{
	"id": "b5872e94-50aa-450f-880a-b23a3d73f964",
	"created_at": "2026-04-06T00:17:26.7918Z",
	"updated_at": "2026-04-10T03:22:00.275904Z",
	"deleted_at": null,
	"sha1_hash": "dfb18910be49e0e94c5b4f359369b043c62bc04f",
	"title": "Chapter 7. System Auditing | Security Guide | Red Hat Enterprise Linux | 6",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 55794,
	"plain_text": "Chapter 7. System Auditing | Security Guide | Red Hat Enterprise\r\nLinux | 6\r\nArchived: 2026-04-05 19:13:19 UTC\r\nChapter 7. System Auditing\r\nThe Linux Audit system provides a way to track security-relevant information on your system. Based on pre-configured rules, Audit generates log entries to record as much information about the events that are happening on\r\nyour system as possible. This information is crucial for mission-critical environments to determine the violator of\r\nthe security policy and the actions they performed. Audit does not provide additional security to your system;\r\nrather, it can be used to discover violations of security policies used on your system. These violations can further\r\nbe prevented by additional security measures such as SELinux.\r\nThe following list summarizes some of the information that Audit is capable of recording in its log files:\r\nDate and time, type, and outcome of an event.\r\nSensitivity labels of subjects and objects.\r\nAssociation of an event with the identity of the user who triggered the event.\r\nAll modifications to Audit configuration and attempts to access Audit log files.\r\nAll uses of authentication mechanisms, such as SSH, Kerberos, and others.\r\nChanges to any trusted database, such as /etc/passwd.\r\nAttempts to import or export information into or from the system.\r\nInclude or exclude events based on user identity, subject and object labels, and other attributes.\r\nThe use of the Audit system is also a requirement for a number of security-related certifications. 
Audit is designed\r\nto meet or exceed the requirements of the following certifications or compliance guides:\r\nControlled Access Protection Profile (CAPP)\r\nLabeled Security Protection Profile (LSPP)\r\nRule Set Based Access Control (RSBAC)\r\nNational Industrial Security Program Operating Manual (NISPOM)\r\nFederal Information Security Management Act (FISMA)\r\nPayment Card Industry — Data Security Standard (PCI-DSS)\r\nhttps://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/chap-system_auditing\r\nPage 1 of 3\n\nSecurity Technical Implementation Guides (STIG)\r\nAudit has also been:\r\nEvaluated by National Information Assurance Partnership (NIAP) and Best Security Industries (BSI).\r\nCertified to LSPP/CAPP/RSBAC/EAL4+ on Red Hat Enterprise Linux 5.\r\nCertified to Operating System Protection Profile / Evaluation Assurance Level 4+ (OSPP/EAL4+) on\r\nRed Hat Enterprise Linux 6.\r\nUse Cases\r\nWatching file access\r\nAudit can track whether a file or a directory has been accessed, modified, executed, or the file's attributes\r\nhave been changed. This is useful, for example, to detect access to important files and have an Audit trail\r\navailable in case one of these files is corrupted.\r\nMonitoring system calls\r\nAudit can be configured to generate a log entry every time a particular system call is used. This can be\r\nused, for example, to track changes to the system time by monitoring the settimeofday, clock_adjtime,\r\nand other time-related system calls.\r\nRecording commands run by a user\r\nBecause Audit can track whether a file has been executed, a number of rules can be defined to record every\r\nexecution of a particular command. For example, a rule can be defined for every executable in the /bin\r\ndirectory. 
The resulting log entries can then be searched by user ID to generate an audit trail of executed\r\ncommands per user.\r\nRecording security events\r\nThe pam_faillock authentication module is capable of recording failed login attempts. Audit can be set\r\nup to record failed login attempts as well, and provides additional information about the user who\r\nattempted to log in.\r\nSearching for events\r\nAudit provides the ausearch utility, which can be used to filter the log entries and provide a complete audit\r\ntrail based on a number of conditions.\r\nRunning summary reports\r\nThe aureport utility can be used to generate, among other things, daily reports of recorded events. A\r\nsystem administrator can then analyze these reports and investigate suspicious activity further.\r\nMonitoring network access\r\nThe iptables and ebtables utilities can be configured to trigger Audit events, allowing system\r\nadministrators to monitor network access.\r\nSystem performance may be affected depending on the amount of information that is collected by Audit.\r\nThe Audit system consists of two main parts: the user-space applications and utilities, and the kernel-side system\r\ncall processing. The kernel component receives system calls from user-space applications and filters them through\r\none of the three filters: user, task, or exit. Once a system call passes through one of these filters, it is sent through\r\nthe exclude filter, which, based on the Audit rule configuration, sends it to the Audit daemon for further\r\nprocessing. Figure 7.1, “Audit system architecture” illustrates this process.\r\nFigure 7.1. 
Audit system architecture\r\nThe user-space Audit daemon collects the information from the kernel and creates log file entries in a log file.\r\nOther Audit user-space utilities interact with the Audit daemon, the kernel Audit component, or the Audit log files:\r\naudisp — the Audit dispatcher daemon interacts with the Audit daemon and sends events to other\r\napplications for further processing. The purpose of this daemon is to provide a plug-in mechanism so that\r\nreal-time analytical programs can interact with Audit events.\r\nauditctl — the Audit control utility interacts with the kernel Audit component to control a number of\r\nsettings and parameters of the event generation process.\r\nThe remaining Audit utilities take the contents of the Audit log files as input and generate output based on\r\nthe user's requirements. For example, the aureport utility generates a report of all recorded events.\r\nSource: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/chap-system_auditing",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/chap-system_auditing"
	],
	"report_names": [
		"chap-system_auditing"
	],
	"threat_actors": [],
	"ts_created_at": 1775434646,
	"ts_updated_at": 1775791320,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dfb18910be49e0e94c5b4f359369b043c62bc04f.pdf",
		"text": "https://archive.orkl.eu/dfb18910be49e0e94c5b4f359369b043c62bc04f.txt",
		"img": "https://archive.orkl.eu/dfb18910be49e0e94c5b4f359369b043c62bc04f.jpg"
	}
}