9.2. Audit Policy

The audit policy defines the significant events which need to be logged on server. Logs have two important roles: provide a means for near-real-time monitoring of the system and allow you to investigate past actions. When considering system security, audit events will often identify unauthorized attempts to access resources. The events originate from interactive user sessions or system processes and services.

As defined by the Filesystem Hierarchy Standard (FHS), events are logged to files which reside in the /var/log directory. Files that you need to pay attention to are listed in the table:

File Description How to examine
/var/log/lastlog Records of each user’s last login lastlog
/var/log/messages System messages from syslogd cat /var/log/messages
/var/log/wtmp Records of all logins and logouts who /var/log/wtmp

9.2.1. Storing Logs Remotely

It is recommended to store logs remotely. This will let you detect intrusion even if an attacker gained root privileges and modified local logs to hide their presence. You can change log location by configuring the rsyslogd daemon.

For example, you can add the following lines to the end of the /etc/rsyslog.conf configuration file:

kern.warning;*.err;authpriv.none\t@<remote_host>
*.info;mail.none;authpriv.none;cron.none\t@<remote_host>
*.emerg\t@<remote_host>
local7.*\t@<remote_host>

where <remote_host> is the FQDN of the destination server where logs need to be stored.

9.2.2. Viewing Critical Audit Messages

The most important security messages are tracked by syslog authpriv and stored in the /var/log/secure log file by default. It tracks all attempts to access the computer from a local interactive logon, network logon, network servce startups, change of privileges, etc. Failed logon attempts may show a trend for password attacks. Successful logon messages are important for identifying which user logged on at a given time.