The following example configuration illustrates how audit can be used to monitor your system. It highlights the most important items that need to be audited to cover the list of auditable events specified by Controlled Access Protection Profile (CAPP).
The example rule set is divided into the following sections:
Basic audit configuration (see Section 31.1, Adding Basic Audit Configuration Parameters)
Watches on audit log files and configuration files (see Section 31.2, Adding Watches on Audit Log Files and Configuration Files)
Monitoring operations on file system objects (see Section 31.3, Monitoring File System Objects)
Monitoring security databases (see Section 31.4, Monitoring Security Configuration Files and Databases)
Monitoring miscellaneous system calls (see Section 31.5, Monitoring Miscellaneous System Calls)
Filtering system call arguments (see Section 31.6, Filtering System Call Arguments)
To transform this example into a configuration file to use in your live setup, proceed as follows:
Choose the appropriate settings for your setup and adjust them.
Adjust the file /etc/audit/audit.rules by adding rules from the examples below or by modifying existing rules.
NOTE: Adjusting the Level of Audit Logging
Do not copy the example below into your audit setup without adjusting it to your needs. Determine what and to what extent to audit.
The entire audit.rules file is just a collection of auditctl commands: every line in the file expands to one full auditctl command line, so the syntax used in the rule set is the same as that of the auditctl command itself.
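As an added illustration (not part of the original documentation or of the audit package), the following script takes a constructed audit.rules fragment that touches each section of the example rule set and expands every rule line into the auditctl command line it stands for, which is a convenient way to dry-run a rule file before loading it into the kernel. The helper names rules_to_cmds and count_watches are assumptions made for this example.

```sh
#!/bin/sh
# Added example: expand an audit.rules fragment into the auditctl command
# lines it represents. This is a dry-run aid, not the audit daemon's own
# loader. The rules below are a constructed sample, not a recommended set.

SAMPLE_RULES='# basic audit configuration
-D
-b 8192
-f 1
# watches on audit log files and configuration files
-w /var/log/audit/ -p wa -k audit-log
-w /etc/audit/auditd.conf -p wa -k audit-conf
-w /etc/audit/audit.rules -p wa -k audit-conf
# monitoring a security database
-w /etc/shadow -p wa -k shadow
# monitoring miscellaneous system calls, filtered by login uid
-a exit,always -F arch=b64 -S unlink -S rmdir -F auid>=1000 -k delete'

# Read rule lines on stdin and print the equivalent auditctl command
# for each one; blank lines and comments are skipped, as auditctl -R does.
rules_to_cmds() {
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      ''|'#'*) continue ;;   # skip empty lines and comments
    esac
    printf 'auditctl %s\n' "$line"
  done
}

# Count the file watches (-w rules) in the sample, a quick check that every
# configuration file you intend to watch is actually present in the rule set.
count_watches() {
  printf '%s\n' "$SAMPLE_RULES" | rules_to_cmds | grep -c ' -w '
}

# Usage: show the commands without loading anything into the kernel.
printf '%s\n' "$SAMPLE_RULES" | rules_to_cmds
```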