Newbie: How to use auditd?

Linux linux at linuon.com
Tue Dec 21 15:09:42 UTC 2004


Dear linux-audit people,

I recently converted to Fedora3 from Slackware, and I'm very new
to this linux audit stuff, so I really need help on this.
I'm working on some user-space audit logging stuff which
captures both netfilter's ulog and audit for my own project.
First off, I tried auditd to understand how the audit facility works
in user space. But since there's a lack of info, I have no idea
how to use it in the first place. I followed the README's example below:

===>
Examples:

  General:

    Window 1:
        ./auditd
    Window 2 (you don't have to have the daemon running to try this, but
    enabled has to be 1):
        ./auditctl -s
        ./auditctl -a entry,always -S open
        ls
        ./auditctl -d entry,always -S open


  Identity tracking:
        ./auditctl -a exit,always -S all -F loginuid=2000
        ./auditctl -L 2000,"test uid"
<===

Nothing worked. auditd got stuck at the pthread_cond_wait() call.
Maybe I need some policy setting to make it work?
I tried the strict policy too, but it was the same, though I got AVC
errors that some of auditd's requests were rejected.
I ran auditd and auditctl under sysadm_r:sysadm_t.
Am I missing something very important in the first place?
Please enlighten me on how to use auditd, and on where to find more info on
the linux audit facility, such as policy settings if required.

Thank you,

-- Junji Kanemaru
Linuon Inc.
Tokyo Japan
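The "Identity tracking" rule in the quoted README (`-a exit,always -S all -F loginuid=2000`) works because the kernel tags every syscall record with the uid of the login session that started the process, not just the process's current uid. The following is an added example, not code from the post or from the audit package: it parses constructed audit records in the kernel's key=value layout and applies the same loginuid / syscall / success filtering an `exit,always` rule would. The field name `loginuid`, the sample records, and the i386 syscall number 5 for `open` are assumptions made for the example; newer kernels emit the same value under the name `auid`.

```python
import re
from typing import Dict, Iterable, List, Optional, Sequence

# Constructed sample records (NOT from the original post or the audit package).
# The key=value layout follows the kernel audit record format. "loginuid" is
# chosen to match the README's "-F loginuid=2000" filter; newer kernels emit the
# same value as "auid". 4294967295 is (unsigned)-1: the login uid was never set,
# i.e. a daemon started at boot rather than an interactive session.
# arch=40000003 is i386, where syscall 5 is open(2).
SAMPLE_RECORDS: List[str] = [
    'type=SYSCALL msg=audit(1103641782.101:1): arch=40000003 syscall=5 success=yes '
    'exit=3 items=1 pid=2001 loginuid=2000 uid=2000 gid=100 euid=2000 comm="ls" exe="/bin/ls"',
    # same login session, but the user has done "su -": uid is now 0
    'type=SYSCALL msg=audit(1103641783.202:2): arch=40000003 syscall=5 success=yes '
    'exit=4 items=1 pid=2005 loginuid=2000 uid=0 gid=0 euid=0 comm="cat" exe="/bin/cat"',
    # a different user, whose open() failed with EACCES
    'type=SYSCALL msg=audit(1103641784.303:3): arch=40000003 syscall=5 success=no '
    'exit=-13 items=1 pid=2010 loginuid=500 uid=500 gid=500 euid=500 comm="ls" exe="/bin/ls"',
    # root process with no login session behind it
    'type=SYSCALL msg=audit(1103641785.404:4): arch=40000003 syscall=5 success=yes '
    'exit=3 items=1 pid=2020 loginuid=4294967295 uid=0 gid=0 euid=0 comm="cron" exe="/usr/sbin/cron"',
]

# key=value pairs; values are either a double-quoted string (comm, exe) or a
# run of non-whitespace (numbers, the msg=audit(...) token, negative exit codes).
_FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_record(line: str) -> Dict[str, str]:
    """Split one audit record into a dict; quoted values are returned unquoted."""
    fields: Dict[str, str] = {}
    for key, value in _FIELD.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def matches_rule(fields: Dict[str, str],
                 loginuid: Optional[int] = None,
                 syscalls: Optional[Sequence[int]] = None,
                 success: Optional[bool] = None) -> bool:
    """Mimic an 'exit,always' rule: -S all (syscalls=None) or -S <nr>, with
    optional -F loginuid=<n> and -F success=yes/no filters."""
    if fields.get("type") != "SYSCALL":
        return False
    if syscalls is not None and int(fields.get("syscall", -1)) not in syscalls:
        return False
    if loginuid is not None and int(fields.get("loginuid", -1)) != loginuid:
        return False
    if success is not None and (fields.get("success") == "yes") != success:
        return False
    return True


def filter_records(lines: Iterable[str], **rule) -> List[Dict[str, str]]:
    """Parse every line and keep the records the rule would have selected."""
    return [f for f in map(parse_record, lines) if matches_rule(f, **rule)]


def track_identity(lines: Iterable[str], loginuid: int):
    """Attribute activity to a login session: (pid, comm, uid) for every syscall
    record whose loginuid equals the session uid, whatever the process's current
    uid is. A root shell reached via su from that session is still attributed
    to the original user, which is the point of filtering on loginuid, not uid."""
    return [(int(f["pid"]), f["comm"], int(f["uid"]))
            for f in filter_records(lines, loginuid=loginuid)]


if __name__ == "__main__":
    for pid, comm, uid in track_identity(SAMPLE_RECORDS, 2000):
        print(f"login session 2000 ran {comm} (pid {pid}) as uid {uid}")
```

Run it and the second line of output shows `cat` executed as uid 0 but still attributed to login session 2000; the cron record, whose login uid was never set, matches no loginuid filter at all, which is exactly the distinction an identity-tracking rule relies on.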