Difference between revisions of "Auditd"

From Dogtag
Latest revision as of 22:28, 20 May 2020

Viewing Audit Logs

$ tail -f /var/log/audit/audit.log

Listing Audit Rules

$ auditctl -l

Adding Audit Rules

Adding File System Rules

$ auditctl -w /etc/pki/pki-tomcat/server.xml -p wa

Adding System Call Rules

$ auditctl -a always,exit -S all -F auid=pkiuser

Removing Audit Rules

Removing File System Rules

$ auditctl -W /etc/pki/pki-tomcat/server.xml -p wa

Removing System Call Rules

$ auditctl -d always,exit -S all -F auid=pkiuser

Searching Audit Logs

$ ausearch --uid pkiuser
$ ausearch -k <keyword>
$ ausearch --interpret -k <keyword>
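As an added example (not code from the Dogtag wiki), the following Python parser reads raw audit.log records of the kind `tail -f /var/log/audit/audit.log` shows and reproduces what the `ausearch --uid` and `ausearch -k` searches above do: records sharing one `msg=audit(ts:serial)` stamp are grouped into an event, then filtered by `auid` or by the rule key. The sample records, the key name `pki-config` and the uid 977 are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample audit.log records: event 1234 is an open() of server.xml caught by
# a watch rule tagged -k pki-config, event 1235 is an unrelated execve by another user.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1589998080.123:1234): arch=c000003e syscall=257 success=yes exit=3 items=2 ppid=1 pid=4321 auid=977 uid=977 gid=977 euid=977 tty=(none) ses=4 comm="java" exe="/usr/bin/java" key="pki-config"
type=PATH msg=audit(1589998080.123:1234): item=0 name="/etc/pki/pki-tomcat/" inode=1 dev=fd:00 mode=040750 ouid=977 ogid=977 nametype=PARENT
type=PATH msg=audit(1589998080.123:1234): item=1 name="/etc/pki/pki-tomcat/server.xml" inode=2 dev=fd:00 mode=0100660 ouid=977 ogid=977 nametype=NORMAL
type=SYSCALL msg=audit(1589998099.500:1235): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=2000 pid=2001 auid=1000 uid=1000 tty=pts0 ses=7 comm="bash" exe="/usr/bin/bash" key=(null)
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')   # name=value tokens of a record
MSG_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\):')          # the msg=audit(ts:serial): stamp

def parse_record(line):
    """One audit.log line -> dict. Quotes are stripped and (null) becomes None."""
    rec = {}
    for name, value in FIELD_RE.findall(line):
        if name == "msg":
            m = MSG_RE.fullmatch(value)
            if m:
                rec["timestamp"], rec["serial"] = float(m.group(1)), int(m.group(2))
            continue
        rec[name] = None if value == "(null)" else value.strip('"')
    return rec

def group_events(log_text):
    """Records sharing a serial belong to one event (the block ausearch prints)."""
    events = defaultdict(list)
    for line in filter(str.strip, log_text.splitlines()):
        rec = parse_record(line)
        events[rec.get("serial")].append(rec)
    return dict(events)

def search(log_text, auid=None, key=None):
    """Events whose SYSCALL record matches auid and/or key; None means 'any'."""
    hits = []
    for recs in group_events(log_text).values():
        sc = next((r for r in recs if r.get("type") == "SYSCALL"), None)
        if sc and (auid is None or sc.get("auid") == str(auid)) \
              and (key is None or sc.get("key") == key):
            hits.append(recs)
    return hits

def touched_files(event):
    """Paths named by the PATH records of one event, in item order."""
    return [r["name"] for r in sorted((r for r in event if r.get("type") == "PATH"),
                                      key=lambda r: int(r["item"]))]
```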

References

* PKI Server Audit
* Defining Audit Rules: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-defining_audit_rules_and_controls
* FIPS Operational Environment: https://wiki.mozilla.org/FIPS_Operational_Environment