
Linux Audit Quick Start
SUSE Linux Enterprise 11 SP1
Linux audit allows you to comprehensively log and track any access to files, directories, or resources of your system and trace system calls. It enables you to monitor your system for application misbehavior or code malfunctions. By creating a sophisticated set of rules including file watches and system call auditing, you can make sure that any violation of your security policies is noticed and properly addressed.
NOVELL® QUICK START CARD
To set up Linux audit on your system, proceed as follows:
1. Stop the audit daemon that is running by default with the rcauditd stop command.
2. Adjust the system configuration for audit and enable audit.
3. Configure the audit daemon.
4. Determine which system components to audit and set up audit rules.
5. Start the audit daemon after you have completed the configuration of the audit system using the rcauditd start command.
6. Determine which reports to run and configure these reports.
7. Analyze the audit logs and reports.
8. (Optional) Analyze individual system calls with autrace.
IMPORTANT: Users Entitled to Work with Audit
The audit tools, configuration files, and logs are only available to root. This protects audit from ordinary users of the system. To manipulate any aspect of audit, you must be logged in as root.
Enabling Audit
Your first task when enabling audit is to activate system call auditing, since system call auditing capabilities are needed even when you are only configuring plain file or directory watches:
Enabling System Call Auditing for One Session Only
Enable with auditctl -e 1 and disable with auditctl -e 0. These settings are not persistent and do not survive a reboot.
Enabling System Call Auditing Permanently
Permanently enable audit contexts for system calls by changing AUDITD_DISABLE_CONTEXTS in /etc/sysconfig/auditd from yes to no. To permanently disable audit contexts for system calls, revert this setting to yes. This configuration will be applied with the next start of the audit daemon.
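The permanent switch above is a single variable in /etc/sysconfig/auditd. The following POSIX shell helper is an added example, not part of the Quick Start card or of the audit package: it rewrites AUDITD_DISABLE_CONTEXTS in a sysconfig-style file and reads the value back so a failed write is noticed. The file path is a parameter so the helper can be tried on a scratch copy first; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the Quick Start card): toggle the persistent
# AUDITD_DISABLE_CONTEXTS setting in a sysconfig file and read it back.
# The file is an argument so the helper can be exercised on a scratch copy
# before it is pointed at /etc/sysconfig/auditd.

# Print the current value of AUDITD_DISABLE_CONTEXTS with quotes stripped,
# or "unset" when the file does not define the variable.
audit_contexts_disabled() {
    file=$1
    val=$(sed -n 's/^[[:space:]]*AUDITD_DISABLE_CONTEXTS[[:space:]]*=[[:space:]]*"\{0,1\}\([a-z]*\)"\{0,1\}.*$/\1/p' "$file" | tail -n 1)
    if [ -n "$val" ]; then
        printf '%s\n' "$val"
    else
        printf 'unset\n'
    fi
}

# Set AUDITD_DISABLE_CONTEXTS to "yes" (contexts off) or "no" (contexts on).
# An existing assignment is rewritten in place; otherwise the line is appended.
# The rewritten content is copied back over the original file with cat so the
# file keeps its owner and mode; the value is then read back to confirm.
audit_set_contexts() {
    file=$1
    want=$2
    case $want in
        yes|no) ;;
        *) echo "audit_set_contexts: value must be yes or no, got '$want'" >&2; return 2 ;;
    esac
    if grep -q '^[[:space:]]*AUDITD_DISABLE_CONTEXTS[[:space:]]*=' "$file"; then
        tmp=$(mktemp) || return 1
        sed 's/^[[:space:]]*AUDITD_DISABLE_CONTEXTS[[:space:]]*=.*$/AUDITD_DISABLE_CONTEXTS="'"$want"'"/' "$file" > "$tmp" &&
            cat "$tmp" > "$file"
        rm -f "$tmp"
    else
        printf 'AUDITD_DISABLE_CONTEXTS="%s"\n' "$want" >> "$file"
    fi
    [ "$(audit_contexts_disabled "$file")" = "$want" ]
}

# Demonstration on a constructed scratch file, not the real sysconfig file.
demo=$(mktemp)
printf '## Type: yesno\n## Default: yes\nAUDITD_DISABLE_CONTEXTS="yes"\n' > "$demo"
echo "before: $(audit_contexts_disabled "$demo")"
audit_set_contexts "$demo" no      # the permanent enable step: yes -> no
echo "after:  $(audit_contexts_disabled "$demo")"
rm -f "$demo"
```

Run as root against /etc/sysconfig/auditd once the scratch run looks right; as the card notes, the new value only takes effect when the audit daemon is started next.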
Configuring Audit
The configuration of the audit daemon is contained in the /etc/audit/auditd.conf configuration file. The default settings as shipped with SUSE Linux Enterprise should be sufficient for most setups.
log_file = /var/log/audit/audit.log
log_format = RAW
log_group = root
priority_boost = 4
flush = INCREMENTAL
freq = 20
num_logs = 4
disp_qos = lossy
dispatcher = /usr/sbin/audispd
name_format = NONE
#name = mydomain
max_log_file = 5
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
#tcp_listen_port =
tcp_listen_queue = 5
#tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
Most of the settings in this file concern the audit log files
and how the logging is done. The most important settings
all concern the actions the daemon should take when encountering certain critical conditions or errors (system low
on disk space, system out of disk space, or disk error) and
when to warn the administrator about these conditions.
These actions are customizable and range from a mere
warning in syslog to a complete halt of the system. For more
information about /etc/audit/auditd.conf, refer to
The Linux Audit Framework manual and the manual page
of auditd.conf (auditd.conf(8)).
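Because the critical-condition settings decide whether the daemon merely logs a warning or halts the host, it pays to check a candidate auditd.conf before installing it. The script below is an added example, not part of the card or of the audit package: it reads key = value pairs from a file, verifies that the space_left warning threshold is higher than the admin_space_left threshold (both are compared against free megabytes on the log partition, so the warning must fire first), and checks that each action is one of the names auditd.conf(8) accepts. The function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the Quick Start card): sanity-check the
# critical-condition settings of an auditd.conf style file before it is
# installed as /etc/audit/auditd.conf. The path is an argument so a
# candidate copy can be checked first.

# Print the value of KEY from FILE; "key = value" lines, comments ignored.
auditd_conf_get() {
    file=$1
    key=$2
    awk -F'=' -v k="$key" '
        /^[ \t]*#/ || NF < 2 { next }
        {
            name = $1; sub(/^[ \t]+/, "", name); sub(/[ \t]+$/, "", name)
            if (name != k) next
            val = $2; sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
            print val
            exit
        }
    ' "$file"
}

# Return 0 when the disk-space thresholds and actions are coherent, 1 otherwise;
# one line per problem is printed. Allowed action names follow auditd.conf(8).
auditd_conf_check() {
    file=$1
    rc=0
    space=$(auditd_conf_get "$file" space_left)
    admin=$(auditd_conf_get "$file" admin_space_left)
    for n in "$space" "$admin"; do
        case $n in
            ''|*[!0-9]*) echo "space_left and admin_space_left must be whole numbers of MB"; return 1 ;;
        esac
    done
    # Both thresholds are compared against free MB on the log partition; the
    # warning must fire before the admin action, so space_left must be larger.
    if [ "$space" -le "$admin" ]; then
        echo "space_left ($space) must be greater than admin_space_left ($admin)"
        rc=1
    fi
    for key in space_left_action admin_space_left_action disk_full_action disk_error_action; do
        act=$(auditd_conf_get "$file" "$key" | tr 'A-Z' 'a-z')
        allowed="ignore syslog exec suspend single halt"
        case $key in
            *space_left_action) allowed="$allowed email" ;;   # email only exists for the space_left pair
        esac
        case " $allowed " in
            *" $act "*) ;;
            *) echo "$key: '$act' is not one of: $allowed"; rc=1 ;;
        esac
        # An email action needs a recipient.
        if [ "$act" = email ] && [ -z "$(auditd_conf_get "$file" action_mail_acct)" ]; then
            echo "$key is email but action_mail_acct is empty"
            rc=1
        fi
    done
    return $rc
}

# Demonstration on a constructed file carrying the card's shipped values.
demo=$(mktemp)
cat > "$demo" <<'EOF'
log_file = /var/log/audit/audit.log
max_log_file = 5
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
EOF
if auditd_conf_check "$demo"; then echo "auditd.conf: OK"; fi
rm -f "$demo"
```

The check deliberately stops at coherence: whether SUSPEND, SINGLE or HALT is the right response to a full log partition is a policy decision for the site, which the card leaves to the administrator.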
Setting Up Audit Rules
Audit rules are used to specify which components of your
system are audited. There are three basic types of audit
rules:
• Basic audit system parameters
• File and directory watches
• System call audits
Before creating an audit rule set and before rolling it out
to your system, carefully determine which components to
audit. Extensive auditing causes a substantial logging load.
Make sure that your system provides enough disk space to
store large audit logs and test your audit rule set extensively
before rolling it out to a production system.
Audit rules can either be passed to the audit system by the command line using auditctl or bundled into a rules file located under /etc/audit/audit.rules that is read during the start of the audit daemon:
# basic audit system parameters
-D
-b 8192
-f 1
-e 1
# some file and directory watches
-w /var/log/audit/
-w /etc/audit/auditd.conf -p rxwa
-w /etc/audit/audit.rules -p rxwa
-w /etc/passwd -p rwxa
-w /etc/sysconfig/
# an example system call rule
-a entry,always -S umask
The basic audit system parameters include a rule to delete any preexisting rules (-D) to avoid clashes with the new rules, a rule that sets the number of outstanding audit buffers (-b), the failure flag (-f), and the enable flag (-e):
-b
Depending on the audit load of your system, increase or decrease the number of outstanding audit buffers. If there are no more buffers left, the kernel checks the failure flag for action.
-f
The failure flag controls the kernel's reaction to critical errors. Possible values are 0 (silent), 1 (printk, print a failure message), and 2 (panic, bring the system down—no clean shutdown and risk of data loss or corruption).
-e
If set to 1, this enables audit and audit contexts for system calls. Setting it to 2 does the same, but also locks down the configuration. Set to 0, audit is disabled. This flag is used to enable or disable audit temporarily.
File system watches can be added whenever you want to track files or directories for unauthorized access. Typical examples would include watching the audit configuration and logs and user and security databases. Use permission filtering to focus on those system calls requesting the permissions in which you are interested:
-w /etc/audit/audit.rules -p rxwa
The -p flag enables permission filtering. This example has permission filtering turned on for read, write, execute, and attribute change permissions.
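A rules file is read top to bottom, so its order matters: -D discards whatever is loaded above it, and once -e 2 has locked the configuration every later rule is rejected. The script below is an added example, not part of the card or of the audit package, that checks a candidate audit.rules file for exactly those mistakes plus out-of-range -b, -f, -e and -p values, and counts the watches and system call rules it contains. The file path is a parameter so the file can be checked before it replaces /etc/audit/audit.rules; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the Quick Start card): check an audit.rules file for
# ordering and value mistakes that auditctl would reject or that would load a
# rule set different from the one intended. The path is an argument so a
# candidate file can be checked before it replaces /etc/audit/audit.rules.

# Print "<watches> <syscall rules>" for FILE.
audit_rules_count() {
    awk '
        /^[ \t]*(#|$)/ { next }
        $1 == "-w" { w++ }
        $1 == "-a" { a++ }
        END { printf "%d %d\n", w, a }
    ' "$1"
}

# Return 0 if FILE passes, 1 otherwise, printing file:line: reason per problem.
audit_rules_check() {
    awk '
        function fail(msg) { printf "%s:%d: %s\n", FILENAME, FNR, msg; bad = 1 }
        /^[ \t]*(#|$)/ { next }                       # comments and blank lines
        $1 == "-D" {                                  # must come before the rules it would delete
            if (nrules) fail("-D deletes the rules loaded above it; put it first")
            have_d = 1; next
        }
        $1 == "-b" { if ($2 !~ /^[0-9]+$/ || $2 + 0 < 1) fail("-b needs a positive buffer count"); next }
        $1 == "-f" { if ($2 !~ /^[0-2]$/) fail("-f must be 0 (silent), 1 (printk) or 2 (panic)"); next }
        $1 == "-e" {
            if ($2 !~ /^[0-2]$/) fail("-e must be 0, 1 or 2")
            if ($2 == "2") locked = 1                 # -e 2 locks the configuration
            next
        }
        $1 == "-w" || $1 == "-a" {
            if (locked) fail("rule after -e 2 is rejected: configuration is already locked")
            nrules++
        }
        $1 == "-w" {
            if ($2 !~ /^\//) fail("watch path must be absolute: " $2)
            for (i = 3; i <= NF; i++)
                if ($i == "-p" && $(i + 1) !~ /^[rwxa]+$/)
                    fail("-p takes only the letters r, w, x and a: " $(i + 1))
            next
        }
        $1 == "-a" {
            if ($2 !~ /^[a-z]+,[a-z]+$/ || NF < 3) fail("-a needs <list>,<action> followed by -S or -F fields")
            next
        }
        { fail("unrecognised line: " $0) }
        END {
            if (!have_d) fail("no -D: pre-existing rules stay loaded and may clash")
            exit bad
        }
    ' "$1"
}

# Demonstration on a constructed copy of the card's example rule set.
demo=$(mktemp)
cat > "$demo" <<'EOF'
# basic audit system parameters
-D
-b 8192
-f 1
-e 1
# some file and directory watches
-w /var/log/audit/
-w /etc/audit/auditd.conf -p rxwa
-w /etc/audit/audit.rules -p rxwa
-w /etc/passwd -p rwxa
-w /etc/sysconfig/
# an example system call rule
-a entry,always -S umask
EOF
echo "watches / syscall rules: $(audit_rules_count "$demo")"
if audit_rules_check "$demo"; then echo "audit.rules: OK"; fi
rm -f "$demo"
```

The checker only validates the shape of each line; it does not confirm that a watched path exists or that a system call name is valid on the running kernel, which auditctl itself reports when the daemon is started.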
Note the following limitations to file system watches:
• Directory watches produce less verbose logs than exact file watches. When in need of detailed file-related records, enable separate file watches for all files of interest.