[ale] Setting up Audit
Tim Meanor
timothy at meanor.net
Thu Mar 22 19:38:28 EDT 2007
aucat and augrep are the commands you need to look at the audit logs.
A few other pointers regarding audit: Look at /etc/audit/filter.conf
and set up the syscalls that you are interested in logging. Also, be
sure to look closely at /etc/audit/audit.conf. By default, audit
keeps 4 20MB binary log files - bin.1, bin.2, bin.3, and bin.4. (To
see which one is being used, ls -l /var/log/audit). After a log
fills up, audit starts using the next one. Once it gets to bin.4 and
fills that up, Be careful - over time, /var/log/audit.d fills up with
these 20 MB save.x files, eventually filling up /var. With audit
turned on and /var at 100%, audit won't be able to write any more log
events, so anything that would cause a log event to be written will
hang! You won't be able to ssh into the system, for example. Not
fun. Keep those save.x files under control, or edit /etc/audit/
audit.conf and configure it to put the log files on a different
filesystem, or something like that.
-Tim
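A maintenance script for the /var-fills-up problem described above, written here as an added example and not taken from the list post or from the audit package. It assumes the rotated logs are named save.N under AUDIT_DIR, that ARCHIVE_DIR sits on a filesystem other than /var, and that the KEEP and USAGE_MAX values are local choices, none of which the post specifies.

```shell
#!/bin/sh
# Added example (not from the list post): sweep /var/log/audit.d so rotated
# save.x files cannot fill /var and stall every process that must log an event.
# Assumptions: rotated logs are save.N in AUDIT_DIR; ARCHIVE_DIR is on another
# filesystem; KEEP and USAGE_MAX are values chosen here, not from the page.

AUDIT_DIR="${AUDIT_DIR:-/var/log/audit.d}"
ARCHIVE_DIR="${ARCHIVE_DIR:-/srv/audit-archive}"
KEEP="${KEEP:-4}"             # newest save.* files that stay on /var
USAGE_MAX="${USAGE_MAX:-80}"  # warn above this percent used

# List save.* files in DIR, newest first, skipping the KEEP most recent ones.
archive_candidates() {
    dir="$1"; keep="$2"
    ls -1t "$dir"/save.* 2>/dev/null | tail -n +$((keep + 1))
}

# Percent used on the filesystem that holds PATH, printed as a bare integer.
fs_usage_pct() {
    df -P "$1" | awk 'NR == 2 { sub("%", "", $5); print $5 }'
}

# gzip each candidate into DEST, verify the copy, and only then delete the original.
archive_old_saves() {
    dir="$1"; dest="$2"; keep="$3"
    mkdir -p "$dest" || return 1
    archive_candidates "$dir" "$keep" | while read -r f; do
        out="$dest/$(basename "$f").gz"
        if gzip -c "$f" > "$out" && gzip -t "$out"; then
            rm -f "$f" && echo "archived $f -> $out"
        else
            echo "failed to archive $f, keeping it" >&2
        fi
    done
}

main() {
    pct=$(fs_usage_pct "$AUDIT_DIR")
    if [ "${pct:-0}" -ge "$USAGE_MAX" ]; then
        echo "WARNING: filesystem holding $AUDIT_DIR is ${pct}% full" >&2
    fi
    archive_old_saves "$AUDIT_DIR" "$ARCHIVE_DIR" "$KEEP"
}

# Run from cron, e.g. hourly:  sh audit-sweep.sh run
if [ "${1:-}" = "run" ]; then main; fi
```

The archive step keeps the original until the gzip copy passes `gzip -t`, so a full or unwritable archive filesystem leaves the audit data in place rather than losing it.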
On Mar 22, 2007, at 5:04 PM, Naylor, Jim wrote:
> Hello All,
> I need to turn on auditing on a Redhat Enterprise Linux system in
> order to be PCI compliant. If I am correct, this will give me
> information on what command users are executing/editing etc. I
> have found that I can start the auditd by executing /etc/init.d/
> audit start and it creates audit logs in /var/log/audit called bin.
> 0, bin.1, etc. What I cannot seem to find is how to extract this
> data. I found something about aureport but I cannot seem to find
> this command on my system. Is anyone aware of any white papers on
> how to setup auditing and generate reports? Your assistance is
> greatly appreciated.
>
> Thanks,
> Jim Naylor
> Unix/Storage Systems Administrator
> Schnuck Markets, Inc.
> Direct (314) 994-4784
> Cell (314) 691-0186
> Fax (314) 994-4684
> E-Mail jnaylor at schnucks.com
>
> Ale mailing list
> Ale at ale.org
> http://www.ale.org/mailman/listinfo/ale