VERY basic question
Steve Grubb
sgrubb at redhat.com
Tue Feb 11 13:57:07 UTC 2014
On Monday, February 10, 2014 07:20:37 PM Margaret M Sanders wrote:
> In a standalone system:
>
> How in the world do I capture, create and save human readable reports and
> then clear audit logs.
aureport is a good starting point. As for what you want out of it...that would
depend on your security policy and threat model. For example, I put key labels
on all rules. So, the main thing I want to see is the key summary report so
that I have a general idea of what is going on with the system. Based on that,
I then look closer at events with certain keys. For others, its different. I
have seen in the past perl scripts that run several aureport commands and
formats it into a report. But there really isn't a consensus on what a
standard report would be.
> Which BASIC /var/log should every accidental sysad (like myself) be
> capturing?
>
> I know where to put the audit rules, but at this point, I'm just sort of
> following instructions for that without any real sense of understanding.
> The farthest I've gotten is -w means watch.
>
> If you guys would take a moment to ask such a rudimentary question, I might
> be able to move past go.
The audit.rules man page has some tips and pointers for rules and
investigations. There is also some documentation here:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html
and other distributions have documentation you can look at as well. Try "linux
audit documentation" as a search to find more.
-Steve
More information about the Linux-audit
mailing list