Hey all,
OS: SLES 11 SP1 with all patches/updates installed.
I'm looking to monitor and log (to syslog) user events. I'm not interested in system calls, just looking to know if a user is reading, writing or executing certain files/executables.
The problem is, it seems auditd is good for all or nothing when it comes to writing to a log, and I am wondering if I am missing something in the config?
I have syslog enabled with audispd and it works fine.
auditd.conf
Code:
log_file = /var/log/audit/audit.log
log_format = RAW
log_group = root
priority_boost = 4
flush = INCREMENTAL
freq = 20
num_logs = 4
disp_qos = lossy
dispatcher = /sbin/audispd
name_format = NONE
##name = mydomain
max_log_file = 5
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
##tcp_listen_port =
tcp_listen_queue = 5
##tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
audit.rules
Code:
# First rule - delete all
-D
# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 8192
-f 1
-e 1
-w /etc/passwd
The above logs every single syscall and anything that touches passwd. Once again, I do not want to see the syscalls.
Is there a way to set it so syscalls are disabled, so I'm not flooding the network with logs being relayed to the log server?
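A file watch like the one above always emits a SYSCALL record alongside its CWD and PATH records (the SYSCALL record is the one that names the user and the program), so the records themselves can't be made syscall-free; what can be done is narrowing the rule (auditctl's -p limits which access types match, -k tags matching events) and collapsing each multi-record event into one line before it is relayed. The script below is an added example, not from the original post: it parses constructed RAW audit.log records for a keyed watch on /etc/passwd, groups them by event serial and returns one summary line per file access.

```python
import re
from collections import OrderedDict

# Constructed sample of RAW audit.log records from a watch such as
# "-w /etc/passwd -p rwa -k passwd_watch": each access yields a SYSCALL record
# plus CWD and PATH records that share one msg=audit(ts:serial) event id.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1300000000.123:42): arch=c000003e syscall=2 success=yes exit=3 a0=7fff a1=0 a2=1b6 a3=0 items=1 ppid=1200 pid=1234 auid=1000 uid=1000 gid=100 euid=1000 suid=1000 fsuid=1000 egid=100 sgid=100 fsgid=100 tty=pts0 ses=2 comm="cat" exe="/bin/cat" key="passwd_watch"
type=CWD msg=audit(1300000000.123:42):  cwd="/home/user"
type=PATH msg=audit(1300000000.123:42): item=0 name="/etc/passwd" inode=130 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1300000000.456:43): arch=c000003e syscall=2 success=no exit=-13 a0=7fff a1=1 a2=1b6 a3=0 items=1 ppid=1200 pid=1235 auid=1000 uid=1000 gid=100 euid=1000 suid=1000 fsuid=1000 egid=100 sgid=100 fsgid=100 tty=pts0 ses=2 comm="vi" exe="/usr/bin/vi" key="passwd_watch"
type=CWD msg=audit(1300000000.456:43):  cwd="/home/user"
type=PATH msg=audit(1300000000.456:43): item=0 name="/etc/passwd" inode=130 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00
"""

RECORD_RE = re.compile(r'^type=(\w+) msg=audit\(([\d.]+):(\d+)\):\s*(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# The SYSCALL fields worth relaying: who did it, with what, and whether it succeeded.
KEEP = ('auid', 'uid', 'exe', 'comm', 'syscall', 'success', 'key')


def parse_fields(body):
    """Split 'k=v k="v v"' into a dict, dropping the quotes around values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(body)}


def collapse_events(raw):
    """Group records by event serial; return one dict per event, in log order."""
    events = OrderedDict()
    for line in raw.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # not an audit record (blank line, garbage)
        rtype, ts, serial, body = m.groups()
        ev = events.setdefault(serial, {'ts': ts, 'paths': []})
        fields = parse_fields(body)
        if rtype == 'SYSCALL':
            ev.update({k: fields.get(k, '?') for k in KEEP})
        elif rtype == 'PATH' and 'name' in fields:
            ev['paths'].append(fields['name'])
    return list(events.values())


def summarize(raw):
    """Return one syslog-friendly line per event instead of three raw records."""
    out = []
    for ev in collapse_events(raw):
        summary = ' '.join('%s=%s' % (k, ev.get(k, '?')) for k in ('ts',) + KEEP)
        out.append('file-access %s path=%s' % (summary, ','.join(ev['paths']) or '?'))
    return out
```

Feed summarize() the text of /var/log/audit/audit.log (or the records an audispd plugin hands you) and forward only its output; the two sample events above collapse to two lines, one showing cat reading the file and one showing vi failing to open it for writing.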