LinuxQuestions.org

LinuxQuestions.org > Ubuntu > system call auditing
https://www.linuxquestions.org/questions/ubuntu-63/system-call-auditing-697642/

sulekha 01-15-2009 10:33 PM

system call auditing
 
Hi all,

This is what I have read in the book "Ubuntu: The Complete Reference" by Richard Petersen:

The Linux Auditing System provides system call auditing. You can download and install
it from the Ubuntu universe repository. The auditing is performed by a server called auditd,
with logs saved to the /var/log/audit directory. It is designed to complement SELinux, which
saves its messages to the auditd log in the /var/log/audit/audit.log file. Logs are located at
/var/log/audit. The audit package includes the auditd server and three commands: autrace,
ausearch, and auditctl. You use ausearch to query the audit logs. You can control the
behavior of the auditd server with the auditctl tool.


Now my question is: when and where, in practical situations, is this sort of auditing used?

unSpawn 01-16-2009 02:11 AM

Quote:

Originally Posted by sulekha (Post 3410611)
My question is: when and where, in practical situations, is this sort of auditing used?

Anywhere strict access controls are in effect due to compliance, anywhere you would want to know when access violations occur, and anywhere you are just interested in what happens. For example, this would log all syscalls related to module operations:
Code:

# modify_ldt and module syscalls (numbers are from the i386 syscall table:
# 123 modify_ldt, 127 create_module, 128 init_module, 129 delete_module,
# 167 query_module; -k tags each matching record so ausearch -k can find it)
# Note: the "entry" filter list was dropped in later audit releases;
# current auditctl expects "-a always,exit" instead of "-a entry,always".
-a entry,always -S 123 -k MOD_ldt
-a entry,always -S 127 -k MOD_crt
-a entry,always -S 128 -k MOD_ini
-a entry,always -S 129 -k MOD_del
-a entry,always -S 167 -k MOD_qry

...related to whatever happens in temp dirs:
Code:

# -w watches a path, -p wx fires on write or execute access, -k tags the record
-w /tmp -p wx -k watch-wx-tmp
-w /var/tmp -p wx -k watch-wx-vartmp
-w /usr/tmp -p wx -k watch-wx-usrtmp
-w /dev/shm -p x -k watch-x-devshm

And of course there are the more extensive CAPP rules to look at.
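As an added example (not code from this thread or from the audit package) of what the keyed rules above give you on the detection side: the script below parses audit.log records of the kind those rules would produce and groups them by their -k key, which is what `ausearch -k KEY` selects. The log lines are constructed, not captured; the serial numbers, pids, inodes and paths are made up, and the record fields are trimmed to the ones the script uses.

```python
"""Summarise auditd records by rule key (what `ausearch -k KEY` would select).

Added example for this thread, not code posted by unSpawn or shipped with the
audit package. The log below is constructed to resemble auditd output for the
posted rules (keys MOD_ini, watch-wx-tmp, watch-x-devshm); every value is made up.
"""
import re
from collections import defaultdict

# Constructed sample of /var/log/audit/audit.log (not real captured data).
# arch=40000003 is AUDIT_ARCH_I386, so syscall=128 is init_module, matching
# the MOD_ini rule in the post; syscall numbers differ per architecture.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1232066400.101:201): arch=40000003 syscall=128 success=yes exit=0 a0=bfa1c3d0 items=0 ppid=2100 pid=2101 auid=1000 uid=0 gid=0 euid=0 comm="insmod" exe="/sbin/insmod" key="MOD_ini"
type=SYSCALL msg=audit(1232066405.202:202): arch=40000003 syscall=5 success=yes exit=3 a0=bfb0a1f0 items=1 ppid=1900 pid=1950 auid=1000 uid=1000 gid=1000 euid=1000 comm="bash" exe="/bin/bash" key="watch-wx-tmp"
type=PATH msg=audit(1232066405.202:202): item=0 name="/tmp/dropper.sh" inode=4711 dev=08:01 mode=0100755 ouid=1000 ogid=1000 rdev=00:00
type=SYSCALL msg=audit(1232066409.303:203): arch=40000003 syscall=11 success=no exit=-13 a0=bfc0d2e0 items=1 ppid=1900 pid=1951 auid=1000 uid=1000 gid=1000 euid=1000 comm="bash" exe="/bin/bash" key="watch-x-devshm"
type=PATH msg=audit(1232066409.303:203): item=0 name="/dev/shm/run.bin" inode=12 dev=00:0f mode=0100644 ouid=1000 ogid=1000 rdev=00:00
type=CRED_ACQ msg=audit(1232066410.404:204): user pid=1960 uid=0 auid=1000 msg='op=PAM:setcred acct="root" exe="/bin/su" res=success'
"""

# key=value pairs; the value is either a double-quoted string or a bare token.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# msg=audit(TIMESTAMP:SERIAL): the serial ties SYSCALL and PATH records together.
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')


def parse_record(line):
    """Return one audit record as a dict (time, serial and its fields), or None."""
    m = MSG_RE.search(line)
    if not m:
        return None
    rec = {"time": float(m.group(1)), "serial": int(m.group(2))}
    for name, raw, quoted in FIELD_RE.findall(line):
        rec[name] = quoted if raw.startswith('"') else raw
    return rec


def summarize_by_key(log_text):
    """Group SYSCALL records by their -k key and attach the PATH names that
    share the same event serial, roughly what `ausearch -k KEY` shows."""
    records = [r for r in (parse_record(l) for l in log_text.splitlines()) if r]
    paths = defaultdict(list)
    for r in records:
        if r.get("type") == "PATH":
            paths[r["serial"]].append(r.get("name", "?"))
    by_key = defaultdict(list)
    for r in records:
        key = r.get("key")
        # Unkeyed syscall records carry key=(null); they belong to no rule.
        if r.get("type") != "SYSCALL" or key in (None, "(null)"):
            continue
        by_key[key].append({
            "serial": r["serial"],
            "syscall": int(r["syscall"]),
            "success": r.get("success") == "yes",
            # auid is the login uid: it survives su, so the record still names
            # the user who logged in even when uid/euid are 0.
            "auid": int(r["auid"]),
            "exe": r.get("exe", "?"),
            "paths": paths.get(r["serial"], []),
        })
    return dict(by_key)


def report(by_key):
    """One line per keyed event, sorted by key, for a quick review."""
    lines = []
    for key in sorted(by_key):
        for ev in by_key[key]:
            outcome = "ok" if ev["success"] else "DENIED"
            where = ",".join(ev["paths"]) or "-"
            lines.append(f"{key:16} serial={ev['serial']} syscall={ev['syscall']} "
                         f"auid={ev['auid']} exe={ev['exe']} {outcome} {where}")
    return lines


if __name__ == "__main__":
    for line in report(summarize_by_key(SAMPLE_LOG)):
        print(line)
```

On a real system you would load the rules with `auditctl -R` (or put them in the audit.rules file auditd reads at start) and then query with `ausearch -k watch-wx-tmp`; the script only shows what the key does for you once the records exist: the key is the handle that turns a pile of syscall records into "everything my /tmp rule caught", and the PATH record joined on the event serial tells you which file it was.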


All times are GMT -5.