Audit
auditd is the audit service for Linux. The man page explains it as follows:
auditd is the userspace component to the Linux Auditing System. It's
responsible for writing audit records to the disk. Viewing the logs is
done with the ausearch or aureport utilities. Configuring the audit
rules is done with the auditctl utility. During startup, the rules in
/etc/audit/audit.rules are read by auditctl. The audit daemon itself
has some configuration options the admin may wish to customize.
They are found in the auditd.conf file.
Security auditing consists of two parts: the audit service and the syslog logging system.
Their relationship is as follows:
The audit service is designed to record security information so that system security incidents can be traced;
the syslog system records all kinds of information in the system, such as security, debugging and operational messages.
If the audit service is not running, the Linux kernel passes the security audit information to syslog instead.
Syslog records system status, such as hardware warnings and application records. But syslog belongs to the application layer and only sees what applications send it, so it has no way to record much more. Audit was therefore created to take over this responsibility and record kernel-level events: file reads and writes, system calls, permission state, and so on.
The audit daemon runs in the same way as an ordinary daemon; SELinux is introduced later.
Audit provides three tools:
• auditctl controls the kernel audit system: it can query status, add or delete rules, and set a watch on a file.
• ausearch is a tool for querying the audit logs.
• aureport is a tool for generating summary reports from the audit system.
Configuration file
The audit configuration file /etc/audit/audit.rules is divided into three main categories:
• Basic audit system parameters: the overall, global settings for the audit system itself.
• File and directory watches: which directories and files are watched, and which kinds of access (read, write, and so on) to a directory or file are recorded.
• System call audits: the rules used to audit system calls.
There are a few things to note about the configuration file:
1. Directory watches are less detailed than file watches.
2. Pathname globbing such as ? or * cannot be used.
3. Only existing files can be configured; if you watch a directory and add files to it, the new files are only picked up after the next audit restart.
Use -k to attach a key string so that ausearch can index the events directly:
-w /etc/var/log/audit/ -k log_audit
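As an added example (not from the original article), here is a constructed audit.rules laid out in the three categories above, together with a small lint function that enforces the caveats just listed: no pathname globbing in -w rules, and a -k key on every watch so ausearch -k can find the events. The paths, key names and the lint function are assumptions for illustration, not part of the original.

```shell
#!/bin/sh
# Constructed sample audit.rules (example content, not from the article).
SAMPLE_RULES='
## 1. Basic audit system parameters
-D
-b 8192
-f 1
## 2. File and directory watches (paths must exist when auditctl loads them)
-w /etc/passwd -p wa -k password-file
-w /etc/shadow -p wa -k password-file
-w /var/log/audit/ -p wa -k log_audit
## 3. System call audits (64-bit ABI)
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -k delete
'

# lint_audit_rules FILE: returns 0 if every -w rule is free of ? and * and
# carries a -k key; otherwise prints each offending line and returns 1.
# (Hypothetical helper; auditctl itself rejects globs and missing paths at load time.)
lint_audit_rules() {
    rc=0
    while IFS= read -r line; do
        case "$line" in
            -w*) ;;            # only watch rules are checked here
            *) continue ;;
        esac
        case "$line" in
            *'*'*|*'?'*) echo "globbing not allowed: $line" >&2; rc=1 ;;
        esac
        case "$line" in
            *" -k "*) ;;
            *) echo "missing -k key: $line" >&2; rc=1 ;;
        esac
    done < "$1"
    return $rc
}

# write_sample FILE: write the constructed rules to FILE for linting or loading.
write_sample() { printf '%s\n' "$SAMPLE_RULES" > "$1"; }
```

After linting, the file can be loaded with `auditctl -R FILE` and its events queried with `ausearch -k password-file`.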
Action commands
Restart audit:
# service auditd restart
Update auditd:
# yum update audit
Check file and system change status:
# aureport --start today --event --summary -i
Query a single file:
# ausearch -f filename
Specify the date with -ts and the key string with -k, where password-file is the key that was set with auditctl -k:
# ausearch -ts today -k password-file
# ausearch -ts 3/12/07 -k password-file
Use -ui to specify the user ID (UID); for example, to find rm operations by UID 516:
# ausearch -ts today -k password-file -x rm -ui 516
# ausearch -k password-file -ui 516
Transferred from: http://note.tc.edu.tw/601.html
Audit services under Linux