Linux LINUX ENTERPRISE DESKTOP 10 SP1

SUSE Linux Enterprise

www.novell.com10 SP1

May08,2008 The Linux Audit Framework

The Linux Audit Framework

Legal Notice

This manual is protected under Novell intellectual property rights. By reproducing, duplicating or

distributing this manual you explicitly agree to conform to the terms and conditions of this license

agreement.

This manual may be freely reproduced, duplicated and distributed either as such or as part of a bundled

package in electronic and/or printed format, provided however that the following conditions are ful-

lled:

That this copyright notice and the names of authors and contributors appear clearly and distinctively

on all reproduced, duplicated and distributed copies. That this manual, specically for the printed

format, is reproduced and/or distributed for noncommercial use only. The express authorization of

Novell, Inc must be obtained prior to any other use of any manual or part thereof.

For Novell trademarks, see the Novell Trademark and Service Mark list http://www.novell

.com/company/legal/trademarks/tmlist.html. * Linux is a registered trademark of

Linus Torvalds. All other third party trademarks are the property of their respective owners. A trademark

symbol (®, ™ etc.) denotes a Novell trademark; an asterisk (*) denotes a third party trademark.

All information found in this book has been compiled with utmost attention to detail. However, this

does not guarantee complete accuracy. Neither Novell, Inc., SUSE LINUX Products GmbH, the authors,

nor the translators shall be held liable for possible errors or the consequences thereof.

Contents

About This Guide v

1Understanding Linux Audit 1

1.1 Introducing the Components of Linux Audit . . . . . . . . . . . . . . 3

1.2 Conguring the Audit Daemon . . . . . . . . . . . . . . . . . . . . 5

1.3 Controlling the Audit System Using auditctl . . . . . . . . . . . . . . 10

1.4 Passing Parameters to the Audit System . . . . . . . . . . . . . . . 11

1.5 Understanding the Audit Logs and Generating Reports . . . . . . . . . 15

1.6 Querying the Audit Daemon Logs with ausearch . . . . . . . . . . . . 27

1.7 Analyzing Processes with autrace . . . . . . . . . . . . . . . . . . 31

1.8 Visualizing Audit Data . . . . . . . . . . . . . . . . . . . . . . . 32

2Setting Up the Linux Audit Framework 35

2.1 Determining the Components to Audit . . . . . . . . . . . . . . . 36

2.2 Conguring the Audit Daemon . . . . . . . . . . . . . . . . . . . 37

2.3 Enabling Audit for System Calls . . . . . . . . . . . . . . . . . . . 38

2.4 Setting Up Audit Rules . . . . . . . . . . . . . . . . . . . . . . . 39

2.5 Adjusting the PAM Conguration . . . . . . . . . . . . . . . . . . 40

2.6 Conguring Audit Reports . . . . . . . . . . . . . . . . . . . . . 41

2.7 Conguring Log Visualization . . . . . . . . . . . . . . . . . . . . 44

3Introducing an Audit Rule Set 47

3.1 Adding Basic Audit Conguration Parameters . . . . . . . . . . . . . 48

3.2 Adding Watches on Audit Log Files and Conguration Files . . . . . . . 49

3.3 Monitoring File System Objects . . . . . . . . . . . . . . . . . . . 50

3.4 Monitoring Security Conguration Files and Databases . . . . . . . . . 51

3.5 Monitoring Miscellaneous System Calls . . . . . . . . . . . . . . . . 54

3.6 Filtering System Call Arguments . . . . . . . . . . . . . . . . . . . 54

3.7 Managing Audit Event Records Using Keys . . . . . . . . . . . . . . 57

4Useful Resources 59

ACreating Flow Graphs from the Audit Statistics 61

BCreating Bar Charts from the Audit Statistics 65

About This Guide

The Linux audit framework as shipped with this version of SUSE Linux Enterprise

provides a CAPP-compliant auditing system that reliably collects information about

any security-relevant events. The audit records can be examined to determine whether

any violation of the security policies has been committed and by whom.

Providing an audit framework is an important requirement for a CC-CAPP/EAL certi-

cation. Common Criteria (CC) for Information Technology Security Information is

an international standard for independent security evaluations. Common Criteria helps

customers judge the security level of any IT product they intend to deploy in mission-

critical setups.

Common Criteria security evaluations have two sets of evaluation requirements, func-

tional and assurance requirements. Functional requirements describe the security at-

tributes of the product under evaluation and are summarized under the Controlled Access

Protection Proles (CAPP). Assurance requirements are summarized under the Evalu-

ation Assurance Level (EAL). EAL describes any activities that must take place for the

evaluators to be condent that security attributes are present, effective, and implemented.

Examples for activities of this kind include documenting the developers' search for se-

curity vulnerabilities, the patch process, and testing.

This guide provides a basic understanding of how audit works and how it can be set

up. For more information about Common Criteria itself, refer to the Common Criteria

Web site [http://www.commoncriteria-portal.org].

This guide contains the following:

Understanding Linux Audit

Get to know the different components of the Linux audit framework and how they

interact with each other. Refer to this chapter for detailed background information.

Setting Up the Linux Audit Framework

Follow the instructions to set up an example audit conguration from start to nish.

If you need a quick start document to get you started with audit, this chapter is it.

