User manual NOVELL LINUX ENTERPRISE SERVER 11 SP1 LINUX AUDIT QUICK START

[. . . ] The default settings as shipped with SUSE Linux Enterprise should be sufficient for most setups. log_file = /var/log/audit/audit. log log_format = RAW log_group = root priority_boost = 4 1 flush = INCREMENTAL freq = 20 num_logs = 4 disp_qos = lossy dispatcher = /usr/sbin/audispd name_format = NONE #name = mydomain max_log_file = 5 max_log_file_action = ROTATE space_left = 75 space_left_action = SYSLOG action_mail_acct = root admin_space_left = 50 admin_space_left_action = SUSPEND disk_full_action = SUSPEND disk_error_action = SUSPEND #tcp_listen_port = tcp_listen_queue = 5 #tcp_client_ports = 1024-65535 tcp_client_max_idle = 0 Most of the settings in this file concern the audit log files and how the logging is done. The most important settings all concern the actions the daemon should take when encountering certain critical conditions or errors (system low on disk space, system out of disk space, or disk error) and when to warn the administrator about these conditions. These actions are customizable and range from a mere warning in syslog to a complete halt of the system. [. . . ] aureport -l Run this command to generate a numbered list of all login-related events. The report includes date, time, audit ID, host and terminal used, name of the executable, success or failure of the attempt, and an event ID. aureport -p Run this report to generate a numbered list of all process-related events. This command generates a numbered list of all process events including date, time, process ID, name of the executable, system call, audit ID, and event number. aureport -f Run this report to generate a numbered list of all filerelated events. This command generates a numbered list of all process events including date, time, process ID, name of the executable, system call, audit ID and event number. aureport -u Run this report to find out which users are running what executables on your system. This command generates a numbered list of all user-related events including date, time, audit ID, terminal used, host, name of the executable, and an event ID. Use the -ts and -te (for start time and end time) options with any of the above commands to limit your reports to a certain time frame. Use the -i option with any of these commands to transform numeric entities to human-readable text. The following command creates a file report for the time between 8 am and 5:30 pm on the current day and converts numeric entries to text. aureport -ts 8:00 -te 17:30 -f -i Generating Reports Every audit event is recorded in the audit log, /var/log/ audit/audit. log. To avoid having to read the raw audit log, configure custom audit reports with aureport and run them regularly. Use the aureport tool to create various types of reports filtering for different fields of the audit records in the log. The output of any aureport command is printed in column format and can easily be piped to other commands for further processing. Because the aureport commands are scriptable, you can easily create custom report scripts to run at certain intervals to gather the audit information for you. aureport --summary Run this report to get a rough overview of the current audit statistics (events, logins, processes, etc. ). To get detailed information about any of the event categories listed, run individual reports for the event type. aureport --success Run this report to get statistics of successful events on your system. To get detailed information for a particular event type, run the individual report adding the --success option to filter for successful events of this type, for example, aureport -f -success to display all successful file-related events. Analyzing Audit Log Files and Reports While aureport helps you generate custom reports focusing on a certain area, ausearch helps you to find the detailed log entry of individual events: ausearch -a audit_event_id Run this search to view all records carrying a particular audit event ID. Each audit event message is logged along with a message ID consisting of a UNIX epoch time stamp plus a unique event ID separated by a colon. All events that are logged from one application's system call have the same event ID. [. . . ] By reproducing, duplicating or distributing this manual you explicitly agree to conform to the terms and conditions of this license agreement. This manual may be freely reproduced, duplicated and distributed either as such or as part of a bundled package in electronic and/or printed format, provided however that the following conditions are fulfilled: That this copyright notice and the names of authors and contributors appear clearly and distinctively on all reproduced, duplicated and distributed copies. That this manual, specifically for the printed format, is reproduced and/or distributed for noncommercial use only. The express authorization of Novell, Inc must be obtained prior to any other use of any manual or part thereof. [. . . ]