Discussion:
Using Audit Framework and praudit
mokhi
2016-10-06 17:00:20 UTC
Hi guys.
To use the audit framework, do I need to rebuild my kernel to get
"praudit" to log exec or syscall events?
I followed the handbook's instructions for using praudit, but it only
shows me logs of authentications with "su" and of stopping/starting the
"auditd" service, and no other logs at all.
Any ideas what else I should do?

Best wishes, Mokhi.
Mateusz Piotrowski
2016-10-06 19:20:09 UTC
Hi,
Post by mokhi
To use the audit framework, do I need to rebuild my kernel to get
"praudit" to log exec or syscall events?
I followed the handbook's instructions for using praudit, but it only
shows me logs of authentications with "su" and of stopping/starting the
"auditd" service, and no other logs at all.
I guess that there's no need to recompile anything since your praudit
seems to be working as expected.
Post by mokhi
Any ideas what other things should i do ?
Are you sure you've modified /etc/security/audit_control? It's the file
where you can configure what events the system should log.

See audit_control(5) and the handbook[1] for more details.

Cheers,

-m

[1]: https://www.freebsd.org/doc/handbook/audit-config.html
mokhi
2016-10-07 09:27:23 UTC
Hi,
Thanks for the answer.

I saw audit_control(5) and the handbook entry for audit.

My `/etc/security/audit_control` and `/etc/security/audit_user` are
pasted at [1] and [2].
I guess my change (flags:all) should make it audit all events, on
success and on failure.
Would you please explain my misunderstanding, if there is one?

Best wishes, Mokhi.
============================
[1] https://0x.co/7PE6HC
[2] https://0x.co/AZ7ZTH
mokhi
2016-10-07 14:06:11 UTC
My `/etc/security/audit_control` is similar to what you've suggested.
But I cannot see anything when I run `praudit /dev/auditpipe`, except
when I run `su` in another terminal tab.

Any ideas?

Best wishes, Mokhi.
Mateusz Piotrowski
2016-10-07 14:25:21 UTC
Post by mokhi
My `/etc/security/audit_control` is similar to what you've suggested.
But I cannot see anything when I run `praudit /dev/auditpipe`, except
when I run `su` in another terminal tab.
Have you tried to restart auditd with `service auditd restart` or
rebooting? If you have then I've got no idea what's wrong with your
configuration.
mokhi
2016-10-07 14:33:19 UTC
I tried `service auditd restart`,
but nothing changed. :(

I'm using FreeBSD 10.3, if it helps.
mokhi
2016-10-07 15:55:45 UTC
I just rebooted my system.
No change in the behavior of `praudit /dev/auditpipe` (it still only
prints `su` events).

Do you still think there's no need to rebuild the kernel?

Best wishes, Mokhi.
mokhi
2016-10-07 16:13:04 UTC
Ah, it works now :)

I forgot to change the `naflags` line.

Thanks for the help (and sorry if my mistake caused confusion).

Best wishes, Mokhi.

Mateusz Piotrowski
2016-10-07 14:49:42 UTC
Hi,
Post by mokhi
I saw audit_control(5) and the handbook entry for audit.
My `/etc/security/audit_control` and `/etc/security/audit_user` are
pasted at [1] and [2].
I guess my change (flags:all) should make it audit all events, on
success and on failure.
Would you please explain my misunderstanding, if there is one?
[1] https://0x.co/7PE6HC
[2] https://0x.co/AZ7ZTH
Sorry, I misunderstood your question - I thought you were asking about
/dev/auditpipe.

To be clear:

- praudit is just a tool to print the audit trail files in a human
readable format. It has nothing to do with the events you log.
- /dev/auditpipe allows you to monitor what is being logged in real time.
You may use it like this: `praudit /dev/auditpipe`.
- auditd is an audit log management daemon. If you change configuration
files in /etc/security then you should restart the daemon. If you
modify /etc/security/audit_user specifically, you have to log in and
log out (see audit_user(5)).

This is how to change /etc/security/audit_control to audit everything
you can:

dir:/var/audit
dist:off
flags:all
minfree:5
naflags:all
policy:cnt,argv,arge,seq,
filesz:2M
expire-after:10M

Then, if I start auditd and begin monitoring what's being audited with
`praudit /dev/auditpipe`, I get a constant stream of audit events, which
really slows my system down.

Does it help you?

Cheers,

-m
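Added example, not from the thread and not FreeBSD's own tooling: a small POSIX sh lint for audit_control(5) that reports whether both the `flags:` selector (events attributable to a logged-in user) and the `naflags:` selector (non-attributable events, the line the poster had left out) are set, plus a helper that tells whether a given audit class such as `ex` is covered by a selector string. The two sample files it writes are constructed here, and `audit_control_lint` and `audit_selects` are this example's own names. It assumes the selector syntax described in audit_control(5): comma-separated class names, `all`, and the prefixes `+` (success only), `-` (failure only) and `^` (remove), applied left to right.

```sh
#!/bin/sh
# Added example (not from the thread, not FreeBSD's own tooling): lint an
# audit_control(5) file for the two event selectors that decide what gets
# audited, and test whether a given audit class is covered by a selector.

# audit_control_lint FILE
# Prints the flags: (attributable) and naflags: (non-attributable) values.
# Returns 0 when both are present and non-empty, 1 otherwise. A file with
# flags: but no naflags: is the configuration the poster started with.
audit_control_lint() {
    file=$1
    status=0
    for key in flags naflags; do
        val=$(sed -n "s/^${key}:[[:space:]]*//p" "$file" | head -n 1)
        if [ -z "$val" ]; then
            echo "$file: $key: not set (events in this category are not audited)"
            status=1
        else
            echo "$file: $key:$val"
        fi
    done
    return $status
}

# audit_selects CLASS SELECTOR
# Returns 0 if audit class CLASS (lo, aa, ad, ex, pc, fr, ...) is selected by a
# flags/naflags value such as "lo,aa,ad,ex" or "all,^fr". Assumed semantics:
# tokens apply left to right, "all" matches every class, a ^ prefix removes the
# class, and + / - (success-only / failure-only) still count as selected.
audit_selects() {
    class=$1
    selector=$2
    rc=1
    old_ifs=$IFS
    IFS=,
    for tok in $selector; do
        negate=0
        case $tok in
            '^'*) negate=1; tok=${tok#^} ;;
        esac
        tok=${tok#[+-]}
        if [ "$tok" = all ] || [ "$tok" = "$class" ]; then
            rc=$negate
        fi
    done
    IFS=$old_ifs
    return $rc
}

# Demo on two constructed files: the poster's first attempt (flags: only) and a
# narrower configuration that still audits login, auth, admin and exec events
# for both attributable and non-attributable processes.
demo_dir=$(mktemp -d)
printf 'dir:/var/audit\nflags:all\nminfree:5\npolicy:cnt,argv\nfilesz:2M\n' \
    > "$demo_dir/audit_control.before"
printf 'dir:/var/audit\nflags:lo,aa,ad,ex,pc\nnaflags:lo,aa,ad,ex\nminfree:5\npolicy:cnt,argv\nfilesz:2M\n' \
    > "$demo_dir/audit_control.after"
for f in "$demo_dir/audit_control.before" "$demo_dir/audit_control.after"; do
    if audit_control_lint "$f"; then
        echo "$f: ok"
    else
        echo "$f: incomplete, fix before running 'service auditd restart'"
    fi
    if audit_selects ex "$(sed -n 's/^naflags://p' "$f")"; then
        echo "$f: exec events from non-attributable processes will be audited"
    fi
done
rm -rf "$demo_dir"
```

After editing the real `/etc/security/audit_control`, the thread's own sequence still applies: `service auditd restart`, then watch `praudit /dev/auditpipe`. The `after` file deliberately avoids `flags:all`, since, as noted above, auditing everything produces a constant stream of events and slows the machine.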