System Auditing
October 18th, 2016
| Table of contents |  |
General overview
Use Cases
Defining File System Rules
Defining System Call Rules
| General overview |  |
The Linux Audit system provides a way to track security-relevant information on your system. Based on pre-configured rules, Audit generates log entries to record as much information about the events that are happening on your system as possible. This information is crucial for mission-critical environments to determine the violator of the security policy and the actions they performed. Audit does not provide additional security to your system; rather, it can be used to discover violations of security policies used on your system. These violations can further be prevented by additional security measures such as SELinux.
Source: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html
| Use Cases |  |
Watching file access
Monitoring system calls
Recording commands run by a user
Recording security events
Searching for events
Running summary reports
Monitoring network access
| Defining File System Rules |  |
To define a file system rule, use the following syntax:
auditctl -w path_to_file -p permissions -k key_name
where:
path_to_file is the file or directory that is audited.
permissions are the permissions that are logged:
r read access to a file or a directory.
w write access to a file or a directory.
x execute access to a file or a directory.
a change in the file's or directory's attribute.
key_name is an optional string that helps you identify which rule or a set of rules generated a particular log entry.
| Defining System Call Rules |  |
To define a system call rule, use the following syntax:
auditctl -a action,filter -S system_call -F field=value -k key_name
where:
action and filter specify when a certain event is logged. action can be either always or never. filter specifies which kernel rule-matching filter is applied to the event. The rule-matching filter can be one of the following: task, exit, user, and exclude. For more information about these filters, see the beginning of Section 7.1, Audit System Architecture.
system_call specifies the system call by its name. A list of all system calls can be found in the /usr/include/asm/unistd_64.h file. Several system calls can be grouped into one rule, each specified after the -S option.
field=value specifies additional options that further restrict the rule to match events based on a specified architecture, group ID, process ID, and others. For a full listing of all available field types and their values, see the auditctl(8) man page.
key_name is an optional string that helps you identify which rule or a set of rules generated a particular log entry.
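As an added example (not from this page or from the Red Hat documentation it quotes), the POSIX shell helpers below build rule lines in the two syntaxes above, rejecting permission letters, actions and filters the syntax does not allow, and write a constructed sample set to a file of your choosing for review rather than loading it with auditctl. The -F arch=b64 field and the system call names in the sample are assumptions for a 64-bit x86 host.

```shell
#!/bin/sh
# Added example: compose and validate audit rule lines (not project code).

# audit_fs_rule PATH PERMS KEY -> prints "-w PATH -p PERMS -k KEY"
# PERMS may only contain the letters r, w, x and a described above.
audit_fs_rule() {
    path=$1; perms=$2; key=$3
    case "$perms" in
        *[!rwxa]*|"") echo "bad permissions '$perms' (use r, w, x, a)" >&2; return 1 ;;
    esac
    [ -n "$path" ] && [ -n "$key" ] || { echo "path and key are required" >&2; return 1; }
    printf '%s\n' "-w $path -p $perms -k $key"
}

# audit_syscall_rule ACTION FILTER KEY SYSCALL... ->
#   prints "-a ACTION,FILTER -F arch=b64 -S SYSCALL [-S ...] -k KEY"
# ACTION must be always|never; FILTER must be task|exit|user|exclude.
# arch=b64 is assumed here (64-bit host); adjust for other architectures.
audit_syscall_rule() {
    action=$1; filter=$2; key=$3; shift 3
    case "$action" in
        always|never) ;;
        *) echo "action must be always or never" >&2; return 1 ;;
    esac
    case "$filter" in
        task|exit|user|exclude) ;;
        *) echo "filter must be task, exit, user or exclude" >&2; return 1 ;;
    esac
    [ $# -gt 0 ] || { echo "at least one system call is required" >&2; return 1; }
    syscalls=""
    for s in "$@"; do syscalls="$syscalls -S $s"; done
    printf '%s\n' "-a $action,$filter -F arch=b64$syscalls -k $key"
}

# write_rules FILE: write a constructed sample rule set (watch account files,
# record time changes and executed commands) to FILE for review before it is
# installed; nothing here touches the running audit configuration.
write_rules() {
    {
        audit_fs_rule /etc/passwd wa passwd_changes
        audit_fs_rule /etc/shadow wa shadow_changes
        audit_syscall_rule always exit time_change adjtimex settimeofday
        audit_syscall_rule always exit exec_commands execve
    } > "$1"
}
```

Review the generated file, then load it with auditctl or place it under the audit rules directory of your distribution.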
| Contact |  |
To send me an e-mail or leave me a comment: richard.brunooo at gmail.com