If you need background information about audit, refer to Chapter 1, Understanding

Linux Audit (page 1) and Chapter 3, Introducing an Audit Rule Set (page 47).

Introducing an Audit Rule Set

Learn how to create an audit rule set that matches your needs by analyzing an ex-

ample rule set.

Useful Resources

Check additional online and system information resources for more details on audit.

1 Feedback

We want to hear your comments and suggestions about this manual and the other doc-

umentation included with this product. Please use the User Comments feature at the

bottom of each page of the online documentation and enter your comments there.

2 Documentation Updates

For the latest version of this documentation, see the SLES 10 SP1 doc Web site

[http://www.novell.com/documentation/sles10].

3 Documentation Conventions

The following typographical conventions are used in this manual:

•/etc/passwd: lenames and directory names

•placeholder: replace placeholder with the actual value

•PATH: the environment variable PATH

•ls,--help: commands, options, and parameters

•user: users or groups

•Alt,Alt +F1: a key to press or a key combination; keys are shown in uppercase as

on a keyboard

•File,File >Save As: menu items, buttons

vi The Linux Audit Framework

•►amd64 ipf: This paragraph is only relevant for the specied architectures. The

arrows mark the beginning and the end of the text block.◄

►ipseries s390 zseries: This paragraph is only relevant for the specied architec-

tures. The arrows mark the beginning and the end of the text block.◄

•Dancing Penguins (Chapter Penguins, ↑Another Manual): This is a reference to a

chapter in another manual.

About This Guide vii

Understanding Linux Audit

Linux audit helps make your system more secure by providing you with a means to

analyze what is going on on your system in great detail. It does not, however, provide

additional security itself—it does not protect your system from code malfunctions or

any kind of exploits. Instead, Audit is useful for tracking these issues and helps you

take additional security measures, like Novell AppArmor, to prevent them.

Audit consists of several components, each contributing crucial functionality to the

overall framework. The audit kernel module intercepts the system calls and records the

relevant events. The auditd daemon writes the audit reports to disk. Various command

line utilities take care of displaying, querying, and archiving the audit trail.

Audit enables you to do the following:

Associate Users with Processes

Audit maps processes to the user ID that started them. This makes it possible for

the administrator or security ofcer to exactly trace which user owns which process

and is potentially doing malicious operations on the system.

IMPORTANT: Renaming User IDs

Audit does not handle the renaming of UIDs. Therefore avoid renaming

UIDs (for example, changing tux from uid=1001 to uid=2000) and

obsolete UIDs rather than renaming them. Otherwise you would need to

change auditctl data (audit rules) and would have problems retrieving old

data correctly.

Understanding Linux Audit 1

Review the Audit Trail

Linux audit provides tools that write the audit reports to disk and translate them

into human readable format.

Review Particular Audit Events

Audit provides a utility that allows you to lter the audit reports for certain events

of interest. You can lter for:

• User

• Group

• Audit ID

• Remote Hostname

• Remote Host Address

• System Call

• System Call Arguments

• File

• File Operations

• Success or Failure

Apply a Selective Audit

Audit provides the means to lter the audit reports for events of interest and also

to tune audit to record only selected events. You can create your own set of rules

and have the audit daemon record only those of interest to you.

Guarantee the Availability of the Report Data

Audit reports are owned by root and therefore only removable by root. Unau-

thorized users cannot remove the audit logs.

Prevent Audit Data Loss

If the kernel runs out of memory, the audit daemon's backlog is exceeded, or its

rate limit is exceeded, audit can trigger a shutdown of the system to keep events

from escaping audit's control. This shutdown would be an immediate halt of the

system triggered by the audit kernel component without any syncing of the latest

2The Linux Audit Framework

Otros manuales para LINUX ENTERPRISE DESKTOP 10 SP1 -

Tabla de contenidos

Otros manuales de Software de Linux

Linux

Linux Pocket Linux Guide Manual de usuario

Linux

Linux LINUX ENTERPRISE DESKTOP 10 SP1 - Manual de usuario

Manuales populares de Software de otras marcas

COMPRO

COMPRO COMPROFM Manual de usuario

Muratec

Muratec OFFICEBRIDGE ONLINE Manual de usuario

Oracle

Oracle Contact Center Anywhere 8.1 Manual de usuario

Adobe

Adobe 65007312 - Photoshop Lightroom Manual

Avaya

Avaya NULL One-X for RIM Blackberry Manual de usuario

HP ProLiant BL420c Manual de usuario

PS Audio

PS Audio PowerPlay Manual del propietario

Brady

Brady LOCKOUT PRO 3.0 Manual de servicio

Avaya

Avaya Interaction Center Manual de usuario

Texas Instruments

Texas Instruments TI-83 Plus Silver Edition Manual

Novell

Novell GROUPWISE 8 - INTERNET AGENT Manual de usuario

Oracle

Oracle Application 9i Manual de usuario

Acer

Acer RDM Manual de usuario

Canon

Canon Vixia HF21 Manual de usuario

Canon

Canon ZR950 Manual de usuario

Samsung

Samsung Auto Backup Manual de usuario

Polycom

Polycom Vortex EF2201 Instrucciones de instalación y funcionamiento

Brocade Communications Systems

Brocade Communications Systems Brocade 8/12c Manual de usuario