
Newbie: How to use auditd?

Dear linux-audit people,

I recently converted to Fedora3 from Slackware and I'm very new
to this linux audit stuff; I really need help on this.
I'm working on some user space audit logging stuff which
captures both netfilter's ulog and audit for my own project.
First off, I tried auditd to understand how the audit facility works
in user space. But since there's a lack of info, I have no idea
how to use it in the first place. I followed the readme's example below:



    Window 1:
    Window 2 (you don't have to have the daemon running to try this, but
    enabled has to be 1):
        ./auditctl -s
        ./auditctl -a entry,always -S open
        ./auditctl -d entry,always -S open

  Identity tracking:
        ./auditctl -a exit,always -S all -F loginuid=2000
        ./auditctl -L 2000,"test uid"

Nothing worked. The auditd got stuck at the pthread_cond_wait() call.
Maybe I need some policy setting to make it work?
I tried the strict policy too, but it was the same, though I got an avc
error that some of auditd's requests were rejected.
I ran auditd and auditctl under sysadm_r:sysadm_t.
Am I missing something very important in the first place?
Please enlighten me on how to use auditd, and on more info about the
linux audit facility, such as policy settings if required.

Thank you,

-- Junji Kanemaru
Linuon Inc.
Tokyo Japan
