From mboxrd@z Thu Jan  1 00:00:00 1970
From: Steve Grubb <sgrubb@redhat.com>
Subject: Re: VERY basic question
Date: Tue, 11 Feb 2014 08:57:07 -0500
Message-ID: <22099555.MmjXLMlauy@x2>
References: <2AAF61416E46C443A2E009DC0ECCF02C0560DA@swri16exbe1.electro.swri.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <2AAF61416E46C443A2E009DC0ECCF02C0560DA@swri16exbe1.electro.swri.edu>
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
Cc: Margaret M Sanders <msanders@swri.org>
List-Id: linux-audit@redhat.com

On Monday, February 10, 2014 07:20:37 PM Margaret M Sanders wrote:
> In a standalone system:
> 
> How in the world do I capture, create and save human readable reports and
> then clear audit logs.

aureport is a good starting point. As for what you want out of it...that would 
depend on your security policy and threat model. For example, I put key labels 
on all rules. So, the main thing I want to see is the key summary report so 
that I have a general idea of what is going on with the system. Based on that, 
I then look closer at events with certain keys. For others, its different. I 
have seen in the past perl scripts that run several aureport commands and 
formats it into a report. But there really isn't a consensus on what a 
standard report would be.


> Which BASIC /var/log should every accidental sysad (like myself) be
> capturing?
> 
> I know where to put the audit rules, but at this point, I'm just sort of
> following instructions for that without any real sense of understanding. 
> The farthest I've gotten is -w means watch.
> 
> If you guys would take a moment to ask such a rudimentary question, I might
> be able to move past go.

The audit.rules man page has some tips and pointers for rules and 
investigations. There is also some documentation here:

https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html

and other distributions have documentation you can look at as well. Try "linux 
audit documentation" as a search to find more.

-Steve