From ff8227414ca94688af69677f0ada3cdd297ed8ab Mon Sep 17 00:00:00 2001 From: Pratyush Desai Date: Thu, 9 Dec 2021 03:35:43 +0530 Subject: [PATCH] add auditd docs --- services/nftables/audit-framework/audit.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 services/nftables/audit-framework/audit.md diff --git a/services/nftables/audit-framework/audit.md b/services/nftables/audit-framework/audit.md new file mode 100644 index 0000000..f3a0f99 --- /dev/null +++ b/services/nftables/audit-framework/audit.md @@ -0,0 +1,13 @@ +# Audit Framework + +## Kernel + +To ensure that all process which may have started before `auditd` are marked as auditable use boot time kernel param `audit=1`. + +## Userspace + +* Install the `audit` package, enable and start the `auditd.service`. +* The config file is `auditd.conf`. +* The rules are defined in `/etc/audit/audit.rules`. +* `auditctl` can be used to edit rules on the fly. +* `ausearch` and `aureport` are used to summarize and view data.
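Review bot: The "Userspace" bullets in the new `audit.md` blur runtime and persistent rule changes and will mislead readers: `auditctl` changes are runtime only and are lost when `auditd` restarts, and on distributions that ship `augenrules`, `/etc/audit/audit.rules` is regenerated at service start from `/etc/audit/rules.d/*.rules`, so direct edits to `audit.rules` are overwritten. Suggest stating that persistent rules go in `rules.d/` (or `audit.rules` only where `augenrules` is not used) and that `auditctl` is for temporary, on-the-fly changes, and giving the full config path, e.g. `* The config file is /etc/audit/auditd.conf.` Also, "all process which may have started" should read "all processes that may have started", and the file lands under `services/nftables/audit-framework/` although nothing in it is nftables-specific; consider a top-level `audit-framework/` location or a sentence explaining the relation to the nftables service.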