Audit
*****
Audit event: A security-related system action that is audited. For ease of selection, events are grouped into audit classes.
Audit class: A grouping of audit events. Audit classes provide a way to select a group of events to be audited.
Audit policy: A set of auditing options that you can enable or disable at your site. These options include whether to record certain kinds of audit data (for example, the argv or cwd of executed commands) and whether to suspend auditable actions when the audit trail is full.
Audit configuration:
/etc/security/audit_startup (script run at boot; it sets the audit policy with auditconfig. The audit trail directory, default flags and the minfree threshold live in /etc/security/audit_control)
To enable BSM auditing (takes effect after a reboot):
/etc/security/bsmconv
Managing audit logs:
audit -n
(closes the current audit trail file and opens a new one; useful before archiving)
Notify the audit daemon to re-read audit_control and restart auditing:
audit -s
To view audit logs:
i) auditreduce * | praudit -s - To view all log files in the current directory, short form
ii) auditreduce | praudit -l - To view all log files (with no file arguments auditreduce reads the directory named in audit_control), one record per line
iii) praudit -l log_file_name - To view a single log file
iv) auditreduce -c lo | praudit -l - To view a specific event class (here lo, login/logout)
Other parameters used with auditreduce are the following:
-c Audit class
-u Audit user ID (the identity the user logged in with, kept across su; use -r for the real UID)
-a Events occurring after the specified date-time (yyyymmdd[hh[mm[ss]]])
-b Events occurring before the specified date-time; can also be an offset from the -a time such as +31d
-e Effective UID
-g Real GID
-f Effective GID
v) auditreduce -u test1 -c lo | praudit -l - To view login/logout records of user test1
vi) auditreduce -a 20090825 -u test1 -c lo | praudit -l - To view login/logout events for user test1 on or after 25 Aug 2009
vii) auditreduce -a 20090801 -b +31d -u test1 -c lo | praudit -l - To view login/logout events for user test1 for the month of Aug 2009 (31 days starting 1 Aug; the offset must match the month length)
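The query in vii) works for August only because +31d is August's length. The helper below, added here as an example and not part of the original notes, builds the same auditreduce command for any calendar month and sizes the offset to that month; the function names and the month-length logic are assumptions, while auditreduce and praudit are the Solaris BSM tools named above.

```shell
#!/bin/sh
# Added example, not from the original notes. Builds the auditreduce query
# of item vii) for an arbitrary calendar month, sizing the -b +Nd offset to
# that month so the range covers exactly the month. Function names and the
# month-length logic are ours; auditreduce/praudit are the Solaris BSM tools.

# days_in_month YYYY MM -> number of days in that month (Gregorian leap rule);
# MM must be two digits, as in the auditreduce date format
days_in_month() {
    y=$1; m=$2
    case "$m" in
        01|03|05|07|08|10|12) echo 31 ;;
        04|06|09|11) echo 30 ;;
        02)
            if [ $((y % 4)) -eq 0 ] && { [ $((y % 100)) -ne 0 ] || [ $((y % 400)) -eq 0 ]; }
            then echo 29; else echo 28; fi ;;
        *) return 1 ;;
    esac
}

# month_query USER YYYY MM [CLASS] -> prints the auditreduce command for
# CLASS (default lo) records of USER within that month, e.g.
#   month_query test1 2009 08 -> auditreduce -a 20090801 -b +31d -u test1 -c lo
month_query() {
    user=$1; y=$2; m=$3; class=${4:-lo}
    days=$(days_in_month "$y" "$m") || return 1
    printf 'auditreduce -a %s%s01 -b +%sd -u %s -c %s\n' "$y" "$m" "$days" "$user" "$class"
}

# run_month_query USER YYYY MM [CLASS] -> runs the query through praudit -l
# (one record per line) when the BSM tools exist; otherwise prints the pipeline
run_month_query() {
    cmd=$(month_query "$@") || { echo "bad year/month: $2 $3" >&2; return 1; }
    if command -v auditreduce >/dev/null 2>&1; then
        $cmd | praudit -l      # $cmd is intentionally unquoted: split into words
    else
        echo "$cmd | praudit -l"
    fi
}

# Usage: ./month_query.sh test1 2009 08 [lo]
if [ $# -ge 3 ]; then
    run_month_query "$@"
fi
```

On a non-Solaris host the script only prints the pipeline it would run, which is also a convenient way to review the query before piping a large trail through praudit.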
Usage of auditconfig:
/usr/sbin/auditconfig -getcond (options take a leading dash; -getcond reports whether the kernel is currently auditing, -getpolicy shows the active policy)
To audit a specific user (per-user flags that add to or remove from the audit_control defaults):
/etc/security/audit_user
Each line has the form username:always-audit-flags:never-audit-flags; the flags are comma-separated class names, optionally prefixed with + (successes only), - (failures only) or ^ (turn off).
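The helper below is added here as an example and is not part of the original notes. It composes an audit_user entry, rejects unknown class names before the line reaches the file, and looks up a user's flags; the class list is the standard Solaris 10 audit_class set, while the function names and the sample file are assumptions.

```shell
#!/bin/sh
# Added example, not from the original notes. Composes and sanity-checks an
# /etc/security/audit_user entry (format: user:always-audit:never-audit) and
# looks a user's flags up in such a file. The class names are the standard
# Solaris 10 audit_class entries; the helper names and sample data are ours.

AUDIT_CLASSES="no fr fw fa fm fc fd cl pc nt ip na ad lo ap ss as ua ot io ex all"

# valid_flags FLAGS -> 0 if every comma-separated item is a known class,
# optionally prefixed by ^ (turn off) and/or + (success only) / - (failure only)
valid_flags() {
    rest=$1
    [ -n "$rest" ] || return 1
    while [ -n "$rest" ]; do
        f=${rest%%,*}
        if [ "$f" = "$rest" ]; then rest=; else rest=${rest#*,}; fi
        c=${f#^}; c=${c#[+-]}
        case " $AUDIT_CLASSES " in
            *" $c "*) ;;
            *) echo "unknown audit class: $f" >&2; return 1 ;;
        esac
    done
    return 0
}

# audit_user_line USER ALWAYS NEVER -> prints the audit_user entry,
# or fails without printing anything if either flag list is malformed
audit_user_line() {
    valid_flags "$2" && valid_flags "$3" || return 1
    printf '%s:%s:%s\n' "$1" "$2" "$3"
}

# user_flags USER [FILE] -> prints USER's always-audit flags from FILE
# (defaults to the real audit_user file; prints nothing if USER is absent)
user_flags() {
    awk -F: -v u="$1" '$1 == u { print $2 }' "${2:-/etc/security/audit_user}"
}

# demo: builds a constructed audit_user file in a temp location (not the
# real system file) and queries it
demo() {
    f=$(mktemp) || return 1
    audit_user_line root lo,ad no > "$f"
    audit_user_line test1 lo,ex no >> "$f"
    user_flags test1 "$f"      # prints lo,ex
    rm -f "$f"
}

if [ "${1:-}" = demo ]; then
    demo
fi
```

Run the script with the argument demo to see the constructed file queried; audit -s must still be run after editing the real audit_user for auditd to pick up the change.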