Contents
The following example configuration illustrates how audit can be used to monitor your system. It highlights the most important items that need to be audited to cover the list of auditable events specified by Controlled Access Protection Profile (CAPP).
The example rule set is divided into the following sections:
Basic audit configuration (see Section 31.1, “Adding Basic Audit Configuration Parameters”)
Watches on audit log files and configuration files (see Section 31.2, “Adding Watches on Audit Log Files and Configuration Files”)
Monitoring operations on file system objects (see Section 31.3, “Monitoring File System Objects”)
Monitoring security databases (see Section 31.4, “Monitoring Security Configuration Files and Databases”)
Monitoring miscellaneous system calls (Section 31.5, “Monitoring Miscellaneous System Calls”)
Filtering system call arguments (see Section 31.6, “Filtering System Call Arguments”)
To transform this example into a configuration file to use in your live setup, proceed as follows:
Choose the appropriate settings for your setup and adjust them.
Adjust the file /etc/audit/audit.rules
by adding
rules from the examples below or by modifying existing rules.
![]() | Adjusting the Level of Audit Logging |
---|---|
Do not copy the example below into your audit setup without adjusting it to your needs. Determine what and to what extent to audit. |
The entire audit.rules
is just a collection of
auditctl commands. Every line in this file expands to a
full auditctl command line. The syntax used in the rule
set is the same as that of the auditctl command.
-D-b 8192
-f 2
Delete any preexisting rules before starting to define new ones. | |
Set the number of buffers to take the audit messages. Depending on the level of audit logging on your system, increase or decrease this figure. | |
Set the failure flag to use when the kernel needs to handle critical
errors. Possible values are |
By emptying the rule queue with the -D
option, you make
sure that audit does not use any other rule set than what you are
offering it by means of this file. Choosing an appropriate buffer number
(-b
) is vital to avoid having your system fail because
of too high an audit load. Choosing the panic failure flag -f
2
ensures that your audit records are complete even if the
system is encountering critical errors. By shutting down the system on a
critical error, audit makes sure that no process escapes from its control
as it otherwise might if level 1 (printk
) were chosen.
![]() | Choosing the Failure Flag |
---|---|
Before using your audit rule set on a live system, make sure that the
setup has been thoroughly evaluated on test systems using the
worst case production workload. It is even more
critical that you do this when specifying the |