User manual NOVELL LINUX ENTERPRISE SERVER 11 SP1 LINUX AUDIT QUICK START

[. . . ] Enabling System Call Auditing Permanently Permanently enable audit contexts for system calls by changing AUDITD_DISABLE_CONTEXTS in /etc/ sysconfig/auditd from yes to no. To permanently disable audit contexts for system calls, revert this setting to yes. THis configuration will be applied with the next start of the audit daemon. IMPORTANT: Users Entitled to Work with Audit The audit tools, configuration files, and logs are only available to root. This protects audit from ordinary users of the system. [. . . ] Using -F, you could add optional filtering to this rule. For more information about audit rules, refer to The Linux Audit Framework and the manual page of auditctl (auditctl(8)). aureport --failed Run this report to get statistics of failed events on your system. This report includes the same event categories as the summary report. To get detailed information for a particular event type, run the individual report adding the --failed option to filter for failed events of this type, such as aureport -f --failed to display all failed file-related events. aureport -l Run this command to generate a numbered list of all login-related events. The report includes date, time, audit ID, host and terminal used, name of the executable, success or failure of the attempt, and an event ID. aureport -p Run this report to generate a numbered list of all process-related events. This command generates a numbered list of all process events including date, time, process ID, name of the executable, system call, audit ID, and event number. aureport -f Run this report to generate a numbered list of all filerelated events. This command generates a numbered list of all process events including date, time, process ID, name of the executable, system call, audit ID and event number. aureport -u Run this report to find out which users are running what executables on your system. This command generates a numbered list of all user-related events including date, time, audit ID, terminal used, host, name of the executable, and an event ID. Use the -ts and -te (for start time and end time) options with any of the above commands to limit your reports to a certain time frame. Use the -i option with any of these commands to transform numeric entities to human-readable text. The following command creates a file report for the time between 8 am and 5:30 pm on the current day and converts numeric entries to text. aureport -ts 8:00 -te 17:30 -f -i Generating Reports Every audit event is recorded in the audit log, /var/log/ audit/audit. log. To avoid having to read the raw audit log, configure custom audit reports with aureport and run them regularly. Use the aureport tool to create various types of reports filtering for different fields of the audit records in the log. The output of any aureport command is printed in column format and can easily be piped to other commands for further processing. Because the aureport commands are scriptable, you can easily create custom report scripts to run at certain intervals to gather the audit information for you. aureport --summary Run this report to get a rough overview of the current audit statistics (events, logins, processes, etc. ). To get detailed information about any of the event categories listed, run individual reports for the event type. [. . . ] That this manual, specifically for the printed format, is reproduced and/or distributed for noncommercial use only. The express authorization of Novell, Inc must be obtained prior to any other use of any manual or part thereof. For Novell trademarks, see the Novell Trademark and Service Mark list http://www. novell. com/company/ legal/trademarks/tmlist. html. Linux* is a registered trademark of Linus Torvalds. [. . . ]