On Monday, February 10, 2014 07:20:37 PM Margaret M Sanders wrote: > In a standalone system: > > How in the world do I capture, create and save human readable reports and > then clear audit logs.
aureport is a good starting point. As for what you want out of it...that would depend on your security policy and threat model. For example, I put key labels on all rules. So, the main thing I want to see is the key summary report so that I have a general idea of what is going on with the system. Based on that, I then look closer at events with certain keys. For others, its different. I have seen in the past perl scripts that run several aureport commands and formats it into a report. But there really isn't a consensus on what a standard report would be. > Which BASIC /var/log should every accidental sysad (like myself) be > capturing? > > I know where to put the audit rules, but at this point, I'm just sort of > following instructions for that without any real sense of understanding. > The farthest I've gotten is -w means watch. > > If you guys would take a moment to ask such a rudimentary question, I might > be able to move past go. The audit.rules man page has some tips and pointers for rules and investigations. There is also some documentation here: https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html and other distributions have documentation you can look at as well. Try "linux audit documentation" as a search to find more. -Steve -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
