Configure Linux audit framework

Use the following procedure to configure the Linux audit framework. The Linux audit framework is disabled by default.

  1. Connect to the console. See Connect to the console for more information.
  2. The Appliance Console Menu is displayed.
  3. On the Appliance Console Menu, type H, Hardening & Security.
  4. On the Hardening & Security menu, type L, Linux Audit Framework.
  5. On the Linux Audit Framework menu, type L, Linux Audit Framework Configuration.
  6. If prompted, enable the Audit daemon.
  7. The Linux Audit Framework Configuration page displays. On this screen, you use Alt+<key> combinations to choose highlighted options. For example, Alt+I takes you to the Log File path where you can type in the file path.
  8. Use the Tab key to cycle through the fields on the page. Specify values for each of the following fields as necessary:

    Dispatcher (TAB)

    The audit dispatcher can be used to send event notifications in addition to - or instead of - writing them to the audit log. In the Dispatcher window, type I to manually type in the file path and dispatcher program name, or type L to select the program on the computer.

    Disk space (TAB)

    Select and assign the disk space rules on the window that opens. Options include rules on what to do when disk space is starting to run low, when admin space is running low, and when the disk is full or there is an error.

    Rules for 'auditctl' (TAB)

    Set the audit framework rules. For more information, see Configure audit framework rules.

    Log File

    Set the file path for the audit log file.

    Select File

    Opens a window from which the audit log file can be chosen.

    Format

    Set the audit log file format to one of these two options:

    • RAW - Information is stored as it is sent.
    • NOLOG - Information is not written to a file.

    Flush

    Set whether the audit log is written to disk, how, and how often. The options are:

    • NONE - The audit data will not be written to a file.
    • INCREMENTAL - The audit data will be written to the file in the increments specified.
    • DATA - Keeps the data part of the disk file in sync at all times.
    • SYNC - Includes both data and metadata.

    Frequency (Number of Records)

    Sets the number of records before the data is written to the audit log file.

    Max File Size

    Set the maximum file size, in megabytes, of the audit log.

    Maximum File Size Action

    Set the action to be performed when the audit log file size reaches the maximum. Use the up and down arrow keys to make your selection. The options are:

    • IGNORE - Ignore the maximum file size set and continue recording in the audit log file.
    • SYSLOG - Write to the system log.
    • SUSPEND - Stop recording in the audit log file.
    • ROTATE - Rotate between the different audit log files.
    • KEEP_LOGS - Save the audit log file and start another.

    Number of Log Files

    Set the number of log files to keep.

    Computer Name Format

    Set the format of the computer name to be used. Use the up and down arrow keys to make your selection. The options are:

    • None - No special computer name format.
    • Hostname - The hostname will be used.
    • FQD - The fully qualified domain name will be used.
    • User - The specified user-defined name will be used. Type E to specify the user-defined name.

    User Defined Name

    This field appears only when "User" is chosen for the Computer Name Format. Enter the user-defined name that will be used as the computer name format.

  9. Once each section of the Linux Audit Framework Configuration is set, type Alt+F, Finish, to complete the configuration.

For more information about any of the configuration options, press Alt+H to open online help.

Configure audit framework rules

By configuring the Linux audit framework rules, you can specify which system components are audited:

  • System calls
  • File and directory watches
  • Basic system parameters

Use the following procedure to access the Configuration of Linux Audit Framework (LAF) screen:

  1. Connect to the console. See Connect to the console for more information.
  2. The Appliance Console Menu is displayed.
  3. On the Appliance Console Menu, type H, Hardening & Security.
  4. On the Hardening & Security menu, type L, Linux Audit Framework.
  5. On the Linux Audit Framework menu, type L, Linux Audit Framework Configuration.
  6. On the Linux Audit Framework Configuration page, type T to access the rules screen.
  7. Use the Tab key to cycle through the fields on the page and the up and down arrows to view the information in the audit.rules box. Specify values for each of the following fields as necessary:

    Set Enabled Flag

    Set the enabled flag to one of these options:

    • Auditing enabled - Turns auditing on.
    • Auditing disabled - Turns auditing off.
    • Rules are locked (until next boot) - Locks the auditing rules until the next time the system is booted.

    audit.rules

    Edit the rules for the audit subsystem.

    Check Syntax

    Check the syntax of the audit rules for errors.

    Restore 'audit.rules'

    Reset the audit rules to the state before changes were made.

    Restore and Reset

    Restore and reset all settings to the state before changes were made.

    Load

    Load the modified audit rules.

Audit system parameters

The following audit system parameters can be used:

Parameter Description

-D

Deletes any preexisting rules to avoid problems with new rules.

-b

Sets the number of outstanding audit buffers. If no more buffers are available, the failure flag is checked for action.

-f

Sets the failure flag, which controls the reaction to critical errors. Value options:

  • 0 - Silent
  • 1 - Print a failure message (printk)
  • 2 - Shutdown the system (panic). There is a risk of data loss and corruption with this option.

-e

Sets the enable flag, which enables or temporarily disables the audit. Value options:

  • 0 - Disables the audit.
  • 1 - Enables the audit and the audit contexts for system calls.
  • 2 - Enables the audit and audit contexts and locks down the configuration.

-w

Sets a file system watch. Example: -w /etc/audit/audit.rules -p rxwa

-p

Sets permission filtering. In the example -w /etc/audit/audit.rules -p rxwa, permission filtering is turned on for read, write, execute, and attribute change.

-k

Attaches a text string to a recorded event. Example: -w /var/log/audit/ -k LOG_audit. This helps with searches using the ausearch log analyzer.
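The following is an added example, not the appliance's own Check Syntax routine: an offline linter for an audit.rules file that knows only the parameters described above (-D, -b, -f, -e, -w, -p, -k) and the value sets listed for them. The rules text it checks is constructed for the example and contains three deliberate mistakes.

```python
"""Offline syntax check for audit.rules lines (added example, not appliance code).
Only the auditctl parameters described on this page are understood."""

VALID_PERMS = set("rwxa")   # characters accepted by -p

# Constructed sample: a relative -w path, an invalid -p character, and a rule
# placed after '-e 2', where the configuration is already locked.
SAMPLE_RULES = """\
-D
-b 8192
-f 1
-w /etc/audit/audit.rules -p rxwa -k LOG_auditrules
-w /var/log/audit/ -k LOG_audit
-w etc/passwd -p rwq -k passwd
-e 2
-w /etc/shadow -p wa -k shadow
"""


def check_rules(text):
    """Return a list of (line_number, message); an empty list means no findings."""
    problems, locked, seen_rule = [], False, False
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        if locked:
            problems.append((n, "rule follows '-e 2'; configuration is already locked"))
        toks = line.split()
        opts = dict(zip(toks[0::2], toks[1::2]))   # flag -> value (-D has no value)
        if "-D" in toks and seen_rule:
            problems.append((n, "-D should come before other rules; it deletes them"))
        if "-b" in opts and not (opts["-b"].isdigit() and int(opts["-b"]) > 0):
            problems.append((n, "-b expects a positive integer buffer count"))
        for flag in ("-f", "-e"):
            if flag in opts and opts[flag] not in ("0", "1", "2"):
                problems.append((n, f"{flag} accepts only 0, 1 or 2"))
        if "-p" in opts and "-w" not in opts:
            problems.append((n, "-p only applies together with a -w watch"))
        if "-w" in opts:
            if not opts["-w"].startswith("/"):
                problems.append((n, "-w path must be absolute"))
            bad = set(opts.get("-p", "")) - VALID_PERMS
            if bad:
                problems.append((n, f"-p has invalid characters: {''.join(sorted(bad))}"))
            if "-k" not in opts:
                problems.append((n, "no -k key; ausearch -k cannot select this watch"))
        locked = locked or opts.get("-e") == "2"
        seen_rule = True
    return problems


if __name__ == "__main__":
    for line_no, msg in check_rules(SAMPLE_RULES):
        print(f"line {line_no}: {msg}")
```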

The above information was adapted from https://www.suse.com/.
