The Linux Audit system provides a way to track security-relevant information on your system.
Based on pre-configured rules, Audit generates log entries to record as much information about the events that are happening on your system as possible.
This information is crucial for mission-critical environments to determine the violator of the security policy and the actions they performed.
Audit does not provide additional security to your system; rather, it can be used to discover violations of security policies used on your system.
These violations can further be prevented by additional security measures such as SELinux.
The following list summarizes some of the information that Audit is capable of recording in its log files:
- Date and time, type, and outcome of an event.
- Sensitivity labels of subjects and objects.
- Association of an event with the identity of the user who triggered the event.
- All modifications to Audit configuration and attempts to access Audit log files.
- All uses of authentication mechanisms, such as SSH, Kerberos, and others.
- Changes to any trusted database, such as /etc/passwd.
- Attempts to import or export information into or from the system.
- Include or exclude events based on user identity, subject and object labels, and other attributes.
The use of the Audit system is also a requirement for a number of security-related certifications. Audit is designed to meet or exceed the requirements of the following certifications or compliance guides:
- Controlled Access Protection Profile (CAPP)
- Labeled Security Protection Profile (LSPP)
- Rule Set Base Access Control (RSBAC)
- National Industrial Security Program Operating Manual (NISPOM)
- Federal Information Security Management Act (FISMA)
- Payment Card Industry: Data Security Standard (PCI-DSS)
- Security Technical Implementation Guides (STIG)
Audit has also been:
Evaluated by National Information Assurance Partnership (NIAP) and Best Security Industries (BSI).
Certified to LSPP/CAPP/RSBAC/EAL4+ on Red Hat Enterprise Linux 5.
Certified to Operating System Protection Profile / Evaluation Assurance Level 4+ (OSPP/EAL4+) on Red Hat Enterprise Linux 6.