Setting Up the Linux Audit Framework

Contents

30.1. Determining the Components to Audit
30.2. Configuring the Audit Daemon
30.3. Enabling Audit for System Calls
30.4. Setting Up Audit Rules
30.5. Configuring Audit Reports
30.6. Configuring Log Visualization

This chapter shows how to set up a simple audit scenario. Every step involved in configuring and enabling audit is explained in detail. After you have learned to set up audit, consider a real-world example scenario in Chapter 31, Introducing an Audit Rule Set.

To set up audit on openSUSE, you need to complete the following steps:

Procedure 30.1. Setting Up the Linux Audit Framework

  1. Make sure that all required packages are installed: audit, audit-libs, and optionally audit-libs-python. To use the log visualization as described in Section 30.6, “Configuring Log Visualization”, install gnuplot and graphviz from the openSUSE media.

  2. Determine the components to audit. Refer to Section 30.1, “Determining the Components to Audit” for details.

  3. Check or modify the basic audit daemon configuration. Refer to Section 30.2, “Configuring the Audit Daemon” for details.

  4. Enable auditing for system calls. Refer to Section 30.3, “Enabling Audit for System Calls” for details.

  5. Compose audit rules to suit your scenario. Refer to Section 30.4, “Setting Up Audit Rules” for details.

  6. Generate logs and configure tailor-made reports. Refer to Section 30.5, “Configuring Audit Reports” for details.

  7. Configure optional log visualization. Refer to Section 30.6, “Configuring Log Visualization” for details.

Important: Controlling the Audit Daemon

Before configuring any of the components of the audit system, make sure that the audit daemon is not running by entering rcauditd status as root. On a default openSUSE system, audit is started on boot, so you need to turn it off by entering rcauditd stop. Start the daemon after configuring it with rcauditd start.
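The package check from step 1 of Procedure 30.1 and the daemon-state check from the note above are easy to forget when a configuration is repeated on several hosts. The following pre-flight script is an added example and is not part of the openSUSE documentation or of the audit package. It assumes an openSUSE host where rpm and the rcauditd wrapper are available, and that rcauditd status follows the LSB init-script convention (exit status 0 while the daemon runs, 3 when it is stopped); the script name audit-preflight.sh and the function names are the example's own choices.

```sh
#!/bin/sh
# Pre-flight check for Procedure 30.1 (added example, not part of the
# openSUSE documentation). Verifies the packages from step 1 and the
# daemon state required by "Controlling the Audit Daemon" before any
# configuration file is touched.

REQUIRED_PKGS="audit audit-libs"
OPTIONAL_PKGS="audit-libs-python gnuplot graphviz"

# Probes. Kept as separate one-line functions so the logic below can be
# exercised (or replaced) without rpm/rcauditd being present.
pkg_installed() { rpm -q "$1" >/dev/null 2>&1; }
# Assumption: LSB init-script convention, "status" exits 0 when the
# service runs and 3 when it is stopped.
auditd_running() { rcauditd status >/dev/null 2>&1; }

# Print, one per line, each package from the argument list that is not
# installed.
missing_packages() {
    for p in "$@"; do
        pkg_installed "$p" || printf '%s\n' "$p"
    done
}

# Return 0 when configuration may proceed, 1 otherwise. The messages are
# diagnostic only; callers should rely on the exit status.
preflight() {
    ok=0
    missing=$(missing_packages $REQUIRED_PKGS)
    if [ -n "$missing" ]; then
        echo "missing required packages:" $missing >&2
        ok=1
    fi
    optional=$(missing_packages $OPTIONAL_PKGS)
    if [ -n "$optional" ]; then
        echo "optional packages not installed:" $optional >&2
    fi
    if auditd_running; then
        echo "auditd is running; stop it with 'rcauditd stop' before editing the configuration" >&2
        ok=1
    fi
    return $ok
}

# Only act when invoked explicitly ("sh audit-preflight.sh run"), so the
# file can also be sourced to reuse the functions.
case "${1:-}" in
    run)
        if preflight; then
            echo "preflight ok: safe to configure audit"
            exit 0
        else
            exit 1
        fi
        ;;
esac
```

Run it as root with `sh audit-preflight.sh run` before step 2; a non-zero exit status means either a required package is absent or auditd is still running, which are the two conditions the note above asks you to rule out first. Missing optional packages are only reported, because they affect nothing but the visualization of Section 30.6.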

Determining the Components to Audit

Before setting out to create your own audit configuration, determine how extensively you want to use it. Check the following general rules to determine which use case best applies to you and your requirements: