Commands to control the audit system can be invoked individually from the shell using auditctl, or read in a batch from a file using auditctl -R. The latter method is used by the init scripts to load rules from the file /etc/audit/audit.rules after the audit daemon has been started. The rules are executed in order from top to bottom; each line of the file expands to a separate auditctl command, and the syntax used in the rules file is the same as that used on the auditctl command line.
Changes made to the running audit system by executing auditctl on the command line are not persistent across system restarts. For changes to persist, add them to the /etc/audit/audit.rules file and, if they are not currently loaded into audit, restart the audit system to load the modified rule set by using the rcauditd restart command. Note that on newer audit releases /etc/audit/audit.rules is regenerated by augenrules from the fragments in /etc/audit/rules.d/, so on such systems persistent rules belong in that directory; see augenrules(8).
Besides rules, a rules file can set the operating parameters of the audit subsystem. The control parameters accepted by auditctl are:

- the maximum number of outstanding audit buffers. Depending on the level of logging activity, you might need to adjust the number of buffers to avoid causing too heavy an audit load on your system;
- the failure flag to use when the kernel cannot deliver an event. See Table 29.1, “Audit Status Flags” for possible values;
- the maximum number of messages per second that may be issued by the kernel. Once the limit is exceeded, the failure flag decides what happens. See Table 29.1, “Audit Status Flags” for details;
- the switch that enables or disables the audit subsystem. If the subsystem is put into its locked (immutable) state, no further rule changes are accepted until the next reboot, so this directive belongs at the very end of the rules file.
Using audit, you can track any kind of file system access to important files, configurations or resources. You can add watches on these and assign keys to each kind of watch for better identification in the logs.
Example 29.3. Example Audit Rules—File System Auditing
-w /etc/shadow
-w /etc -p rx
-w /etc/passwd -k fk_passwd -p rwxa
-w /etc/shadow: The -w option tells audit to add a watch on the file system object given, in this case /etc/shadow. No -p option is given, so accesses of every kind are audited; the rule listing in Example 29.6 shows the default as perm=rwxa.
-w /etc -p rx: This rule adds a watch to the /etc directory and restricts it with -p to the listed permissions, here read (r) and execute (x). Writes and attribute changes below /etc are not recorded by this rule.
-w /etc/passwd -k fk_passwd -p rwxa: This rule adds a file watch to /etc/passwd for all access types (read, write, execute and attribute change) and tags every matching record with the filter key fk_passwd, so the events can later be retrieved with ausearch -k fk_passwd.
System call auditing lets you track your system's behavior on a level even below the application level. When designing these rules, consider that auditing a great many system calls may increase your system load and cause you to run out of disk space. Consider carefully which events need tracking and how they can be filtered to be even more specific.
The rules are, in the order they appear in the listing of Example 29.6 below:

This rule activates auditing for the mkdir system call. It is attached to the entry filter list (entry,always in the listing). Current kernels no longer support the entry list; auditctl rewrites such rules to the exit list and prints a warning, so new rules should use exit directly.
This rule adds auditing to the access system call, but only if the second argument of the system call (a1, the requested mode) is 4, that is, if a read check (R_OK) was requested.
This rule adds an audit context to the IPC multiplexed system call. The specific IPC operation is selected by the first argument (a0); the listed value a0=2 selects semget. Note that the multiplexed ipc call exists only on 32-bit ABIs such as i386; on x86_64 the IPC operations are separate system calls and have to be named individually.
This rule is intended to audit failed attempts to call open. The filter shown in the listing, success!=0, however matches calls that succeeded; to record only failed attempts the filter must be success=0.
This rule is an example of a task rule (keyword: task). Task rules are evaluated only when a task is created, at fork or clone time, not on every system call, which makes them cheap but also means they cannot watch what the task does afterwards.
This last rule makes heavy use of filters. All filter options on one rule are combined with a logical AND operator, meaning that this rule applies only to tasks that carry the specified audit ID and match every other filter as well. There is no OR within a rule; to match alternatives, add a separate rule for each.
Note: Filtering System Call Arguments. For more details on filtering system call arguments, refer to Section 31.6, “Filtering System Call Arguments”.
You can not only add rules to the audit system, but also remove them. Delete rules are used to purge the rule queue of rules that might potentially clash with those you want to add. There are different methods for deleting the entire rule set at once or for deleting system call rules or file and directory watches:
Clear the queue of audit rules and delete any preexisting rules. This rule is used as the first rule in /etc/audit/audit.rules so that, after loading, exactly the rules in the file are in effect regardless of what was loaded before.
This rule deletes a system call rule. The rule to delete has to be specified with the same list, action, system call and filter fields as the rule that was added; a partial match deletes nothing.
This rule tells audit to discard the rule with the directory watch on the given directory. The watch has to be removed with the same path it was added with.
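The following shell script is an added example, not code from this page or from the audit project. It assembles the material of this section into one complete rules file in the order the text prescribes: the delete rule first, then the control parameters, the file watches of Example 29.3, the system call rules (on the exit list, with the open rule corrected to success=0), a task rule, and the enable switch last. The check_rules function lints such a file before it is handed to auditctl -R: the delete rule must come first, nothing may follow the enable switch, watch paths must be absolute, and the deprecated entry list is rejected. Everything not on the page is an assumption: a 64-bit x86 host (hence -F arch=b64; rules bound to b64 do not see 32-bit processes, which would need a b32 twin), the ipc rule bound to arch=b32 because the multiplexer exists only there, auid=0 as a stand-in for the task rule's audit ID, and the -k keys.

```shell
#!/bin/sh
# Added example: build and lint an audit rules file before loading it.
# Assumes a 64-bit x86 host; keys (-k) and auid=0 are chosen here, not by the page.

write_rules() {
    # $1: destination file, e.g. a staging copy of /etc/audit/audit.rules
    cat > "$1" <<'EOF'
# Delete every rule already loaded so that this file is authoritative.
-D
# Control parameters: 8192 outstanding buffers, failure flag 1 (printk),
# no rate limit on kernel messages.
-b 8192
-f 1
-r 0
# File system watches (Example 29.3). Without -p all of rwxa is audited.
-w /etc/shadow -k fk_shadow
-w /etc -p rx -k fk_etc
-w /etc/passwd -k fk_passwd -p rwxa
# System call rules. exit,always throughout: the entry list is deprecated.
-a exit,always -F arch=b64 -S mkdir -k dirs
-a exit,always -F arch=b64 -S access -F a1=4 -k access_read
# The multiplexed ipc call exists only on 32-bit ABIs; a0=2 selects semget.
-a exit,always -F arch=b32 -S ipc -F a0=2 -k semget
# Failed open calls: success=0, not success!=0 (which would match successes).
-a exit,always -F arch=b64 -S open -F success=0 -k open_fail
# Task rule, evaluated at fork/clone; auid=0 is an assumed value.
-a task,always -F auid=0 -k root_tasks
# Enable auditing. Keep this last; -e 2 would lock the rules until reboot.
-e 1
EOF
}

check_rules() {
    # $1: rules file. Prints each problem to stderr; returns 1 if any is found.
    cr_file=$1 cr_rc=0 cr_n=0 cr_seen_e=0
    while IFS= read -r cr_line || [ -n "$cr_line" ]; do
        case $cr_line in ''|'#'*) continue ;; esac      # skip blanks and comments
        set -f; set -- $cr_line; set +f                   # split on whitespace, no globbing
        [ $# -gt 0 ] || continue
        cr_n=$((cr_n + 1))
        if [ "$cr_seen_e" -eq 1 ]; then
            echo "check_rules: -e must be the last directive, found after it: $cr_line" >&2
            cr_rc=1
        fi
        case $1 in
            -D) [ "$cr_n" -eq 1 ] || { echo "check_rules: -D must be the first directive" >&2; cr_rc=1; } ;;
            -e) cr_seen_e=1 ;;
            -w|-W) case ${2:-} in /*) ;; *) echo "check_rules: watch path must be absolute: $cr_line" >&2; cr_rc=1 ;; esac ;;
            -a|-d|-A)
                case ${2:-} in entry,*|*,entry)
                    echo "check_rules: the entry list is deprecated, use exit: $cr_line" >&2; cr_rc=1 ;;
                esac
                [ $# -ge 3 ] || { echo "check_rules: rule without -S/-F fields: $cr_line" >&2; cr_rc=1; } ;;
            -b|-f|-r|-c|-i) ;;
            *) echo "check_rules: unknown directive: $cr_line" >&2; cr_rc=1 ;;
        esac
    done < "$cr_file"
    return "$cr_rc"
}

# Usage: sh audit-rules.sh /tmp/staging.rules && auditctl -R /tmp/staging.rules && auditctl -l
if [ -n "${1:-}" ]; then
    write_rules "$1" && check_rules "$1"
fi
```

The lint runs without root and without auditctl, so it can sit in a pre-commit hook for the rules repository; the real load still has to be checked with auditctl -l, because a rule auditctl cannot parse is simply absent from the loaded set.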
To get an overview of which rules are currently in use in your audit setup, run auditctl -l. This command displays all rules with one rule per line. Compare its output with the rules file after every load: a rule that auditctl could not parse is not reported later, it is simply missing from the list. The LIST_RULES: format shown below is printed by older audit releases; current versions list rules in the same -w/-a syntax that is used to add them.
Example 29.6. Listing Rules with auditctl -l
LIST_RULES: exit,always watch=/etc perm=rx
LIST_RULES: exit,always watch=/etc/passwd perm=rwxa key=fk_passwd
LIST_RULES: exit,always watch=/etc/shadow perm=rwxa
LIST_RULES: entry,always syscall=mkdir
LIST_RULES: entry,always a1=4 (0x4) syscall=access
LIST_RULES: exit,always a0=2 (0x2) syscall=ipc
LIST_RULES: exit,always success!=0 syscall=open
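The check described above, comparing what auditctl -l reports with what the rules file asks for, as an added example that is not part of the original page or of the audit project. The functions extract watch paths and system call names from either the legacy LIST_RULES: format shown in Example 29.6 or the -w/-a syntax printed by current auditctl, and report every watch or system call from the rules file that is not loaded. The demo function embeds the listing of Example 29.6 together with a constructed rules file that additionally asks for a watch on /etc/sudoers and an openat rule, neither of which is loaded; those two additions and the function names are assumptions made here.

```shell
#!/bin/sh
# Added example: detect drift between a rules file and saved `auditctl -l` output.
# Both formats are parsed: "LIST_RULES: ... watch=/p ... syscall=n" and "-w /p ... -S n,m".

# Print the watch paths named in a file, one per line (comments skipped).
watches_in() {
    awk '/^#/ { next }
         { for (i = 1; i <= NF; i++) {
               if ($i ~ /^watch=/)             { sub(/^watch=/, "", $i); print $i }
               else if ($i == "-w" && i < NF)  { print $(i + 1) }
           } }' "$1"
}

# Print the system call names in a file, one per line; "-S open,openat" is split.
syscalls_in() {
    awk '/^#/ { next }
         { for (i = 1; i <= NF; i++) {
               if ($i ~ /^syscall=/)           { sub(/^syscall=/, "", $i); names = $i }
               else if ($i == "-S" && i < NF)  { names = $(i + 1) }
               else continue
               n = split(names, p, ",")
               for (j = 1; j <= n; j++) print p[j]
           } }' "$1"
}

# $1: rules file, $2: saved `auditctl -l` output.
# Prints every watch path or system call from $1 that $2 does not contain;
# returns 1 if anything is missing, 0 if the loaded set covers the file.
# Permissions and keys are deliberately not compared.
missing_rules() {
    mr_rc=0
    for mr_w in $(watches_in "$1"); do
        watches_in "$2" | grep -qxF -- "$mr_w" || { echo "watch not loaded: $mr_w"; mr_rc=1; }
    done
    for mr_s in $(syscalls_in "$1"); do
        syscalls_in "$2" | grep -qxF -- "$mr_s" || { echo "syscall rule not loaded: $mr_s"; mr_rc=1; }
    done
    return "$mr_rc"
}

# Constructed demo: the listing of Example 29.6 against a rules file that also
# wants /etc/sudoers watched and openat audited (both assumed, not on the page).
demo() {
    d_lst=$(mktemp); d_rf=$(mktemp)
    cat > "$d_lst" <<'EOF'
LIST_RULES: exit,always watch=/etc perm=rx
LIST_RULES: exit,always watch=/etc/passwd perm=rwxa key=fk_passwd
LIST_RULES: exit,always watch=/etc/shadow perm=rwxa
LIST_RULES: entry,always syscall=mkdir
LIST_RULES: entry,always a1=4 (0x4) syscall=access
LIST_RULES: exit,always a0=2 (0x2) syscall=ipc
LIST_RULES: exit,always success!=0 syscall=open
EOF
    cat > "$d_rf" <<'EOF'
-D
-w /etc/shadow
-w /etc -p rx
-w /etc/passwd -k fk_passwd -p rwxa
-w /etc/sudoers -p wa -k sudoers
-a exit,always -S mkdir
-a exit,always -S access -F a1=4
-a exit,always -S ipc -F a0=2
-a exit,always -S open,openat -F success=0
EOF
    d_rc=0
    missing_rules "$d_rf" "$d_lst" || d_rc=$?
    rm -f "$d_lst" "$d_rf"
    return "$d_rc"
}
```

On a live host the same check is `auditctl -l > /tmp/loaded && missing_rules /etc/audit/audit.rules /tmp/loaded`; a nonzero exit is the signal that a rule was dropped at load time or removed since.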
Note: Creating Filter Rules. You can build very sophisticated audit rules by using the various filter options. Refer to the auditctl(8) man page for more information about the options available for building audit filter rules, and audit rules in general.