User manual NOVELL LINUX ENTERPRISE 10 SP1 LINUX AUDIT QUICK GUIDE


Manual abstract: user guide NOVELL LINUX ENTERPRISE 10 SP1 LINUX AUDIT QUICK GUIDE

Detailed instructions for use are in the User's Guide.

[. . . ] Audit allows you to consistently track a user's actions from login right through logout, no matter which identities this user might adopt, by using audit IDs that are created upon login and handed down to any child process of the original login process. Modify the PAM configuration of several components (login, sshd, gdm, crond, and atd). Open the PAM configuration for each application (/etc/pam.d/application) and add the following line before the common-session line:

    session required pam_loginuid.so
    session include common-session

IMPORTANT: Users Entitled to Work with Audit
The audit tools, configuration files, and logs are only available to root. This protects audit from ordinary users of the system.

[. . . ]

· Pathname globbing of any kind is not supported by audit.
· Auditing can only be performed on existing files. Any files added while the audit daemon is already running are ignored until the audit rule set is updated to watch the new files.

Assigning keys to your audit rules helps you to identify any records related to this rule in the logs. An example rule plus key:

    -w /etc/var/log/audit/ -k LOG_audit

The -k option attaches a text string to any event that is recorded in the logs due to this rule. Using the ausearch log analyzer, you can easily identify any events related to this particular rule. A sample system call audit rule could look like the following:

    -a entry,always -S umask

This adds the rule to the system call entry list (-a) and logs an event whenever this system call is used (entry,always). The -S option precedes the actual system call, umask in this example. Using -F, you could add optional filtering to this rule. For more information about audit rules, refer to The Linux Audit Framework and the manual page of auditctl (auditctl(8)).

detailed information about any of the event categories listed, run individual reports for the event type.

aureport --success
Run this report to get statistics of successful events on your system. This report includes the same event categories as the summary report. To get detailed information for a particular event type, run the individual report adding the --success option to filter for successful events of this type, for example, aureport -f --success to display all successful file-related events.

aureport --failed
Run this report to get statistics of failed events on your system. This report includes the same event categories as the summary report. To get detailed information for a particular event type, run the individual report adding the --failed option to filter for failed events of this type, such as aureport -f --failed to display all failed file-related events.

aureport -l
Run this command to generate a numbered list of all login-related events. The report includes date, time, audit ID, host and terminal used, name of the executable, success or failure of the attempt, and an event ID.

aureport -p
Run this report to generate a numbered list of all process-related events. This command generates a numbered list of all process events including date, time, process ID, name of the executable, system call, audit ID, and event number.

aureport -f
Run this report to generate a numbered list of all file-related events. This command generates a numbered list of all process events including date, time, process ID, name of the executable, system call, audit ID and event number.

[. . . ]

Invoking ausearch -m without a message type displays a list of all message types.

ausearch -f filename
Run this search to find records containing a certain filename. For example, run ausearch -f /foo/bar for all records related to the /foo/bar file. Using the filename alone would work as well, but using relative paths would not.

[. . . ]
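As an added example (not part of the Novell guide), the Python script below checks a rule file against the limitations quoted above before it is loaded: watch paths containing glob characters, watch targets that do not exist yet, an -a value split by a stray space, and rules without a -k key. The function name lint_rules, the sample rule set and the path /srv/new_app.conf are constructed for illustration.

```python
import os
import shlex

GLOB_CHARS = set("*?[]{}")

# Constructed sample rule set (only the two rule forms quoted in the guide
# come from the page); line 5 has a stray space inside the -a value.
SAMPLE_RULES = """\
# watches
-w /etc/var/log/audit/ -k LOG_audit
-w /etc/pam.d/* -k PAM_cfg
-w /srv/new_app.conf -k APP_cfg
-a entry, always -S umask
-a entry,always -S umask
"""

def lint_rules(text, exists=os.path.exists):
    """Return (line_number, message) findings for audit rule text, in line order."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            args = shlex.split(line)
        except ValueError as err:
            findings.append((no, f"unparsable rule: {err}"))
            continue
        # Map each option the guide describes to the argument after it.
        opts = {a: args[i + 1] for i, a in enumerate(args[:-1])
                if a in ("-w", "-a", "-S", "-k")}
        if "-w" not in opts and "-a" not in opts:
            continue  # not a watch or system call rule (e.g. -D, -e)
        path = opts.get("-w")
        if path is not None:
            if GLOB_CHARS & set(path):
                findings.append((no, "glob in watch path: not expanded by audit"))
            elif not exists(path):
                findings.append((no, "watch target missing: reload rules once it exists"))
        if "-a" in opts:
            lst, _, action = opts["-a"].partition(",")
            if not lst or not action:
                findings.append((no, "-a needs list,action with no space"))
        if "-k" not in opts:
            findings.append((no, "no -k key: records hard to find with ausearch"))
    return findings

if __name__ == "__main__":
    for no, msg in lint_rules(SAMPLE_RULES):
        print(f"line {no}: {msg}")
```

The exists parameter defaults to os.path.exists and can be replaced to check a rule set intended for a different host.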
