This chapter shows how to set up a simple audit scenario. Every step involved in configuring and enabling audit is explained in detail. After you have learned to set up audit, consider a real-world example scenario in Chapter 31, Introducing an Audit Rule Set.
To set up audit on openSUSE, you need to complete the following steps:
Procedure 30.1. Setting Up the Linux Audit Framework
1. Make sure that all required packages are installed: audit, audit-libs, and optionally audit-libs-python. To use the log visualization as described in Section 30.6, “Configuring Log Visualization”, install gnuplot and graphviz from the openSUSE media.
2. Determine the components to audit. Refer to Section 30.1, “Determining the Components to Audit” for details.
3. Check or modify the basic audit daemon configuration. Refer to Section 30.2, “Configuring the Audit Daemon” for details.
4. Enable auditing for system calls. Refer to Section 30.3, “Enabling Audit for System Calls” for details.
5. Compose audit rules to suit your scenario. Refer to Section 30.4, “Setting Up Audit Rules” for details.
6. Generate logs and configure tailor-made reports. Refer to Section 30.5, “Configuring Audit Reports” for details.
7. Configure optional log visualization. Refer to Section 30.6, “Configuring Log Visualization” for details.
Controlling the Audit Daemon
Before configuring any of the components of the audit system, make sure that the audit daemon is not running by entering rcauditd status as
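The package check of step 1 and the daemon check from the note above, combined into one pre-flight script. This is an added example, not part of the openSUSE guide; it assumes an rpm-based openSUSE host on which the audit daemon is controlled through the rcauditd script the guide refers to.

```shell
#!/bin/sh
# Pre-flight check for Procedure 30.1 (example added here, not from the guide).
# Assumes rpm for package queries and rcauditd for the daemon status.
REQUIRED_PKGS="audit audit-libs"
OPTIONAL_PKGS="audit-libs-python gnuplot graphviz"

# Echo the names from the list in $1 that rpm -q reports as not installed.
missing_packages() {
    missing=""
    for pkg in $1; do
        if ! rpm -q "$pkg" >/dev/null 2>&1; then
            missing="$missing $pkg"
        fi
    done
    echo "${missing# }"
}

# Succeed only when auditd is stopped. rcauditd status follows the LSB
# convention: exit 0 while the daemon runs, non-zero (3) when it is stopped.
auditd_stopped() {
    if rcauditd status >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Report missing packages and a running daemon; return 1 if either would
# block the configuration steps of the procedure.
preflight() {
    rc=0
    m=$(missing_packages "$REQUIRED_PKGS")
    if [ -n "$m" ]; then
        echo "missing required packages: $m"
        rc=1
    fi
    o=$(missing_packages "$OPTIONAL_PKGS")
    [ -n "$o" ] && echo "optional packages not installed (log visualization): $o"
    if ! auditd_stopped; then
        echo "auditd is running; run 'rcauditd stop' before changing its configuration"
        rc=1
    fi
    return $rc
}

# Run the checks only when invoked as: sh audit-preflight.sh check
if [ "${1:-}" = check ]; then
    preflight
fi
```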
Before setting out to create your own audit configuration, determine to which degree you want to use it. Check the following general rules to determine which use case best applies to you and your requirements:
If you require a full security audit for CAPP/EAL certification, enable full audit for system calls and configure watches on various configuration files and directories, similar to the rule set featured in Chapter 31, Introducing an Audit Rule Set. Proceed to Section 30.3, “Enabling Audit for System Calls”.
If you require an occasional audit of a system call instead of a permanent audit for system calls, use autrace. Proceed to Section 30.3, “Enabling Audit for System Calls”.
If you require file and directory watches to track access to important or security-sensitive data, create a rule set matching these requirements. Enable audit as described in Section 30.3, “Enabling Audit for System Calls” and proceed to Section 30.4, “Setting Up Audit Rules”.