.. _audit_log_ruleset:

.. rst-class:: chapter-with-expand

Audit Log Rule Sets
----------------------------

.. index:: log;log audit;log audit ruleset

.. _20.1.1|VOSS-612:

Audit log rule sets are available to manage the level of detail in audit logs.
Types of logs can be added to or removed from rule sets by means of
**log audit ruleset** command line parameters.

The following table shows the rule sets and their default state:

.. list-table:: Rule Sets
   :widths: 15 50 15
   :header-rows: 1

   * - Option
     - Name
     - Enabled
   * - 1
     - Default Rules
     - true
   * - 2
     - CLI Commands
     - true
   * - 3
     - Users and Groups
     - false
   * - 4
     - Network Events
     - false
   * - 5
     - Security
     - false
   * - 6
     - Software Management
     - false
   * - 7
     - Root Commands
     - false
   * - 8
     - File Access
     - false

For details on the logs associated with the rules, see:

* :ref:`audit-rule-types`
* the audit log description under :ref:`log_types`

This means that by default, the audit log only shows logs associated with the
default audit rules (1) and any VOSS Automate platform CLI commands (2).

The following parameters are available for the command **log audit ruleset**:

* **log audit ruleset list**

  Show the current rule set, in other words the enabled and disabled rules.

  For example, consider the following (non-default option 7 has been enabled):

  ::

     $ log audit ruleset list
     Option   Name
     ------   ----
     Rules Enabled
         1    Default Rules
         2    CLI Commands
         7    Root Commands
     Rules Disabled
         3    Users and Groups
         4    Network Events
         5    Security
         6    Software Management
         8    File Access

* **log audit ruleset disable 1,2**

  Disable rules 1 and 2 from the rule set.

  .. note::

     The parameter syntax is a comma separated list of option numbers
     *without* spaces.

  For example:

  ::

     $ log audit ruleset disable 1,2
     $ log audit ruleset list
     Option   Name
     ------   ----
     Rules Enabled
         7    Root Commands
     Rules Disabled
         1    Default Rules
         2    CLI Commands
         3    Users and Groups
         4    Network Events
         5    Security
         6    Software Management
         8    File Access

* **log audit ruleset enable 2**

  Enable rule 2 from the rule set.

  For example:

  ::

     $ log audit ruleset enable 2
     $ log audit ruleset list
     Option   Name
     ------   ----
     Rules Enabled
         2    CLI Commands
         7    Root Commands
     Rules Disabled
         1    Default Rules
         3    Users and Groups
         4    Network Events
         5    Security
         6    Software Management
         8    File Access

* **log audit ruleset enable all**

  Enable all the rules.

  For example:

  ::

     $ log audit ruleset enable all
     $ log audit ruleset list
     Option   Name
     ------   ----
     Rules Enabled
         1    Default Rules
         2    CLI Commands
         3    Users and Groups
         4    Network Events
         5    Security
         6    Software Management
         8    File Access
         7    Root Commands
     Rules Disabled

* **log audit ruleset default**

  Reset the rules to the default set.

  For example:

  ::

     $ log audit ruleset default
     $ log audit ruleset list
     Option   Name
     ------   ----
     Rules Enabled
         1    Default Rules
         2    CLI Commands
     Rules Disabled
         3    Users and Groups
         4    Network Events
         5    Security
         6    Software Management
         8    File Access
         7    Root Commands

.. _audit-rule-types:

Types of command and change logs in audit rules
................................................

.. tabularcolumns:: |p{1.5cm}|p{3.5cm}|p{12cm}|

======== =================== ==================================================================================================
Option # Name                Purpose
======== =================== ==================================================================================================
1        Default Rules       Audit mgt tool, kernel, mount, swap, stunnel, cron events
2        CLI Commands        All VOSS CLI commands logged in a clear text format
3        Users and Groups    User, group, sudo, password, login/logout events
4        Network Events      Hostname, pam, ssh, systemd, access failures, power state, session initiation, access control, etc.
5        Security            Suspicious activity, reconnaissance, code injection, and privilege abuse
6        Software Management Package management (dpkg, apt, aptitude)
7        Root Commands       Commands executed as root (high volume)
8        File Access         File access failures and deletion
======== =================== ==================================================================================================
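The output of **log audit ruleset list** is what an operator would check to confirm that the rule sets a security baseline requires (for instance Users and Groups, Security and Root Commands) are actually enabled on a node. The following script is an added example and is not part of VOSS Automate or its documentation: it parses the ``list`` output shown above (embedded here as a constructed sample copied from the documented layout), compares the enabled set against a desired baseline, and emits the exact ``enable``/``disable`` commands needed to close the gap, using the comma-separated-without-spaces syntax the note requires. The baseline ``{1, 2, 3, 5, 7}`` is an assumption chosen for illustration, not a vendor recommendation.

```python
"""Audit-ruleset drift check (added example, not VOSS Automate code)."""
import re

# Option number -> rule set name, taken from the documentation table.
RULE_SETS = {
    1: "Default Rules",
    2: "CLI Commands",
    3: "Users and Groups",
    4: "Network Events",
    5: "Security",
    6: "Software Management",
    7: "Root Commands",
    8: "File Access",
}

# Constructed sample of `log audit ruleset list` output, mirroring the
# documented case where non-default option 7 has been enabled.
SAMPLE_LIST_OUTPUT = """\
$ log audit ruleset list
Option   Name
------   ----
Rules Enabled
    1    Default Rules
    2    CLI Commands
    7    Root Commands
Rules Disabled
    3    Users and Groups
    4    Network Events
    5    Security
    6    Software Management
    8    File Access
"""

# Assumed security baseline for this example: default rules, CLI commands,
# user/group changes, security events and root commands.
DESIRED_BASELINE = {1, 2, 3, 5, 7}


def parse_ruleset_list(output):
    """Return (enabled, disabled) as sets of option numbers.

    Lines under "Rules Enabled" go to the enabled set, lines under
    "Rules Disabled" to the disabled set; header, separator and prompt
    lines carry no leading option number and are skipped.
    """
    enabled, disabled = set(), set()
    current = None
    for raw in output.splitlines():
        line = raw.strip()
        if line == "Rules Enabled":
            current = enabled
            continue
        if line == "Rules Disabled":
            current = disabled
            continue
        match = re.match(r"(\d+)\s+\S", line)
        if match and current is not None:
            current.add(int(match.group(1)))
    return enabled, disabled


def check_complete(enabled, disabled):
    """Raise if the parsed output does not account for every documented
    rule set exactly once; a truncated or garbled capture must not be
    silently treated as a clean state."""
    seen = enabled | disabled
    if enabled & disabled:
        raise ValueError("option listed as both enabled and disabled")
    missing = set(RULE_SETS) - seen
    if missing:
        raise ValueError("output does not mention options %s" % sorted(missing))
    return True


def plan_changes(enabled, desired):
    """Return the CLI commands that bring `enabled` to exactly `desired`.

    Option numbers are joined with commas and no spaces, as the
    documentation note requires.
    """
    to_enable = sorted(desired - enabled)
    to_disable = sorted(enabled - desired)
    commands = []
    if to_enable:
        commands.append("log audit ruleset enable " + ",".join(map(str, to_enable)))
    if to_disable:
        commands.append("log audit ruleset disable " + ",".join(map(str, to_disable)))
    return commands


def drift_report(output, desired=DESIRED_BASELINE):
    """Parse `output`, validate it, and return (missing_names, commands)."""
    enabled, disabled = parse_ruleset_list(output)
    check_complete(enabled, disabled)
    missing_names = [RULE_SETS[n] for n in sorted(desired - enabled)]
    return missing_names, plan_changes(enabled, desired)


if __name__ == "__main__":
    names, cmds = drift_report(SAMPLE_LIST_OUTPUT)
    print("Rule sets required by baseline but disabled:", names)
    for cmd in cmds:
        print("Run:", cmd)
```

On the sample output the script reports that Users and Groups and Security are missing and prints ``log audit ruleset enable 3,5``; feeding it the documented ``enable all`` output (empty "Rules Disabled" section) with the same baseline would instead yield ``log audit ruleset disable 4,6,8``. The ``check_complete`` step is deliberate: a partial capture of the ``list`` output would otherwise look like rule sets had been disabled and trigger needless changes.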