Audit Log Rule Sets

Audit log rule sets control the level of detail recorded in the audit log. Enabling or disabling a rule set adds or removes the corresponding types of log entries, using the parameters of the log audit ruleset command line command.

The following table shows rule sets and their default state:

Rule Sets

    Option    Name                  Enabled
    ------    ----                  -------
         1    Default Rules         true
         2    CLI Commands          true
         3    Users and Groups      false
         4    Network Events        false
         5    Security              false
         6    Software Management   false
         7    Root Commands         false
         8    File Access           false

For details on the logs associated with each rule, see the table Types of command and change logs in audit rules at the end of this section.

By default, therefore, the audit log only contains entries matching the default audit rules (option 1) and VOSS Automate platform CLI commands (option 2). User, group, sudo and login events (3), network and session events (4), security events (5), package management (6), commands executed as root (7) and file access failures and deletions (8) are not logged until their rule sets are enabled. Note that Root Commands (7) produces a high volume of entries.

The following parameters are available for the command log audit ruleset:

  • log audit ruleset list

    Show the current rule set, that is, which rules are enabled and which are disabled.

    For example, consider the following output, in which the non-default option 7 has already been enabled:

    $ log audit ruleset list
    
    
                  Option    Name
                  ------    ----
    
     Rules Enabled
                       1    Default Rules
                       2    CLI Commands
                       7    Root Commands
    
    Rules Disabled
    
                       3    Users and Groups
                       4    Network Events
                       5    Security
                       6    Software Management
                       8    File Access
    
  • log audit ruleset disable 1,2

    Disable rules 1 and 2.

    Note

    The parameter is a comma-separated list of option numbers, without spaces.

    For example:

    $ log audit ruleset disable 1,2
    
    $ log audit ruleset list
    
    
                  Option    Name
                  ------    ----
    
     Rules Enabled
                       7    Root Commands
    
    Rules Disabled
    
                       1    Default Rules
                       2    CLI Commands
                       3    Users and Groups
                       4    Network Events
                       5    Security
                       6    Software Management
                       8    File Access
    
  • log audit ruleset enable 2

    Enable rule 2.

    For example:

    $ log audit ruleset enable 2
    
    $ log audit ruleset list
    
    
                  Option    Name
                  ------    ----
    
     Rules Enabled
    
                       2    CLI Commands
                       7    Root Commands
    
    Rules Disabled
    
                       1    Default Rules
                       3    Users and Groups
                       4    Network Events
                       5    Security
                       6    Software Management
                       8    File Access
    
  • log audit ruleset enable all

    Enable all the rules.

    For example:

    $ log audit ruleset enable all
    
    $ log audit ruleset list
    
    
                  Option    Name
                  ------    ----
    
     Rules Enabled
    
                       1    Default Rules
                       2    CLI Commands
                       3    Users and Groups
                       4    Network Events
                       5    Security
                       6    Software Management
                       8    File Access
                       7    Root Commands
    
    Rules Disabled
    
  • log audit ruleset default

    Reset the rules to the default set (options 1 and 2 enabled, all other options disabled).

    For example:

    $ log audit ruleset default
    
    $ log audit ruleset list
    
    
                  Option    Name
                  ------    ----
    
     Rules Enabled
    
                       1    Default Rules
                       2    CLI Commands
    
    Rules Disabled
    
                       3    Users and Groups
                       4    Network Events
                       5    Security
                       6    Software Management
                       8    File Access
                       7    Root Commands
    
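The commands above are typed into the VOSS Automate platform CLI, which offers no scripting of its own, so checking that a node's rule set still matches a monitoring baseline is most practical from a management host against captured output. The following POSIX shell script is an added example and is not part of the original page or of the VOSS product. It parses a constructed capture shaped like the log audit ruleset list output above (the capture, the baseline and the function names are assumptions made for this example), lists the options shown under Rules Enabled regardless of the order the CLI prints them in (the enable all output above lists 7 after 8), reports which options of a required baseline are not enabled, and emits the log audit ruleset enable command in the comma-separated, no-spaces syntax the CLI requires.

```shell
#!/bin/sh
# Added example: audit the enabled rule set against a required baseline.
# SAMPLE is a constructed capture shaped like `log audit ruleset list` output;
# in practice, capture the real output from the node and pass it in instead.
SAMPLE='
              Option    Name
              ------    ----

 Rules Enabled
                   1    Default Rules
                   2    CLI Commands
                   7    Root Commands

Rules Disabled

                   3    Users and Groups
                   4    Network Events
                   5    Security
                   6    Software Management
                   8    File Access
'

# Print the option numbers listed under "Rules Enabled", numerically sorted,
# on one space-separated line (the CLI does not print them in numeric order).
enabled_options() {
  printf '%s\n' "$1" | awk '
    /Rules Enabled/  { section = "on";  next }
    /Rules Disabled/ { section = "off"; next }
    section == "on" && $1 ~ /^[0-9]+$/ { print $1 }
  ' | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# Print the options from a space-separated required list that are not enabled.
# $1 = captured list output, $2 = required options, e.g. "1 2 3 5"
missing_options() {
  enabled=" $(enabled_options "$1") "
  missing=""
  for opt in $2; do
    case "$enabled" in
      *" $opt "*) ;;                    # already enabled
      *) missing="$missing $opt" ;;     # not enabled: flag it
    esac
  done
  printf '%s' "${missing# }"
}

# Emit the remediation command in the comma-separated, no-spaces syntax the
# CLI requires; prints nothing when the baseline is already satisfied.
enable_command() {
  missing="$(missing_options "$1" "$2")"
  [ -n "$missing" ] || return 0
  printf 'log audit ruleset enable %s\n' "$(printf '%s' "$missing" | tr ' ' ',')"
}

# Baseline (an assumption for this example): default rules, CLI commands,
# user/group events, security events and root commands.
enable_command "$SAMPLE" "1 2 3 5 7"   # prints: log audit ruleset enable 3,5
```

The printed command is what an operator would then type into the platform CLI; a hypothetical baseline of "1 2" produces no output because both options are already enabled in the sample capture.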

Types of command and change logs in audit rules

    Option    Name                  Purpose
    ------    ----                  -------
         1    Default Rules         Audit management tool, kernel, mount, swap, stunnel and cron events
         2    CLI Commands          All VOSS CLI commands, logged in clear text
         3    Users and Groups      User, group, sudo, password and login/logout events
         4    Network Events        Hostname, PAM, SSH, systemd, access failures, power state, session initiation, access control, etc.
         5    Security              Suspicious activity, reconnaissance, code injection and privilege abuse
         6    Software Management   Package management (dpkg, apt, aptitude)
         7    Root Commands         Commands executed as root (high volume)
         8    File Access           File access failures and deletions