LAuS can be configured to watch file access and many other operating system events. It was introduced with Red Hat Enterprise Linux 3 Update 2, but it did not work correctly until fixes shipped in Update 3, so the system must be running Update 3 or newer of Red Hat Enterprise Linux 3. These packages need to be installed:
- laus
- laus-libs
- eal3-certification-doc
- eal3-certification
The man pages for audit and laus can help with editing the LAuS configuration files, which are kept in
/etc/audit. Another good reference for LAuS configuration is the setup guide for the EAL3 security certification, since that certification uses LAuS to perform its auditing. The setup guide is available in six different file formats in this directory:
/usr/share/doc/eal3-certification-doc-0.7/
After installing the required packages and editing the configuration files, the LAuS audit service can be started with the command
service audit start. To configure LAuS to run at startup, issue the command
chkconfig audit on. As soon as the audit service is started, LAuS audits certain processes, such as cron jobs and the starting and stopping of the audit daemon. To make LAuS also monitor user activity such as logins and file access, user logins must be set up to run in an audit context. To do this for text-mode and GUI logins, edit the files
/etc/pam.d/login and
/etc/pam.d/gdm and add the line
session optional pam_laus.so detach
to the end of the session section in both files. It is recommended to restart the system after making these changes. Once they are in place, whenever a user logs in LAuS logs everything that the
/etc/audit/filter.conf file specifies. Note that this has no effect on users who were already logged in when the change was made: they must log out and log back in before their sessions are audited.
The file
/etc/pam.d/sshd also needs to be edited, adding the line
account required pam_laus.so detach
so that login sessions over SSH are logged as well. The sshd daemon must then be restarted with the command
service sshd restart before SSH-based logins are audited, and users already connected over SSH must log out and log back in before their sessions are logged.
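The PAM edits above are easy to get wrong by hand: the line is added twice, or appended after the wrong section. The following shell script is an added example and is not part of the original article or of LAuS. It inserts a pam_laus.so line directly after the last existing line of the given module type (for a file whose session lines come last, that is the same as appending to the end of the session section) and refuses to add the line a second time. The function names (add_pam_laus_line, pam_laus_line_count, write_sample_login, write_sample_sshd) and the two sample PAM files are constructed for this example, modeled on the pam_stack layout of the RHEL 3 files; run it against scratch copies before touching the live files in /etc/pam.d.

```shell
#!/bin/sh
# Added example (not from the original article or from LAuS): idempotently add a
# pam_laus.so line to a PAM service file. Assumes POSIX sh, awk and grep.
# Function names and the sample files below are constructed for this example.

# add_pam_laus_line FILE TYPE CONTROL
#   FILE     PAM service file, e.g. /etc/pam.d/login
#   TYPE     module type: session or account
#   CONTROL  control flag: optional or required
# Inserts "TYPE CONTROL pam_laus.so detach" directly after the last existing
# TYPE line, or at the end of the file if there is no such line.
# Returns 0 when the line was added, 2 when it was already present, 1 on error.
add_pam_laus_line() {
    file=$1; type=$2; control=$3
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    if grep -q "^[[:space:]]*$type[[:space:]].*pam_laus\.so" "$file"; then
        return 2
    fi
    tmp="$file.tmp.$$"
    awk -v t="$type" -v new="$type $control pam_laus.so detach" '
        { lines[NR] = $0; if ($1 == t) last = NR }
        END {
            for (i = 1; i <= NR; i++) {
                print lines[i]
                if (i == last) print new
            }
            if (!last) print new
        }' "$file" > "$tmp" && mv "$tmp" "$file"
}

# pam_laus_line_count FILE TYPE -> number of TYPE lines in FILE that load pam_laus.so
pam_laus_line_count() {
    grep -c "^[[:space:]]*$2[[:space:]].*pam_laus\.so" "$1"
}

# Constructed sample, modeled on the RHEL 3 pam_stack layout of /etc/pam.d/login.
write_sample_login() {
    cat > "$1" <<'EOF'
#%PAM-1.0
auth       required     pam_securetty.so
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    optional     pam_console.so
EOF
}

# Constructed sample, modeled on /etc/pam.d/sshd; here the account section sits
# in the middle of the file, so "append at the end" would be the wrong place.
write_sample_sshd() {
    cat > "$1" <<'EOF'
#%PAM-1.0
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    required     pam_limits.so
EOF
}

# Demonstration on scratch copies; never run this part against the live /etc/pam.d.
demo=$(mktemp -d)
write_sample_login "$demo/login"
write_sample_sshd  "$demo/sshd"
add_pam_laus_line "$demo/login" session optional
add_pam_laus_line "$demo/sshd"  account required
for f in login sshd; do echo "--- $f"; cat "$demo/$f"; done
rm -rf "$demo"
```

The return code distinguishes "added" from "already present", so the function can be run from a configuration-management step repeatedly without producing duplicate pam_laus.so lines. Remember that editing the file is not enough on its own: existing sessions keep running outside the audit context until the user logs in again, and sshd needs a restart as described above.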
Now that LAuS is logging system activity, the command
aucat can be used to print log file contents to the screen. If finer control over what is pulled from the logs is required, the command
augrep can be used instead of
aucat. See the man pages for
aucat and
augrep for details on their usage.
Note that LAuS never deletes its log files, so they can eventually fill the filesystem that contains
/var. The system administrator must monitor the
/var/log/audit.d directory and remove or archive the
save.* files before the filesystem fills up. See the
Related Solutions section below for suggestions on dealing with this issue.
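The directory watch described above can be scripted rather than done by eye. The following shell script is an added example and is not part of the original article or of LAuS: it compresses the save.* files out of the audit directory into an archive directory, leaves every other file in the directory alone, and optionally does so only once the filesystem holding the audit directory has passed a usage threshold. The function names (fs_used_percent, archive_save_files, archive_if_full) and the archive path shown in the comment are constructed for this example; the directory names are parameters so it can be tried on a scratch tree first.

```shell
#!/bin/sh
# Added example (not from the original article or from LAuS): keep /var from
# filling up by compressing the save.* files out of /var/log/audit.d.
# Assumes POSIX sh, df -P, gzip and awk. Directory names are parameters so the
# script can be exercised on a scratch tree; the function names are constructed.

# fs_used_percent DIR -> the Use% column of df for the filesystem holding DIR
fs_used_percent() {
    df -P "$1" | awk 'NR == 2 { sub(/%/, "", $5); print $5 }'
}

# archive_save_files SRC DEST
#   Compresses every SRC/save.* file into DEST/<name>.gz and removes the original.
#   Everything else in SRC is left untouched. Prints the number of files archived.
archive_save_files() {
    src=$1; dest=$2; n=0
    mkdir -p "$dest" || return 1
    for f in "$src"/save.*; do
        [ -f "$f" ] || continue              # unmatched glob, nothing to do
        name=$(basename "$f")
        if gzip -c "$f" > "$dest/$name.gz"; then
            rm -f "$f"
            n=$((n + 1))
        else
            rm -f "$dest/$name.gz"           # keep the original if compression failed
        fi
    done
    echo "$n"
}

# archive_if_full SRC DEST THRESHOLD
#   Archives only when the filesystem holding SRC is at or above THRESHOLD percent
#   full. Prints the number of files archived (0 when below the threshold).
archive_if_full() {
    used=$(fs_used_percent "$1")
    if [ "${used:-0}" -ge "$3" ]; then
        archive_save_files "$1" "$2"
    else
        echo 0
    fi
}

# Run from cron, e.g. hourly, against the real directories (constructed values):
#   archive_if_full /var/log/audit.d /srv/audit-archive 80
```

Point DEST at a filesystem other than the one holding /var; compressing the files in place only delays the problem, and a failed compression must never remove the only copy of an audit record, which is why the original is deleted only after gzip succeeds.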