The Linux Audit Framework

The Linux audit framework as shipped with this version of SUSE Linux Enterprise provides a CAPP-compliant auditing system that reliably collects information about any security-relevant events. The audit records can be examined to determine whether any violation of the security policies has been committed and by whom.

Providing an audit framework is an important requirement for a CC-CAPP/EAL certification. The Common Criteria (CC) for Information Technology Security Evaluation is an international standard for independent security evaluations. Common Criteria helps customers judge the security level of any IT product they intend to deploy in mission-critical setups.

Common Criteria security evaluations have two sets of evaluation requirements: functional requirements and assurance requirements. Functional requirements describe the security attributes of the product under evaluation and, for an operating system such as SUSE Linux Enterprise, are summarized in the Controlled Access Protection Profile (CAPP). Assurance requirements are summarized under the Evaluation Assurance Level (EAL). The EAL describes the activities that must take place for the evaluators to be confident that the security attributes are present, effective, and implemented. Examples of such activities include documenting the developers' search for security vulnerabilities, the patch process, and testing.

This guide provides a basic understanding of how audit works and how it can be set up. For more information about Common Criteria itself, refer to the Common Criteria Web site.

This guide contains the following:

Understanding Linux Audit

Get to know the different components of the Linux audit framework and how they interact with each other. Refer to this chapter for detailed background information.

Setting Up the Linux Audit Framework

Follow the instructions to set up an example audit configuration from start to finish. If you need a quick start document to get you started with audit, this chapter is it. If you need background information about audit, refer to Section 1.0, Understanding Linux Audit and Section 3.0, Introducing an Audit Rule Set.

Introducing an Audit Rule Set

Learn how to create an audit rule set that matches your needs by analyzing an example rule set.

Useful Resources

Check additional online and system information resources for more details on audit.