We already know that most things happening on the system are subject to audit with RSBAC. However, the logging facility is only a tool, and like every tool, it's usefulness is only seen if you know how to use that tool.

We can divide the audit you need into different categories:

• the standard everyday logging: RSBAC defaults are pretty good, it logs anything that has been denied.
• sensitive applications, files or user accesses: if something in the system is especially exposed, it might be a good idea to log additional events that are in relation, and watch them more closely.
• suspicious activity: this is more a day-to-day thing, when you have a doubt, just log it for a while, but do not forget to stop logging afterwards.
• regular checks: it is a good practice, to audit users, directory paths, or applications, during a day, randomly every month, to compare with the previous month. This may help you to spot suspicious activity.
• application debugging, or RSBAC rules making: have additional logging over one program might help you to understand what this program is doing without having access to the source code (or if you do not understand it).

Start one of the rsbac_menu to get an easy interface to the logging menus.

# rsbac_menu
# rsbac_user_menu <user id>
# rsbac_fd_menu <file>

• rsbac_menu set up the general logging for the whole system
• rsbac_user_menu set up the logging rules per user
• rsbac_fd_menu set up the logging per program

Note: See 3.Architecture and Implementation>>III.Framework Components>>e.Logging Facility for more information about log arrays and how to setup logging

Table of Contents: RSBAC Handbook
Previous: Configuration Basics
Next: Selecting a Security Model Combination