Hi Steve,
On this version of audit-0.6.7, I noticed when you first start auditd, if you do

    service auditd start
    auditctl -s

It returns:

    AUDIT_STATUS: enabled=1 flag=1 pid=6695 rate_limit=0 backlog_limit=64 lost=0 backlog=0

But I'm not sure that enabled really is 1. Because if you start adding rules and executing syscalls, the audit records go to /var/log/messages instead of /var/log/audit.log.

But if you do:

    service auditd start
    auditctl -s     (returns "AUDIT_STATUS: enabled=1 flag=1 pid=6723 rate_limit=0 backlog_limit=64 lost=0 backlog=0")
    auditctl -e 1   (returns "AUDIT_STATUS: enabled=1 flag=1 pid=6723 rate_limit=0 backlog_limit=64 lost=0 backlog=0")

Add rules and execute syscalls. Then the audit records will go to /var/log/audit.log.
This also occurs on audit-0.6.6 but not on audit-0.6.4. With audit-0.6.4, audit records will go to /var/log/audit.log without having to set "auditctl -e 1" after doing the restart.

Note, I observed this behavior with most, but not all, of the syscalls I tried. 'chmod' is one example. But 'open' seems to always go to /var/log/audit.log, regardless of whether or not I did the 'auditctl -e 1'.
-debbie
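The symptom above (enabled=1 reported, yet records landing in syslog rather than audit.log) is easy to miss unless something checks both sides. The following is an added example, not code from the thread or from the audit project: a small health check that parses an `auditctl -s` status line and scans syslog-style lines for kernel audit records that auditd evidently did not receive. The `AUDIT_STATUS` field names come from the output quoted above; the syslog sample lines, the hostname and the `audit(<epoch>.<ms>:<serial>):` prefix used to spot stray records are constructed for this example and are assumptions, not output captured from the list member's system.

```python
import re

# Constructed sample of `auditctl -s` output, modelled on the line quoted in the thread.
SAMPLE_STATUS = ("AUDIT_STATUS: enabled=1 flag=1 pid=6695 rate_limit=0 "
                 "backlog_limit=64 lost=0 backlog=0")

# Constructed /var/log/messages lines (assumption: kernel audit records that fall
# back to printk carry an "audit(<epoch>.<ms>:<serial>):" prefix).
SAMPLE_MESSAGES = [
    "Mar  9 18:05:12 host kernel: audit(1110409512.401:17): syscall=15 "
    "success=yes exit=0 a0=bfffe3c0 items=1 pid=6801 comm=\"chmod\"",
    "Mar  9 18:05:13 host sshd[6790]: Accepted publickey for debbie from 10.0.0.5",
    "Mar  9 18:05:20 host kernel: audit(1110409520.118:18): syscall=15 "
    "success=yes exit=0 a0=bfffe3c0 items=1 pid=6803 comm=\"chmod\"",
]

AUDIT_RE = re.compile(r"audit\((\d+)\.(\d+):(\d+)\):")


def parse_audit_status(line):
    """Turn one AUDIT_STATUS line into a dict of integer fields."""
    if not line.startswith("AUDIT_STATUS:"):
        raise ValueError("not an AUDIT_STATUS line: %r" % line)
    return {m.group(1): int(m.group(2))
            for m in re.finditer(r"(\w+)=(-?\d+)", line)}


def find_stray_audit_records(lines):
    """Return the serial numbers of audit records found in syslog-style lines.

    Any hit means the kernel emitted a record that auditd did not consume,
    which is exactly the enabled=1-but-nothing-in-audit.log situation.
    """
    serials = []
    for line in lines:
        m = AUDIT_RE.search(line)
        if m:
            serials.append(int(m.group(3)))
    return serials


def diagnose(status_line, syslog_lines):
    """Cross-check daemon status against syslog; return a list of findings."""
    status = parse_audit_status(status_line)
    problems = []
    if status.get("enabled") != 1:
        problems.append("auditing disabled (enabled=%d)" % status.get("enabled", 0))
    if status.get("pid", 0) == 0:
        problems.append("no audit daemon registered with the kernel (pid=0)")
    if status.get("lost", 0) > 0:
        problems.append("%d record(s) lost by the kernel" % status["lost"])
    stray = find_stray_audit_records(syslog_lines)
    if stray:
        problems.append("%d audit record(s) found in syslog; auditd is not "
                        "receiving them (serials %s)" % (len(stray), stray))
    return problems


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_STATUS, SAMPLE_MESSAGES) or ["audit pipeline looks healthy"]:
        print(finding)
```

On a live host the two inputs would come from `auditctl -s` and a tail of /var/log/messages; the point of the check is that a status line saying enabled=1 is not on its own proof that records are reaching audit.log.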
From: Steve Grubb <sgrubb(a)redhat.com>
Sent by: Linux Audit Discussion <linux-audit-bounces(a)redhat.com>
Date: 03/09/2005 06:02 PM
Subject: audit-0.6.7 released
Please respond to: Linux Audit Discussion
Hello,
The next version of the audit daemon has been released. You can get it from:
http://people.redhat.com/sgrubb/audit/ or in rawhide tomorrow morning. This release fixes a bug in setting the loginuid and adds a new feature.

There is now a configuration option num_files for auditd.conf. This lets you specify how many logs you want the program to allow when it rotates them due to their size. If you set it to 5, you will get audit.log to audit.log.4 in the /var/logs directory.

The new release should be in rawhide tomorrow morning. Let me know if there are any problems.
-Steve Grubb
--
Linux-audit mailing list
Linux-audit(a)redhat.com
http://www.redhat.com/mailman/listinfo/linux-audit