Auditd: Difference between revisions

From ICO wiki
Jump to navigationJump to search
Nptskial (talk | contribs)
No edit summary
Nptskial (talk | contribs)
No edit summary
Line 1: Line 1:
'''Auditd''' - is the userspace component of the Linux Auditing System<ref>[https://linux.die.net/man/8/auditd] auditd - Linux man page</ref>. It is responsible for writing audit records to the disk. '''The Linux Auditing System''' helps system administrators to create an audit trail, a log for every action on the server. Since '''Auditd''' operates at the kernel level, this gives system administrators an opportunity to get detailed information about any system operation. '''The Linux Audit System''' provides a way to track security-relevant information on the system. Based on pre-configured rules, '''Auditd''' generates log entries to record as much information about the events that are happening on the system as possible. System administrators can choose which actions on the server should be monitored and to what extent. This information is crucial for mission-critical environments to determine the violator of the security policy and the actions they performed. '''Auditd''' does not provide additional security to the system, rather it can be used to discover violations of security policies used on the system. These violations can further be prevented by additional security measures such as SELinux. '''The Linux Audit System''' is developed and maintained by '''RedHat'''<ref>[https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html] Chapter 7.System Auditing</ref>.
'''Auditd''' - is the userspace component of the Linux Auditing System<ref>[https://linux.die.net/man/8/auditd] auditd - Linux man page</ref>. It is responsible for writing audit records to the disk. '''The Linux Auditing System''' helps system administrators to create an audit trail, a log for every action on the server. Since '''Auditd''' operates at the kernel level, this gives system administrators an opportunity to get detailed information about any system operation. '''The Linux Audit System''' provides a way to track security-relevant information on the system. Based on pre-configured rules, '''Auditd''' generates log entries to record as much information about the events that are happening on the system as possible. System administrators can choose which actions on the server should be monitored and to what extent. This information is crucial for mission-critical environments to determine the violator of the security policy and the actions they performed. '''Auditd''' does not provide additional security to the system, rather it can be used to discover violations of security policies used on the system. These violations can further be prevented by additional security measures such as SELinux. '''The Linux Audit System''' is developed and maintained by '''RedHat'''<ref name=chapter7>[https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html] Chapter 7.System Auditing</ref>.


==Usage and use cases==
==Usage and use cases==
'''Auditd''' is a powerful tool for system administrators as it allows them to monitor access to any file, network traffic and almost everything they would need. The level of detail is phenomenal, since the daemon operates at kernel level and the granularity of the information has been proven to be very useful. The following list summarizes some of the information that Audit can record in its log files<ref>[https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html] Chapter 7.System Auditing</ref>:
'''Auditd''' is a powerful tool for system administrators as it allows them to monitor access to any file, network traffic and almost everything they would need. The level of detail is phenomenal, since the daemon operates at kernel level and the granularity of the information has been proven to be very useful. The following list summarizes some of the information that Audit can record in its log files<ref name=chapter7 />:





Revision as of 21:50, 11 March 2017

Auditd - is the userspace component of the Linux Auditing System[1]. It is responsible for writing audit records to the disk. The Linux Auditing System helps system administrators to create an audit trail, a log for every action on the server. Since Auditd operates at the kernel level, this gives system administrators an opportunity to get detailed information about any system operation. The Linux Audit System provides a way to track security-relevant information on the system. Based on pre-configured rules, Auditd generates log entries to record as much information about the events that are happening on the system as possible. System administrators can choose which actions on the server should be monitored and to what extent. This information is crucial for mission-critical environments to determine the violator of the security policy and the actions they performed. Auditd does not provide additional security to the system, rather it can be used to discover violations of security policies used on the system. These violations can further be prevented by additional security measures such as SELinux. The Linux Audit System is developed and maintained by RedHat[2].

Usage and use cases

Auditd is a powerful tool for system administrators as it allows them to monitor access to any file, network traffic and almost everything they would need. The level of detail is phenomenal, since the daemon operates at kernel level and the granularity of the information has been proven to be very useful. The following list summarizes some of the information that Audit can record in its log files[2]:


Audit system architecture

Installation of Audit packages

Starting the Audit service

Defining Audit rules

Defining Audit rules with auditctl utility

Defining persistent Audit rules and controls

Understanding Audit log files

Searching the Audit log files

Creating Audit reports

References

  1. [1] auditd - Linux man page
  2. 2.0 2.1 [2] Chapter 7.System Auditing