Linux Audit Quick Start

SUSE Linux Enterprise Server 11 SP4
SUSE Linux Enterprise Server

Linux audit allows you to comprehensively log and track access to files, directories, and resources of your system, as well as trace system calls. It enables you to monitor your system for application misbehavior or code malfunctions. By creating a sophisticated set of rules including file watches and system call auditing, you can make sure that any violation of your security policies is noted and properly addressed.

To set up Linux audit on your system, proceed as follows:

  1. Stop the default audit daemon with the rcauditd stop command.

  2. Adjust the system configuration for audit and enable audit.

  3. Configure the audit daemon.

  4. Determine which system components to audit and set up audit rules.

  5. Optionally configure plug-in applications you intend to use with the audit dispatcher.

  6. Start the audit daemon after you have completed the configuration of the audit system using the rcauditd start command.

  7. Determine which reports to run and configure these reports.

  8. Analyze the audit logs and reports.

  9. (Optional) Analyze individual system calls with autrace.

IMPORTANT: Users Entitled to Work with Audit

The audit tools, configuration files, and logs are only available to root. This protects audit from ordinary users of the system. To manipulate any aspect of audit, you must be logged in as root.