Using Audit Framework and praudit
Mateusz Piotrowski
0mp at FreeBSD.org
Fri Oct 7 14:49:21 UTC 2016
Hi,
On 7 Oct 2016, at 11:26, mokhi <mokhi64 at gmail.com> wrote:
> I saw audit_control(5) and the handbook entry for audit.
>
> My `/etc/security/audit_control` and `/etc/security/audit_user` are
> pasted at [1] and [2].
> I guess my changes (flags:all) should make it auditing all events on
> success and fails.
> Would you please explain to me my misunderstanding, if there is any?
>
> [1] https://0x.co/7PE6HC
> [2] https://0x.co/AZ7ZTH
Sorry, I misunderstood your question - I thought you were asking about
/dev/auditpipe.
To be clear:
- praudit is just a tool to print the audit trail files in a human
readable format. It has nothing to do with the events you log.
- /dev/auditpipe allows you to monitor what is being logged in real time.
You may use it like this: `praudit /dev/auditpipe`.
- auditd is an audit log management daemon. If you change configuration
files in /etc/security then you should restart the daemon. If you
modify /etc/security/audit_user specifically, you have to log in and
log out (see audit_user(5)).
This is how to change /etc/security/audit_control to audit everything
you can:
dir:/var/audit
dist:off
flags:all
minfree:5
naflags:all
policy:cnt,argv,arge,seq,
filesz:2M
expire-after:10M
Then if I start auditd and begin monitoring what's being audited with
praudit /dev/auditpipe, I get a constant stream of audit events which
really slows my system.
Does it help you?
Cheers,
-m
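The procedure in the reply above (write the "audit everything" audit_control, restart auditd, watch /dev/auditpipe with praudit), as an added shell example that is not part of the original mail. The config-parsing helpers are mine, and the set of classes treated as high-volume (all, fr, fw) is an assumption based on the sender's remark that flags:all floods the system; the trailing comma on the policy line from the mail is dropped here.

```shell
#!/bin/sh
# Added example (not from the original mail): generate the "audit
# everything" audit_control quoted in the reply, sanity-check an
# audit_control file, and (on a FreeBSD host, as root) apply it and
# stream the trail from /dev/auditpipe.

# Emit the audit_control contents quoted in the reply.
audit_control_everything() {
    cat <<'EOF'
dir:/var/audit
dist:off
flags:all
minfree:5
naflags:all
policy:cnt,argv,arge,seq
filesz:2M
expire-after:10M
EOF
}

# Print the value of KEY from an audit_control FILE (first match only).
ac_get() {  # FILE KEY
    sed -n "s/^$2:\(.*\)$/\1/p" "$1" | head -n 1
}

# Succeed only if both attributable (flags) and non-attributable
# (naflags) events are audited with the "all" class.
ac_audits_everything() {  # FILE
    [ "$(ac_get "$1" flags)" = all ] && [ "$(ac_get "$1" naflags)" = all ]
}

# List the classes in flags/naflags that produce a flood of records.
# The set {all, fr, fw} is this example's assumption: "all" is what the
# reply warns about, and fr/fw (file read/write) fire on nearly every
# file access. Prefixes +, - and ^ (success-only, failure-only, negate)
# are stripped before matching.
ac_high_volume_classes() {  # FILE
    for key in flags naflags; do
        ac_get "$1" "$key" | tr ',' '\n'
    done | sed 's/^[+^-]*//' | grep -x -e all -e fr -e fw \
         | sort -u | tr '\n' ',' | sed 's/,$//'
}

# Apply the config and stream the trail. Run only on FreeBSD as root:
# it overwrites /etc/security/audit_control and restarts auditd.
# Changes to audit_user still need a logout/login, per audit_user(5).
apply_and_watch() {
    cfg=/etc/security/audit_control
    audit_control_everything > "$cfg"
    if ! ac_audits_everything "$cfg"; then
        echo "unexpected audit_control contents" >&2
        return 1
    fi
    echo "high-volume classes enabled: $(ac_high_volume_classes "$cfg")" >&2
    service auditd restart
    praudit -l /dev/auditpipe   # -l: print each record on one line
}

# Only touch the system when explicitly asked: ./audit-all.sh apply
case "${1:-}" in
    apply) apply_and_watch ;;
esac
```

Run it with `apply` as root on the FreeBSD box to reproduce the reply's setup; without arguments it only defines the helpers, so `ac_high_volume_classes /etc/security/audit_control` can be used to see at a glance why the pipe floods before restarting anything.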