The translation is temporarily closed for contributions due to maintenance, please come back later.
The translation was automatically locked due to following alerts: Could not push the repository.
Context English Arabic
_ translator-credits
Introducing an Audit Rule Set
The following example configuration illustrates how audit can be used to monitor your system. It highlights the most important items that need to be audited to cover the list of auditable events specified by Controlled Access Protection Profile (CAPP).
The example rule set is divided into the following sections:
Basic audit configuration (see <xref linkend="sec.audit.scenbasic"/>)
Watches on audit log files and configuration files (see <xref linkend="sec.audit.scenauconf"/>)
Monitoring operations on file system objects (see <xref linkend="sec.audit.scenfs"/>)
Monitoring security databases (see <xref linkend="sec.audit.scensecurity"/>)
Monitoring miscellaneous system calls (<xref linkend="sec.audit.scenmisc"/>)
Filtering system call arguments (see <xref linkend="sec.audit.scenipc"/>)
To transform this example into a configuration file to use in your live setup, proceed as follows:
Choose the appropriate settings for your setup and adjust them.
Adjust the file <filename>/etc/audit/audit.rules</filename> by adding rules from the examples below or by modifying existing rules.
Adjusting the Level of Audit Logging
Do not copy the example below into your audit setup without adjusting it to your needs. Determine what and to what extent to audit.
The entire <filename>audit.rules</filename> is a collection of <command>auditctl</command> commands. Every line in this file expands to a full <command>auditctl</command> command line. The syntax used in the rule set is the same as that of the <command>auditctl</command> command.
Adding Basic Audit Configuration Parameters
-D<co xml:id="co.auctld"/>
-b 8192<co xml:id="co.auctlb"/>
-f 2<co xml:id="co.auctlf"/>
Delete any preexisting rules before starting to define new ones.
Set the number of buffers to take the audit messages. Depending on the level of audit logging on your system, increase or decrease this figure.