Using Audit Framework and praudit
Mateusz Piotrowski
0mp at FreeBSD.org
Thu Oct 6 19:19:49 UTC 2016
Hi,
On 6 Oct 2016, at 18:59, mokhi <mokhi64 at gmail.com> wrote:
> For using "The audit framework", should I rebuild my kernel to use
> "praudit" to log exec or syscall events?
> I used the way that the handbook says to use praudit, but it only shows me
> logs on authentications with "su" and stop/starting "auditd" service,
> and there aren't any other logs.
I guess that there's no need to recompile anything since your praudit
seems to be working as expected.
> Any ideas what other things should I do?
Are you sure you've modified /etc/security/audit_control? It's the file
where you can configure what events the system should log.
See audit_control(5) and the handbook[1] for more details.
Cheers,
-m
[1]: https://www.freebsd.org/doc/handbook/audit-config.html
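
The check suggested in the reply, as an added example that is not part of the original message: a small POSIX sh function that reads the "flags:" line of an audit_control(5)-style file and reports whether an event class such as "ex" (exec) is selected. The function name and both sample files are constructed for illustration; a flags line of only lo,aa is consistent with seeing nothing but login and authentication records.

```shell
#!/bin/sh
# Added example (not from the original thread).
# audit_flags_select CLASS FILE -> prints "yes" or "no"
# Assumes a single "flags:" line. Simplification: partial negations
# such as ^+ex or ^-ex are ignored; only ^CLASS and ^all switch a class off.
audit_flags_select() {
    class=$1
    file=$2
    selected=no
    # Extract the value of the flags: entry and drop whitespace.
    flags=$(sed -n 's/^flags:[[:space:]]*//p' "$file" | head -n 1 | tr -d ' \t')
    old_ifs=$IFS
    IFS=,
    for tok in $flags; do
        case $tok in
            "^$class"|"^all")
                selected=no ;;      # ^ prefix: do not record this class
            "$class"|"+$class"|"-$class"|all|+all|-all)
                selected=yes ;;     # bare, success-only or failure-only
        esac
    done
    IFS=$old_ifs
    echo "$selected"
}

# Constructed sample files, written to a scratch directory.
tmp=$(mktemp -d)

# "before": only login/logout (lo) and authentication (aa) are selected.
printf 'dir:/var/audit\nflags:lo,aa\nnaflags:lo,aa\npolicy:cnt,argv\n' \
    > "$tmp/before"

# "after": the exec class (ex) is added to the flags entry.
printf 'dir:/var/audit\nflags:lo,aa,ex\nnaflags:lo,aa\npolicy:cnt,argv\n' \
    > "$tmp/after"

echo "before: ex selected? $(audit_flags_select ex "$tmp/before")"
echo "after:  ex selected? $(audit_flags_select ex "$tmp/after")"
```

After editing the real /etc/security/audit_control, "audit -s" tells auditd to re-read it.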