5.15 User-level audit subsystem

The main user-level audit components consist of the auditd daemon, the auditctl control program, the libaudit library, the auditd.conf configuration file, and the auditd.rules initial setup file. There is also the /etc/init.d/auditd init script that is used to start and stop auditd. When run, this script sources another file, /etc/sysconfig/auditd, to set the locale, and to set the AUDIT_CLEAN_STOP variable, which controls whether to delete the watch points and the filter rules when auditd stops.

On startup, auditd reads the configuration file to set the various configuration options that pertain to the daemon. Then, it reads the auditd.rules file to set the initial rules. The auditd.conf man page describes all the configurable options. The auditctl man page lists all the supported control options.

5.15.1 Audit daemon

The auditd daemon does the following on startup:

1. Registers its pid with the kernel, so the kernel starts sending all audit events to the daemon (to the netlink).

2. Enables auditing.

3. Opens the netlink socket, and spawns a thread that continuously waits on the condition of audit record data availability on the netlink. Once the data is available it signals the thread, which writes out the audit records.

4. Reads the /etc/auditd.conf configuration file, which holds the configuration parameters that define, among other things, what to do when errors are encountered or when the log files are full.

5. Usually, the /etc/init.d/auditd init script runs auditd, which issues auditctl -R /etc/audit.rules, if /etc/auditd.rules exists.

6. auditctl can be used at any time, even before auditd is running, to add and build rules associated with possible actions for system calls and file system operations. It also sets the behavior of the audit subsystem in the kernel.

7. If audit is enabled, the kernel intercepts the system calls and generates audit records according to the filter rules. Or, it generates audit records for watches set on particular file system files or directories.

8. Trusted programs can also write audit records for security-relevant operations through the audit netlink, and not directly to the audit log.

5.15.2 Audit utilities

In addition to the main components, the user level provides the ausearch search utility and the autrace trace utility. While ausearch finds audit records based on different criteria from the audit log, autrace audits all syscalls issued by the process being traced. The man pages for these two utilities detail all the options that can be used. This section only describes how they operate.
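To make the search step concrete, the following is an added example (not code from the manual or from the audit package) of how a small ausearch-style filter can reconstruct events from the audit log, where one event is all records sharing a serial number and a watch or syscall rule's key= value identifies which rule fired. The log lines are constructed sample input, and the field names used as criteria (key, auid, name) are assumed from the standard record format.

```python
import re
from collections import defaultdict

# Constructed sample of audit.log records (not taken from the manual). Event
# serial 101 spans a SYSCALL record and a PATH record, as the kernel emits them.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1180000000.123:101): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=1 pid=2345 auid=1000 uid=0 gid=0 euid=0 comm="vi" exe="/usr/bin/vim" key="shadow-watch"
type=PATH msg=audit(1180000000.123:101): item=0 name="/etc/shadow" inode=1234 dev=08:01 mode=0100640 ouid=0 ogid=15
type=SYSCALL msg=audit(1180000000.456:102): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=2000 pid=2346 auid=1000 uid=1000 gid=100 comm="ls" exe="/bin/ls" key=(null)
type=USER_LOGIN msg=audit(1180000000.789:103): user pid=2347 uid=0 auid=1000 msg='op=login id=1000 exe="/usr/sbin/sshd" res=success'
"""

# Header shared by every record: type, then msg=audit(seconds.millis:serial).
RECORD_RE = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
# Body fields are key=value, where value may be double- or single-quoted.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\'[^\']*\'|\S+)')


def parse_records(text):
    """Yield (record_type, timestamp, serial, fields) for each well-formed line."""
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # skip lines that are not audit records
        rtype, ts, serial, body = m.groups()
        fields = {k: v.strip('"\'') for k, v in FIELD_RE.findall(body)}
        yield rtype, float(ts), int(serial), fields


def group_events(text):
    """One audit event = all records carrying the same serial number."""
    events = defaultdict(list)
    for rtype, _, serial, fields in parse_records(text):
        events[serial].append((rtype, fields))
    return dict(events)


def search(text, **criteria):
    """Return the serials of events whose merged fields satisfy every criterion,
    e.g. search(log, key="shadow-watch", auid="1000"). A key of (null) means
    no rule key was attached, so such an event never satisfies a key= criterion."""
    hits = []
    for serial, records in sorted(group_events(text).items()):
        merged = {}
        for _, fields in records:
            merged.update(fields)  # later records contribute e.g. PATH name=
        if merged.get("key") == "(null)":
            del merged["key"]
        if all(merged.get(k) == v for k, v in criteria.items()):
            hits.append(serial)
    return hits
```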

5.15.2.1 aureport

The aureport utility provides summary information from audit log files. Use of aureport is restricted to administrative users. For more information on the aureport utility, see the aureport(8) man page.

aureport typically follows these processing steps:

1. Sets the locale.

IBM 10 SP1 EAL4 manual User-level audit subsystem, Audit daemon, Audit utilities, Aureport