6.4 Configuring a Linux Auditing Subsystem

Auditing subsystems on SUSE, Red Hat, and Red Hat variants are very similar, but the location of the configuration files depends on the operating system version, and the syscall rules depend on the architecture. For Red Hat 4 and SUSE 10, configure the audit daemon in the /etc/auditd.conf and /etc/audit.rules files. For Red Hat 5, Red Hat 6, and SUSE 11, configure the audit daemon in the /etc/audit/auditd.conf and /etc/audit/audit.rules files. auditd.conf controls the daemon itself (log file, rotation, and what to do when the disk fills); audit.rules holds the auditctl rules that are loaded each time the daemon starts.

Perform the following steps to configure auditing on a Linux computer:

  1. (Conditional) For Red Hat and variants of Red Hat, ensure that the auditd service is enabled at boot by running the chkconfig auditd on command, and that it is currently running (service auditd start; service auditd status confirms it).

  2. (Conditional) For SUSE, ensure that auditing is enabled in the kernel by running the auditctl -e 1 command. This setting is not persistent on its own: add -e 1 as the last line of audit.rules so it is reapplied whenever the rules are loaded, and make sure the auditd service itself starts at boot (chkconfig auditd on).

  3. (Conditional) For computers that use a 32-bit (i386) architecture, add the following lines to the audit.rules file (the chown32, fchown32, and lchown32 names exist only in the 32-bit syscall table):

    -a exit,always -F arch=b32 -S futimesat
    -a exit,always -F arch=b32 -S unlinkat
    -a exit,always -F arch=b32 -S fchownat
    -a exit,always -F arch=b32 -S openat
    -a exit,always -F arch=b32 -S exit
    -a exit,always -F arch=b32 -S dup2
    -a exit,always -F arch=b32 -S kill
    -a exit,always -F arch=b32 -S rename
    -a exit,always -F arch=b32 -S unlink
    -a exit,always -F arch=b32 -S symlinkat
    -a exit,always -F arch=b32 -S mount
    -a exit,always -F arch=b32 -S fchmod
    -a exit,always -F arch=b32 -S mknodat
    -a exit,always -F arch=b32 -S execve
    -a exit,always -F arch=b32 -S chown
    -a exit,always -F arch=b32 -S open
    -a exit,always -F arch=b32 -S exit_group
    -a exit,always -F arch=b32 -S utime
    -a exit,always -F arch=b32 -S adjtimex
    -a exit,always -F arch=b32 -S chown32
    -a exit,always -F arch=b32 -S renameat
    -a exit,always -F arch=b32 -S close
    -a exit,always -F arch=b32 -S creat
    -a exit,always -F arch=b32 -S symlink
    -a exit,always -F arch=b32 -S fchown
    -a exit,always -F arch=b32 -S utimes
    -a exit,always -F arch=b32 -S fchown32
    -a exit,always -F arch=b32 -S link
    -a exit,always -F arch=b32 -S settimeofday
    -a exit,always -F arch=b32 -S fchmodat
    -a exit,always -F arch=b32 -S lchown32
    -a exit,always -F arch=b32 -S lchown
    -a exit,always -F arch=b32 -S umount2
    -a exit,always -F arch=b32 -S chmod
    -a exit,always -F arch=b32 -S linkat
    -a exit,always -F arch=b32 -S umount
    -a exit,always -F arch=b32 -S fork
    -a exit,always -F arch=b32 -S dup
    -a exit,always -F arch=b32 -S mknod
    -a exit,always -F arch=b32 -S vfork
    
  4. (Conditional) For computers that use a 64-bit (x86_64) architecture, add the following lines to the audit.rules file. Keep the arch=b32 rules from step 3 as well: a 32-bit binary running on an x86_64 kernel enters through the 32-bit syscall table and is matched only by arch=b32 rules, so arch=b64 rules alone would miss it.

    -a exit,always -F arch=b64 -S futimesat
    -a exit,always -F arch=b64 -S unlinkat
    -a exit,always -F arch=b64 -S fchownat
    -a exit,always -F arch=b64 -S openat
    -a exit,always -F arch=b64 -S exit
    -a exit,always -F arch=b64 -S dup2
    -a exit,always -F arch=b64 -S kill
    -a exit,always -F arch=b64 -S rename
    -a exit,always -F arch=b64 -S unlink
    -a exit,always -F arch=b64 -S symlinkat
    -a exit,always -F arch=b64 -S mount
    -a exit,always -F arch=b64 -S fchmod
    -a exit,always -F arch=b64 -S mknodat
    -a exit,always -F arch=b64 -S execve
    -a exit,always -F arch=b64 -S chown
    -a exit,always -F arch=b64 -S open
    -a exit,always -F arch=b64 -S exit_group
    -a exit,always -F arch=b64 -S utime
    -a exit,always -F arch=b64 -S adjtimex
    -a exit,always -F arch=b64 -S renameat
    -a exit,always -F arch=b64 -S close
    -a exit,always -F arch=b64 -S creat
    -a exit,always -F arch=b64 -S symlink
    -a exit,always -F arch=b64 -S fchown
    -a exit,always -F arch=b64 -S utimes
    -a exit,always -F arch=b64 -S link
    -a exit,always -F arch=b64 -S settimeofday
    -a exit,always -F arch=b64 -S fchmodat
    -a exit,always -F arch=b64 -S lchown
    -a exit,always -F arch=b64 -S umount2
    -a exit,always -F arch=b64 -S chmod
    -a exit,always -F arch=b64 -S linkat
    -a exit,always -F arch=b64 -S fork
    -a exit,always -F arch=b64 -S mknod
    -a exit,always -F arch=b64 -S vfork
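The four steps above carried through as one script: it builds the audit.rules content from the syscall lists in steps 3 and 4, picks the rule sets from the host architecture (both b32 and b64 on x86_64, so 32-bit binaries are not missed), writes the file, and, when asked, loads it into the kernel and lists what the kernel holds. This is an added example, not code from the original page or from the product it documents. It assumes an x86 host (the chown32-style names do not exist on other architectures), defaults the rules file to the /etc/audit/audit.rules layout of Red Hat 5/6 and SUSE 11 (pass /etc/audit.rules as the second argument on Red Hat 4 or SUSE 10), and needs root and a running auditd only for the final --install load step.

```shell
#!/bin/sh
# Added example (not from the original page): generate, write, and load the
# section 6.4 audit rules for the running host.

# Syscalls that appear in both the 32-bit (step 3) and 64-bit (step 4) lists.
COMMON_SYSCALLS="futimesat unlinkat fchownat openat exit dup2 kill rename unlink
symlinkat mount fchmod mknodat execve chown open exit_group utime adjtimex
renameat close creat symlink fchown utimes link settimeofday fchmodat lchown
umount2 chmod linkat fork mknod vfork"

# Syscalls the page lists only for 32-bit. chown32, fchown32, lchown32 and
# umount exist only in the i386 syscall table; dup also exists on x86_64, but
# the page lists it only in step 3, so it is kept here to match the page.
B32_ONLY="chown32 fchown32 lchown32 umount dup"

# Print one rule per syscall for the given arch (b32 or b64), in the same
# form as the page. auditctl accepts the list/action pair in either order,
# so "exit,always" and "always,exit" are equivalent.
gen_rules() {
    arch="$1"
    list="$COMMON_SYSCALLS"
    [ "$arch" = "b32" ] && list="$list $B32_ONLY"
    for sc in $list; do
        printf '%s\n' "-a exit,always -F arch=$arch -S $sc"
    done
}

# Map uname -m to the rule sets the host needs. An x86_64 kernel still
# services 32-bit binaries through the i386 syscall table, so it gets both
# sets; arch=b64 rules alone would not see those programs.
archs_for() {
    case "$1" in
        x86_64) echo "b32 b64" ;;
        i?86)   echo "b32" ;;
        *)      echo "unsupported architecture for these rules: $1" >&2; return 1 ;;
    esac
}

# Write a complete rules file: flush any existing rules first (-D), then the
# per-arch rules, then keep auditing enabled (-e 1) so the setting survives
# every reload (this is the persistent form of step 2).
write_rules() {
    machine="$1"; out="$2"
    archs=$(archs_for "$machine") || return 1
    {
        echo "# generated from the section 6.4 syscall lists for $machine"
        echo "-D"
        for a in $archs; do gen_rules "$a"; done
        echo "-e 1"
    } > "$out"
}

# Count the -a rules in a rules file, to verify what was written.
count_rules() {
    grep -c '^-a ' "$1"
}

# Load the file into the running kernel and print the rules the kernel now
# holds. Requires root and a running auditd; compare the output of
# auditctl -l against count_rules to confirm nothing was rejected.
load_rules() {
    auditctl -R "$1" && auditctl -l
}

# Usage: sh audit-rules.sh --install [/path/to/audit.rules]
if [ "${1:-}" = "--install" ]; then
    target="${2:-/etc/audit/audit.rules}"
    write_rules "$(uname -m)" "$target" && load_rules "$target"
fi
```

Run it without arguments to do nothing; run write_rules with a scratch path first to review the generated file, then use --install as root. If auditctl -l shows fewer rules than count_rules reports, one of the syscall names was rejected by that kernel or auditctl version, and the rejected line is printed by auditctl -R.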