IBM 10 SP1 EAL4 Server User Manual


 
5.6.2 Audit operation and configuration options
5.6.2.1 Configuration
There are many ways to control the operation of the audit subsystem. The controls are available at
compilation time, boot time, daemon startup time, and while the daemon is running.
At compilation time, the SLES kernel provides three kernel configuration options that control the level of audit
support compiled into the kernel. The options are:
CONFIG_AUDIT: This enables the base level of audit support.
CONFIG_AUDITSYSCALL: This enables the ptrace hooks for the full syscall audit trace. The
currently supported architectures include X86, PPC64, S390x, IA64, X86_64.
CONFIG_AUDITFILESYSTEM: This enables file system auditing.
At boot time, LAF provides the kernel boot option audit, which enables the system call and file system auditing support.
If audit is set to 1, system call and file system auditing are enabled; otherwise, both system call and file
system auditing are disabled. After the system is up and running, the administrator can enable
and disable system call and file system auditing by using auditctl with the -e option.
On startup, auditd reads the /etc/auditd.conf file, which holds options that can be set by the
administrator to control the behavior of the daemon. Table 5-2 lists the various configuration options. In
addition, auditd reads the /etc/audit.rules file, which holds any command supported by auditctl.
The auditd and auditctl man pages give more detailed information.
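The three configuration layers above (boot option, rules file, effective state) can be checked with a small script. This is an added example, not part of the manual or of the audit package; it works on constructed input strings rather than a live system, and it assumes only what the text states: the boot line is the kernel command line (normally readable from /proc/cmdline) and /etc/audit.rules holds auditctl options one per line.

```shell
#!/bin/sh
# Added example (not from the manual): evaluate the audit configuration layers
# described above on constructed input. Assumes the kernel command line is the
# string passed as $1 and the rules text is auditctl options one per line.

# Boot layer: print 1 if "audit=1" is on the kernel command line,
# 0 if "audit=0", and "unset" if the option is absent.
audit_boot_state() {
    for tok in $1; do
        case "$tok" in
            audit=1) echo 1; return ;;
            audit=0) echo 0; return ;;
        esac
    done
    echo unset
}

# Startup layer: print the value of the last "-e N" line in the rules text
# (comments and blank lines skipped), or "none" if there is no -e line.
rules_enable_flag() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        $1 == "-e" { flag = $2 }
        END { if (flag == "") flag = "none"; print flag }'
}

# Effective state: a -e line in the rules overrides the boot option, since
# auditctl -e can enable or disable auditing once the system is running;
# without one, auditing is enabled only when the boot line had audit=1.
audit_effective() {
    boot=$(audit_boot_state "$1")
    flag=$(rules_enable_flag "$2")
    if [ "$flag" != none ]; then
        state=$flag
    elif [ "$boot" = 1 ]; then
        state=1
    else
        state=0
    fi
    [ "$state" = 1 ] && echo enabled || echo disabled
}

# Constructed sample inputs (not taken from a real system).
SAMPLE_CMDLINE='root=/dev/sda2 audit=1 quiet'
SAMPLE_RULES='# constructed /etc/audit.rules
-D
-b 8192
-e 1'

echo "boot option:  $(audit_boot_state "$SAMPLE_CMDLINE")"
echo "rules -e:     $(rules_enable_flag "$SAMPLE_RULES")"
echo "effective:    $(audit_effective "$SAMPLE_CMDLINE" "$SAMPLE_RULES")"
```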
Figure 5-72: Audit User Space Components