" (page 420) for details.
IMPORTANT: Controlling the Audit Daemon
Before configuring any of the components of the audit system, make sure that the audit daemon is not running by entering rcauditd status as root. On a default SUSE Linux Enterprise Server system, audit is started on boot, so you need to turn it off by entering rcauditd stop. Start the daemon after configuring it with rcauditd start.
31.1 Determining the Components to Audit
Before setting out to create your own audit configuration, determine to which degree you want to use it. Check the following rules of thumb to determine which use case best applies to you and your requirements:
• If you require a full security audit for CAPP/EAL certification, enable full audit for system calls and configure watches on various configuration files and directories, similar to the rule set featured in Chapter 32, Introducing an Audit Rule Set (page 423). Proceed to Section 31.3, "Enabling Audit for System Calls" (page 414).
• If you require an occasional audit of a system call instead of a permanent audit for system calls, use autrace. Proceed to Section 31.3, "Enabling Audit for System Calls" (page 414).
• If you require file and directory watches to track access to important or security-sensitive data, create a rule set matching these requirements. Enable audit as described in Section 31.3, "Enabling Audit for System Calls" (page 414) and proceed to Section 31.4, "Setting Up Audit Rules" (page 415).
412 Security Guide
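The three use cases above, worked through as an added shell example that is not part of the SUSE Security Guide: one function drafts an audit.rules fragment for the permanent full system call audit, one drafts file and directory watches, one wraps autrace for the one-off case, and one installs a rule set with the daemon stopped and restarted as the IMPORTANT note requires. It assumes auditctl, autrace and the rcauditd init script from the audit package are installed; the watched paths and the -k key names are illustrative choices, not taken from the guide.

```shell
#!/bin/sh
# Added example, not code from the SUSE Security Guide.  Drafts an audit.rules
# fragment for the use cases described above and applies it the way the
# IMPORTANT note requires (daemon stopped while rules are installed).
# Assumptions: auditctl, autrace and the rcauditd init script are installed
# (audit package on SUSE Linux Enterprise Server 11); the watched paths and
# the -k key names are illustrative choices, not taken from the guide.

# Use case 1: permanent, full system call audit (CAPP/EAL style).
# "-D" flushes any rules already loaded, "-b" sets the kernel buffer size,
# "-S all" matches every system call, "-k" tags records for ausearch -k.
rules_full_syscall() {
    printf '%s\n' \
        '-D' \
        '-b 8192' \
        '-a exit,always -S all -k capp_syscalls'
}

# Use case 3: watches on security-sensitive files and directories.
# "-p wa" records writes and attribute changes (ownership, mode) only, so
# ordinary reads of the files do not flood the log.
rules_file_watches() {
    printf '%s\n' \
        '-D' \
        '-b 8192' \
        '-w /etc/passwd -p wa -k identity' \
        '-w /etc/shadow -p wa -k identity' \
        '-w /etc/audit/ -p wa -k audit_config' \
        '-w /etc/sysconfig/ -p wa -k sysconfig'
}

# Write the selected rule set to a file and print the path.  The default
# target is a scratch file, so drafting needs no root; pass
# /etc/audit/audit.rules as the second argument to install the rules.
write_rules() {
    usecase=$1
    out=${2:-/tmp/audit.rules.draft}
    case $usecase in
        full)    rules_full_syscall > "$out" ;;
        watches) rules_file_watches > "$out" ;;
        *)       echo "unknown use case: $usecase (full|watches)" >&2; return 1 ;;
    esac
    echo "$out"
}

# Use case 2: one-off trace of a single program with autrace instead of
# permanent rules.  autrace refuses to start while any rules are loaded,
# so the loaded rule set is deleted first; the PID that autrace prints is
# what you pass to "ausearch -p" afterwards.
trace_once() {
    auditctl -D >/dev/null
    autrace "$@"
}

# Install a rule set with the daemon stopped, then start it again (run as root).
apply_rules() {
    if rcauditd status >/dev/null 2>&1; then
        rcauditd stop
    fi
    write_rules "$1" /etc/audit/audit.rules >/dev/null
    rcauditd start
}
```

Drafting with `write_rules watches` writes to /tmp and can be inspected without root; `apply_rules watches` as root installs the same rules into /etc/audit/audit.rules with auditd stopped in between; `trace_once /usr/bin/less /etc/sysconfig/auditd` covers the occasional-audit case without leaving permanent rules behind. Note that `-S all` on a busy system produces a very large volume of records, which is why the guide reserves it for the certification use case.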