Red Hat Enterprise Linux 5 Administration Unleashed
CHAPTER 25
Linux Auditing System

The 2.6 Linux kernel has the ability to log events such as system calls and file access. These logs can then be reviewed by the administrator to determine possible security breaches such as failed login attempts or a user failing to access system files. This functionality, called the Linux Auditing System, is available in Red Hat Enterprise Linux 5.

IN THIS CHAPTER
. Configuring the Audit Daemon
. Writing Audit Rules and Watches
. Starting and Stopping the Daemon
. Analyzing the Records
. Tracing a Process with Audit

To use the Linux Auditing System, use the following steps:

1. Configure the audit daemon.
2. Add audit rules and watches to collect desired data.
3. Start the daemon, which enables the Linux Auditing System in the kernel and starts the logging.
4. Periodically analyze data by generating audit reports and searching the logs.

This chapter discusses each of these steps in detail.

Configuring the Audit Daemon

The Linux Auditing System in the kernel is turned off by default in Red Hat Enterprise Linux 5. When the audit daemon is started, this kernel feature is enabled. To enable the Linux Auditing System at startup without using the daemon auditd, boot with the audit=1 parameter. If this parameter is set to 1 and auditd is not running, the audit logs are written to /var/log/messages.

To use auditd and the utilities for generating log file reports, the audit RPM package must be installed. If it is not installed, refer to Chapter 3, "Operating System Updates," for instructions on package installation.

Using auditd allows the administrator to customize the audit logs produced. The following are just some of the customizations available:
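The four-step procedure and the audit=1 behaviour described above, as an added shell example that is not from the book: two helpers that can be exercised without root (one parses a kernel command line for audit=1, one reports where records land given that flag and whether auditd is running), plus the steps as they would be typed on a RHEL 5 host. The auditd log path /var/log/audit/audit.log, the watch key name and the rpm/service/auditctl/ausearch/aureport invocations are assumptions, not taken from the page.

```shell
#!/bin/sh
# Added example: helpers mirror what the chapter states about audit=1 and auditd.

# Print 1 if the kernel command line (e.g. the contents of /proc/cmdline, passed
# as a string) enables auditing at boot, else 0. A later audit=0 wins over an
# earlier audit=1, as with any repeated kernel parameter.
audit_boot_param() {
    _result=0
    for _word in $1; do
        case "$_word" in
            audit=1) _result=1 ;;
            audit=0) _result=0 ;;
        esac
    done
    echo "$_result"
}

# Print where audit records end up, given the boot flag (output of
# audit_boot_param) and whether auditd is running (1/0). With auditd running
# they go to auditd's own log (assumed default path); with audit=1 and no
# auditd they are passed to syslog and appear in /var/log/messages; otherwise
# the kernel is not auditing at all.
audit_log_destination() {
    if [ "$2" = 1 ]; then
        echo /var/log/audit/audit.log
    elif [ "$1" = 1 ]; then
        echo /var/log/messages
    else
        echo none
    fi
}

# Steps 1-4 on a real host (root required; not run when this file is sourced).
audit_walkthrough() {
    rpm -q audit >/dev/null || { echo "install the audit package first" >&2; return 1; }
    # step 1: edit /etc/audit/auditd.conf (assumed path) to taste, then
    service auditd start                                # step 3: enables kernel auditing
    auditctl -w /etc/shadow -p wa -k shadow-watch        # step 2: watch writes/attr changes
    ausearch -k shadow-watch                             # step 4: records matching the key
    aureport --summary                                   # step 4: high-level report
}
```

Run `audit_log_destination "$(audit_boot_param "$(cat /proc/cmdline)")" "$(pgrep -x auditd >/dev/null && echo 1 || echo 0)"` on a host to see which log to open.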
