Accounting
Learn how Linux and applications store actions performed by users and systems, such as authentication events.
Linux System Integrity: Ensure Data, Logging and Kernel Integrity
Linux system integrity can be achieved with security measures which focus on kernel integrity, file integrity and hardware integrity.
Summary
From Data and Logging, up to Kernel Integrity Systems exist for one primary goal, which is processing data. Information security helps protecting this valuable data, by ensuring its availability, integrity, and confidentiality. In other words, data should be available when we need it. Then it should be properly transmitted and stored, without errors. Our last goal ensures that it is only available to those with a need to know. Many open source software components are available to help with these goals.
Logging root actions by capturing execve system calls
Logging all actions performed by root might be needed for compliance or security. With the help of Linux audit we log all root actions easy in an audit log.
Summary
Capturing execve system calls and store them in the audit log For compliance or security reasons you might want to capture all commands executed by the root user. Fortunately enough the Linux audit framework helps with capturing the right system calls and log it to the audit file. Configure audit To enable auditing, use the following commands: # auditctl -a exit,always -F arch=b64 -F euid=0 -S execve -k root-commands # auditctl -a exit,always -F arch=b32 -F euid=0 -S execve -k root-commands These commands will enable monitoring for the execve system call and log it when the effective user ID is 0, equal to the root user.
Tuning auditd: high-performance Linux Auditing
To achieve better performance with a auditd configuration, it needs to be tuned. See performance boosters like events exclusion, rule ordering, and more.
Summary
The Linux Audit framework is a powerful tool to audit system events. From running executables up to system calls, everything can be logged. However, all this audit logging comes at the price of decreased system performance. Let’s have a look at how we can optimize our audit rules. Performance tips Good auditd performance will reduce stress on the Linux kernel and lower its impact. Before changing anything to your system, we suggest benchmarking your system performance before and after.
Linux Audit Framework 101 – Basic Rules for Configuration
The Linux audit framework is a very powerful tool to monitor files, directories, and system calls. Learn how to configure it.
Summary
Starting with Linux auditing can be overwhelming. Fortunately, there is a great feature in the Linux kernel to watch events and log them for us. To give you a quick start to use the Linux Audit Framework, we have collected some basic rules for configuring the audit daemon and its rules. Main Configuration By default the configuration values in /etc/audit/audit.conf are suitable for most systems. If you know your system is very low or very high (e.
Creating audit trails – Logging commands on Linux with Snoopy
Snoopy is a useful utility to log commands on Linux and create a related audit trail. Auditing trails are considered to be important for proper accounting.
Summary
Logging commands on Linux with Snoopy Our customers often want to set-up an audit trail for accounting purposes. When something happens, they want to be able to see what happened, when it did and by whom. Defining an audit trail is also becoming mandatory for compliance, like PCI. One possible solution we cover is using Snoopy, a small library to log executed commands. How it works Snoopy is a wrapper around the execve() function.