Re: audit-0.6.7 released



Hi Steve,

On this version of audit-0.6.7, I noticed when you first start auditd, if you do
"service auditd start"
"auditctl -s"
It returns: "AUDIT_STATUS: enabled=1 flag=1 pid=6695 rate_limit=0 backlog_limit=64 lost=0 backlog=0"

But I'm not sure that enabled really is 1. Because if you start adding rules and executing syscalls, the audit records go to /var/log/messages instead of /var/log/audit.log.
But if you do:
"service auditd start"
"auditctl -s" (returns "AUDIT_STATUS: enabled=1 flag=1 pid=6723 rate_limit=0 backlog_limit=64 lost=0 backlog=0")
"auditctl -e 1" (returns "AUDIT_STATUS: enabled=1 flag=1 pid=6723 rate_limit=0 backlog_limit=64 lost=0 backlog=0")
Add rules and execute syscalls. Then the audit records will go to /var/log/audit.log.

This also occurs on audit-0.6.6 but not on audit-0.6.4. With audit-0.6.4, audit records will go to /var/log/audit.log without having to set "auditctl -e 1" after doing the restart.

Note, I observed this behavior with most, but not all, of the syscalls I tried. 'chmod' is one example. But 'open' seems to always go to /var/log/audit.log, regardless of whether or not I did the 'auditctl -e 1'.

-debbie

Steve Grubb <sgrubb redhat com>
Sent by: linux-audit-bounces redhat com
03/09/2005 06:02 PM
Please respond to: Linux Audit Discussion
To: Linux Audit Discussion <linux-audit redhat com>
cc:
Subject: audit-0.6.7 released

Hello,

The next version of the audit daemon has been released. You can get it from:
http://people.redhat.com/sgrubb/audit/  or in rawhide tomorrow morning. This
release fixes a bug in setting the loginuid and adds a new feature.

There is now a configuration option num_files for auditd.conf. This lets you
specify how many logs you want the program to allow when it rotates them due
to their size. If you set it to 5, you will get audit.log to audit.log.4 in
the /var/logs directory.

The new release should be in rawhide tomorrow morning. Let me know if there
are any problems.

-Steve Grubb

--
Linux-audit mailing list
Linux-audit redhat com
http://www.redhat.com/mailman/listinfo/linux-audit
