Re: VERY basic question

[Steve Grubb <sgrubb@redhat.com>]

On Monday, February 10, 2014 07:20:37 PM Margaret M Sanders wrote:
> In a standalone system:
> 
> How in the world do I capture, create and save human readable reports and
> then clear audit logs.

aureport is a good starting point. As for what you want out of it...that would 
depend on your security policy and threat model. For example, I put key labels 
on all rules. So, the main thing I want to see is the key summary report so 
that I have a general idea of what is going on with the system. Based on that, 
I then look closer at events with certain keys. For others, its different. I 
have seen in the past perl scripts that run several aureport commands and 
formats it into a report. But there really isn't a consensus on what a 
standard report would be.


> Which BASIC /var/log should every accidental sysad (like myself) be
> capturing?
> 
> I know where to put the audit rules, but at this point, I'm just sort of
> following instructions for that without any real sense of understanding. 
> The farthest I've gotten is -w means watch.
> 
> If you guys would take a moment to ask such a rudimentary question, I might
> be able to move past go.

The audit.rules man page has some tips and pointers for rules and 
investigations. There is also some documentation here:

https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html

and other distributions have documentation you can look at as well. Try "linux 
audit documentation" as a search to find more.

-Steve