The UNIX and Linux Forums > Operating Systems > Linux > Red Hat

#1  07-11-2007  syndex

Thread: auditd

Has anyone used, or set up auditd?

I want to use it to audit critical system files.

Will this be hard? How would I start setting this up?


#2  07-13-2007  syndex
Every time I run

auditctl -l

I get

linux101:/etc # auditctl -l
No rules
File system watches not supported

Here is my audit.rules

linux101:/etc # cat audit.rules
# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.

# First rule - delete all
-D

# Feel free to add below this line. See auditctl man page

# Increase the buffers to survive stress events
-b 256



Here is my auditd.conf

lxt-sles101:/etc # cat auditd.conf
#
# This file controls the configuration of the audit daemon
#

log_file = /var/log/audit/audit.log
log_format = RAW
priority_boost = 3
flush = INCREMENTAL
freq = 20
num_logs = 4
#dispatcher = /usr/sbin/audispd
max_log_file = 5
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND


What am I doing wrong?
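An added example, not code posted in this thread, covering the two things the original question asks for: the file-watch rules that the audit.rules above does not yet contain (a `-D` and `-b 256` alone load no watches), and a reader for the RAW records those watches write to the log_file named in auditd.conf. The file list, the key names and the log lines below are constructed for the demo. One caveat: `-w` rules need a kernel whose audit subsystem supports file watches, which is what the "File system watches not supported" line from `auditctl -l` above reports is missing on that box; on a kernel that has them, append the generated lines to audit.rules and restart auditd (or load them with `auditctl -R audit.rules`), confirm with `auditctl -l`, and query with `ausearch -k identity`.

```python
"""Watch rules for auditd plus a reader for the RAW records they produce.

Added example for this thread, not code posted by anyone in it. The file list,
the key names and the log lines below are constructed for the demo; on a real
box the rules go in the audit.rules file shown above and the records come from
/var/log/audit/audit.log.
"""
import re
from collections import defaultdict

# Assumed set of files worth watching; adjust to the host.
CRITICAL_FILES = {
    "identity": ["/etc/passwd", "/etc/shadow", "/etc/group", "/etc/sudoers"],
    "sshd_config": ["/etc/ssh/sshd_config"],
    "audit_config": ["/etc/audit.rules", "/etc/auditd.conf"],
}


def watch_rules(files_by_key, perms="wa"):
    """Emit one 'auditctl -w' line per path: -p wa fires on writes and
    attribute changes, -k tags the records so 'ausearch -k KEY' finds them."""
    return "\n".join(
        f"-w {path} -p {perms} -k {key}"
        for key, paths in files_by_key.items()
        for path in paths
    )


# RAW format: 'type=T msg=audit(seconds.millis:serial): field=value ...'
MSG_RE = re.compile(r"^type=(\w+) msg=audit\(([\d.]+):(\d+)\):(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_records(log_text):
    """Group the SYSCALL/CWD/PATH records that share a serial into one event."""
    events = defaultdict(lambda: {"paths": []})
    for line in log_text.splitlines():
        m = MSG_RE.match(line)
        if not m:
            continue  # not a RAW audit record
        rtype, ts, serial, rest = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
        ev = events[serial]
        ev["time"] = float(ts)
        if rtype == "SYSCALL":
            # auid is the login uid and survives su/sudo; uid is the effective one
            for k in ("auid", "uid", "exe", "comm", "key", "success"):
                ev[k] = fields.get(k)
        elif rtype == "PATH":
            ev["paths"].append(fields.get("name"))
    return dict(events)


def watched_file_events(log_text, key, successful_only=True):
    """(auid, exe, path) for every syscall that hit the watch tagged KEY."""
    hits = []
    for ev in parse_records(log_text).values():
        if ev.get("key") != key:
            continue
        if successful_only and ev.get("success") != "yes":
            continue  # denied attempts are worth alerting on too: pass False
        for path in ev["paths"]:
            hits.append((ev["auid"], ev["exe"], path))
    return sorted(hits)


# Constructed records: root (logged in as auid 500) edits /etc/passwd, an
# unprivileged user is denied writing /etc/shadow, root rewrites sshd_config.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1184183056.210:4512): arch=40000003 syscall=5 success=yes exit=3 a0=805f1c0 a1=8241 a2=1a4 a3=0 items=1 ppid=2101 pid=2150 auid=500 uid=0 gid=0 euid=0 comm="vim" exe="/usr/bin/vim" key="identity"
type=CWD msg=audit(1184183056.210:4512):  cwd="/root"
type=PATH msg=audit(1184183056.210:4512): item=0 name="/etc/passwd" inode=131131 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1184183090.004:4513): arch=40000003 syscall=5 success=no exit=-13 a0=80d2f10 a1=8241 a2=1a4 a3=0 items=1 ppid=3010 pid=3022 auid=501 uid=501 gid=100 euid=501 comm="vim" exe="/usr/bin/vim" key="identity"
type=CWD msg=audit(1184183090.004:4513):  cwd="/home/alice"
type=PATH msg=audit(1184183090.004:4513): item=0 name="/etc/shadow" inode=131140 dev=08:01 mode=0100640 ouid=0 ogid=15 rdev=00:00
type=SYSCALL msg=audit(1184183120.771:4514): arch=40000003 syscall=5 success=yes exit=4 a0=9f3a0c8 a1=8241 a2=1a4 a3=0 items=1 ppid=2101 pid=2301 auid=500 uid=0 gid=0 euid=0 comm="sed" exe="/bin/sed" key="sshd_config"
type=CWD msg=audit(1184183120.771:4514):  cwd="/root"
type=PATH msg=audit(1184183120.771:4514): item=0 name="/etc/ssh/sshd_config" inode=262201 dev=08:01 mode=0100600 ouid=0 ogid=0 rdev=00:00
"""

if __name__ == "__main__":
    print(watch_rules(CRITICAL_FILES))
    print(watched_file_events(SAMPLE_LOG, "identity", successful_only=False))
```

The grouping by serial matters because a single write to a watched file produces several RAW lines (SYSCALL, CWD, PATH) and only the SYSCALL line carries the key, the login uid and the outcome, while only the PATH line names the file; reporting on `auid` rather than `uid` is what lets you see which person became root before touching /etc/passwd.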
#3  09-01-2008  rlane3907
1. Try adding this to audit.conf:
disp_qos - lossy

2. Restart auditd.

There is an auditd mailing list with lots of good info: Linux-audit Info Page

Good luck!

Rich