Audit Log Rule Sets

Audit log rule sets control the level of detail recorded in the audit log. Types of logs are added to or removed from the rule set by means of the log audit ruleset command line parameters.

The following table shows rule sets and their default state:

Rule Sets

  Option   Name                   Enabled
  ------   ----                   -------
  1        Default Rules          true
  2        CLI Commands           true
  3        Users and Groups       false
  4        Network Events         false
  5        Security               false
  6        Software Management    false
  7        Root Commands          false
  8        File Access            false

For details on the logs associated with each rule, see the table "Types of command and change logs in audit rules" at the end of this section.

This means that by default, the audit log only shows logs associated with the default audit rules (1) and any VOSS-4-UC platform CLI commands (2).

The following parameters are available for the command log audit ruleset:

  • log audit ruleset list

    Show the current ruleset, in other words the enabled and disabled rules.

    For example, consider the following (non-default option 7 has been enabled):

    $ log audit ruleset list
    
    
                  Option    Name
                  ------    ----
    
     Rules Enabled
                       1    Default Rules
                       2    CLI Commands
                       7    Root Commands
    
    Rules Disabled
    
                       3    Users and Groups
                       4    Network Events
                       5    Security
                       6    Software Management
                       8    File Access
    
  • log audit ruleset disable 1,2

    Disable rules 1 and 2 from the rule set.

    Note

    The parameter syntax is a comma separated list of option numbers without spaces.

    For example:

    $ log audit ruleset disable 1,2
    
    $ log audit ruleset list
    
    
                  Option    Name
                  ------    ----
    
     Rules Enabled
                       7    Root Commands
    
    Rules Disabled
    
                       1    Default Rules
                       2    CLI Commands
                       3    Users and Groups
                       4    Network Events
                       5    Security
                       6    Software Management
                       8    File Access
    
  • log audit ruleset enable 2

    Enable rule 2 in the rule set.

    For example:

    $ log audit ruleset enable 2
    
    $ log audit ruleset list
    
    
                  Option    Name
                  ------    ----
    
     Rules Enabled
    
                       2    CLI Commands
                       7    Root Commands
    
    Rules Disabled
    
                       1    Default Rules
                       3    Users and Groups
                       4    Network Events
                       5    Security
                       6    Software Management
                       8    File Access
    
  • log audit ruleset enable all

    Enable all the rules.

    For example:

    $ log audit ruleset enable all
    
    $ log audit ruleset list
    
    
                  Option    Name
                  ------    ----
    
     Rules Enabled
    
                       1    Default Rules
                       2    CLI Commands
                       3    Users and Groups
                       4    Network Events
                       5    Security
                       6    Software Management
                       8    File Access
                       7    Root Commands
    
    Rules Disabled
    
  • log audit ruleset default

    Reset the rules to the default set.

    For example:

    $ log audit ruleset default
    
    $ log audit ruleset list
    
    
                  Option    Name
                  ------    ----
    
     Rules Enabled
    
                       1    Default Rules
                       2    CLI Commands
    
    Rules Disabled
    
                       3    Users and Groups
                       4    Network Events
                       5    Security
                       6    Software Management
                       8    File Access
                       7    Root Commands
    
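The following is an added example, not part of this documentation or the VOSS-4-UC platform itself: a small Python check that parses the output of log audit ruleset list, compares the enabled rules against a baseline an operator has chosen (here, assumed to be the defaults plus Users and Groups and Security), and builds the corresponding enable command using the comma-separated, no-spaces syntax described above. The sample output is constructed to mirror the layout shown on this page.

```python
import re

# Constructed sample of `log audit ruleset list` output (assumed layout,
# mirroring this page; not captured from a live system).
SAMPLE_LIST_OUTPUT = """
              Option    Name
              ------    ----

 Rules Enabled
                   1    Default Rules
                   2    CLI Commands
                   7    Root Commands

Rules Disabled

                   3    Users and Groups
                   4    Network Events
                   5    Security
                   6    Software Management
                   8    File Access
"""

# A rule line is an option number followed by at least two spaces and a name.
RULE_LINE = re.compile(r"^\s*(\d+)\s{2,}(\S.*?)\s*$")


def parse_ruleset_list(text):
    """Return (enabled, disabled) dicts mapping option number -> rule name."""
    enabled, disabled = {}, {}
    bucket = None  # which section the current line belongs to
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "Rules Enabled":
            bucket = enabled
            continue
        if stripped == "Rules Disabled":
            bucket = disabled
            continue
        match = RULE_LINE.match(line)
        if match and bucket is not None:
            bucket[int(match.group(1))] = match.group(2)
    return enabled, disabled


def ruleset_gap(text, baseline):
    """Option numbers in the baseline that are not currently enabled, sorted."""
    enabled, _ = parse_ruleset_list(text)
    return sorted(set(baseline) - set(enabled))


def enable_command(missing):
    """Build the CLI command: comma-separated option numbers, no spaces."""
    if not missing:
        return None  # nothing to do; the rule set already meets the baseline
    return "log audit ruleset enable " + ",".join(str(n) for n in missing)


if __name__ == "__main__":
    BASELINE = {1, 2, 3, 5}  # assumed operator baseline for this example
    print(enable_command(ruleset_gap(SAMPLE_LIST_OUTPUT, BASELINE)))
```

Running the check against the constructed sample reports that rules 3 and 5 are missing and prints log audit ruleset enable 3,5.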

Types of command and change logs in audit rules

  Option   Name                   Purpose
  ------   ----                   -------
  1        Default Rules          Audit management tool, kernel, mount, swap, stunnel, cron events
  2        CLI Commands           All VOSS CLI commands, logged in clear text
  3        Users and Groups       User, group, sudo, password, login/logout events
  4        Network Events         Hostname, pam, ssh, systemd, access failures, power state, session initiation, access control, etc.
  5        Security               Suspicious activity, reconnaissance, code injection, and privilege abuse
  6        Software Management    Package management (dpkg, apt, aptitude)
  7        Root Commands          Commands executed as root (high volume)
  8        File Access            File access failures and deletion