Red Hat Enterprise Linux 5 Administration Unleashed
deleting a user, which modifies these password files being watched. Just like the example in Listing 25.3 for a rule with a filter key, the key is added to the end of the log entry so it can be easily filtered from the rest of the log entries.

LISTING 25.5 Example Log Entries for Audit Watches

type=SYSCALL msg=audit(1168227741.656:17915): arch=c000003e syscall=82 success=yes exit=0 a0=7fff00975dd0 a1=60a700 a2=0 a3=22 items=5 ppid=26575 pid=4147 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 comm="userdel" exe="/usr/sbin/userdel" key="PASSWD"

Customizing auditctl

Command-line options for configuring the audit system parameters can also be included in /etc/audit/audit.rules. Table 25.1 lists these options.

TABLE 25.1 auditctl Options for Configuring Audit System Parameters

Option       Description
-b           Maximum number of outstanding audit buffers allowed. The default from the kernel is 64. If all buffers are full, the kernel refers to the failure flag set with the -f option to determine which action to take.
-e [0,1]     Set to 0 to disable auditing, or set to 1 to enable auditing. Useful for temporarily disabling audit for troubleshooting or other purposes.
-f [0,1,2]   Set the failure flag used to tell the kernel how to handle critical errors such as the audit buffers being full or being out of kernel memory. Valid values are 0 (no action), 1 (use printk to log messages to /var/log/messages), and 2 (panic). The default is 1, but 2 is more secure.
-r           Rate limit in messages/second. If set to 0, there is no limit. If the rate limit is exceeded, the kernel consults the failure flag from the -f option to determine which action to take.
-i           Ignore errors when reading rules from a file.

To verify they have been set, use the auditctl -s command to view the status.
The output looks like the following:

AUDIT_STATUS: enabled=1 flag=1 pid=1954 rate_limit=0 backlog_limit=256 lost=0 backlog=0

Starting and Stopping the Daemon

After configuring the daemon and adding rules and watches, start the daemon with the service auditd start command as root. To stop it, use the service auditd stop command. To enable it to automatically start at boot time, execute the chkconfig auditd on command as root.
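The two procedures above, tagging watches with a key so their records can be pulled out of the log, and placing the Table 25.1 parameters in /etc/audit/audit.rules and checking them with auditctl -s, worked through as an added shell example. This is not code from the book: it writes a constructed rules fragment to a temporary directory rather than to /etc/audit, checks every active line against the options in Table 25.1, and filters a constructed set of log records (the first is the Listing 25.5 entry; the other three are made up) by their key field. The -w/-p/-k watch syntax and the function names are assumptions, not taken from this page.

```shell
#!/bin/sh
# Added example (not from the book). Nothing here touches /etc/audit or the
# running kernel; it only works on files and strings it creates itself.

# Constructed log records. The first is the Listing 25.5 entry verbatim; the
# remaining three are made up to give the filter something to reject.
SAMPLE_LOG='type=SYSCALL msg=audit(1168227741.656:17915): arch=c000003e syscall=82 success=yes exit=0 a0=7fff00975dd0 a1=60a700 a2=0 a3=22 items=5 ppid=26575 pid=4147 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 comm="userdel" exe="/usr/sbin/userdel" key="PASSWD"
type=SYSCALL msg=audit(1168227800.100:17916): arch=c000003e syscall=2 success=yes exit=3 auid=501 uid=0 comm="vi" exe="/bin/vi" key="SSHD_CONFIG"
type=SYSCALL msg=audit(1168227850.200:17917): arch=c000003e syscall=82 success=no exit=-13 auid=502 uid=502 comm="passwd" exe="/usr/bin/passwd" key="PASSWD"
type=CONFIG_CHANGE msg=audit(1168227900.300:17918): audit_enabled=1 old=1 auid=501 res=1'

# Constructed "auditctl -s" line in the format the book shows.
STATUS_LINE='AUDIT_STATUS: enabled=1 flag=1 pid=1954 rate_limit=0 backlog_limit=256 lost=0 backlog=0'

# Write a rules fragment using Table 25.1 options plus two keyed watches.
# Goes to $1/audit.rules, never to /etc/audit. Prints the path written.
write_audit_rules() {
  cat > "$1/audit.rules" <<'EOF'
# Audit system parameters (auditctl options from Table 25.1)
-b 256
-f 1
-r 0
# Watches on the files userdel modifies, tagged with the key from Listing 25.5
# (-w/-p/-k syntax assumed from auditctl; not shown on this page)
-w /etc/passwd -p wa -k PASSWD
-w /etc/shadow -p wa -k PASSWD
# Enable auditing last, so the parameters above are already in place
-e 1
EOF
  printf '%s/audit.rules\n' "$1"
}

# Return 0 if every active line in rules file $1 is a Table 25.1 option
# with a valid value, or a watch (-w). Warns about -f 2, which panics the
# kernel on audit failure: more secure, but be sure that is wanted.
rules_check() {
  ok=0
  while IFS= read -r line; do
    case "$line" in
      ''|'#'*) ;;
      '-b '[0-9]*) ;;
      '-e 0'|'-e 1') ;;
      '-f 0'|'-f 1') ;;
      '-f 2') echo "warning: -f 2 panics the kernel on audit failure" >&2 ;;
      '-r '[0-9]*) ;;
      '-i') ;;
      '-w /'*) ;;
      *) echo "invalid rule: $line" >&2; ok=1 ;;
    esac
  done < "$1"
  return $ok
}

# Print only the records on stdin carrying key="$1" (the -k tag).
filter_audit_key() {
  grep -F "key=\"$1\"" || true
}

# Count the records on stdin carrying key="$1".
count_audit_key() {
  filter_audit_key "$1" | awk 'END { print NR }'
}

# Print the value of field $2 in the space-separated name=value record $1,
# with surrounding quotes removed. Works for log records and the status line.
audit_field() {
  printf '%s\n' "$1" | awk -v f="$2" '{
    for (i = 1; i <= NF; i++) {
      split($i, kv, "=")
      if (kv[1] == f) {
        v = substr($i, length(f) + 2)
        gsub("\"", "", v)
        print v
        exit
      }
    }
  }'
}

# Demo: write and check a rules file, then filter and dissect the records.
demo_dir=$(mktemp -d)
rules=$(write_audit_rules "$demo_dir")
rules_check "$rules" && echo "rules OK: $rules"
echo "records tagged PASSWD:"
printf '%s\n' "$SAMPLE_LOG" | filter_audit_key PASSWD
first=$(printf '%s\n' "$SAMPLE_LOG" | head -n 1)
echo "first record: auid=$(audit_field "$first" auid) exe=$(audit_field "$first" exe)"
echo "kernel backlog_limit: $(audit_field "$STATUS_LINE" backlog_limit)"
rm -rf "$demo_dir"
```

The filter matches the exact `key="..."` token, so a watch keyed PASSWD is not confused with one keyed PASSWD_BACKUP, and the same field extractor serves both the log records and the auditctl -s status line, since both are space-separated name=value pairs. The auid field is the one worth keying reports on: it survives su and sudo, whereas uid=0 only says the command ran as root.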