3.0 Introducing an Audit Rule Set

The following example configuration illustrates how audit can be used to monitor your system. It highlights the most important items that need to be audited to cover the list of auditable events specified by Controlled Access Protection Profile (CAPP).

The example rule set is divided into the following sections:

To transform this example into a configuration file to use in your live setup, proceed as follows:

  1. Choose the appropriate settings for your setup and adjust them.

  2. Save all examples to one single file called /etc/audit.rules.

  3. Adjust the file permissions so that the rules file is owned by user root and group root, with read-write permission for root, read-only permission for the group, and no access for any other user or group (mode 0640).

NOTE: Adjusting the Level of Audit Logging

Do not copy the example below into your audit setup without adjusting it to your needs. Determine what and to what extent to audit.

The entire audit.rules file is just a collection of auditctl commands: every line in the file expands to one full auditctl command line, and the syntax used in the rule set is the same as that of the auditctl command.
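The following helpers are an added example and are not part of the SUSE guide. They cover the procedure above (checking that a rules file carries the required root:root ownership and 0640 mode) and the point just made (that each rule line is one auditctl invocation, which the second helper prints as a dry run). The function names, the constructed sample rules and the use of GNU `stat -c` are assumptions of this example, not something the guide specifies.

```shell
#!/bin/sh
# Added example (not from the SUSE guide).
#   check_rules_perms FILE [UID:GID]  -> 0 if FILE has mode 0640 and belongs to
#                                        UID:GID (default 0:0, i.e. root:root)
#   rules_to_auditctl FILE            -> print the auditctl command each rule
#                                        line expands to; comments and blank
#                                        lines are skipped
# Assumes GNU coreutils stat(1). Nothing touches /etc unless you pass that path.

check_rules_perms() {
    f=$1
    want_ids=${2:-0:0}                      # uid:gid the file must belong to
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    ids=$(stat -c '%u:%g' "$f")             # numeric ids avoid passwd lookups
    mode=$(stat -c '%a' "$f")               # octal mode without leading zero
    if [ "$ids" = "$want_ids" ] && [ "$mode" = "640" ]; then
        return 0
    fi
    echo "$f: owner $ids mode $mode (want $want_ids mode 640)" >&2
    return 1
}

rules_to_auditctl() {
    # Every non-empty, non-comment line of the rules file is one auditctl call.
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" \
        | sed 's/^[[:space:]]*/auditctl /'
}

# Demonstration on a constructed scratch file (sample rules, not the guide's).
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# constructed sample rules
-D
-b 8192
-w /etc/passwd -p wa -k passwd_changes
EOF
    chmod 640 "$tmp"
    # Owner is whoever runs the demo; on a real host pass nothing to demand root:root.
    check_rules_perms "$tmp" "$(id -u):$(id -g)" && echo "permissions OK"
    rules_to_auditctl "$tmp"
    rm -f "$tmp"
}

demo
```

Run the script as-is to see the dry run; to validate a live file, call `check_rules_perms /etc/audit.rules` (the default expects root:root) before loading it, since a group- or world-writable rules file lets a non-root user decide what gets audited.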