.. _audit_log_ruleset:

.. rst-class:: chapter-with-expand

Audit Log Rule Sets
----------------------------

.. index:: log;log audit;log audit ruleset

.. _20.1.1|VOSS-612:

Audit log rule sets are available to manage the level of detail in audit logs. Types of logs can be added to or removed from rule sets by means of **log audit ruleset** command line parameters.

The following table shows the rule sets and their default state:

.. list-table:: Rule Sets
   :widths: 15 50 15
   :header-rows: 1

   * - Option
     - Name
     - Enabled
   * - 1
     - Default Rules
     - true
   * - 2
     - CLI Commands
     - true
   * - 3
     - Users and Groups
     - false
   * - 4
     - Network Events
     - false
   * - 5
     - Security
     - false
   * - 6
     - Software Management
     - false
   * - 7
     - Root Commands
     - false
   * - 8
     - File Access
     - false

For details on the logs associated with the rules, see:

* :ref:`audit-rule-types`
* the audit log description under :ref:`log_types`

This means that by default, the audit log only contains entries associated with the default audit rules (1) and VOSS-4-UC platform CLI commands (2). Options 3 to 8 must be enabled explicitly if events such as user and group changes, logins, package installation or file deletions are to be audited.

The following parameters are available for the command **log audit ruleset**:

* **log audit ruleset list**

  Show the current rule set, in other words the enabled and disabled rules.

  For example, consider the following output, where the non-default option 7 has been enabled:

  ::

      $ log audit ruleset list
      Option  Name
      ------  ----
      Rules Enabled
      1       Default Rules
      2       CLI Commands
      7       Root Commands
      Rules Disabled
      3       Users and Groups
      4       Network Events
      5       Security
      6       Software Management
      8       File Access

* **log audit ruleset disable 1,2**

  Disable rules 1 and 2 in the rule set. Note that disabling option 2 stops the audit logging of VOSS CLI commands, including any later changes made to the rule set from the CLI.

  .. note::

     The parameter syntax is a comma separated list of option numbers *without* spaces.

  For example:

  ::

      $ log audit ruleset disable 1,2
      $ log audit ruleset list
      Option  Name
      ------  ----
      Rules Enabled
      7       Root Commands
      Rules Disabled
      1       Default Rules
      2       CLI Commands
      3       Users and Groups
      4       Network Events
      5       Security
      6       Software Management
      8       File Access

* **log audit ruleset enable 2**

  Enable rule 2 in the rule set.

  For example:

  ::

      $ log audit ruleset enable 2
      $ log audit ruleset list
      Option  Name
      ------  ----
      Rules Enabled
      2       CLI Commands
      7       Root Commands
      Rules Disabled
      1       Default Rules
      3       Users and Groups
      4       Network Events
      5       Security
      6       Software Management
      8       File Access

* **log audit ruleset enable all**

  Enable all the rules. This includes option 7 (Root Commands), which produces a high volume of log entries (see :ref:`audit-rule-types`).

  For example:

  ::

      $ log audit ruleset enable all
      $ log audit ruleset list
      Option  Name
      ------  ----
      Rules Enabled
      1       Default Rules
      2       CLI Commands
      3       Users and Groups
      4       Network Events
      5       Security
      6       Software Management
      8       File Access
      7       Root Commands
      Rules Disabled

* **log audit ruleset default**

  Reset the rules to the default set (options 1 and 2 enabled, all others disabled).

  For example:

  ::

      $ log audit ruleset default
      $ log audit ruleset list
      Option  Name
      ------  ----
      Rules Enabled
      1       Default Rules
      2       CLI Commands
      Rules Disabled
      3       Users and Groups
      4       Network Events
      5       Security
      6       Software Management
      8       File Access
      7       Root Commands

.. _audit-rule-types:

Types of command and change logs in audit rules
................................................

.. tabularcolumns:: |p{1.5cm}|p{3.5cm}|p{12cm}|

======== =================== ==================================================================================================
Option # Name                Purpose
======== =================== ==================================================================================================
1        Default Rules       Audit management tool, kernel, mount, swap, stunnel, cron events
2        CLI Commands        All VOSS CLI commands, logged in clear text
3        Users and Groups    User, group, sudo, password, login/logout events
4        Network Events      Hostname, pam, ssh, systemd, access failures, power state, session initiation, access control, etc.
5        Security            Suspicious activity, reconnaissance, code injection, and privilege abuse
6        Software Management Package management (dpkg, apt, aptitude)
7        Root Commands       Commands executed as root (high volume)
8        File Access         File access failures and deletion
======== =================== ==================================================================================================
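The following POSIX shell script is an added example and is not part of the VOSS documentation or the VOSS-4-UC platform. It parses the ``log audit ruleset list`` output format shown above (the embedded sample is constructed from the page's examples, not captured from a live system), checks it against a required set of options, and prints the exact ``log audit ruleset enable`` command needed to close the gap, in the comma-separated, no-spaces form the note above requires. The script never invokes the VOSS CLI itself; on a real system an operator would save the ``list`` output to a file and feed it to ``missing_rules`` or ``enable_command``. The function names and the choice of required options (1, 2, 3, 5, 7) are the example's own assumptions.

```shell
#!/bin/sh
# Constructed sample of `log audit ruleset list` output with only the
# default rule sets (1 and 2) enabled. Not captured from a live system.
SAMPLE_LIST='Option  Name
------  ----
Rules Enabled
1       Default Rules
2       CLI Commands
Rules Disabled
3       Users and Groups
4       Network Events
5       Security
6       Software Management
8       File Access
7       Root Commands'

# enabled_rules LIST_OUTPUT
# Print the option numbers listed under "Rules Enabled", one per line,
# in numeric order. Header, separator and section lines are skipped
# because their first field is not a number.
enabled_rules() {
    printf '%s\n' "$1" | awk '
        /^Rules Enabled/  { section = "on";  next }
        /^Rules Disabled/ { section = "off"; next }
        section == "on" && $1 ~ /^[0-9]+$/ { print $1 }
    ' | sort -n
}

# missing_rules LIST_OUTPUT "N N N"
# Given the list output and a space-separated set of required option
# numbers, print the required options that are currently disabled as a
# comma-separated list without spaces. Prints nothing if all are enabled.
missing_rules() {
    list="$1"
    required="$2"
    enabled=$(enabled_rules "$list")
    missing=""
    for r in $required; do
        if ! printf '%s\n' "$enabled" | grep -qx "$r"; then
            missing="${missing:+$missing,}$r"
        fi
    done
    printf '%s' "$missing"
}

# enable_command LIST_OUTPUT "N N N"
# Print the CLI command that would enable the missing options, or nothing
# if the rule set already satisfies the requirement. The command is only
# printed, never executed.
enable_command() {
    m=$(missing_rules "$1" "$2")
    if [ -n "$m" ]; then
        printf 'log audit ruleset enable %s' "$m"
    fi
}

# Demo run against the constructed sample with an assumed required set.
REQUIRED="1 2 3 5 7"
echo "Enabled now : $(enabled_rules "$SAMPLE_LIST" | xargs)"
echo "Missing     : $(missing_rules "$SAMPLE_LIST" "$REQUIRED")"
echo "Fix command : $(enable_command "$SAMPLE_LIST" "$REQUIRED")"
```

Because the parser keys on the ``Rules Enabled`` and ``Rules Disabled`` section headers rather than on row position, it is unaffected by the ordering quirk visible in the ``enable all`` and ``default`` examples, where option 7 is listed after option 8.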