Generating a generic audit log
The following are examples of generating a generic audit log.
In this example, assume that a system administrator wants to use the audit subsystem to monitor a large multi-user server system. No direct integration into an IDS is performed; all audit records will be inspected manually for irregularities. Only a few essential audit events are recorded, to keep the amount of generated data to a manageable size.
The audit events that are considered for event detection are the following:
- FILE_Write: We want to know about writes to configuration files, so this event will be used with all files in the /etc tree.
- PROC_SetUserIDs: All changes of user IDs.
- AUD_Bin_Def: Audit bin configuration.
- USER_SU: The su command.
- PASSWORD_Change: The passwd command.
- AUD_Lost_Rec: Notification in case there were lost records.
- CRON_JobAdd: New cron jobs.
- AT_JobAdd: New at jobs.
- USER_Login: All logins.
- PORT_Locked: All locks on terminals because of too many invalid attempts.
The following is an example of how to generate a generic audit log:
This example uses only a few events. To see all events, you could specify the classname ALL for all users. This action will generate large amounts of data. You might want to add all events related to user changes and privilege changes to your custom class.
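The script below is an added example, not the page's own procedure: it assembles the AIX audit configuration the text describes (an objects file requesting FILE_Write for every file under /etc, a config file with bin mode enabled and the listed events collected into one class, and the bincmds file that appends full bins to the trail) and then starts auditing. The class name "custom", the bin and trail paths under /audit, the AUDIT_ROOT and TRAIL_DIR variables, and the function names are assumptions made for this example; AUDIT_ROOT defaults to the real /etc/security/audit directory but can be pointed at a scratch directory to inspect the generated files first.

```shell
#!/bin/sh
# Added example (not from the page): build the AIX audit configuration for
# a small custom event class and start bin-mode auditing.
# Assumed names: class "custom", bins and trail under $TRAIL_DIR,
# configuration directory $AUDIT_ROOT (defaults to the live AIX location).

AUDIT_ROOT="${AUDIT_ROOT:-/etc/security/audit}"   # point at a scratch dir to dry-run
TRAIL_DIR="${TRAIL_DIR:-/audit}"

# The events listed on the page, collected into one class.
CUSTOM_EVENTS='FILE_Write,PROC_SetUserIDs,AUD_Bin_Def,USER_SU,PASSWORD_Change,AUD_Lost_Rec,CRON_JobAdd,AT_JobAdd,USER_Login,PORT_Locked'

# Print an objects-file stanza requesting FILE_Write for every regular file
# under the tree given as $1. The objects file names paths explicitly, so only
# files that exist now are covered: rerun this after adding configuration files.
make_objects() {
    find "$1" -type f | sort | while IFS= read -r path; do
        printf '%s:\n        w = FILE_Write\n\n' "$path"
    done
}

# Print the config file: bin mode on, stream mode off, the custom class, and
# one "user = custom" line for each user named in $1 (space separated).
make_config() {
    cat <<EOF
start:
        binmode = on
        streammode = off

bin:
        trail = $TRAIL_DIR/trail
        bin1 = $TRAIL_DIR/bin1
        bin2 = $TRAIL_DIR/bin2
        binsize = 10240
        cmds = $AUDIT_ROOT/bincmds

classes:
        custom = $CUSTOM_EVENTS

users:
EOF
    for user in $1; do
        printf '        %s = custom\n' "$user"
    done
}

# Write all three files. $1 = directory tree to watch, $2 = users to audit.
install_config() {
    mkdir -p "$AUDIT_ROOT" "$TRAIL_DIR"
    make_objects "$1" > "$AUDIT_ROOT/objects"
    make_config "$2" > "$AUDIT_ROOT/config"
    # bincmds: auditcat appends each full bin to the trail. $trail and $bin are
    # expanded by the audit subsystem itself, so they stay literal here.
    printf '/usr/sbin/auditcat -p -o $trail $bin\n' > "$AUDIT_ROOT/bincmds"
}

# Number of users assigned to the custom class in a config file ($1).
count_custom_users() {
    grep -c '= custom$' "$1"
}

# Only touch the live system when explicitly asked to.
if [ "${1:-}" = "--install" ]; then
    install_config /etc "root"
    audit start
    audit query
    # Later, review the trail by hand:  auditpr -v < "$TRAIL_DIR/trail"
fi
```

Run it as `sh generate-audit.sh --install` on the target host to write the files and start auditing; without the flag it only defines the functions, so `AUDIT_ROOT=/tmp/auditcfg sh -c '. ./generate-audit.sh; install_config /etc root'` lets you review the generated stanzas before committing them. Because the objects file enumerates paths rather than a directory, a configuration file created after installation is not audited until the objects file is regenerated.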