LinuxQuestions.org
Linux - Newbie This Linux forum is for members that are new to Linux.
Old 04-23-2013, 08:15 AM   #1
Charles Darwin
Auditd file logging not logging daemon processes


Currently I am using the Auditd file logging system, but it is not logging the changes done by daemon processes.
Is there any specific rule to do so, or is it not supported?
 
Old 04-23-2013, 01:49 PM   #2
unSpawn
Quote:
Originally Posted by Charles Darwin View Post
it is not logging the changes done by daemon processes.
What is your current rule set ('auditctl -l'), how early in the boot process is auditd started and what is your test scenario?
 
Old 04-24-2013, 01:46 AM   #3
Charles Darwin
The ruleset is on the root partition itself with read/write permissions.
auditd is started with the booting of the rootfs, just after the kernel boots.
 
Old 04-24-2013, 02:18 AM   #4
unSpawn
Marvelous: half of my questions answered.
Now, what is your current rule set ('auditctl -l') and what is your test scenario?
*Don't be afraid to ask for clarification if you do not understand what I'm asking for.
 
Old 04-24-2013, 04:56 AM   #5
Charles Darwin
"auditctl -l"
>> LIST_RULES: exit,always dir=/ (0x1) perm=w

Test Scenario:
>> List all the processes and the file access during bootup for 2mins.

So in this case, I want to know the settings or configurations to capture the daemon processes as well.
 
Old 04-24-2013, 07:14 PM   #6
unSpawn
Quote:
Originally Posted by Charles Darwin View Post
LIST_RULES: exit,always dir=/ (0x1) perm=w
'man auditctl' says something about how to interpret "-p" usage in general and read and write syscalls specifically.

Quote:
Originally Posted by Charles Darwin View Post
List all the processes and the file access during bootup for 2mins.
"for 2mins" isn't related to auditd at all so I won't comment on that. All processes means "anything that gets executed" and "file access" can mean all and any of read, write and execute and I'm sorry to say but your current rule set doesn't cover any of that. The rule sets in the /usr/share/doc/audit*/ directory should give you an idea of what you can start with building your rule set and 'man auditctl' spills all the details. Also note the audit service won't log anything before its rule set gets loaded plus trying to log everything will put quite a strain on the logging system so I do hope there's a darn good reason for doing this (if you're actually trying to solve another problem tell us).


Quote:
Originally Posted by Charles Darwin View Post
I want to know the settings or configurations to capture the daemon process as well.
Sorry but my ESP is particularly low today. Which "daemon process" exactly?
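As an added example (not code from the thread or from the audit project), here is a small POSIX shell checker over the kind of 'auditctl -l' output posted above: for each watch rule it reports which of the -p permission classes (r, w, x, a) are not enabled, and it says whether any rule audits the execve syscall, which "list all processes" would need. It assumes one rule per line, the old "LIST_RULES: ... perm=w" format quoted in this thread and the newer "-w PATH -p wxa" / "-a always,exit ... -S execve" format; the "syscall=execve" spelling for old-format syscall rules is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: checks 'auditctl -l' output for gaps.
# For each watch rule, prints which -p classes (r, w, x, a) are not enabled;
# also tells whether any rule audits execve, which "all processes" needs.
# Assumes one rule per line, in either the old "LIST_RULES: ... perm=w"
# format quoted above or the newer "-w PATH -p wxa" / "-S execve" format.

# Constructed sample: the thread's rule plus one newer-style watch rule.
SAMPLE_RULES='LIST_RULES: exit,always dir=/ (0x1) perm=w
-w /etc/passwd -p wa -k passwd'

# audit_perm_missing RULE_LINE: prints letters of r,w,x,a the rule lacks.
audit_perm_missing() {
    perm=$(printf '%s\n' "$1" | sed -n \
        -e 's/.*perm=\([rwxa]*\).*/\1/p' \
        -e 's/.*-p \([rwxa]*\).*/\1/p')
    missing=""
    for p in r w x a; do
        case "$perm" in
            *"$p"*) ;;
            *) missing="$missing$p" ;;
        esac
    done
    printf '%s\n' "$missing"
}

# audit_has_exec_rule RULES_TEXT: exit 0 if some rule audits execve.
# "-S execve" is the newer form; "syscall=execve" is assumed for the old one.
audit_has_exec_rule() {
    printf '%s\n' "$1" | grep -Eq -- '(-S |syscall=)[a-z,]*execve'
}

# audit_report RULES_TEXT: one verdict line per watch rule, then execve.
audit_report() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        m=$(audit_perm_missing "$line")
        [ -z "$m" ] && m="none, covers r,w,x,a"
        printf '%s -> missing: %s\n' "$line" "$m"
    done
    if audit_has_exec_rule "$1"; then
        echo 'execve is audited: process starts will be logged'
    else
        echo 'no execve rule: process starts (daemons included) go unlogged'
    fi
}

audit_report "$SAMPLE_RULES"
```

On the thread's single rule the report shows "missing: rxa" and "no execve rule", which matches the reply above that a perm=w watch on / covers neither reads, executes nor process starts.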