Hello all,

I tested Audit on a Debian 7 (kernel version 3.2.0-5-amd64), but in the audit.log I get no USER_AUTH, USER_ACCT, CRED_ACQ, USER_START and USER_LOGIN record types at all, Only USER_LOGIN types.

As I understand these records should be there without any rules set.
https://www.redhat.com/archives/linux-audit/2017-July/msg00046.html

On another server with kernel version 4.9 it works properly. Is there a possibility that this Audit functionality is not implemented in kernel version 3.2, or is this just a configuration issue on my side?

We have too many Debian 3.x production servers to consider kernel upgrade being an option.

If it's a kernel issue, could you please recommend any workaround? Currently I am thinking on parsing the auth.log

Many thanks,
Robert

auditd.conf:
log_file = /var/log/audit/audit.log
log_format = RAW
log_group = root
priority_boost = 4
flush = INCREMENTAL
freq = 20
num_logs = 4
disp_qos = lossy
dispatcher = /sbin/audispd
name_format = NONE
##name = mydomain
max_log_file = 5
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
##tcp_listen_port =
tcp_listen_queue = 5
tcp_max_per_addr = 1
##tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
enable_krb5 = no
krb5_principal = auditd
##krb5_key_file = /etc/audit/audit.key