User manual NOVELL LINUX ENTERPRISE 10 SP1 LINUX AUDIT QUICK GUIDE


Manual abstract: user guide NOVELL LINUX ENTERPRISE 10 SP1 LINUX AUDIT QUICK GUIDE


[. . . ]

Enabling Audit

Your first tasks when enabling audit are:

1 Enabling System Call Auditing

Because you need system call auditing capabilities even when you are configuring plain file or directory watches, enable audit contexts for system calls.

Enabling System Call Auditing for One Session Only: Enable with auditctl -e 1 and disable with auditctl -e 0. These settings are not persistent and do not survive a reboot.

Enabling System Call Auditing Permanently: Permanently enable audit contexts for system calls by changing AUDITD_DISABLE_CONTEXTS in /etc/sysconfig/auditd from yes to no. To permanently disable audit contexts for system calls, revert this setting to yes. Restart the audit daemon to apply the new configuration with rcauditd restart.

Make sure that your system provides enough disk space to store large audit logs, and test your audit rule set extensively before rolling it out to a production system.

[. . . ] When you need detailed file-related records, enable separate file watches for all files of interest. Any files added while the audit daemon is already running are ignored until the audit rule set is updated to watch the new files.

Assigning keys to your audit rules helps you identify the records related to a rule in the logs. An example rule plus key:

-w /var/log/audit/ -k LOG_audit

The -k option attaches a text string to any event that is recorded in the logs because of this rule. With the ausearch log analyzer, you can then easily identify any events related to this particular rule.

A sample system call audit rule could look like the following:

-a entry,always -S umask

This adds the rule to the system call entry list (-a) and logs an event whenever this system call is used (entry,always). For more information about audit rules, refer to The Linux Audit Framework and the manual page of auditctl (auditctl(8)).

[. . . ] To get detailed information about any of the event categories listed, run individual reports for the event type.
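The rule set described above, written out as an audit.rules file together with a small pre-load check. This is an added example, not code from the SUSE guide: the file name used in the demo, the extra watches on /etc/sysconfig/auditd and /etc/audit/audit.rules, and the key names other than LOG_audit are this example's own choices. The check enforces two things a practitioner wants before loading rules on a production system: watch paths are absolute, and every rule carries a -k key so its records can be found again with ausearch.

```shell
#!/bin/sh
# Added example (not from the SUSE guide): emit the rule set discussed above
# as an audit.rules file and lint it before it is loaded.  File names and the
# extra keys/watches are assumptions made for this example.

# The rule set.  Every rule carries a -k key so that ausearch -k and the
# per-key summaries can isolate the records each rule produces.
audit_rules() {
    cat <<'EOF'
# Drop rules loaded earlier so this file is the whole rule set
-D
# Turn auditing on for this session (auditctl -e 0 turns it off again).
# The persistent state is governed by AUDITD_DISABLE_CONTEXTS in
# /etc/sysconfig/auditd, not by this line.
-e 1
# Directory watch with a key, as in the guide
-w /var/log/audit/ -k LOG_audit
# Separate watches for individual files of interest (w = write, a = attribute change)
-w /etc/sysconfig/auditd -p wa -k CFG_auditd
-w /etc/audit/audit.rules -p wa -k CFG_rules
# System call rule on the entry list: record every umask() call
-a entry,always -S umask -k SC_umask
EOF
}

# Lint a rules file: watch paths should be absolute (a watch names a path in
# the filesystem, not something relative to the daemon's directory) and every
# -w/-a rule should carry a -k key, otherwise its records are hard to pick out
# of the log later.  One line per finding; the exit status is the number of
# findings, so 0 means clean.
audit_rules_lint() {
    awk '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blank lines
    {
        is_rule = 0; has_key = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "-w") {
                is_rule = 1
                if ($(i + 1) !~ /^\//) { print "relative watch path: " $0; bad++ }
            }
            if ($i == "-a") is_rule = 1
            if ($i == "-k") has_key = 1
        }
        if (is_rule && !has_key) { print "rule without -k key: " $0; bad++ }
    }
    END { exit bad + 0 }' "$1"
}

# Typical use: generate, lint, then load with auditctl -R or let rcauditd read
# /etc/audit/audit.rules when it is (re)started.  Run as: sh this_script.sh demo
case "${1:-}" in
    demo)
        audit_rules > /tmp/audit.rules.example
        if audit_rules_lint /tmp/audit.rules.example; then
            echo "rule set is clean; load with: auditctl -R /tmp/audit.rules.example"
        fi
        ;;
esac
```

The lint deliberately counts a missing key on a syscall rule as a finding even though auditctl accepts such a rule: without a key, the only way to find the rule's records later is to search by syscall number, which is exactly the situation the guide's advice about keys is meant to avoid.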
aureport --success
Run this report to get statistics of successful events on your system. To get detailed information for a particular event type, run the individual report adding the --success option to filter for successful events of this type, for example aureport -f --success to display all successful file-related events.

aureport --failed
Run this report to get statistics of failed events on your system. To get detailed information for a particular event type, run the individual report adding the --failed option to filter for failed events of this type, for example aureport -f --failed to display all failed file-related events.

aureport -l
Run this report to generate a numbered list of all login-related events. The report includes date, time, audit ID, host and terminal used, name of the executable, success or failure of the attempt, and an event ID.

aureport -p
Run this report to generate a numbered list of all process-related events, including date, time, process ID, name of the executable, system call, audit ID, and event number.

aureport -f
Run this report to generate a numbered list of all file-related events, including date, time, process ID, name of the executable, system call, audit ID, and event number.

aureport -u
Run this report to find out which users are running what executables on your system. It generates a numbered list of all user-related events, including date, time, audit ID, terminal used, host, name of the executable, and an event ID.

Use the -ts and -te options (start time and end time) with any of the above commands to limit a report to a certain time frame. Use the -i option with any of these commands to transform numeric entities to human-readable text. The following command creates a file report for the time between 8 am and 5:30 pm on the current day and converts numeric entries to text. [. . . ]

Invoking ausearch -m without a message type displays a list of all message types.

ausearch -f filename
Run this search to find records containing a certain filename. For example, run ausearch -f /foo/bar for all records related to the /foo/bar file. Using the filename alone (ausearch -f bar) would work as well, but using a relative path would not. [. . . ]
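To show what the searches and reports above actually do with the records, here is an added sh+awk work-alike of ausearch -k, ausearch -f and the aureport success/failed counts, run over a constructed audit.log sample so it works offline. It is not the guide's code and the log lines are invented (the record layout follows the kernel audit format: a type= field, the event serial after msg=audit(timestamp:serial), key="..." on SYSCALL records and name="..." on PATH records, but the values are made up). The file search implements the rule stated in the text: an absolute path or a bare file name matches, a relative path does not.

```shell
#!/bin/sh
# Added example, not from the SUSE guide: a minimal ausearch/aureport
# work-alike over a constructed audit.log sample (values are invented).

sample_log() {
    cat <<'EOF'
type=SYSCALL msg=audit(1180000000.100:101): arch=c000003e syscall=2 success=yes exit=3 ppid=1 pid=2345 auid=1000 uid=0 gid=0 euid=0 comm="cat" exe="/bin/cat" key="LOG_audit"
type=CWD msg=audit(1180000000.100:101): cwd="/root"
type=PATH msg=audit(1180000000.100:101): item=0 name="/var/log/audit/audit.log" inode=12345 dev=08:02 mode=0100600 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1180000000.200:102): arch=c000003e syscall=2 success=no exit=-13 ppid=2000 pid=2346 auid=1001 uid=1001 gid=100 euid=1001 comm="vim" exe="/usr/bin/vim" key="CFG_auditd"
type=CWD msg=audit(1180000000.200:102): cwd="/home/alice"
type=PATH msg=audit(1180000000.200:102): item=0 name="/etc/sysconfig/auditd" inode=6789 dev=08:02 mode=0100640 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1180000000.300:103): arch=c000003e syscall=95 success=yes exit=18 ppid=2000 pid=2347 auid=1000 uid=1000 gid=100 euid=1000 comm="bash" exe="/bin/bash" key="SYSCALL_umask"
type=USER_LOGIN msg=audit(1180000000.400:104): user pid=3000 uid=0 auid=1001 msg='acct="alice": exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=success'
EOF
}

# awk helpers shared by the functions below: event serial, a named field
# (quoted or bare), and the last path component.
AWK_LIB='
function serial(s,   m) {
    if (!match(s, /msg=audit\([0-9.]+:[0-9]+\)/)) return ""
    m = substr(s, RSTART, RLENGTH); sub(/.*:/, "", m); sub(/\)/, "", m)
    return m
}
function field(s, name,   t, v) {
    t = " " s
    if (!match(t, " " name "=")) return ""
    v = substr(t, RSTART + RLENGTH)
    if (substr(v, 1, 1) == "\"") { v = substr(v, 2); sub(/".*/, "", v) } else sub(/ .*/, "", v)
    return v
}
function basename(p) { sub(/.*\//, "", p); return p }
'

# ausearch work-alike.  mode "key": events whose SYSCALL record carries
# key="ARG" (ausearch -k).  mode "file": events with a PATH record naming ARG
# (ausearch -f); an absolute path or a bare file name matches, a relative
# path such as etc/passwd does not.  All records of a matching event are
# printed, as ausearch does.
audit_search() {
    sample_log | awk -v mode="$1" -v arg="$2" "$AWK_LIB"'
    {
        id = serial($0)
        if (!(id in ev)) order[++n] = id
        ev[id] = ev[id] $0 "\n"
        if (mode == "key" && $1 == "type=SYSCALL" && field($0, "key") == arg) hit[id] = 1
        if (mode == "file" && $1 == "type=PATH") {
            name = field($0, "name")
            if (name == arg || (arg !~ /\// && basename(name) == arg)) hit[id] = 1
        }
    }
    END { for (i = 1; i <= n; i++) if (order[i] in hit) printf "%s", ev[order[i]] }'
}

# Number of events audit_search returns (one SYSCALL record per event here).
audit_count() { audit_search "$1" "$2" | awk '/^type=SYSCALL/ { c++ } END { print c + 0 }'; }

# aureport work-alike over SYSCALL records: "success"/"failed" print the count
# of successful/failed system calls (aureport --success / --failed); "keys"
# prints one "count key" line per rule key, a quick way to see which rules fire.
audit_report() {
    sample_log | awk -v what="$1" "$AWK_LIB"'
    $1 == "type=SYSCALL" {
        if (field($0, "success") == "yes") ok++; else failed++
        k = field($0, "key"); if (k != "") keys[k]++
    }
    END {
        if (what == "success") print ok + 0
        else if (what == "failed") print failed + 0
        else for (k in keys) print keys[k], k
    }'
}

# Run as: sh this_script.sh demo
case "${1:-}" in
    demo)
        echo "== events tagged LOG_audit =="; audit_search key LOG_audit
        echo "== events naming auditd (bare file name) =="; audit_search file auditd
        echo "== failed system calls: $(audit_report failed)"
        echo "== events per key =="; audit_report keys
        ;;
esac
```

Grouping by serial is the point to take away: a watch or syscall rule produces one event made of several records (SYSCALL, CWD, PATH), and only the SYSCALL record carries the key, so a search that greps for the key string alone would return the SYSCALL line without the PATH line that says which file was touched.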
